Unable to configure kerberos using Cloudera Manager

Explorer

Unable to configure the kerberos from the Cloudera Manager

 

I have installed the packages as below:

# yum install krb5-libs krb5-server krb5-workstation -y

Here Kerberos got installed and I modified /etc/krb5.conf accordingly, started both services (krb5kdc, kadmin), created the KDC DB, created the admin principal, granted the access as admin in kadm.acl, and verified; it went well without any issue, as below:

 

[root@cm krb5kdc]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin/admin@HADOOP.COM

Valid starting Expires Service principal
03/24/2018 10:29:34 03/25/2018 10:29:34 krbtgt/HADOOP.COM@HADOOP.COM
[root@cm krb5kdc]#

 

But while enabling Kerberos from Cloudera Manager, after the next clicks I am getting the error message attached below. Can you please help with this?

Also, I have seen in the krb5kdc.log file on the KDC server a "server not found" message, as attached below.

Kindly help me here.

 

Thanks

Balaji Vemula

6 REPLIES

Contributor

Please refresh it or start from the beginning. Even I got it once, but after I opened it again after closing all windows, it worked fine.

Also, please let me know whether you are trying to configure Kerberos from SCM, or you have configured it manually, added the master principal, and are then just trying to enable Kerberos through Cloudera Manager.

From the 2nd error message, I guess you missed the KDC server in your configuration.

Explorer

I configured Kerberos manually as below and enabled Kerberos from CM:

$ yum install krb5-server krb5-libs krb5-workstation

Updated the krb5.conf with the below config:

[libdefaults]
default_realm = HADOOP.COM
[realms]
HADOOP.COM = {
  kdc = cm.hadoop.com
  admin_server = cm.hadoop.com
}
[domain_realm]
.hadoop.com = HADOOP.COM
hadoop.com = HADOOP.COM

Then the Kerberos libs and workstation packages were installed on all client machines, and I copied the krb5.conf file to all hosts.

Used kdb5_util create -s to create a KDC database and it went well.

Next step, created the principal:
kadmin.local -q "addprinc admin/admin" and it was created successfully.
Then granted the access in /var/kerberos/krb5kdc/ file and started both services, krb5kdc and kadmin.

Then I verified whether it's working or not using kinit:

kinit root/admin@HADOOP.COM and it got the TGT successfully.

Now I have logged into CM and from the administration option enabled Kerberos, and I am getting the error as in my first post.

Also, one more doubt: do we require to configure AD or LDAP before enabling Kerberos?

Thanks

Balaji

 

Contributor

Hi, no need to give AD or LDAP integration. This is just for enabling Kerberos for now.

Did you give the same encryption types used in your kdc.conf file also in the Cloudera Manager wizard for enabling Kerberos authentication?

Explorer

Thank you so much. The issue is, as you said, the encryption type; I added the default one and the issue got fixed.

Master Guru

@balajivsn,

 

The important error we see is that the "KDC has no support for encryption type..."

We see that the script output is attempting to use rc4-hmac, but the KDC you have does not contain a key with that encryption type for the user "admin/admin@HADOOP.COM".

In Cloudera Manager --> Settings --> Kerberos, in the "Kerberos Encryption Types" field, make sure you choose only those encryption types supported by your KDC.

To see what encryption types are supported by your MIT KDC, you can try looking at your kdc.conf. By default it is generally located in /var/kerberos/krb5kdc/.

For more information, see "https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/kdc_conf.html"

You can also log into your KDC and run "getprinc <principal>" to view the encryption types for that principal.

Once you have either created a key for that user with rc4-hmac or you have configured Cloudera Manager with the appropriate encryption types to align with what was created for your admin user, this should work.

 

Let us know if you hit any trouble or have questions.
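
The check described in the answer above (compare the key encryption types that getprinc lists for a principal with the types selected in Cloudera Manager), as an added shell example that is not part of the original thread. The getprinc output is a constructed sample, the function names are hypothetical, and the example goes slightly beyond the post by folding enctype aliases and a DEPRECATED: prefix that some MIT krb5 releases are assumed to print.

```shell
#!/bin/sh
# Constructed sample of `kadmin.local -q "getprinc admin/admin"` output.
SAMPLE_GETPRINC='Principal: admin/admin@HADOOP.COM
Number of keys: 2
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96, no salt
MKey: vno 1
Policy: [none]'

# Map MIT krb5 enctype aliases to one name so "rc4-hmac" (as selected in
# Cloudera Manager) matches "arcfour-hmac" (as printed by getprinc).
canon_enctype() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    name=${name#deprecated:}   # assumption: some releases prefix weak types
    case "$name" in
        rc4-hmac|arcfour-hmac|arcfour-hmac-md5) echo arcfour-hmac ;;
        aes256-cts|aes256-sha1) echo aes256-cts-hmac-sha1-96 ;;
        aes128-cts|aes128-sha1) echo aes128-cts-hmac-sha1-96 ;;
        *) echo "$name" ;;
    esac
}

# Read getprinc output on stdin, print the enctype of every "Key:" line.
principal_enctypes() {
    sed -n 's/^Key: vno [0-9]*, *\([^, ]*\).*/\1/p' |
    while read -r e; do canon_enctype "$e"; done | sort -u
}

# $1 = getprinc output, remaining args = enctypes chosen in Cloudera Manager.
# Prints the chosen types the principal has no key for; returns 1 if any.
missing_enctypes() {
    getprinc_out=$1; shift
    have=$(printf '%s\n' "$getprinc_out" | principal_enctypes)
    missing=""
    for want in "$@"; do
        c=$(canon_enctype "$want")
        printf '%s\n' "$have" | grep -qxF -- "$c" || missing="$missing $want"
    done
    printf '%s' "${missing# }"
    [ -z "$missing" ]
}

# The thread's situation: Cloudera Manager set to rc4-hmac, KDC keys are AES.
if ! lacking=$(missing_enctypes "$SAMPLE_GETPRINC" rc4-hmac); then
    echo "admin/admin has no key for: $lacking"
fi
```

On a real KDC, pass `"$(kadmin.local -q 'getprinc admin/admin')"` as the first argument instead of the sample. RFC 8429 deprecates rc4-hmac, so where the principal already holds AES keys, selecting those types in Cloudera Manager avoids adding a weak key.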

Explorer

Thank you!

 

Kerberos configured successfully.

But when I am trying to execute commands, I am not able to work with my cluster, as I am getting the below error. Please help.

 

 

[hdfs@cn1 ~]$ hdfs dfsadmin -safemode get
18/03/31 09:16:48 WARN security.UserGroupInformation: PriviledgedActionException as:hdfs (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
18/03/31 09:16:48 WARN ipc.Client: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
18/03/31 09:16:48 WARN security.UserGroupInformation: PriviledgedActionException as:hdfs (auth:KERBEROS) cause:java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
safemode: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "cn1.hadoop.com/192.168.56.121"; destination host is: "cn1.hadoop.com":8020;

 

 

 

 

 

 

Thanks

Balaji Vemula