Created on 08-22-2017 01:40 PM - edited 09-16-2022 05:07 AM
The sandbox services are working fine after the Kerberos setup. I am able to obtain tickets on the VM. The problem is currently with obtaining a ticket on the local Mac to authenticate to the various UIs. I am using a headless keytab to obtain a ticket on the local Mac.
Error while obtaining a ticket on the local Mac:
HW:Downloads nbalaji-elangovan$ env KRB5_TRACE=/dev/stdout kinit -kt /Users/nbalaji-elangovan/Downloads/storm.headless.keytab storm-sandbox@EXAMPLE.COM
2017-08-22T09:29:28 set-error: -1765328242: Reached end of credential caches
2017-08-22T09:29:28 set-error: -1765328243: Principal storm-sandbox@EXAMPLE.COM not found in any credential cache
2017-08-22T09:29:28 set-error: -1765328234: Encryption type des-cbc-md5-deprecated not supported
2017-08-22T09:29:28 Adding PA mech: ENCRYPTED_CHALLENGE
2017-08-22T09:29:28 Adding PA mech: ENCRYPTED_TIMESTAMP
2017-08-22T09:29:28 krb5_get_init_creds: loop 1
2017-08-22T09:29:28 KDC sent 0 patypes
2017-08-22T09:29:28 fast disabled, not doing any fast wrapping
2017-08-22T09:29:28 Trying to find service kdc for realm EXAMPLE.COM flags 0
2017-08-22T09:29:28 configuration file for realm EXAMPLE.COM found
2017-08-22T09:29:28 submissing new requests to new host
2017-08-22T09:29:28 connecting to host: udp ::1:kerberos (sandbox-hdf.hortonworks.com) tid: 00000001
2017-08-22T09:29:28 Queuing host in future (in 3s), its the 2 address on the same name: udp 127.0.0.1:kerberos (sandbox-hdf.hortonworks.com) tid: 00000002
2017-08-22T09:29:28 writing packet: udp ::1:kerberos (sandbox-hdf.hortonworks.com) tid: 00000001
2017-08-22T09:29:28 reading packet: udp ::1:kerberos (sandbox-hdf.hortonworks.com) tid: 00000001
2017-08-22T09:29:28 host completed: udp ::1:kerberos (sandbox-hdf.hortonworks.com) tid: 00000001
2017-08-22T09:29:28 set-error: -1765328378: Client unknown
2017-08-22T09:29:28 krb5_sendto_context EXAMPLE.COM done: 0 hosts 1 packets 1 wc: 0.067794 nr: 0.001019 kh: 0.000823 tid: 00000002
2017-08-22T09:29:28 krb5_get_init_creds: loop 2
2017-08-22T09:29:28 krb5_get_init_creds: processing input
2017-08-22T09:29:28 krb5_get_init_creds: got an KRB-ERROR from KDC
2017-08-22T09:29:28 set-error: -1765328378: Client (storm-sandbox@EXAMPLE.COM) unknown
2017-08-22T09:29:28 krb5_get_init_creds: KRB-ERROR -1765328378/Client (storm-sandbox@EXAMPLE.COM) unknown
kinit: krb5_get_init_creds: Client (storm-sandbox@EXAMPLE.COM) unknown
krb5.conf on the local Mac:
HW:Downloads nbalaji-elangovan$ cat /etc/krb5.conf
[libdefaults]
  renew_lifetime = 7d
  forwardable = true
  default_realm = EXAMPLE.COM
  ticket_lifetime = 24h
  dns_lookup_realm = false
  dns_lookup_kdc = false
  default_ccache_name = /tmp/krb5cc_%{uid}
  #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
  #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5

[logging]
  default = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  kdc = FILE:/var/log/krb5kdc.log

[realms]
  EXAMPLE.COM = {
    admin_server = sandbox-hdf.hortonworks.com
    kdc = sandbox-hdf.hortonworks.com
  }
/etc/hosts file on the local Mac:
HW:Downloads nbalaji-elangovan$ cat /etc/hosts
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1       localhost
#127.0.0.1      sandbox.hortonworks.com
255.255.255.255 broadcasthost
::1             localhost
127.0.0.1       localhost sandbox-hdf.hortonworks.com
#172.17.0.2     sandbox-hdf.hortonworks.com
## vagrant-hostmanager-start id: e133f37a-cb74-4747-9f85-151944869ced
#192.168.66.121 node1
## vagrant-hostmanager-end
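As an added example that is not part of this thread, here is a small Python helper (its name and output format are my own) that reads the KRB5_TRACE output quoted above and separates the errors logged before any packet was read from a KDC from those logged after one, so a transport problem (nothing answering on 88/udp) can be told apart from an answer the KDC itself returned. The sample input is a constructed, condensed copy of the trace in the question.

```python
import re

# Constructed sample input: a condensed copy, in original order, of the KRB5_TRACE
# output quoted in the question above (repeated timing/negotiation lines dropped).
SAMPLE_TRACE = """\
2017-08-22T09:29:28 set-error: -1765328242: Reached end of credential caches
2017-08-22T09:29:28 set-error: -1765328243: Principal storm-sandbox@EXAMPLE.COM not found in any credential cache
2017-08-22T09:29:28 set-error: -1765328234: Encryption type des-cbc-md5-deprecated not supported
2017-08-22T09:29:28 connecting to host: udp ::1:kerberos (sandbox-hdf.hortonworks.com) tid: 00000001
2017-08-22T09:29:28 writing packet: udp ::1:kerberos (sandbox-hdf.hortonworks.com) tid: 00000001
2017-08-22T09:29:28 reading packet: udp ::1:kerberos (sandbox-hdf.hortonworks.com) tid: 00000001
2017-08-22T09:29:28 host completed: udp ::1:kerberos (sandbox-hdf.hortonworks.com) tid: 00000001
2017-08-22T09:29:28 set-error: -1765328378: Client unknown
2017-08-22T09:29:28 krb5_get_init_creds: got an KRB-ERROR from KDC
2017-08-22T09:29:28 set-error: -1765328378: Client (storm-sandbox@EXAMPLE.COM) unknown
"""
ERR_RE = re.compile(r"set-error: (-?\d+): (.+)$")
PKT_RE = re.compile(r"(connecting to host|writing packet|reading packet): (udp|tcp) (\S+):kerberos \((\S+)\)")

def diagnose(trace):
    """Classify a Heimdal KRB5_TRACE log (helper name is ours): errors logged before
    any KDC packet was read are local; later ones are the KDC's answer to the AS-REQ."""
    local_errors, kdc_errors, endpoints = [], [], []
    kdc_replied = False
    for line in trace.splitlines():
        m = PKT_RE.search(line)
        if m:
            event, proto, addr, name = m.groups()
            endpoints.append(f"{proto} {addr} ({name})")
            if event == "reading packet":
                kdc_replied = True  # something at this endpoint actually answered
        m = ERR_RE.search(line)
        if m:
            (kdc_errors if kdc_replied else local_errors).append((int(m.group(1)), m.group(2)))
    if kdc_errors:
        code, text = kdc_errors[-1]
        verdict = "kdc_error"
        detail = f"KDC at {endpoints[-1]} answered '{text}' ({code}); path works, check that KDC's database"
    elif not kdc_replied:
        verdict = "no_kdc_reply"
        detail = "no reply from any endpoint; check hosts entry, krb5.conf kdc= and 88/udp forwarding"
    else:
        verdict, detail = "unclear", "KDC replied without an error line; read the trace by hand"
    return {"local_errors": local_errors, "kdc_errors": kdc_errors,
            "endpoints": sorted(set(endpoints)), "verdict": verdict, "detail": detail}

if __name__ == "__main__":
    r = diagnose(SAMPLE_TRACE)
    print(r["verdict"], "-", r["detail"])
```

Run it against the real output of `env KRB5_TRACE=/dev/stdout kinit ...` saved to a file; the local error list also surfaces keytab enctype problems such as the des-cbc-md5 line above, which is worth checking separately.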
Created 08-22-2017 02:58 PM
Can you please check whether ports 88 and 749 are able to listen? It looks like your routing rules (for VirtualBox) or hosts entries (for Mac) need some correction.
Created 08-22-2017 11:11 PM
krb5kdc requires port 88 only, and it is open. I don't do kadmin stuff, so I didn't check on 749. It looks like a network problem between local and VM to me as well.
Created 08-22-2017 09:18 PM
That's very NORMAL: your MacBook is not part of the cluster.
Did you install a Kerberos client, and do you have a krb5.conf file on your MacBook in /etc?
Did you create a (MacBook) host principal on the KDC server and generate a keytab?
Please revert!
Created 08-22-2017 11:14 PM
I have tested my Mac laptop in kerberized client clusters, so it is not the Kerberos client on the local Mac. krb5.conf is copied from the KDC server. I copied the storm headless keytab from the sandbox to my local machine.
Created 10-10-2018 06:20 PM
Hi, were you able to find out the issue?
Created 10-12-2018 02:44 PM
This is complex.
I believe your problem is that you need to forward the traffic to/from the KDC to your Mac. You can do this by SSH tunnelling.
That alone is not enough, though, since SSH port forwarding is only fit for TCP traffic and KDC traffic is UDP.