
problem generating keytab with HTTP SPN


Hello Cloudera community,

We are trying to create a keytab with the main one:

"HTTP/hostname@DOMAIN.LOCAL"

with the command:

ktpass -princ HTTP/hostname@DOMAIN.LOCAL -mapuser livy-http -crypto ALL -ptype KRB5_NT_PRINCIPAL -pass password2022 -target domain.local -out c:\temp\livy-http.keytab

But when I try to validate the ticket with this keytab, it returns the error:

Exception: krb_error 24 Pre-authentication information was invalid (24) Pre-authentication information was invalid

 

KrbException: Pre-authentication information was invalid (24)
at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(Unknown Source)
at sun.security.krb5.internal.ASRep.init(Unknown Source)
at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
... 5 more

 

This user "livy-http" is already created in AD, with the SPN "HTTP/hostname@DOMAIN.LOCAL" attached to it.

What are we doing wrong?


Hi @araujo

The userPrincipalName of user livy is:

livy/hostname_livy_server@DOMAIN.LOCAL

yagoaparecidoti_6-1663249727294.png

The userPrincipalName of the livy-http user is:

livy-http@DOMAIN.LOCAL

yagoaparecidoti_5-1663249640672.png

Running the command "kinit livy":

yagoaparecidoti_0-1663248966717.png

Running the command "kinit livy-http":

yagoaparecidoti_1-1663249040580.png

Running the "kinit" command with the keytab created for user livy:

yagoaparecidoti_2-1663249232292.png

Running the command "kinit" with the keytab created for the user livy-http:

yagoaparecidoti_3-1663249303452.png

We've been facing this problem for months and haven't found the solution yet.