Support Questions

prabhat10 · ‎07-28-2018

i am getting below error when i tried to enbale kerberos using Cloudera Manager after setting up kdc server and admin principal.

Enable Kerberos for Cluster 1

Import KDC Account Manager Credentials Command Status Failed Jul 28, 1:33:43 PM 5.02s

/usr/share/cmf/bin/import_credentials.sh failed with exit code 1 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf7587283748839759414.keytab
+ USER=admin/admin@HADOOP.COM
+ PASSWD=REDACTED
+ KVNO=1
+ SLEEP=0
+ RHEL_FILE=/etc/redhat-release
+ '[' -f /etc/redhat-release ']'
+ set +e
+ grep Tikanga /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ '[' 0 -eq 0 ']'
+ grep 'CentOS release 5' /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ '[' 0 -eq 0 ']'
+ grep 'Scientific Linux release 5' /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ set -e
+ '[' -z /var/run/cloudera-scm-server/krb52763805900583239514.conf ']'
+ echo 'Using custom config path '\''/var/run/cloudera-scm-server/krb52763805900583239514.conf'\'', contents below:'
+ cat /var/run/cloudera-scm-server/krb52763805900583239514.conf
+ IFS=' '
+ read -a ENC_ARR
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p admin/admin@HADOOP.COM -k 1 -e rc4-hmac'
+ ktutil
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ echo 'wkt /var/run/cloudera-scm-server/cmf7587283748839759414.keytab'
+ chmod 600 /var/run/cloudera-scm-server/cmf7587283748839759414.keytab
+ kinit -k -t /var/run/cloudera-scm-server/cmf7587283748839759414.keytab admin/admin@HADOOP.COM
kinit: KDC has no support for encryption type while getting initial credentials

>>

prabhat10 · ‎07-28-2018

i followed this blog but didint work.

https://michlstechblog.info/blog/linux-kerberos-authentification-against-windows-active-directory/#m...

https://community.cloudera.com/t5/Cloudera-Manager-Installation/Import-KDC-Account-Manager-Credentia...

https://community.cloudera.com/t5/Cloudera-Manager-Installation/Enabling-Keberos-for-cluster-fails-w...

nothing worked for me.

my krb5.conf file

[root@aa1 singhkabir880]# cat /etc/krb5.conf#

Configuration snippets may be placed in this directory as wellincludedir /etc/krb5.conf.d/

[logging]

default = FILE:/var/log/krb5libs.log

kdc = FILE:/var/log/krb5kdc.log

admin_server = FILE:/var/log/kadmind.log

[libdefaults]

dns_lookup_realm = false

ticket_lifetime = 24h

renew_lifetime = 7d

forwardable = true

rdns = false

default_realm = HADOOP.COM

default_ccache_name = KEYRING:persistent:%{uid}

default_tgs_enctypes = rc4-hmac

default_tkt_enctypes = rc4-hmac

permitted_enctypes = rc4-hmac

[realms]

HADOOP.COM = {

kdc = aa1.c.true-shore-210608.internal

admin_server = aa1.c.true-shore-210608.internal

supported_enctypes = rc4-hmac

}

[domain_realm]

.hadoop.com = HADOOP.COM

hadoop.com = HADOOP.COM

[root@aa1 singhkabir880]#

Kindly suggest how to move further.

Thanks

prabhat10 · ‎01-31-2019

any suggestions on this??

Sean464 · ‎12-17-2020

Hello @prabhat10 ,

Try this -

Backup your /etc/krb5.conf on all the hosts
Verify the encryption types supported from your Kerberos server (If MIT - Check "supported_enctypes" in /var/kerberos/krb5kdc/)
Check the "Kerberos Encryption Types" under CM > Administration > Security > Kerberos Credentials > Configuration. Include the encryption types supported by your KDC.
Enable "Manage krb5.conf through Cloudera Manager" from the same configuration page.
Select "Deploy Kerberos client configuration" from the drop-down near your cluster.
Once deployed, verify if the krb5.conf on the agent nodes have the encryption types included as mentioned in CM.
If CM server is running on stale kerberos configuration, copy the krb5.conf from one of the agent nodes to CM server.
Regenerate the principals from CM. (If this is success, you should be able to restart CM and CDH services).