Kerberos authentication from MacOS Monterey to access Hadoop Web UI post cluster Kerberization
Labels: Kerberos
Created ‎05-30-2023 03:48 AM
Hi Team,
I want to set up a Kerberos client on my Mac laptop running macOS Monterey (version 12.6.5). I have put the krb5.conf file at the paths below.
/etc/krb5.conf
/Library/Preferences/edu.mit.kerberos
But when I try to run kinit, I get the error below.
--
kinit -kt /Users/banshidhar_sahoo/Desktop/POC_KEYTAB/test.headless.keytab test@EXAMPLE.COM
kinit: krb5_get_init_creds: unable to reach any KDC in realm EXAMPLE.COM, tried 0 KDCs
--
I have also set the environment variable as below:
KRB5_CONFIG=/etc/krb5.conf
But I am getting the same error when doing kinit.
Can you please suggest how to point to krb5.conf so that it can reach the correct KDC server?
Regards,
Banshi.
Created ‎05-30-2023 07:29 PM
The issue got fixed after making the two changes below in the /etc/krb5.conf file.
1. The issue was an include line in my /etc/krb5.conf file which was not valid.
Removed the line below from /etc/krb5.conf:
"includedir /etc/krb5.conf.d/"
2. On macOS the default client does not fall back to TCP. In krb5.conf prefix kdc value with tcp/ to force the client to use TCP if your corporate network blocks UDP.
kdc = tcp/kdc.example.com:88
Regards,
Banshi.
Created ‎05-30-2023 05:25 AM
@banshidhar_saho I am assuming you are not using @EXAMPLE.COM. Have you confirmed that your client (macOS) has network and DNS connectivity with the KDC host?
There are a few things you must do to configure it properly:
- Ensure the Kerberos client libraries are installed on that host
- Your on-prem krb5.conf file must be copied to the client host.
- The sections [realms] and [domain_realm] are especially important to solve your issue.
- Ensure that the hostname of your KDC can be resolved from the client (you can test it with nslookup and/or ping). This must work correctly for Kerberos to work. If there's no integrated DNS you will have to add entries to your /etc/hosts file to ensure the resolution is correct.
- Ensure that any firewalls are configured correctly to open ports between your application and your on-prem environment:
- Open all the ports required for the client to communicate with the KDC (typically, ports 88 UDP and 88 TCP)
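Pulling together the accepted fix above (the invalid includedir line and the tcp/ prefix on the kdc entries) and the checklist in this reply (realms section, name resolution, port 88), here is an added example that is not part of the original thread: a small POSIX shell script that lists the KDCs a krb5.conf actually configures for a realm, flags include targets that do not exist, rewrites plain kdc entries to the TCP form, and probes a KDC from the Mac. The function names, the sample krb5.conf and the host names in it are constructed for this example; EXAMPLE.COM stands in for the real realm, as in the posts.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a krb5.conf for the two
# problems the thread hit, then probe the KDCs it lists from this machine.
# The sample config, realm and host names below are constructed placeholders.

# Print the KDCs configured for a realm in [realms], one host:port per line.
# A tcp/ or udp/ transport prefix is stripped; a missing port defaults to 88.
# If this prints nothing for the realm you hand to kinit, the client has no
# KDC address to try at all.
kdc_hosts_for_realm() {
    awk -v realm="$2" '
        /^[ \t]*\[/ { in_realms = ($0 ~ /^[ \t]*\[realms\]/); next }
        in_realms && $1 == realm && $2 == "=" { in_realm = 1; next }
        in_realm && /^[ \t]*}/                 { in_realm = 0; next }
        in_realm && $1 == "kdc" && $2 == "=" {
            v = $3
            sub(/^(tcp|udp)\//, "", v)
            if (v !~ /:[0-9]+$/) v = v ":88"
            print v
        }
    ' "$1"
}

# Report include/includedir targets that do not exist on this machine.
# Returns 1 if any are missing (the thread's first fix was to delete the line).
missing_includes() {
    rc=0
    for target in $(awk '$1 == "include" || $1 == "includedir" { print $2 }' "$1"); do
        if [ ! -e "$target" ]; then
            echo "missing: $target"
            rc=1
        fi
    done
    return $rc
}

# Rewrite every plain "kdc = host[:port]" to "kdc = tcp/host[:port]" so the
# client talks TCP to the KDC (the thread's second fix); entries that already
# carry a transport prefix are left alone. Prints the rewritten config.
force_tcp_kdcs() {
    awk '
        $1 == "kdc" && $2 == "=" && $3 !~ /^(tcp|udp)\// {
            sub(/kdc[ \t]*=[ \t]*/, "kdc = tcp/")
        }
        { print }
    ' "$1"
}

# Probe one KDC (host:port) over TCP. nc resolves the name through the system
# resolver, so /etc/hosts entries count (nslookup and dig bypass /etc/hosts).
# UDP 88 cannot be confirmed with a port probe; if kinit only works with the
# tcp/ prefix in place, treat UDP as filtered. Not run against the sample.
check_kdc() {
    host=${1%%:*}; port=${1##*:}
    if nc -z -w 3 "$host" "$port" 2>/dev/null; then
        echo "ok   tcp/$host:$port"
    else
        echo "FAIL tcp/$host:$port (name resolution or TCP $port blocked)"
        return 1
    fi
}

# Constructed sample krb5.conf reproducing both problems from the thread.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
includedir /nonexistent/krb5.conf.d/

[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = tcp/kdc1.example.com:88
        kdc = kdc2.example.com
        admin_server = kdc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
EOF

main() {
    echo "== KDCs configured for EXAMPLE.COM =="
    kdc_hosts_for_realm "$SAMPLE_CONF" EXAMPLE.COM
    echo "== include targets =="
    missing_includes "$SAMPLE_CONF" || echo "remove or fix the include line(s) above"
    echo "== kdc entries after forcing TCP =="
    force_tcp_kdcs "$SAMPLE_CONF" | grep 'kdc ='
    # Against the real config on this Mac:
    # kdc_hosts_for_realm /etc/krb5.conf EXAMPLE.COM | while read -r k; do check_kdc "$k"; done
}
main
```

Run it as-is to see the sample analysed, then point kdc_hosts_for_realm at /etc/krb5.conf with your real realm and pipe the result through check_kdc. An empty KDC list for the realm is the condition behind a "tried 0 KDCs" result like the one in the question, whether the file is not the one the client reads, a line such as the poster's includedir directive stops it being parsed, or the [realms] entry is simply absent.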
Created ‎05-30-2023 06:44 AM
Hi @steven-matison, you are right. I have replaced the actual REALM with EXAMPLE.COM while posting.
I have checked connectivity using the "nc -zv" and "ping" commands. Connectivity is fine.
====
nc -zv <kdc_server_VIP> <KDC_Port>
Connection to xxxxxxxx port xxxxxx [tcp/sqlexec] succeeded!
====
--- <kdc_server_VIP> ping statistics ---
13 packets transmitted, 12 packets received, 7.7% packet loss
====
"kinit: krb5_get_init_creds: unable to reach any KDC in realm EXAMPLE.COM, tried 0 KDCs"
Seeing the above error, I feel it's not able to locate the krb5.conf file.
When we run the kinit command, is it referring to the /etc directory for the krb5.conf file or some other location on a Mac machine?
Regards,
Banshi.
