Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Kinit not working after migrating principals from one KDC to other one

Labels:
avatar
author-rank saivenkatg55
Explorer

Created ‎02-24-2022 09:18 PM

Hi Team,

I have recently migrated Kerberos principals using the below command from one KDC to another KDC, post-migration kinit is not working and it is throwing some error whereas the same identity is working in the original KDC. Can you please help us in identifying the error? Did I make any mistakes while migrating the principles? 

 

Command Used - kdb5_util dump -verbose dumpfile 

 and logged in to other KDC and executed the restore 

kdb5_util restore -verbose /tmp/dumpfile

 

Error:

KRB5_TRACE=/dev/stdout kinit testuser

[8962] 1645765308.654184: Getting initial credentials for testuser@EXAMPLE.COM

[8962] 1645765308.654186: Sending unauthenticated request

[8962] 1645765308.654187: Sending request (181 bytes) to EXAMPLE.COM

[8962] 1645765308.654188: Resolving hostname stg-hdplucykrb101.phonepe.nb6

[8962] 1645765308.654189: Sending initial UDP request to dgram 10.57.55.228:88

[8962] 1645765308.654190: Received answer (163 bytes) from dgram 10.57.55.228:88

[8962] 1645765308.654188: Resolving hostname kdc.example.com

[8962] 1645765308.654191: Sending DNS URI query for _kerberos.EXAMPLE.COM.

[8962] 1645765308.654192: No URI records found

[8962] 1645765308.654193: Sending DNS SRV query for _kerberos-master._udp.EXAMPLE.COM.

[8962] 1645765308.654194: Sending DNS SRV query for _kerberos-master._tcp.EXAMPLE.COM.

[8962] 1645765308.654195: No SRV records found

[8962] 1645765308.654196: Response was not from master KDC

[8962] 1645765308.654197: Received error from KDC: -1765328353/Decrypt integrity check failed

[8962] 1645765308.654198: Retrying AS request with master KDC

[8962] 1645765308.654199: Getting initial credentials for testuser@EXAMPLE.COM

[8962] 1645765308.654201: Sending unauthenticated request

[8962] 1645765308.654202: Sending request (181 bytes) to EXAMPLE.COM (master)

[8962] 1645765308.654203: Sending DNS URI query for _kerberos.EXAMPLE.COM.

[8962] 1645765308.654204: No URI records found

[8962] 1645765308.654205: Sending DNS SRV query for _kerberos-master._udp.EXAMPLE.COM.

[8962] 1645765308.654206: Sending DNS SRV query for _kerberos-master._tcp.EXAMPLE.COM.

[8962] 1645765308.654207: No SRV records found

kinit: Password incorrect while getting initial credentials

1,912 Views
0 Kudos
1 REPLY 1

avatar
author-rank GangWar author-rank
Master Guru

Created ‎03-02-2022 10:11 PM

  1. Stop CDH Services and Stop Cloudera Manager Management Services.
  2. Import the new kerberos account. You will need an admin account on the KDC for this:
    1. CM UI -> Administration -> Security -> Kerberos credentials -> "Import Kerberos Account Manager Credentials"
    2. Enter username and password
    3. Click Import button
  3. Re-generate missing principals if the previous step was successful
    1. CM UI -> Administration -> Security -> "Kerberos credentials"
    2. Click the button "Generate Missing Credentials"
  4. Wait until credentials have been generated
  5. Start Cloudera Manager Management Services
  6. Start CDH Services

Cheers!
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
1,870 Views
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements