Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

inital password for kerberos principals

Labels:
avatar
author-rank ramin
Explorer

Created ‎03-16-2018 03:46 PM

I used Cloudera Manager to enable kerberos. I verified that all the principals for all hosts are created in my Kerberos database and all the keytabs are distributed to all the nodes. But when I try to authenticate using any of the principals, like hdfs, hbase, etc.. I get this: 

 

$ kinit hdfs/hostname

Password for hdfs/hostname@REALM:

kinit: Password incorrect while getting initial credentials

 

I don't remember the CM wizard asking me for a password for all the principals. (It just asked for cloudera-scm/admin principal in Kerberos so that it can create new principals)

 

Does anyone know what the initial password is for the newly-created principals? Or do I have to go and change the passwords for all and redistribute the keytab to all nodes?

 

Thank you.

13,436 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank bgooley author-rank
Master Guru

Created ‎03-16-2018 08:28 PM

@ramin,

 

I'm happy to help.  The problem now is that your /etc/krb5.conf is using a cache that Java is not able to access.

If you look at your klist output you see:

 

Ticket cache: KEYRING:persistent:0:krb_ccache_KK2INr6

 

By default, recent linux OSes have the "keyring" type of cache defined in /etc/krb5.conf.

While MIT Kerberos's kinit command recognizes the cache type, Java does not.   So, when you run hdfs dfs -ls /, java cannot find any Ticket Granting Ticket and you get the error.

 

To solve this, edit your /etc/krb5.conf and comment out the line with "default_ccache_name" in it.  Add a pount sign in front of it.  For example:

#default_ccache_name = KEYRING:persistent:%{uid}

 

 

This will allow the "kinit" command to store the credentials cache in the default /tmp directory location using the "FILE" type of cache.  Java can access this as it uses the same default type.

 

 

View solution in original post

13,409 Views
8 REPLIES 8

avatar
author-rank bgooley author-rank
Master Guru

Created ‎03-16-2018 04:26 PM

Hi @ramin,

 

When your hadoop service credentials are created, the password is randomized so you are not supposed to know what it is.

If you would like, you can create a user in your KDC with a principal "hdfs@REALM" so you can create the password.

 

Alternatively, you can kinit via an hdfs keytab like this (assuming you are on a namenode host)

 

kinit -kt /var/run/cloudera-scm-agent/process/`ls -lrt /var/run/cloudera-scm-agent/process/ | awk '{print $9}' |grep NAMENODE| tail -1`/hdfs.keytab hdfs/hostname@REALM

 

The keytab contains the password so you do not need to know it.  That is why you need to be very careful to protect access to any keytabs you create.

 

All that said, it is advisable to try to create users who are not "hdfs" and then either  make them superusers or give them the necessary permission to do what they need to do.  That way, actions they take can be reviewed via audit more readily.

 

 

13,428 Views
0 Kudos

avatar
author-rank ramin
Explorer

Created ‎03-16-2018 08:09 PM

@bgooley, thank you for responding. I did what you suggested, but I am still unable to authenticate against HDFS. See below.

 

[root@datanode01 process]# kinit -kt 226-hdfs-DATANODE/hdfs.keytab hdfs/datanode01.domain.com@REALM

[root@datanode01 process]# klist

Ticket cache: KEYRING:persistent:0:krb_ccache_KK2INr6

Default principal: hdfs/datanode01.domain.com@REALM

 

Valid starting       Expires              Service principal

03/16/2018 22:55:09  03/17/2018 22:55:09  krbtgt/REALM@REALM

[root@datanode01 process]# hdfs dfs -ls /

18/03/16 22:55:22 WARN security.UserGroupInformation: PriviledgedActionException as:root (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]

18/03/16 22:55:22 WARN ipc.Client: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]

18/03/16 22:55:22 WARN security.UserGroupInformation: PriviledgedActionException as:root (auth:KERBEROS) cause:java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]

ls: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "datanode01.domain.com/10.0.0.5"; destination host is: "namenode01.domain.com":8020; 

Your help is greatly appreciated.

 

13,412 Views
0 Kudos

avatar
author-rank bgooley author-rank
Master Guru

Created ‎03-16-2018 08:28 PM

@ramin,

 

I'm happy to help.  The problem now is that your /etc/krb5.conf is using a cache that Java is not able to access.

If you look at your klist output you see:

 

Ticket cache: KEYRING:persistent:0:krb_ccache_KK2INr6

 

By default, recent linux OSes have the "keyring" type of cache defined in /etc/krb5.conf.

While MIT Kerberos's kinit command recognizes the cache type, Java does not.   So, when you run hdfs dfs -ls /, java cannot find any Ticket Granting Ticket and you get the error.

 

To solve this, edit your /etc/krb5.conf and comment out the line with "default_ccache_name" in it.  Add a pount sign in front of it.  For example:

#default_ccache_name = KEYRING:persistent:%{uid}

 

 

This will allow the "kinit" command to store the credentials cache in the default /tmp directory location using the "FILE" type of cache.  Java can access this as it uses the same default type.

 

 

13,410 Views

avatar
author-rank ramin
Explorer

Created ‎03-17-2018 07:40 AM

Thank you! That was indeed the problem. You rock!

13,382 Views
0 Kudos

avatar
author-rank sanjeev
New Contributor

Created ‎09-06-2018 11:51 PM

Hello Guys,

 

i facing same proble too. I am able to list down the file from hdfs

 

[s_hadoop@inggnvcdera1 ~]$ hadoop fs -ls /
Found 5 items
drwxr-xr-x   - hdfs  supergroup          0 2018-08-20 13:40 /externaltableslocation
drwx------   - hbase hbase               0 2018-09-05 14:54 /hbase
drwxrwxr-x   - solr  solr                0 2018-06-21 22:06 /solr
drwxrwxrwt   - hdfs  supergroup          0 2018-08-09 16:44 /tmp
drwxr-xr-x   - hdfs  supergroup          0 2018-08-20 16:45 /user

 

but when i try to delete the i am getting error as below

 

[root@inggnvcdera1 etc]# sudo -u hdfs hadoop fs -rm /externaltableslocation/servicenow_proactivesla_extb/part-m-00000
18/09/07 12:16:56 WARN security.UserGroupInformation: PriviledgedActionException as:hdfs (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
18/09/07 12:16:56 WARN ipc.Client: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
18/09/07 12:16:56 WARN security.UserGroupInformation: PriviledgedActionException as:hdfs (auth:KERBEROS) cause:java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
rm: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "inggnvcdera1.******.com/10.202.42.106"; destination host is: "inggnvcdera1.******.com":8020;

 

Kindly guide me where i am doning mistake

i am not able to find default_cache_** in my krb5.conf file that can i comment

root@inggnvcdera1 etc]# cat /etc/krb5.conf
[libdefaults]
default_realm = GLOBAL.******.NET
dns_lookup_kdc = false
dns_lookup_realm = false
ticket_lifetime = 86400
renew_lifetime = 604800
forwardable = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
udp_preference_limit = 1
kdc_timeout = 3000
[realms]
GLOBAL.******.NET = {
kdc = inggnvcdera1.******.com
admin_server = inggnvcdera1.******.com
}
[domain_realm]

 

any help will really appreciated.

 

 

 

12,095 Views
0 Kudos

avatar
author-rank patrish
New Contributor

Created ‎11-20-2018 09:02 AM

issue has been resolved with fix. Thanks

11,433 Views
0 Kudos

avatar
author-rank cloud123user
Explorer

Created on ‎11-10-2019 11:07 AM - edited ‎11-10-2019 11:07 AM

I have been debugging this issue and was not able to find the solution. Thanks so much for your solution here @bgooley Really appreciate it!!

 

By commenting the default cache name in krb.conf file I was able to perform the secure cluster commands.

Thank you so much!!

 

9,046 Views
0 Kudos

avatar
author-rank bgooley author-rank
Master Guru

Created ‎11-12-2019 12:23 PM

@cloud123user, Thanks for the kind feedback.  I am glad that the solution worked for you!

9,000 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements