Created on 10-06-2017 07:45 AM - edited 10-06-2017 07:48 AM
Hi,
I'm trying to move the Cloudera Management Services to another host following those steps: https://www.cloudera.com/documentation/enterprise/5-6-x/topics/cm_ag_restore_server.html
It all works fine until the point in which I have to start the new services (Activity Monitor, Host Manager, etc).
When I try to start them they fail saying:
Command failed to run because this role has invalid configuration. Review and correct its configuration. First error: Role is missing Kerberos keytab. Go to the Kerberos Credentials page and click the Generate Missing Credentials button.
Then when I go to "Security", "Kerberos credentials" and click on "Generate Missing Credentials" I get
/usr/share/cmf/bin/gen_credentials.sh failed with exit code 1 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ CMF_REALM=EXAMPLE.NET
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf3146936050096402809.keytab
+ PRINC=hdfs/hadoop-data04.example.net@EXAMPLE.NET
+ MAX_RENEW_LIFE=432000
+ KADMIN='kadmin -k -t /var/run/cloudera-scm-server/cmf5911913375869248594.keytab -p cloudera-scm@EXAMPLE.NET -r EXAMPLE.NET'
+ RENEW_ARG=
+ '[' 432000 -gt 0 ']'
+ RENEW_ARG='-maxrenewlife "432000 sec"'
+ '[' -z /etc/krb5.conf ']'
+ echo 'Using custom config path '\''/etc/krb5.conf'\'', contents below:'
+ cat /etc/krb5.conf
+ kadmin -k -t /var/run/cloudera-scm-server/cmf5911913375869248594.keytab -p cloudera-scm@EXAMPLE.NET -r EXAMPLE.NET -q 'addprinc -maxrenewlife "432000 sec" -randkey hdfs/hadoop-data04.example.net@EXAMPLE.NET'
kadmin: Database error! Required KADM5 principal missing while initializing kadmin interface
>>
This is where I get stuck.
I already clicked on the "Import Kerberos Account Manager Credentials" button and imported the credentials so that the cloudera-scm user can access the AD and recreate Kerberos principals.
Maybe there is an extra step when moving CM to another host if the cluster is using Kerberos?
Created on 10-09-2017 02:47 AM - edited 10-09-2017 02:49 AM
Created 10-06-2017 03:52 PM
The error you are getting is regarding "kadmin" which is an MIT Kerberos client command for the MIT KDC.
However, you mention "cloudera-scm user can access the AD and recreate kerberos principals."
If you are using Active Directory for a KDC, that means that you seem to have a misconfiguration where your Kerberos KDC is set to "MIT".
In Cloudera Manager, go to "Administration --> Settings" and click "Kerberos" on the left under the CATEGORY section.
On the right, make sure you have "KDC Type" set to "Active Directory" if you are using Active Directory for your KDC.
Save your change and try importing credentials and generating missing credentials.
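A small triage helper for the situation described in the reply above, added here as an example and not part of the original thread or of Cloudera's tooling: it reads a gen_credentials.sh trace like the one quoted in the question and flags the case where an MIT client (kadmin) ran although the KDC is Active Directory. The function name, the result keys and the abridged sample trace are constructed for illustration.

```python
import re
import shlex

# Constructed sample: an abridged copy of the trace quoted in the question.
SAMPLE_TRACE = """\
+ CMF_REALM=EXAMPLE.NET
+ PRINC=hdfs/hadoop-data04.example.net@EXAMPLE.NET
+ RENEW_ARG='-maxrenewlife "432000 sec"'
+ kadmin -k -t /var/run/cloudera-scm-server/cmf5911913375869248594.keytab -p cloudera-scm@EXAMPLE.NET -r EXAMPLE.NET -q 'addprinc -maxrenewlife "432000 sec" -randkey hdfs/hadoop-data04.example.net@EXAMPLE.NET'
kadmin: Database error! Required KADM5 principal missing while initializing kadmin interface
"""

MIT_CLIENTS = {"kadmin", "kadmin.local"}  # MIT Kerberos admin clients
ASSIGNMENT = re.compile(r"([A-Z_][A-Z0-9_]*)=(.*)", re.S)


def triage(trace, expected_kdc):
    """Summarise a credential-generation trace (hypothetical helper).

    expected_kdc is the KDC the operator actually runs ("MIT" or
    "Active Directory"); the result flags a trace that used an MIT client
    against an Active Directory KDC.
    """
    variables, commands, errors = {}, [], []
    for raw in trace.splitlines():
        line = raw.strip()
        if line.startswith("+ "):              # bash xtrace line
            try:
                words = shlex.split(line[2:])
            except ValueError:                 # unbalanced quotes: skip
                continue
            if not words:
                continue
            match = ASSIGNMENT.fullmatch(words[0]) if len(words) == 1 else None
            if match:                          # e.g. PRINC=hdfs/...@REALM
                variables[match.group(1)] = match.group(2)
            else:
                commands.append(words[0])      # name of the command that ran
        elif line.split(":", 1)[0] in MIT_CLIENTS:
            errors.append(line)                # e.g. "kadmin: Database error! ..."
    used_mit = any(cmd in MIT_CLIENTS for cmd in commands)
    return {
        "realm": variables.get("CMF_REALM"),
        "principal": variables.get("PRINC"),
        "mit_client_used": used_mit,
        "errors": errors,
        "kdc_type_mismatch": used_mit and expected_kdc == "Active Directory",
    }
```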