Member since 06-18-2017
06-20-2017 01:56 AM
The problem was in a misconfigured Kerberos encryption type.

Tested the ktutil; the first time it did not work, because I misspelled the encryption type. Worked well with the right encryption. Tried to fix the encryption type in Manager. Worked well! I deleted everything else and added aes128-cts-hmac-sha1-96 (as in the example from https://web.mit.edu/kerberos/krb5-1.13/doc/admin/admin_commands/ktutil.html).

This config option should definitely be improved in Cloudera Manager! As well as the error reporting! Hope this will be helpful to somebody else too.

The default encryption type (if not configured in Kerberos *.conf files) is aes256-cts-hmac-sha1-96, thus it should also become the default encryption type in Cloudera Manager.
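A pre-flight check for the failure described in the post above, as an added example that is not part of the original post or of Cloudera's import_credentials.sh: it rejects a misspelled or empty encryption type list before ktutil is run, and confirms a keytab was actually written before anything like chmod touches it. The helper names `check_enctypes` and `keytab_written` and the `KNOWN_ENCTYPES` allow-list (a subset of canonical names from the MIT krb5 documentation) are assumptions of this example.

```shell
#!/bin/sh
# Added example. KNOWN_ENCTYPES is an assumed allow-list (a subset of the
# canonical enctype names in the MIT krb5 documentation); adjust it to the
# names your krb5 release and KDC actually support.
KNOWN_ENCTYPES="aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 \
camellia256-cts-cmac camellia128-cts-cmac \
des3-cbc-sha1 arcfour-hmac des-cbc-crc des-cbc-md5 des-cbc-md4"

# check_enctypes "<space-separated list>"  (hypothetical helper)
# Prints every unrecognised name on its own line.
# Returns 0 if all names are known, 1 if any is unknown, 2 if the list is empty.
check_enctypes() {
    list=$1
    bad=0
    seen=0
    for enc in $list; do
        seen=1
        found=0
        for known in $KNOWN_ENCTYPES; do
            if [ "$enc" = "$known" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$enc"
            bad=1
        fi
    done
    [ "$seen" -eq 1 ] || return 2
    return "$bad"
}

# keytab_written <path>  (hypothetical helper)
# True only if the file exists and is non-empty, i.e. ktutil's wkt had
# at least one entry to write.
keytab_written() {
    [ -s "$1" ]
}

# Constructed input: one valid name and one misspelling of it.
if ! bad_names=$(check_enctypes "aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha1-69"); then
    echo "not running ktutil, unknown or missing enctype(s): $bad_names" >&2
fi
```

Calling `check_enctypes` on the configured list before ktutil, and `keytab_written` on the output path after it, turns the silent "no file" outcome into an explicit error naming the bad value.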
06-19-2017 04:02 AM
The keytab file is not created.

Now to the suggested steps: tried to do "wkt /var/run/cloudera-scm-server/cmf2740814926769956207.keytab" in ktutil - no errors, but no file there. Maybe the necessary data for the keytab is not generated? And thus no file is saved, because there is nothing to save?

try adding 'add princ principal@realmn'

Do you mean to add a principal from kadmin - add_principal? (There seems to be no such option in ktutil.) If yes, which one? (cloudera/admin is already there) --> ank principal@IM? Or do you mean add_entry in ktutil? (No idea, yet, how to do this, and what I actually should add.)

Another question: there is a 'cloudera-scm' user account, however I cannot su to it, thus I had to test things with root. Should I make the cloudera-scm account usable and test from there?

Thanks!
06-18-2017 08:08 AM
Found several 'similar' issues, but none did really fit our situation.

```
usr/share/cmf/bin/import_credentials.sh failed with exit code 1 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf2740814926769956207.keytab
+ USER=cloudera/admin@IM
+ PASSWD=REDACTED
+ KVNO=1
+ SLEEP=0
+ RHEL_FILE=/etc/redhat-release
+ '[' -f /etc/redhat-release ']'
+ set +e
+ grep Tikanga /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ '[' 0 -eq 0 ']'
+ grep 'CentOS release 5' /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ '[' 0 -eq 0 ']'
+ grep 'Scientific Linux release 5' /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ set -e
+ '[' -z /etc/krb5.conf ']'
+ echo 'Using custom config path '\''/etc/krb5.conf'\'', contents below:'
+ cat /etc/krb5.conf
+ IFS=' '
+ read -a ENC_ARR
+ ktutil
+ echo 'wkt /var/run/cloudera-scm-server/cmf2740814926769956207.keytab'
+ chmod 600 /var/run/cloudera-scm-server/cmf2740814926769956207.keytab
chmod: cannot access ‘/var/run/cloudera-scm-server/cmf2740814926769956207.keytab’: No such file or directory
>>
```
The actual krb5.conf (limited to important data) is:

```
[libdefaults]
...
default_realm = IM
...
[realms]
IM = {
kdc = little-cerberos.im
admin_server = little-cerberos.im
default_domain = im
}
[domain_realm]
.im = IM
im = IM
```

Kerberos server configs seem to be ok, since I can log in with cloudera/admin@IM. kadmin works well too; I can list and add principals. The error message does not actually "show" the real krb5.conf file; however, there is also no error message that the file is invalid (had this situation a few hours ago for some unknown reason).

OS is CentOS 7, CDH 5.11 (test for 60 days), everything in a VM, so that I can roll back if necessary (not using our developer cluster/license).
Labels: Cloudera Manager, Kerberos