05-22-2018
08:44 PM
Hi Siraj, I did not find the solution for this. This was the issue with the manual setup. When I used Cloudera package installation all worked fine.
04-06-2018
09:08 AM
@michalis I removed the salt :normal while enabling Kerberos using Cloudera Manager and it imported the KDC successfully. Thanks @bgooley and @michalis for the support and helping me to solve this tricky one.
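The fix reported in the post above was to drop the `:normal` salt suffix from the encryption types handed to `ktutil`. The sketch below is an added example, not Cloudera's code or the poster's: it strips salt suffixes and refuses a malformed list before anything is piped to `ktutil`. The function names and the sample principal are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). kdc.conf lists key types as
# "enctype:salttype" (e.g. aes256-cts:normal), but the trace on this page
# shows ktutil's "addent -e" rejecting that form as "Bad encryption type".
# Once addent fails, the next stdin line (the password) is parsed as a
# ktutil request and echoed back in the "Unknown request" error, so it is
# worth validating the list before the password is ever written.

# Strip any ":salttype" suffix from each space-separated entry.
normalize_enc_types() (
    set -f                              # no globbing on the unquoted split
    out=
    for enc in $1; do
        out="${out:+$out }${enc%%:*}"
    done
    printf '%s\n' "$out"
)

# Succeed only if the list is non-empty and every entry is a bare name.
enc_types_ok() (
    set -f
    [ -n "$1" ] || exit 1
    for enc in $1; do
        case $enc in
            *[!a-z0-9-]*|-*|*-) exit 1 ;;   # colon, odd chars, stray dash
        esac
    done
    exit 0
)

# Print the addent requests that would go to ktutil (password lines are
# deliberately left out), or refuse when the list is not clean.
ktutil_addent_lines() (
    set -f
    principal=$1 kvno=$2 types=$3
    enc_types_ok "$types" || { echo "refusing enctype list: $types" >&2; exit 1; }
    for enc in $types; do
        printf 'addent -password -p %s -k %s -e %s\n' "$principal" "$kvno" "$enc"
    done
)

# Constructed sample input in the same shape as the ENC_TYPES seen in the trace.
SAMPLE_TYPES='aes256-cts:normal aes128-cts:normal'
ktutil_addent_lines 'cloudera-scm/admin@EXAMPLE.COM' 1 \
    "$(normalize_enc_types "$SAMPLE_TYPES")"
```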
04-06-2018
03:04 AM
@bgooley I have updated the script, can you please check as it's still failing
04-03-2018
12:43 AM
Any solution pls..
04-02-2018
03:49 AM
Hi, any solution pls..
03-28-2018
09:54 AM
@bgooley Thanks a lot for reverting back to my queries. I tried with the solution you said by changing sleep=0 to sleep=1 but still get the same error message.
/usr/share/cmf/bin/import_credentials.sh failed with exit code 1 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf4656589489540061286.keytab
+ USER=cloudera-scm/REDACTED@PRICLUSTER.COM
+ PASSWD=REDACTED
+ KVNO=1
+ SLEEP=1
+ RHEL_FILE=/etc/redhat-release
+ '[' -f /etc/redhat-release ']'
+ set +e
+ grep Tikanga /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ '[' 1 -eq 0 ']'
+ '[' 1 -eq 0 ']'
+ set -e
+ '[' -z /etc/krb5.conf ']'
+ echo 'Using custom config path '\''/etc/krb5.conf'\'', contents below:'
+ cat /etc/krb5.conf
+ IFS=' '
+ read -a ENC_ARR
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e aes256-cts:normal'
+ '[' 1 -eq 1 ']'
+ sleep 1
+ ktutil
addent: Bad encryption type while adding new entry
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e aes128-cts:normal'
+ '[' 1 -eq 1 ']'
+ sleep 1
ktutil: Unknown request "REDACTED". Type "?" for a request list.
addent: Bad encryption type while adding new entry
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e des3-hmac-sha1:normal'
+ '[' 1 -eq 1 ']'
+ sleep 1
ktutil: Unknown request "REDACTED". Type "?" for a request list.
addent: Bad encryption type while adding new entry
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e des-hmac-sha1:normal'
+ '[' 1 -eq 1 ']'
+ sleep 1
ktutil: Unknown request "REDACTED". Type "?" for a request list.
addent: Bad encryption type while adding new entry
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e des-cbc-crc:normal'
+ '[' 1 -eq 1 ']'
+ sleep 1
ktutil: Unknown request "REDACTED". Type "?" for a request list.
addent: Bad encryption type while adding new entry
+ echo REDACTED
+ echo 'wkt /var/run/cloudera-scm-server/cmf4656589489540061286.keytab'
ktutil: Unknown request "REDACTED". Type "?" for a request list.
+ chmod 600 /var/run/cloudera-scm-server/cmf4656589489540061286.keytab
chmod: cannot access `/var/run/cloudera-scm-server/cmf4656589489540061286.keytab': No such file or directory
I have also shared the modified import_credentials.sh.
cat /etc/redhat-release
CentOS release 6.9 (Final)
#!/usr/bin/env bash
# Copyright (c) 2014 Cloudera, Inc. All rights reserved.
set -e
set -x
# Explicitly add RHEL5/6 and SLES11/12 locations to path
export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:$PATH
KEYTAB_OUT=$1
USER=$2
PASSWD=$3
KVNO=$4
# Determine if sleep is needed before echoing password.
# This is needed on Centos/RHEL 5 where ktutil doesn't
# accept password from stdin.
SLEEP=1
RHEL_FILE=/etc/redhat-release
if [ -f $RHEL_FILE ]; then
  set +e # Ignore errors in grep
  grep Tikanga $RHEL_FILE
  if [ $? -eq 0 ]; then
    SLEEP=1
  fi
  if [ $SLEEP -eq 0 ]; then
    grep 'CentOS release 5' $RHEL_FILE
    if [ $? -eq 0 ]; then
      SLEEP=1
    fi
  fi
  if [ $SLEEP -eq 0 ]; then
    grep 'Scientific Linux release 5' $RHEL_FILE
    if [ $? -eq 0 ]; then
      SLEEP=1
    fi
  fi
  set -e
fi
if [ -z "$KRB5_CONFIG" ]; then
  echo "Using system default krb5.conf path."
else
  echo "Using custom config path '$KRB5_CONFIG', contents below:"
  cat $KRB5_CONFIG
fi
# Export password to keytab
IFS=' ' read -a ENC_ARR <<< "$ENC_TYPES"
{
  for ENC in "${ENC_ARR[@]}"
  do
    echo "addent -password -p $USER -k $KVNO -e $ENC"
    if [ $SLEEP -eq 1 ]; then
      sleep 1
    fi
    echo "$PASSWD"
  done
  echo "wkt $KEYTAB_OUT"
} | ktutil
chmod 600 $KEYTAB_OUT
# Do a kinit to validate that everything works
kinit -k -t $KEYTAB_OUT $USER
# If this is not AD admin account, return from here
if [ "$AD_ADMIN" != "true" ]; then
  exit 0
fi
# With AD do a simple search to make sure everything works.
# Set properties needed for ldapsearch to work.
# Tell GSSAPI not to negotiate a security or privacy layer since
# AD doesn't support nested security or privacy layers
LDAP_CONF=`mktemp /tmp/cm_ldap.XXXXXXXX`
echo "TLS_REQCERT never" >> $LDAP_CONF
echo "sasl_secprops minssf=0,maxssf=0" >> $LDAP_CONF
export LDAPCONF=$LDAP_CONF
set +e # Allow failures to SASL so we can see if simple auth works
ldapsearch -LLL -H "$AD_SERVER" -b "$DOMAIN" "userPrincipalName=$USER"
if [ $? -ne 0 ]; then
  echo "ldapsearch did not work with SASL authentication. Trying with simple authentication"
  ldapsearch -LLL -H "$AD_SERVER" -b "$DOMAIN" -x -D $USER -w $PASSWD "userPrincipalName=$USER"
  if [ $? -ne 0 ]; then
    echo "Failed to do ldapsearch."
    echo "Please make sure Active Directory configuration is correctly specified and LDAP over SSL is enabled."
    exit 1
  fi
  # Simple authentication worked. Store the password in output file.
  echo -n $PASSWD > $KEYTAB_OUT
fi
set -e
rm -f $LDAP_CONF
03-27-2018
12:15 PM
But is it needed even for CentOS or RHEL 6?
03-27-2018
12:14 PM
Thanks. I tried sleep=1 in the past and it didn't work. But let me try again. I'll keep you updated.
03-27-2018
08:51 AM
Hi, does anybody have any idea?
03-27-2018
08:48 AM
1 Kudo
Hi, no need to give AD or LDAP integration. This is just for enabling Kerberos for now. Did you give the same encryption types used in your kdc.conf file and also in the Cloudera Manager enabling Kerberos authentication wizard?