Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

kinit: KDC has no support for encryption type while getting initial credentials

avatar
Explorer

i am getting below error when i tried to enbale kerberos using Cloudera Manager after setting up kdc server and admin principal.

 

 

Enable Kerberos for Cluster 1

 
 
 
 
Import KDC Account Manager Credentials Command Status   Failed   Jul 28, 1:33:43 PM   5.02s 
/usr/share/cmf/bin/import_credentials.sh failed with exit code 1 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf7587283748839759414.keytab
+ USER=admin/admin@HADOOP.COM
+ PASSWD=REDACTED
+ KVNO=1
+ SLEEP=0
+ RHEL_FILE=/etc/redhat-release
+ '[' -f /etc/redhat-release ']'
+ set +e
+ grep Tikanga /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ '[' 0 -eq 0 ']'
+ grep 'CentOS release 5' /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ '[' 0 -eq 0 ']'
+ grep 'Scientific Linux release 5' /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ set -e
+ '[' -z /var/run/cloudera-scm-server/krb52763805900583239514.conf ']'
+ echo 'Using custom config path '\''/var/run/cloudera-scm-server/krb52763805900583239514.conf'\'', contents below:'
+ cat /var/run/cloudera-scm-server/krb52763805900583239514.conf
+ IFS=' '
+ read -a ENC_ARR
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p admin/admin@HADOOP.COM -k 1 -e rc4-hmac'
+ ktutil
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ echo 'wkt /var/run/cloudera-scm-server/cmf7587283748839759414.keytab'
+ chmod 600 /var/run/cloudera-scm-server/cmf7587283748839759414.keytab
+ kinit -k -t /var/run/cloudera-scm-server/cmf7587283748839759414.keytab admin/admin@HADOOP.COM
kinit: KDC has no support for encryption type while getting initial credentials

>>
3 REPLIES 3

avatar
Explorer

i followed this blog but didint work.

 

 

https://michlstechblog.info/blog/linux-kerberos-authentification-against-windows-active-directory/#m...

 

https://community.cloudera.com/t5/Cloudera-Manager-Installation/Import-KDC-Account-Manager-Credentia...

 

https://community.cloudera.com/t5/Cloudera-Manager-Installation/Enabling-Keberos-for-cluster-fails-w...

 

nothing worked for me.

 

 my krb5.conf file

 

[root@aa1 singhkabir880]# cat /etc/krb5.conf#

 

Configuration snippets may be placed in this directory as wellincludedir /etc/krb5.conf.d/

 

[logging]

default = FILE:/var/log/krb5libs.log

kdc = FILE:/var/log/krb5kdc.log

admin_server = FILE:/var/log/kadmind.log

 

[libdefaults]

 

dns_lookup_realm = false

ticket_lifetime = 24h

renew_lifetime = 7d

forwardable = true

rdns = false

default_realm = HADOOP.COM

default_ccache_name = KEYRING:persistent:%{uid}

default_tgs_enctypes = rc4-hmac

default_tkt_enctypes = rc4-hmac

permitted_enctypes = rc4-hmac

 

[realms]

HADOOP.COM = {

kdc = aa1.c.true-shore-210608.internal

admin_server = aa1.c.true-shore-210608.internal

supported_enctypes = rc4-hmac

}

[domain_realm]

.hadoop.com = HADOOP.COM

hadoop.com = HADOOP.COM

[root@aa1 singhkabir880]#

 

 

Kindly suggest how to move further.

 

Thanks

avatar
Explorer

any suggestions on this??

avatar
Expert Contributor

Hello @prabhat10 , 

Try this - 

 

  • Backup your /etc/krb5.conf on all the hosts 
  • Verify the encryption types supported from your Kerberos server (If MIT - Check "supported_enctypes" in /var/kerberos/krb5kdc/)
  • Check the "Kerberos Encryption Types" under  CM > Administration > Security > Kerberos Credentials > Configuration. Include the encryption types supported by your KDC. 
  • Enable "Manage krb5.conf through Cloudera Manager" from the same configuration page. 
  • Select "Deploy Kerberos client configuration" from the drop-down near your cluster. 
  • Once deployed, verify if the krb5.conf on the agent nodes have the encryption types included as mentioned in CM. 
  • If CM server is running on stale kerberos configuration, copy the krb5.conf from one of the agent nodes to CM server.
  • Regenerate the principals from CM. (If this is success, you should be able to restart CM and CDH services).