Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Unable to register Impalad: Caused by: KrbException: Identifier doesn't match expected value

avatar
author-rank Yasine
Explorer

Created ‎08-20-2023 11:36 AM

Hello,

 

We are facing issues regarding KDC,  on CDP HBase and Impalad wont start and here below the logs:

 

The Keytab file is generating kerberos ticket correctly  (using the command line kinit) and the service Keytabs have been regenerated several times but still the same issue.

 

This issue is blocking: Impala, HBase and Yarn Nodemanagers

 

Caused by: KrbException: Server not found in Kerberos database (7) - LOOKING_UP_SERVER
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:73)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:226)
at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:237)
at sun.security.krb5.internal.CredentialsUtil.serviceCredsSingle(CredentialsUtil.java:477)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:340)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:314)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:169)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:490)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:695)
... 36 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)

 

3,134 Views
0 Kudos
0
1 ACCEPTED SOLUTION

avatar
author-rank ChethanYM author-rank
Master Collaborator

Created ‎08-30-2023 06:03 AM

Hi,

 

The error message you provided, "Server not found in Kerberos database (7) - LOOKING_UP_SERVER," is indicating an issue with the Kerberos authentication process. This error usually occurs when the Kerberos client is unable to find the server's principal in the Kerberos database.

 

Below is the article to troubleshoot kerberos related issues:

https://community.cloudera.com/t5/Customer/Troubleshooting-Kerberos-Related-Issues-Common-Errors-and...

 

> Please check if Ensure that DNS is correctly configured for both the client and the server. The client should be able to resolve the hostname of the server to the correct IP address.

> Make sure the clocks of the client, server, and KDC are synchronized. Time differences beyond the tolerance set in Kerberos configuration can cause authentication failures.

> Ensure that the Key Distribution Center (KDC) is reachable and operational.

> Verify that the krb5.conf file on the client machine is correctly configured with the appropriate realms, KDCs, and other Kerberos settings.

 

 

Regards,

Chethan YM

 

View solution in original post

3,068 Views
0 Kudos
0
4 REPLIES 4

avatar
author-rank rki_ author-rank
Super Collaborator

Created ‎08-24-2023 04:57 AM

Did you make any changes at the KDC end prior to seeing this issue? Are there any other services hosted on this node that are working fine?

3,094 Views
0 Kudos

avatar
author-rank ChethanYM author-rank
Master Collaborator

Created ‎08-30-2023 06:03 AM

Hi,

 

The error message you provided, "Server not found in Kerberos database (7) - LOOKING_UP_SERVER," is indicating an issue with the Kerberos authentication process. This error usually occurs when the Kerberos client is unable to find the server's principal in the Kerberos database.

 

Below is the article to troubleshoot kerberos related issues:

https://community.cloudera.com/t5/Customer/Troubleshooting-Kerberos-Related-Issues-Common-Errors-and...

 

> Please check if Ensure that DNS is correctly configured for both the client and the server. The client should be able to resolve the hostname of the server to the correct IP address.

> Make sure the clocks of the client, server, and KDC are synchronized. Time differences beyond the tolerance set in Kerberos configuration can cause authentication failures.

> Ensure that the Key Distribution Center (KDC) is reachable and operational.

> Verify that the krb5.conf file on the client machine is correctly configured with the appropriate realms, KDCs, and other Kerberos settings.

 

 

Regards,

Chethan YM

 

3,069 Views
0 Kudos
0

avatar
author-rank Yasine
Explorer

Created ‎08-31-2023 09:10 AM

Hi Chethan

Well yes actually the issue was related to the DNS, actually the DNS was correctly configured and it was resolving the hostname but it seems that the reverse resolution was not working and it was blocking point.

When I declared the hostnames in the /etc/hosts it worked normally.

Regards

3,060 Views
0 Kudos

avatar
author-rank VidyaSargur author-rank
Community Manager

Created ‎08-31-2023 09:52 PM

@Yasine,  I'm happy to see you resolved your issue. Please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future.


Regards,

Vidya Sargur,
Community Manager

Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community:
3,054 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements