Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

problem generating keytab with HTTP SPN

avatar
author-rank yagoaparecidoti
Expert Contributor

Created ‎08-22-2022 11:44 AM

hello cloudera community,

 

we are trying to create a keytab with the main one:

 

"HTTP/hostname@DOMAIN.LOCAL"

 

with the command:

 

ktpass -princ HTTP/hostname@DOMAIN.LOCAL -mapuser livy-http -crypto ALL -ptype KRB5_NT_PRINCIPAL -pass password2022 -target domain.local -out c:\temp\livy-http.keytab

 

but I try to validate the ticket with this keytab returns the error:

 

Exception: krb_error 24 Pre-authentication information was invalid (24) Pre-authentication information was invalid

 

KrbException: Pre-authentication information was invalid (24)
at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(Unknown Source)
at sun.security.krb5.internal.ASRep.init(Unknown Source)
at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
... 5 more

 

yagoaparecidoti_0-1661193823116.png

 

this user "livy-http" is already created in AD and with the SPN "HTTP/hostname@DOMAIN.LOCAL" attached to it

 

what are we doing wrong?

9,445 Views
0 Kudos
20 REPLIES 20

avatar
JQUIROS author-rank
Cloudera Employee

Created ‎08-22-2022 12:28 PM

Hi sir,
This command is probably better to be evaluated in an AD forum, It is a power shell command in the AD server. Based on the stack trace you are getting, the pre-authentication is failing. Normally, this may happen because the account is enabled with pre-auth or you are using a cipher that requires pre-auth [0]

We can try to create by using only legacy ciphers:

##########################################
# How to Create a keytab from client application
##########################################

# Step 1: Type ktutil to enter prompt:
ktutil

# Step 2: At the ktutil prompt, add the authentication command below:
ktutil:  add_entry -password -p livy-http@DOMAIN.LOCAL-k 1 -e arcfour-hmac-md5

# Step 3: Type password
Password for livy-http@DOMAIN.LOCAL:

# Step 4: Create Keytab file at ktutil prompt:
# ktutil:  <command below to create keytab file>
wkt livy-http.keytab

# Step 5: Type quit to exit
quit

# Step 6: Verify Keytab Works Using kinit:
/usr/bin/kinit -V -kt livy-http.keytab livy-http@DOMAIN.LOCAL

[0] refer to the box checks "Do not required Kerberos Preauthentication":  https://docs.informatica.com/data-integration/powercenter/10-2/security-guide/kerberos-authenticatio...

7,119 Views
0 Kudos

avatar
author-rank yagoaparecidoti
Expert Contributor

Created ‎08-22-2022 12:36 PM

hi@JQUIROS ,

 

should "kutil" command be run on cluster host or AD host?

7,117 Views
0 Kudos

avatar
author-rank yagoaparecidoti
Expert Contributor

Created ‎08-22-2022 12:43 PM

hi @JQUIROS 

 

if create another keytab with the SPN below:

 

"livy-http/hostname@DOMAIN.LOCAL"

 

works, no problems.

 

the problem is when using HTTP

7,116 Views
0 Kudos

avatar
JQUIROS author-rank
Cloudera Employee

Created ‎08-22-2022 12:47 PM

In regards to your first question, it is on the cluster host.

For your second, We only create the keytab against the service SPN ("livy-http/hostname@DOMAIN.LOCAL"), what is the business purpose to create the keytab with HTTP principals? The service is authenticating against Service Principals, not HTTP.

7,091 Views
0 Kudos

avatar
author-rank yagoaparecidoti
Expert Contributor

Created ‎08-22-2022 12:51 PM

hi @JQUIROS 

 

we need to create the HTTP SPN keytab to use in the Livy service, as described in the link below:

 

https://enterprise-docs.anaconda.com/en/latest/admin/advanced/config-livy-server.html 

 

in the link above, kadmin was used, but we don't have kadmin but AD.

7,090 Views
0 Kudos

avatar
JQUIROS author-rank
Cloudera Employee

Created ‎08-22-2022 05:09 PM

ktpass might be purely AD, might be worth it to open an AD case if that is the only option.

Otherwise, Could you please try to create the keytab with the following ktutil commands:
add_entry -password -p HTTP@FQDN_DOMAIN.LO -k 1 -e arcfour-hmac-md5

7,062 Views
0 Kudos

avatar
author-rank yagoaparecidoti
Expert Contributor

Created ‎08-23-2022 08:06 AM

hi @JQUIROS 

 

using the ktutil command it was possible to create the principal:

 

HTTP/hostname@DOMAIN.LOCAL

 

how to export keytab now?

 

7,042 Views
0 Kudos

avatar
author-rank yagoaparecidoti
Expert Contributor

Created ‎08-23-2022 08:13 AM

hi @JQUIROS 

 

we were able to export the keytab with the command:

 

write_kt http.keytab

 

but when validating the ticket with the command:

 

kinit -kt http.keytab HTTP/hostnamae@DOMAIN.LOCAL

 

got the same error:

 

kinit: Preauthentication failed while getting initial credentials

7,041 Views
0 Kudos

avatar
JQUIROS author-rank
Cloudera Employee

Created ‎08-23-2022 08:58 AM

Hi @yagoaparecidoti,
The error is coming directly from the Active Directory KDC, please limit the keytab to RC4 HMAC as commented earlier. Scroll up on the first post.
Then, try to kinit by using the trace to understand the issue better:

KRB5_TRACE=/dev/stdout kinit -kt http.keytab HTTP/hostnamae@DOMAIN.LOCAL

7,018 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements