I've got a problem with the authentication of Kerberos using the Keytab, when I try to start any instance of HDFS service I keep getting the next error.
org.apache.hadoop.security.KerberosAuthException: Login failure for user: hdfs/<fqdn>@<REALM.COM> from keytab hdfs.keytab javax.security.auth.login.LoginException: Message stream modified (41)
I did not found any satisfactory answer for this problem, and the principals authenticates very well using that keytab file through kinit command.
Thank you in advance.
Hi again @saranvisa,
I checked the logs and I saw that the error that I was getting on starting a service was caused from a certain process so I got in that directory and looked for the error on hdfs.keytab. When doing the klist -kt hdfs.keytab I got the principals list, tried to make a kinit with one of them and it worked well.
What I've seen is that the imported keytabs I was trying to klist were some old keytab files, modified few weeks ago, and the logs gave me the clue on which directory test the keytab files.
So we are at the same point, seems that krb5-workstation commands work fine, keytabs were generated right and the service keeps outputing the same error again and again.
Some more ideas to test?
We surpassed the error just configuring Cloudera to authenticate to a local KDC, we were using a KDC provided by WSO2, this problem got solved but not with the scenario it appeared first.
When you get below error message when doing kinit using a keytab file
klist: Unsupported key table format version number while starting keytab scan
Make sure that keytab file is not of zero byte
e.g This is Zero byte keytab file and you will get the above error when trying to do kinit with it
-rw------- 1 cloudera-scm cloudera-scm 0 Aug 30 12:15 ./32-cloudera-mgmt-SERVICEMONITOR/cmon.keytab
A good keytab file will have non-zero size e.g. 778 for the below file
-rw------- 1 cloudera-scm cloudera-scm 778 Oct 12 05:21 ./150-cloudera-mgmt-SERVICEMONITOR/cmon.keytab