Created 01-23-2017 03:41 PM
I'm trying to enable Kerberos on my Cloudera 5.8 cluster and ran into the following "insufficient access" error while going through the wizard.
/usr/share/cmf/bin/gen_credentials_ad.sh failed with exit code 50 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf5990940897847273712.keytab
+ PRINC=yarn/engrlab-130-080.engrlab.marklogic.com@MLTEST1.LOCAL
+ USER=xPAaqNlHqq
+ PASSWD=REDACTED
+ DELETE_ON_REGENERATE=false
+ SET_ENCRYPTION_TYPES=false
+ ENC_TYPES_MASK=4
+ USERACCOUNTCONTROL=66048
+ ACCOUNTEXPIRES=0
+ OBJECTCLASSES='objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user '
+ DIST_NAME=CN=xPAaqNlHqq,CN=hadoop,OU=Groups,DC=MLTEST1,DC=LOCAL
+ '[' -z /var/run/cloudera-scm-server/krb51250421695602393571.conf ']'
+ echo 'Using custom config path '\''/var/run/cloudera-scm-server/krb51250421695602393571.conf'\'', contents below:'
+ cat /var/run/cloudera-scm-server/krb51250421695602393571.conf
+ SIMPLE_PWD_STR=
+ '[' '' = '' ']'
+ kinit -k -t /var/run/cloudera-scm-server/cmf8263942222058960810.keytab jsolis@MLTEST1.LOCAL
++ mktemp /tmp/cm_ldap.XXXXXXXX
+ LDAP_CONF=/tmp/cm_ldap.DCb5BvSw
+ echo 'TLS_REQCERT never'
+ echo 'sasl_secprops minssf=0,maxssf=0'
+ export LDAPCONF=/tmp/cm_ldap.DCb5BvSw
+ LDAPCONF=/tmp/cm_ldap.DCb5BvSw
++ ldapsearch -LLL -H ldaps://srv-202-1-vm1.colo.marklogic.com:636 -b CN=hadoop,OU=Groups,DC=MLTEST1,DC=LOCAL userPrincipalName=yarn/engrlab-130-080.engrlab.marklogic.com@MLTEST1.LOCAL
SASL/GSSAPI authentication started
SASL username: jsolis@MLTEST1.LOCAL
SASL SSF: 0
+ PRINC_SEARCH=
+ set +e
+ echo
+ grep -q userPrincipalName
+ '[' 1 -eq 0 ']'
+ set -e
+ '[' false = true ']'
+ ldapmodify -H ldaps://srv-202-1-vm1.colo.marklogic.com:636
++ echo 'objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user '
++ sed /str/d
++ echo yarn/engrlab-130-080.engrlab.marklogic.com@MLTEST1.LOCAL
++ sed -e 's/\@MLTEST1.LOCAL//g'
++ echo -n '"REDACTED"'
++ iconv -f UTF8 -t UTF16LE
++ base64 -w 0
SASL/GSSAPI authentication started
SASL username: jsolis@MLTEST1.LOCAL
SASL SSF: 0
ldap_add: Insufficient access (50)
additional info: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
>>
If I go to Administration->Security->Status I get:
Cluster 1 | Successfully enabled Kerberos. |
Which is not really true because my cluster cannot start up.
If I go to Cluster->HDFS->Configuration I see errors like this:
Any ideas how to resolve this?
Thanks.
Created 01-24-2017 11:00 AM
I remember this error from some days back when I was trying to set up a 12-node cluster. As for the solution, I disabled Kerberos for all services, ensured Kerberos was not enabled across the cluster (the Security page showed Kerberos disabled), and redid everything to enable Kerberos for the Hadoop services. It started working after this. You can try your luck.
Created 01-25-2017 10:00 AM
Thanks. I resolved the issue by giving full admin access to the user-id which I created on my LDAP server. That allowed my LDAP user to have all the privileges needed to create other permissions.
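
Added example, not part of the thread and not Cloudera's code: the trace in the question already names the bind account, the container the new account is created in, and the failing LDAP operation, which is what is needed to scope a delegation on the directory side. The function name `diagnose`, the report keys and the shortened sample trace are constructed for illustration; reading result 50 on an add as a missing create right on the parent container is an interpretation of the LDAP result code.

```python
import re

# Constructed sample: a shortened copy of the trace quoted in the question.
SAMPLE_TRACE = """\
+ DIST_NAME=CN=xPAaqNlHqq,CN=hadoop,OU=Groups,DC=MLTEST1,DC=LOCAL
+ kinit -k -t /var/run/cloudera-scm-server/cmf8263942222058960810.keytab jsolis@MLTEST1.LOCAL
+ echo 'TLS_REQCERT never'
+ ldapmodify -H ldaps://srv-202-1-vm1.colo.marklogic.com:636
SASL username: jsolis@MLTEST1.LOCAL
SASL SSF: 0
ldap_add: Insufficient access (50)
additional info: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
"""


def _first(pattern, text):
    """Return the groups of the first match, or None when absent."""
    m = re.search(pattern, text)
    return m.groups() if m else None


def diagnose(trace):
    """Summarise who bound, which LDAP operation failed, and where.

    Searches the whole text instead of splitting lines, so it also works
    on a trace flattened onto one line. Assumes DNs contain no spaces.
    """
    dn = _first(r"DIST_NAME=(\S+)", trace)
    bind = _first(r"kinit\b.*?\s(\S+@\S+)", trace)
    result = _first(r"ldap_(\w+): ([^()\n]+?) \((\d+)\)", trace)
    problem = _first(r"problem (\d+) \((\w+)\)", trace)
    # Parent container = DN minus its first RDN (split on an unescaped comma).
    parts = re.split(r"(?<!\\),", dn[0], maxsplit=1) if dn else []
    report = {
        "bind_principal": bind[0] if bind else None,
        "new_entry_dn": dn[0] if dn else None,
        "parent_container": parts[1] if len(parts) == 2 else None,
        "operation": result[0] if result else None,
        "result_code": int(result[2]) if result else None,
        "ad_problem": problem[1] if problem else None,
        # 'TLS_REQCERT never' in ldap.conf turns off server certificate checks.
        "tls_cert_check_disabled": "TLS_REQCERT never" in trace,
    }
    # LDAP result 50 on an add: the bound identity may not create the entry there.
    failed_add = report["operation"] == "add" and report["result_code"] == 50
    report["missing_right"] = (
        "create user objects in " + str(report["parent_container"]) if failed_add else None)
    return report
```

For the trace above, the report points at `jsolis@MLTEST1.LOCAL` and the `CN=hadoop,OU=Groups,DC=MLTEST1,DC=LOCAL` container, and flags that the generated LDAP client config disables certificate checking.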