Kerberos authentication error with keytab

Contributor

Hello,

I've got a problem with Kerberos authentication using the keytab: when I try to start any instance of the HDFS service I keep getting the following error.

org.apache.hadoop.security.KerberosAuthException: Login failure for user: hdfs/<fqdn>@<REALM.COM> from keytab hdfs.keytab javax.security.auth.login.LoginException: Message stream modified (41)

I did not find any satisfactory answer for this problem, and the principals authenticate very well using that keytab file through the kinit command.

Thank you in advance.

13 REPLIES

New Contributor

Hi,

Check that the domain name in your krb5.conf is in uppercase:

[libdefaults]
default_realm = EXAMPLE.COM

[realms]
EXAMPLE.COM = {
    kdc = domaincontroller.example.com
    admin_server = domaincontroller.example.com
    default_domain = EXAMPLE.COM
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

Regards

Contributor

Yes, the realm name is in uppercase, the same as in the examples.

Champion

@rrodriguez

1. Get the node that has the keytab. Ex: I am using the node which belongs to the impala daemon.
2. Go to /var/run/cloudera-scm-agent/process and run ls; it will list the processes
3. cd xxxxxx-impala-IMPALAD .. ## Run the ls cmd and make sure it has impala.keytab
4. klist -kt impala.keytab ## This will list all the available and valid principals
5. kinit -kt impala.keytab <copy paste the valid principal from the above step>
6. klist ## make sure kinit initiated

Contributor

Sorry for the late response.

I did that and it worked with kinit and an imported keytab.

Thank you

Champion

@rrodriguez happy to know that it worked!!

Contributor

Sorry, the kinit command worked; Cloudera keeps giving the first mentioned exception.

Champion

@rrodriguez

Is it? My bad, I didn't get it... Did you get a chance to follow 'all' the steps that I've mentioned? If so, were you able to run all the steps successfully?

Contributor

@saranvisa

Yes, I've done all the steps on multiple occasions; the kinit command works fine with the imported keytabs, but HDFS continues writing that error in the logs.

Contributor

Hello @saranvisa

I tested it again after regenerating the keytabs, and when running klist -kt I got the following message.

# klist -kt hdfs.keytab
Keytab name: FILE:hdfs.keytab
klist: Unsupported key table format version number while starting keytab scan

 

This is not the same for the other keytab files in other directories in /var/run/cloudera-scm-agent/process, just for some of them.

Any idea of what's happening? Why are some processes getting empty keytab files? I don't understand.

Thank you for the help
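
Added example (not posted by anyone in this thread): a shell check for the symptom in the last post, where only some process directories hold a keytab that klist cannot read. It relies on the MIT keytab file layout (first byte 0x05, then a version byte 0x01 or 0x02); the function names and the sample directory names are made up for the illustration.

```shell
#!/bin/sh
# Classify keytab files by size and format header, without needing klist.
# An MIT keytab starts with byte 0x05 followed by a version byte (0x01 or 0x02);
# an empty or truncated file has no such header and cannot be parsed.

keytab_status() {
    # Prints one of: missing, empty, bad-header, ok
    f=$1
    [ -f "$f" ] || { echo missing; return; }
    [ -s "$f" ] || { echo empty; return; }
    hdr=$(od -An -tx1 -N2 "$f" | tr -d ' \n')
    case $hdr in
        0501|0502) echo ok ;;
        *)         echo bad-header ;;
    esac
}

scan_process_dir() {
    # Reports every *.keytab one level below the given directory and
    # prints the number of unusable files on the last line.
    base=$1
    bad=0
    for f in "$base"/*/*.keytab; do
        [ -e "$f" ] || continue
        s=$(keytab_status "$f")
        printf '%s\t%s\n' "$s" "$f"
        [ "$s" = ok ] || bad=$((bad + 1))
    done
    echo "unusable: $bad"
}

# Constructed sample tree (directory names are made up), so this runs offline.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/101-hdfs-NAMENODE" "$demo/102-hdfs-DATANODE" "$demo/103-impala-IMPALAD"
printf '\005\002constructed' > "$demo/101-hdfs-NAMENODE/hdfs.keytab"
: > "$demo/102-hdfs-DATANODE/hdfs.keytab"
printf 'not a keytab' > "$demo/103-impala-IMPALAD/impala.keytab"
scan_process_dir "$demo"
# On a real host: scan_process_dir /var/run/cloudera-scm-agent/process
```

A file reported as ok only has a valid header; klist -kt on it is still what shows which principals and key versions it holds.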