Support Questions

Find answers, ask questions, and share your expertise
Celebrating as our community reaches 100,000 members! Thank you!

Kinit not working after migrating principals from one KDC to other one


Hi Team,

I have recently migrated Kerberos principals using the below command from one KDC to another KDC, post-migration kinit is not working and it is throwing some error whereas the same identity is working in the original KDC. Can you please help us in identifying the error? Did I make any mistakes while migrating the principles? 


Command Used - kdb5_util dump -verbose dumpfile 

 and logged in to other KDC and executed the restore 

kdb5_util restore -verbose /tmp/dumpfile



KRB5_TRACE=/dev/stdout kinit testuser

[8962] 1645765308.654184: Getting initial credentials for testuser@EXAMPLE.COM

[8962] 1645765308.654186: Sending unauthenticated request

[8962] 1645765308.654187: Sending request (181 bytes) to EXAMPLE.COM

[8962] 1645765308.654188: Resolving hostname stg-hdplucykrb101.phonepe.nb6

[8962] 1645765308.654189: Sending initial UDP request to dgram

[8962] 1645765308.654190: Received answer (163 bytes) from dgram

[8962] 1645765308.654188: Resolving hostname

[8962] 1645765308.654191: Sending DNS URI query for _kerberos.EXAMPLE.COM.

[8962] 1645765308.654192: No URI records found

[8962] 1645765308.654193: Sending DNS SRV query for _kerberos-master._udp.EXAMPLE.COM.

[8962] 1645765308.654194: Sending DNS SRV query for _kerberos-master._tcp.EXAMPLE.COM.

[8962] 1645765308.654195: No SRV records found

[8962] 1645765308.654196: Response was not from master KDC

[8962] 1645765308.654197: Received error from KDC: -1765328353/Decrypt integrity check failed

[8962] 1645765308.654198: Retrying AS request with master KDC

[8962] 1645765308.654199: Getting initial credentials for testuser@EXAMPLE.COM

[8962] 1645765308.654201: Sending unauthenticated request

[8962] 1645765308.654202: Sending request (181 bytes) to EXAMPLE.COM (master)

[8962] 1645765308.654203: Sending DNS URI query for _kerberos.EXAMPLE.COM.

[8962] 1645765308.654204: No URI records found

[8962] 1645765308.654205: Sending DNS SRV query for _kerberos-master._udp.EXAMPLE.COM.

[8962] 1645765308.654206: Sending DNS SRV query for _kerberos-master._tcp.EXAMPLE.COM.

[8962] 1645765308.654207: No SRV records found

kinit: Password incorrect while getting initial credentials


Master Guru
  1. Stop CDH Services and Stop Cloudera Manager Management Services.
  2. Import the new kerberos account. You will need an admin account on the KDC for this:
    1. CM UI -> Administration -> Security -> Kerberos credentials -> "Import Kerberos Account Manager Credentials"
    2. Enter username and password
    3. Click Import button
  3. Re-generate missing principals if the previous step was successful
    1. CM UI -> Administration -> Security -> "Kerberos credentials"
    2. Click the button "Generate Missing Credentials"
  4. Wait until credentials have been generated
  5. Start Cloudera Manager Management Services
  6. Start CDH Services

Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.