Support Questions

Find answers, ask questions, and share your expertise

Unable to register Impalad: Caused by: KrbException: Identifier doesn't match expected value

avatar
Explorer

Hello,

 

We are facing issues regarding KDC,  on CDP HBase and Impalad wont start and here below the logs:

 

The Keytab file is generating kerberos ticket correctly  (using the command line kinit) and the service Keytabs have been regenerated several times but still the same issue.

 

This issue is blocking: Impala, HBase and Yarn Nodemanagers

 

Caused by: KrbException: Server not found in Kerberos database (7) - LOOKING_UP_SERVER
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:73)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:226)
at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:237)
at sun.security.krb5.internal.CredentialsUtil.serviceCredsSingle(CredentialsUtil.java:477)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:340)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:314)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:169)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:490)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:695)
... 36 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)

 

1 ACCEPTED SOLUTION

avatar
Master Collaborator

Hi,

 

The error message you provided, "Server not found in Kerberos database (7) - LOOKING_UP_SERVER," is indicating an issue with the Kerberos authentication process. This error usually occurs when the Kerberos client is unable to find the server's principal in the Kerberos database.

 

Below is the article to troubleshoot kerberos related issues:

https://community.cloudera.com/t5/Customer/Troubleshooting-Kerberos-Related-Issues-Common-Errors-and...

 

> Please check if Ensure that DNS is correctly configured for both the client and the server. The client should be able to resolve the hostname of the server to the correct IP address.

> Make sure the clocks of the client, server, and KDC are synchronized. Time differences beyond the tolerance set in Kerberos configuration can cause authentication failures.

> Ensure that the Key Distribution Center (KDC) is reachable and operational.

> Verify that the krb5.conf file on the client machine is correctly configured with the appropriate realms, KDCs, and other Kerberos settings.

 

 

Regards,

Chethan YM

 

View solution in original post

4 REPLIES 4

avatar
Super Collaborator

Did you make any changes at the KDC end prior to seeing this issue? Are there any other services hosted on this node that are working fine?

avatar
Master Collaborator

Hi,

 

The error message you provided, "Server not found in Kerberos database (7) - LOOKING_UP_SERVER," is indicating an issue with the Kerberos authentication process. This error usually occurs when the Kerberos client is unable to find the server's principal in the Kerberos database.

 

Below is the article to troubleshoot kerberos related issues:

https://community.cloudera.com/t5/Customer/Troubleshooting-Kerberos-Related-Issues-Common-Errors-and...

 

> Please check if Ensure that DNS is correctly configured for both the client and the server. The client should be able to resolve the hostname of the server to the correct IP address.

> Make sure the clocks of the client, server, and KDC are synchronized. Time differences beyond the tolerance set in Kerberos configuration can cause authentication failures.

> Ensure that the Key Distribution Center (KDC) is reachable and operational.

> Verify that the krb5.conf file on the client machine is correctly configured with the appropriate realms, KDCs, and other Kerberos settings.

 

 

Regards,

Chethan YM

 

avatar
Explorer

Hi Chethan

Well yes actually the issue was related to the DNS, actually the DNS was correctly configured and it was resolving the hostname but it seems that the reverse resolution was not working and it was blocking point.

When I declared the hostnames in the /etc/hosts it worked normally.

Regards

avatar
Community Manager

@Yasine,  I'm happy to see you resolved your issue. Please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future.



Regards,

Vidya Sargur,
Community Manager


Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community: