Unable to create Kerberos Credentials with Cloudera Custom Retrieval Script

Hello Community,


We just migrated our Hadoop nodes to Red Hat Identity Management (RHIM) recently. Now we want to enable Kerberos on our CDH 5.5 with Red Hat IPA by using a Cloudera custom script to create all principals and distribute keytabs accordingly. The script is located in /etc/cloudera-scm-server on the CM host and is owned by the cloudera-scm user. Here is the error log message:


2016-11-17 11:29:51,736 ERROR unable to create credential for role 68 due to:/etc/cloudera-scm-server/ failed with exit code 1 and output of <<

SASL Bind failed Can't contact LDAP server (-1) !



What are we missing on OS and CDH configuration point of view?









Hello Silaphet,


Could you please share with us the ldapsearch command that you are using in your script? Please try using the fully qualified server name and '-Y GSSAPI' with ldapsearch.



Hi Gabor,


We made a typo in the custom script. We were able to get all principals created in RHIM. Now the new issue is that we can't start CDH because we can't locate the KDC. Currently, all DNS lookups are disabled.

Here is example of zookeeper.




Nov 21, 1:07:37.468 PM ERROR org.apache.zookeeper.server.quorum.QuorumPeerMain

Unexpected exception, exiting abnormally Could not configure server because SASL configuration did not allow the ZooKeeper server to authenticate itself properly: Cannot locate KDC

at org.apache.zookeeper.server.ServerCnxnFactory.configureSaslLogin(

at org.apache.zookeeper.server.NIOServerCnxnFactory.configure(

at org.apache.zookeeper.server.quorum.QuorumPeerMain.runFromConfig(

at org.apache.zookeeper.server.quorum.QuorumPeerMain.initializeAndRun(

at org.apache.zookeeper.server.quorum.QuorumPeerMain.main(


Do you happen to have any suggestions where to check?








Please check the Kerberos configuration files.


Example /etc/krb5.conf:


[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.COM = {
  kdc =
  admin_server =
  default_domain =
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM


Example KDC configuration file /var/kerberos/krb5kdc/kdc.conf


[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 EXAMPLE.COM = {
  max_renewable_life = 7d 0h 0m 0s
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
  default_principal_flags = +renewable
 }
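A way to check a krb5.conf of the shape shown above before restarting services, as an added example that is not part of the thread and not Cloudera's or Red Hat's code. With dns_lookup_kdc = false the MIT library has no way to find a KDC other than the kdc lines in the [realms] block for default_realm, so an empty or missing kdc value is exactly what surfaces as "Cannot locate KDC" in the ZooKeeper trace above. The parser handles both krb5.conf and kdc.conf syntax, reports that condition plus a missing [domain_realm] mapping, and flags deprecated enctypes (single DES per RFC 6649, 3DES and RC4 per RFC 8429) of the kind listed in the kdc.conf above. Both sample configs are constructed for the example; ipa1.example.com is a placeholder hostname, not one from the thread.

```python
"""Added example (not from the thread): static checks on MIT Kerberos config text."""
import re

# Single DES is retired by RFC 6649; 3DES and RC4 are deprecated by RFC 8429.
_WEAK_ENCTYPES = ("des-cbc-crc", "des-cbc-md5", "des-hmac-sha1", "des3-hmac-sha1", "arcfour-hmac")

def parse_krb5_conf(text):
    """krb5.conf/kdc.conf text -> {section: {key: value}}; 'REALM = { ... }'
    blocks nest as dicts, and a key repeated in one block becomes a list."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[([^\]]+)\]$", line)
        if m:
            stack = [conf.setdefault(m.group(1).strip(), {})]
            continue
        if not stack:
            raise ValueError("key before any [section]: %r" % raw)
        if line == "}":
            stack = stack[:max(1, len(stack) - 1)]  # close a nested block
            continue
        m = re.match(r"^([^=]+?)\s*=\s*(.*)$", line)
        if not m:
            continue  # tolerate a malformed line rather than abort the check
        key, value = m.group(1).strip(), m.group(2).strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        elif key in stack[-1]:
            stack[-1][key] = _as_list(stack[-1][key]) + [value]
        else:
            stack[-1][key] = value
    return conf

def _as_list(v):
    return [] if v is None else (v if isinstance(v, list) else [v])

def check_kdc_reachability_config(conf):
    """Return findings; [] means a KDC for default_realm is named without DNS."""
    lib = conf.get("libdefaults", {})
    realm = lib.get("default_realm", "")
    if not realm:
        return ["libdefaults: default_realm is not set"]
    findings = []
    # MIT defaults dns_lookup_kdc to true; once it is false, [realms] is the only source.
    use_dns = lib.get("dns_lookup_kdc", "true").lower() in ("true", "yes", "1")
    realm_cfg = conf.get("realms", {}).get(realm)
    realm_cfg = realm_cfg if isinstance(realm_cfg, dict) else {}
    kdcs = [k for k in _as_list(realm_cfg.get("kdc")) if k]  # an empty 'kdc =' is dropped
    if not kdcs and not use_dns:
        findings.append("realms: no non-empty kdc entry for %s while dns_lookup_kdc = "
                        "false, so clients fail with 'Cannot locate KDC'" % realm)
    if not any(v == realm for v in conf.get("domain_realm", {}).values()):
        findings.append("domain_realm: nothing maps to %s; hosts fall back to default_realm, "
                        "so a second realm will need explicit mappings" % realm)
    return findings

def check_enctypes(conf):
    """Flag deprecated enctypes in any *_enctypes key of [libdefaults] or of a
    [realms] block (the latter covers kdc.conf's supported_enctypes)."""
    findings = []
    scopes = [("libdefaults", conf.get("libdefaults", {}))]
    scopes += [("realms/" + r, c) for r, c in conf.get("realms", {}).items() if isinstance(c, dict)]
    for where, mapping in scopes:
        for key, val in mapping.items():
            if key.endswith("_enctypes"):
                for tok in " ".join(_as_list(val)).split():
                    name = tok.split(":")[0]  # kdc.conf appends a ':normal' salt type
                    if name in _WEAK_ENCTYPES:
                        findings.append("%s: %s lists deprecated enctype %s" % (where, key, name))
    return findings

# Constructed samples. BROKEN_CONF has the shape posted above: DNS lookups
# off but no KDC named. FIXED_CONF names one; ipa1.example.com is a placeholder.
BROKEN_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_kdc = false
 default_tgs_enctypes = aes256-cts des3-hmac-sha1 arcfour-hmac des-cbc-crc
[realms]
 EXAMPLE.COM = {
  kdc =
 }
"""
FIXED_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_kdc = false
[realms]
 EXAMPLE.COM = {
  kdc = ipa1.example.com:88
 }
[domain_realm]
 .example.com = EXAMPLE.COM
"""
```

Run check_kdc_reachability_config and check_enctypes over parse_krb5_conf(open("/etc/krb5.conf").read()) on each node; an empty list from both means the client side can name a KDC without DNS and lists only current enctypes. The check is static: it says nothing about whether the named KDC is actually reachable on port 88, which a kinit against a service keytab would confirm.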





After correcting a few parameters in the configuration files, we were able to address the issue.


Another quick question: is there any step-by-step information available on disabling Kerberos? We want to remove MIT Kerberos and then enable it with Red Hat IPA.







Sorry for the delayed response. Currently, Kerberos is using the CLOUDERA realm and all services are using principals from the local KDC. The goal is to generate new principals from IPA and have all services use the new principals. We also want to replace the current realm with the new realm from IPA.


What is the correct step-by-step process for this migration work?