
spnego.keytab gets corrupted


New Contributor

We have a requirement to add two principals to a keytab file and one of them is the HTTP principal.

When I regenerate the keytabs through Ambari and run the following command, I get a valid ticket:

kinit -kt /etc/security/keytabs/spnego.service.keytab HTTP/hdp26.xyz.com@xyz.COM

Now I need to add the HTTP principal to a user keytab, so I run the following command:

kadmin.local -q "ktadd -k /etc/security/keytabs/user_name.keytab HTTP/hdp26.xyz.com@xyz.COM"

After I add the principal and run kinit using spnego.service.keytab (command below), I get an error saying "kinit: Password incorrect while getting initial credentials". Could anyone help me understand why the spnego keytab gets corrupted if I add a principal to a different keytab?

kinit -kt /etc/security/keytabs/spnego.service.keytab HTTP/hdp26.xyz.com@xyz.COM

Thanks in advance!!

Accepted Solution

Re: spnego.keytab gets corrupted

Contributor

This is because the kvno has changed for that principal in the Kerberos database after you create a new keytab for the same principal. You can confirm this by doing:

kadmin.local: get_principal <principal_name>

The kvno there is different from the one in spnego.service.keytab (check with klist -kte <keytab>).

What I suggest in this scenario is to "cp spnego.service.keytab user.name.keytab". Then you can set permissions on that keytab accordingly.

Hope this helps.

4 Replies

Re: spnego.keytab gets corrupted

New Contributor

Thanks for the solution. It's working well so far.

Re: spnego.keytab gets corrupted

@infa elance

The issue is as described by @mrodriguez; however, the real solution is to use the -norandkey option to the ktadd function. This way the key for the principal you want to add to the keytab file will not be updated.

kadmin.local -q "ktadd -norandkey -k /etc/security/keytabs/user_name.keytab HTTP/hdp26.xyz.com@xyz.COM"

I assume this is a better option since you may want to have the keytab entry for some user's principal in that file as well.

Note: the -norandkey option is only available when using kadmin.local. It is not an option for the general kadmin utility.

Another option is to use the ktutil utility to read in multiple keytab files and write out a new one. See https://web.mit.edu/kerberos/krb5-1.12/doc/admin/admin_commands/ktutil.html.
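As an added example (not code from any post in this thread), a small Python check of the kvno mismatch @mrodriguez describes: it parses `klist -kte` and `get_principal` output and reports whether a keytab's kvno for the HTTP principal still matches what the KDC holds, which is exactly what a plain `ktadd` without -norandkey breaks. The two command outputs are constructed samples in the thread's format, not captured ones.

```python
import re
from collections import defaultdict

# Constructed `klist -kte` output for the spnego keytab: it still holds kvno 2.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/security/keytabs/spnego.service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 05/20/2019 10:15:33 HTTP/hdp26.xyz.com@xyz.COM (aes256-cts-hmac-sha1-96)
   2 05/20/2019 10:15:33 HTTP/hdp26.xyz.com@xyz.COM (aes128-cts-hmac-sha1-96)
"""
# Constructed `kadmin.local -q "get_principal ..."` output after a plain ktadd
# (no -norandkey) rotated the principal's key in the KDC to vno 3.
GETPRINC_OUTPUT = """\
Principal: HTTP/hdp26.xyz.com@xyz.COM
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, aes128-cts-hmac-sha1-96
MKey: vno 1
"""
# klist -kte rows look like "<kvno> <date> <time> <principal> (<enctype>)".
KLIST_ROW = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+@\S+)\s+\(")
KDC_PRINC = re.compile(r"^Principal:\s+(\S+)")
KDC_KEY = re.compile(r"^Key:\s+vno\s+(\d+),")

def keytab_kvnos(klist_text):
    """Map principal -> set of kvnos present in the keytab."""
    found = defaultdict(set)
    for line in klist_text.splitlines():
        if m := KLIST_ROW.match(line):
            found[m.group(2)].add(int(m.group(1)))
    return dict(found)

def kdc_kvno(getprinc_text):
    """Return (principal, kvno) the KDC currently holds; MKey lines are ignored."""
    principal, vnos = None, []
    for line in getprinc_text.splitlines():
        if m := KDC_PRINC.match(line):
            principal = m.group(1)
        elif m := KDC_KEY.match(line):
            vnos.append(int(m.group(1)))
    return principal, max(vnos)

def check_keytab(klist_text, getprinc_text):
    """'ok' when the keytab holds the KDC's current kvno, 'stale' when the KDC
    rotated the key after ktadd (the thread's kinit failure), 'missing' if absent."""
    principal, current = kdc_kvno(getprinc_text)
    in_keytab = keytab_kvnos(klist_text).get(principal, set())
    if not in_keytab:
        return "missing"
    return "ok" if current in in_keytab else "stale"
```

A "stale" result on a service keytab is the state that produces "Password incorrect while getting initial credentials"; regenerating the keytab from Ambari, or copying it as suggested above, brings it back to "ok".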

Re: spnego.keytab gets corrupted

New Contributor

Thanks Robert!! I will try the -norandkey next time.