problem generating keytab with HTTP SPN

Expert Contributor

Hello Cloudera community,

We are trying to create a keytab with the main one:

"HTTP/hostname@DOMAIN.LOCAL"

with the command:

ktpass -princ HTTP/hostname@DOMAIN.LOCAL -mapuser livy-http -crypto ALL -ptype KRB5_NT_PRINCIPAL -pass password2022 -target domain.local -out c:\temp\livy-http.keytab

but when I try to validate the ticket with this keytab, it returns the error:

Exception: krb_error 24 Pre-authentication information was invalid (24) Pre-authentication information was invalid

KrbException: Pre-authentication information was invalid (24)
at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(Unknown Source)
at sun.security.krb5.internal.ASRep.init(Unknown Source)
at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
... 5 more

yagoaparecidoti_0-1661193823116.png

This user "livy-http" is already created in AD, with the SPN "HTTP/hostname@DOMAIN.LOCAL" attached to it.

What are we doing wrong?
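
Added example, not part of the original post or of any vendor tool: a minimal Python parser for the MIT keytab file format (version 0x0502, which the ktpass output is assumed to follow) that lists each entry's principal, key version number and encryption type, the fields a keytab like the one written by the ktpass command above carries. The sample bytes are constructed (all-zero keys, made-up kvno 3), and `parse_keytab` and `build_entry` are hypothetical names.

```python
import struct

# Subset of the IANA Kerberos encryption type numbers.
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                     # non-positive length: deleted entry, skip
            pos += -size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, pos)
        p, names = pos + 2, []
        for _ in range(ncomp + 1):        # realm first, then name components
            (n,) = struct.unpack_from(">H", data, p)
            names.append(data[p + 2:p + 2 + n].decode())
            p += 2 + n
        p += 8                            # skip name type and timestamp
        kvno = data[p]                    # 8-bit key version number
        etype, klen = struct.unpack_from(">HH", data, p + 1)
        p += 5 + klen                     # skip the key bytes themselves
        if end - p >= 4:                  # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        principal = "/".join(names[1:]) + "@" + names[0]
        entries.append((principal, kvno, ENCTYPES.get(etype, str(etype))))
        pos = end
    return entries

def build_entry(principal, kvno, etype, key):
    name, realm = principal.rsplit("@", 1)
    body = struct.pack(">H", name.count("/") + 1)
    for s in [realm] + name.split("/"):
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample (build_entry exists only to create it): zero keys, made-up kvno 3.
SAMPLE = (b"\x05\x02" + build_entry("HTTP/hostname@DOMAIN.LOCAL", 3, 18, bytes(32))
          + build_entry("HTTP/hostname@DOMAIN.LOCAL", 3, 23, bytes(16)))
print(parse_keytab(SAMPLE))
```

To inspect a real file, pass `open(path, "rb").read()` to `parse_keytab`.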

20 REPLIES 20

Expert Contributor

Hi @araujo,

The userPrincipalName of user livy is:

livy/hostname_livy_server@DOMAIN.LOCAL

yagoaparecidoti_6-1663249727294.png

The userPrincipalName of the livy-http user is:

livy-http@DOMAIN.LOCAL

yagoaparecidoti_5-1663249640672.png

Running the command "kinit livy":

yagoaparecidoti_0-1663248966717.png

Running the command "kinit livy-http":

yagoaparecidoti_1-1663249040580.png

Running the "kinit" command with the keytab created for user livy:

yagoaparecidoti_2-1663249232292.png

Running the command "kinit" with the keytab created for the user livy-http:

yagoaparecidoti_3-1663249303452.png

We've been facing this problem for months and haven't found the solution yet.