Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

Move Cloudera Management Services to another host in Kerberized cluster

Labels:
avatar
author-rank ivten
Contributor

Created on ‎10-06-2017 07:45 AM - edited ‎10-06-2017 07:48 AM

Hi,

 

I'm trying to move the Cloudera Management Services to another host following those steps: https://www.cloudera.com/documentation/enterprise/5-6-x/topics/cm_ag_restore_server.html

 

It all works fine until the point in which I have to start the new services (Activty Monitor, Host Manger, etc). 

When I try to start them they fail saying:

 

Command failed to run because this role has invalid configuration. Review and correct its configuration. First error: Role is missing Kerberos keytab. Go to the Kerberos Credentials page and click the Generate Missing Credentials button.

 

Then when I go to "Security", "Kerberos credentials" and click on "Generate Missing Credentials" I get 

/usr/share/cmf/bin/gen_credentials.sh failed with exit code 1 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ CMF_REALM=EXAMPLE.NET
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf3146936050096402809.keytab
+ PRINC=hdfs/hadoop-data04.example.net@EXAMPLE.NET
+ MAX_RENEW_LIFE=432000
+ KADMIN='kadmin -k -t /var/run/cloudera-scm-server/cmf5911913375869248594.keytab -p cloudera-scm@EXAMPLE.NET -r EXAMPLE.NET'
+ RENEW_ARG=
+ '[' 432000 -gt 0 ']'
+ RENEW_ARG='-maxrenewlife "432000 sec"'
+ '[' -z /etc/krb5.conf ']'
+ echo 'Using custom config path '\''/etc/krb5.conf'\'', contents below:'
+ cat /etc/krb5.conf
+ kadmin -k -t /var/run/cloudera-scm-server/cmf5911913375869248594.keytab -p cloudera-scm@EXAMPLE.NET -r EXAMPLE.NET -q 'addprinc -maxrenewlife "432000 sec" -randkey hdfs/hadoop-data04.example.net@EXAMPLE.NET'
kadmin: Database error! Required KADM5 principal missing while initializing kadmin interface

>>

 This is where I get stuck

 

I already clicked on the "Import Kerberos Account Manager Credentials" button and imported the credentials so that the cloudera-scm user can access the AD and recreate kerberos principals.

 

Maybe there is a extra step when moving CM to another host if the cluster is using kerberos?

4,228 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank ivten
Contributor

Created on ‎10-09-2017 02:47 AM - edited ‎10-09-2017 02:49 AM

hide-solution

This problem has been solved!

Want to get a detailed solution you have to login/registered on the community

Register/Login
4,191 Views
0 Kudos
2 REPLIES 2

avatar
author-rank bgooley author-rank
Master Guru

Created ‎10-06-2017 03:52 PM

@ivten,

 

The error you are getting is regarding "kadmin" which is an MIT Kerberos client command for the MIT KDC.

However, you mention "cloudera-scm user can access the AD and recreate kerberos principals."

 

If you are using Active Directory for a KDC, that means that you seem to have a misconfiguration where your Kerberos KDC is set to "MIT"

 

In Cloudera Manager, go to "Administration --> Settings" and click "Kerberos" on the left under the CATEGORY section.

On the right, make sure you have "KDC Type" set to "Active Directory" if you are using Active Directory for your KDC.

Save your change and try importing credentials and generating missing credentials.

 

 

4,207 Views
0 Kudos

avatar
author-rank ivten
Contributor

Created on ‎10-09-2017 02:47 AM - edited ‎10-09-2017 02:49 AM

hide-solution

This problem has been solved!

Want to get a detailed solution you have to login/registered on the community

Register/Login
4,192 Views
0 Kudos
webinar banner
Announcements
Community Announcements
CommunityOverCode Asia 2024 will be held in Hangzhou from Ju...
What's New @ Cloudera
Apache Flink is Now Generally Available in the Cloudera Stre...
Product Announcements
[ANNOUNCE] Cloudera Data Services 1.5.4 on Private Cloud Rel...
What's New @ Cloudera
Run your Apache NiFi and Apache Kafka workloads on Kubernete...
What's New @ Cloudera
Cloudera DataFlow now powers GenAI pipelines and supports ch...
View More Announcements
meetups banner