Unable to create Kerberos Credentials with Cloudera Custom Retrieval Script


Hello Community,

We just migrated our Hadoop nodes to Redhat Identity Management (RHIM) recently. Now, we want to enable Kerberos on our CDH5.5 with Redhat IPA by using the Cloudera custom script to create all principals and distribute keytabs accordingly. The script is located in /etc/cloudera-scm-server on the CM host and is owned by the cloudera-scm user. Here is the error log message:

=======

2016-11-17 11:29:51,736 ERROR GenerateCredentials-0:com.cloudera.cmf.security.GenerateCredentialsCommand: unable to create credential for role 68 due to:/etc/cloudera-scm-server/gen_credentials_ipa.sh failed with exit code 1 and output of <<

SASL Bind failed Can't contact LDAP server (-1) !

======

 

What are we missing on OS and CDH configuration point of view?

 

Thanks,

Silaphet

Re: Unable to create Kerberos Credentials with Cloudera Custom Retrieval Script

Hello Silaphet,

Could you please share with us the ldapsearch command you are using in your script? Please try to use the fully qualified server name and '-Y GSSAPI' with ldapsearch.

Gabor

Re: Unable to create Kerberos Credentials with Cloudera Custom Retrieval Script

Hi Gabor,

We made a typo in the custom script. We were able to get all principals created in the RHIM. Now, the new issue is that we can't start CDH because we can't locate the KDC. Currently, all DNS lookups are disabled.

Here is an example from ZooKeeper.

 

 

 

Nov 21, 1:07:37.468 PMERRORorg.apache.zookeeper.server.quorum.QuorumPeerMain

Unexpected exception, exiting abnormally

java.io.IOException: Could not configure server because SASL configuration did not allow the  ZooKeeper server to authenticate itself properly: javax.security.auth.login.LoginException: Cannot locate KDC

at org.apache.zookeeper.server.ServerCnxnFactory.configureSaslLogin(ServerCnxnFactory.java:207)

at org.apache.zookeeper.server.NIOServerCnxnFactory.configure(NIOServerCnxnFactory.java:87)

at org.apache.zookeeper.server.quorum.QuorumPeerMain.runFromConfig(QuorumPeerMain.java:135)

at org.apache.zookeeper.server.quorum.QuorumPeerMain.initializeAndRun(QuorumPeerMain.java:116)

at org.apache.zookeeper.server.quorum.QuorumPeerMain.main(QuorumPeerMain.java:79)

 

Do you happen to have any suggestions on where to check?

Thanks,

Silaphet

Re: Unable to create Kerberos Credentials with Cloudera Custom Retrieval Script

Hello,

Please check the Kerberos configuration files.

Example /etc/krb5.conf:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
EXAMPLE.COM = {
kdc = kdc1.example.com:88
admin_server = kdc1.example.com:749
default_domain = example.com
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

 

Example KDC configuration file /var/kerberos/krb5kdc/kdc.conf

 

[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88

[realms]
EXAMPLE.COM = {
max_renewable_life = 7d 0h 0m 0s
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
default_principal_flags = +renewable
}

 

Gabor
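An added check, not part of this thread or of Cloudera's tooling, that parses a krb5.conf or kdc.conf-style file and flags the two things the example files above hinge on: a default realm with no explicit kdc entry while dns_lookup_kdc is false (the "Cannot locate KDC" symptom from the ZooKeeper log earlier in the thread), and weak enctypes such as DES and arcfour still listed in supported_enctypes. The sample configuration and the parser are constructed for this example and assume the MIT krb5 file layout shown in the reply.

```python
import re
# Constructed sample (not from the thread): dns_lookup_kdc is disabled
# but the realm block has no kdc line, one way to get "Cannot locate KDC".
SAMPLE_KRB5_CONF = """
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_kdc = false
[realms]
EXAMPLE.COM = {
admin_server = kdc1.example.com:749
supported_enctypes = aes256-cts:normal arcfour-hmac:normal
}
"""
WEAK_ENCTYPES = ("des-", "des3-", "arcfour-")

def parse_krb5_conf(text):
    """Parse krb5.conf/kdc.conf into {section: {key: [values]}}; a 'NAME = { ... }' block nests."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            block = None
        elif m := re.match(r"^\[(\w+)\]$", line):
            section, block = conf.setdefault(m.group(1), {}), None
        elif m := re.match(r"^(\S+)\s*=\s*\{$", line):
            block = section.setdefault(m.group(1), {})
        else:
            key, _, value = line.partition("=")
            target = block if block is not None else section
            target.setdefault(key.strip(), []).append(value.strip())
    return conf

def check_kdc_config(conf):
    """Report a default realm that cannot be located without DNS, and weak enctypes a realm advertises."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm", [None])[0]
    dns_kdc = libdefaults.get("dns_lookup_kdc", ["true"])[0].lower() == "true"
    realms = conf.get("realms", {})
    if realm not in realms:
        findings.append(f"default_realm {realm} has no [realms] entry")
    elif not dns_kdc and "kdc" not in realms[realm]:
        findings.append(f"dns_lookup_kdc is false but {realm} lists no kdc")
    for name, cfg in realms.items():
        for enc in " ".join(cfg.get("supported_enctypes", [])).split():
            if enc.startswith(WEAK_ENCTYPES):
                findings.append(f"{name}: weak enctype {enc}")
    return findings
```

Run `check_kdc_config(parse_krb5_conf(open("/etc/krb5.conf").read()))` on a host that fails with "Cannot locate KDC"; an empty list means the file itself is not the cause.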

Re: Unable to create Kerberos Credentials with Cloudera Custom Retrieval Script

Hi,

After correcting a few parameters in the configuration files, we were able to address the issue.

Another quick question: is there any step-by-step info available on disabling Kerberos? We wanted to remove MIT Kerberos and then enable it with Redhat IPA.

Thanks,

Silaphet

Re: Unable to create Kerberos Credentials with Cloudera Custom Retrieval Script

Re: Unable to create Kerberos Credentials with Cloudera Custom Retrieval Script

Hi,

Sorry for the delayed response. Currently, Kerberos is using the CLOUDERA realm and all services are using principals from the local KDC. The goal is to generate new principals from IPA and have all services use the new principals. Also, we want to replace the current realm with the new realm from IPA.

What is the correct step-by-step process for this migration work?

Thanks,

Silaphet