Unable to configure the kerberos from the Cloudera Manager
I have installed the packages as below:
# yum install krb5-libs krb5-server krb5-workstation -y
Kerberos got installed and I modified /etc/krb5.conf accordingly, started both services (krb5kdc, kadmin), created the KDC DB, created the admin principal, and granted the access as admin in kadm.acl. I verified it and it went well without any issue, as below:
[root@cm krb5kdc]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin/admin@HADOOP.COM
Valid starting Expires Service principal
03/24/2018 10:29:34 03/25/2018 10:29:34 krbtgt/HADOOP.COM@HADOOP.COM
[root@cm krb5kdc]#
But while enabling Kerberos from Cloudera Manager, after clicking Next I am getting the error message attached below. Can you please help with this?
I have also seen a "server not found" entry in the krb5kdc.log file on the KDC server, attached below.
Kindly help me here.
Thanks
Balaji Vemula
Created 03-27-2018 08:48 AM
Hi, No need to give AD or LDAP integration. This is just for enabling the kerberos for now.
Did you give the same encryption types in the Cloudera Manager Enable Kerberos wizard as are used in your kdc.conf file?
Created 03-27-2018 08:49 AM
The important error we see is that the "KDC has no support for encryption type..."
We see that the script output is attempting to use rc4-hmac, but the KDC you have does not contain a key with that encryption type for the user "admin/admin@HADOOP.COM".
In Cloudera Manager --> Settings --> Kerberos "Kerberos Encryption Types" field, make sure you choose only those encryption types supported by your KDC.
To see what encryption types are supported by your MIT KDC, you can try looking at your kdc.conf. By default it is generally located in /var/kerberos/krb5kdc/.
For more information, see "https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/kdc_conf.html"
You can also log into your KDC and run "getprinc <principal>" to view the encryption types for that principal.
Once you have either created a key for that user with rc4-hmac or you have configured Cloudera Manager with the appropriate encryption types to align with what was created for your admin user, this should work.
Let us know if you hit any trouble or have questions.
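Added example (not part of the original thread and not Cloudera's or MIT's own tooling): a check that compares the encryption types entered in Cloudera Manager against the supported_enctypes line of kdc.conf and the keys listed by getprinc, folding aliases such as rc4-hmac and arcfour-hmac together. The sample inputs are constructed, and the getprinc parser assumes the short-name "Key: vno N, <enctype>" output form.

```python
import re
# Alias groups from the MIT kdc.conf "Encryption types" documentation.
_ALIASES = [
    ("aes256-cts-hmac-sha1-96", "aes256-cts", "aes256-sha1"),
    ("aes128-cts-hmac-sha1-96", "aes128-cts", "aes128-sha1"),
    ("arcfour-hmac", "rc4-hmac", "arcfour-hmac-md5"),
    ("des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd"),
]
_CANON = {name: group[0] for group in _ALIASES for name in group}

def canon(enctype):
    """Lower-case, drop any ':salt' suffix, and fold aliases to one name."""
    name = enctype.strip().lower().split(":")[0]
    return _CANON.get(name, name)

def kdc_supported(kdc_conf_text):
    """Enctypes listed on supported_enctypes lines of kdc.conf."""
    found = set()
    for line in kdc_conf_text.splitlines():
        m = re.match(r"\s*supported_enctypes\s*=\s*(.+)", line)
        if m:
            found.update(canon(t) for t in re.split(r"[,\s]+", m.group(1)) if t)
    return found

def principal_keys(getprinc_text):
    """Enctypes of a principal's keys; assumes 'Key: vno N, <enctype>' lines."""
    return {canon(m.group(1)) for m in
            re.finditer(r"^Key: vno \d+, ([^,\s]+)", getprinc_text, re.M)}

def check(cm_enctypes, kdc_conf_text, getprinc_text):
    """Return the CM enctypes that kdc.conf or the principal's keys lack."""
    wanted = {canon(e) for e in cm_enctypes}
    return {"not_in_kdc_conf": sorted(wanted - kdc_supported(kdc_conf_text)),
            "no_key_on_principal": sorted(wanted - principal_keys(getprinc_text))}

# Constructed sample inputs (not taken from the thread).
SAMPLE_KDC_CONF = """[realms]
 HADOOP.COM = {
  supported_enctypes = aes256-cts:normal aes128-cts:normal
 }
"""
SAMPLE_GETPRINC = """Principal: admin/admin@HADOOP.COM
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
MKey: vno 1
"""

if __name__ == "__main__":
    print(check(["rc4-hmac"], SAMPLE_KDC_CONF, SAMPLE_GETPRINC))
```

Two empty lists mean every type entered in Cloudera Manager is both allowed by kdc.conf and present as a key on the principal.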
Created on 03-26-2018 12:18 AM - edited 03-26-2018 12:21 AM
Please refresh it or start from the beginning. I got this once too, but after I closed all windows and opened it again, it worked fine.
Also, please let me know whether you are trying to configure Kerberos from SCM, or you have configured it manually, added the master principal, and are then just trying to enable Kerberos through Cloudera Manager.
From the 2nd error message, I guess you missed the KDC server in your configuration.
Created 03-27-2018 06:14 AM
I configured Kerberos manually as below and enabled Kerberos from CM:
$ yum install krb5-server krb5-libs krb5-workstation
Updated the krb5.conf with the config below:
default_realm = HADOOP.COM
[realms]
HADOOP.COM = {
kdc = cm.hadoop.com
admin_server = cm.hadoop.com
}
[domain_realm]
.hadoop.com = HADOOP.COM
hadoop.com = HADOOP.COM
Then the Kerberos libs and workstation packages were installed on all client machines, and I copied the krb5.conf file to all hosts.
Used kdb5_util create -s to create a KDC database and it went well.
As the next step I created the principal:
kadmin.local -q "addprinc admin/admin" and it was created successfully.
Then I granted the access in the /var/kerberos/krb5kdc/ file and started both services, krb5kdc and kadmin.
Then I verified whether it is working or not using kinit:
kinit root/admin@HADOOP.COM and it got the TGT successfully.
Now I have logged into CM and enabled Kerberos from the Administration option, and I am getting the error from my first post.
One more doubt: do we need to configure AD or LDAP before enabling Kerberos?
Thanks
Balaji
Created 03-29-2018 06:18 AM
Thank you so much. The issue was the encryption type, as you said; I added the default one and the issue got fixed.
Created on 03-31-2018 09:40 PM - edited 03-31-2018 09:41 PM
Thank you!
Kerberos configured successfully,
but when I try to execute commands I am not able to work with my cluster, as I am getting the error below. Please help.
[hdfs@cn1 ~]$ hdfs dfsadmin -safemode get
18/03/31 09:16:48 WARN security.UserGroupInformation: PriviledgedActionException as:hdfs (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
18/03/31 09:16:48 WARN ipc.Client: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
18/03/31 09:16:48 WARN security.UserGroupInformation: PriviledgedActionException as:hdfs (auth:KERBEROS) cause:java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
safemode: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "cn1.hadoop.com/192.168.56.121"; destination host is: "cn1.hadoop.com":8020;
Thanks
Balaji Vemula