Created on 06-05-2018 06:14 PM - edited 09-16-2022 06:18 AM
We have a requirement to add two principals to a keytab file and one of them is the HTTP principal.
When I regenerate the keytabs through Ambari and run the following command, I get a valid ticket:
kinit -kt /etc/security/keytabs/spnego.service.keytab HTTP/hdp26.xyz.com@xyz.COM
Now I need to add the HTTP principal to a user keytab, so I run the following command:
kadmin.local -q "ktadd -k /etc/security/keytabs/user_name.keytab HTTP/hdp26.xyz.com@xyz.COM"
After I add the principal and run kinit using spnego.service.keytab (command below), I get an error saying "kinit: Password incorrect while getting initial credentials". Could anyone help me understand why the spnego keytab gets corrupted if I add a principal to a different keytab?
kinit -kt /etc/security/keytabs/spnego.service.keytab HTTP/hdp26.xyz.com@xyz.COM
Thanks in advance!!
Created 06-05-2018 08:34 PM
This is because the kvno has changed for that principal in the Kerberos database after you create a new keytab for the same principal. You can confirm this by doing:
kadmin.local: get_principal <principal_name>
The kvno shown there is different from the one in spnego.service.keytab (check with klist -kte <keytab>).
What I suggest in this scenario is to "cp spnego.service.keytab user.name.keytab". Then you can set permissions on that keytab accordingly.
Hope this helps.
Created 06-06-2018 08:22 PM
Thanks for the solution. It's working well so far.
Created 06-06-2018 09:21 PM
The issue is as described by @mrodriguez; however, the real solution is to use the -norandkey option to the ktadd command. This way the key for the principal you want to add to the keytab file will not be updated.
kadmin.local -q "ktadd -norandkey -k /etc/security/keytabs/user_name.keytab HTTP/hdp26.xyz.com@xyz.COM"
I assume this is a better option since you may want to have the keytab entry for some user's principal in that file as well.
Note: the -norandkey option is only available when using kadmin.local. It is not an option for the general kadmin utility.
Another option is to use the ktutil utility to read in multiple keytab files and write out a new one. See https://web.mit.edu/kerberos/krb5-1.12/doc/admin/admin_commands/ktutil.html.
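As an added example (not code from this thread or from MIT Kerberos), a small Python reader for the MIT keytab file format (version 0x0502, the one ktadd writes) that reports the kvno of every entry, so a kvno mismatch between spnego.service.keytab and a user keytab can be detected offline without running klist or kadmin. The keytab bytes, the dummy key and the kvno values are constructed inline for illustration.

```python
import struct

def keytab_entry(principal, kvno, enctype=18, key=b"\x00" * 32, timestamp=0):
    """Serialise one keytab entry for 'name/inst@REALM' (dummy key; sample data only)."""
    name, realm = principal.split("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:                      # realm first, then components
        raw = s.encode()
        body += struct.pack(">H", len(raw)) + raw
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # name_type, time, vno8
    body += struct.pack(">HH", enctype, len(key)) + key      # keyblock
    body += struct.pack(">I", kvno)                          # 32-bit vno extension
    return struct.pack(">i", len(body)) + body

def keytab_file(entries):
    return b"\x05\x02" + b"".join(entries)

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for live entries, like `klist -kte`."""
    assert data[:2] == b"\x05\x02", "only keytab format 0x0502 handled"
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                               # negative size = deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        strs = []
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            strs.append(data[pos:pos + n].decode()); pos += n
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        kvno = vno8
        if end - pos >= 4:                         # optional 32-bit vno overrides vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        out.append(("/".join(strs[1:]) + "@" + strs[0], kvno, enctype))
    return out

def kvno_conflicts(*keytabs):
    # Principals that appear with differing kvno across the given keytabs.
    seen = {}
    for data in keytabs:
        for princ, kvno, _ in parse_keytab(data):
            seen.setdefault(princ, set()).add(kvno)
    return {p: sorted(v) for p, v in seen.items() if len(v) > 1}
```

A non-empty result from kvno_conflicts means one of the files holds a key the KDC no longer has, which is exactly the state that produces "Password incorrect" for the older keytab; ktadd -norandkey (or merging with ktutil) keeps every copy on the same kvno.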
Created 06-07-2018 03:06 PM
Thanks Robert!! I will try the -norandkey next time.