11-28-2022
06:47 AM
Hello, we are using AD for Kerberos. When we try to Generate Missing Credentials, we get the error "ERROR GenerateCredentials-0:com.cloudera.cmf.security.GenerateCredentialsCommand: unable to create credential for role 785 due to:/opt/cloudera/cm/bin/gen_credentials_ad.sh failed with exit code 19 and output" "SASL/GSSAPI authentication started SASL username: user@domain SASL SSF: 0 ldap_add: Constraint violation (19) additional info: 000021C7: AtrErr: DSID-03200E7F, #1: 0: 000021C7: DSID-03200E7F, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName)".

We got to know that there was a bug in the Microsoft AD patch of November 2021, and Cloudera have a KB article with some suggestions to fix this. We have tried all of those options, like disabling SPN on AD, Import Credentials with an AD administration user account, removing from the domain and generating missing credentials, but we get the same error every time. It tries to create the HTTP principal every time and fails to do so. Has anyone faced this error and found a solution? Can someone please help with this? Sharing the Microsoft bug article and Cloudera KB article below for reference. Also sharing the full error message.

CLOUDERA: https://my.cloudera.com/knowledge/TSB-2021-544--Microsoft-AD-November-2021-Security-Update?id=334373

Microsoft: https://support.microsoft.com/en-us/topic/kb5008382-verification-of-uniqueness-for-user-principal-name-service-principal-name-and-the-service-principal-name-alias-cve-2021-42282-4651b175-290c-4e59-8fcb-e4e5cd0cdb29

ERROR MSG:

/opt/cloudera/cm/bin/gen_credentials_ad.sh failed with exit code 19 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf8118737478853575492.keytab
+ PRINC=HTTP/hostname@domain
+ USER=cdhr_xxx
+ PASSWD=REDACTED
+ DELETE_ON_REGENERATE=true
+ SET_ENCRYPTION_TYPES=false
+ ENC_TYPES_MASK=4
+ USERACCOUNTCONTROL=45373
+ ACCOUNTEXPIRES=0
+ OBJECTCLASSES='objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user '
+ DIST_NAME=CN=cdhr_xx,OU=xxx,OU=xxx,OU=xx,OU=xxx,DC=xxx,DC=xxx,DC=xxx
+ '[' -z /etc/krb5.conf ']'
+ echo 'Using custom config path '\''/etc/krb5.conf'\'', contents below:'
+ cat /etc/krb5.conf
+ SIMPLE_PWD_STR=
+ '[' '' = '' ']'
+ kinit -k -t /var/run/cloudera-scm-server/cmf369146187832524361.keytab user@domain
++ mktemp /tmp/cm_ldap.XXXXXXXX
+ LDAP_CONF=/tmp/cm_ldap.qKndHBEl
+ echo 'TLS_REQCERT never'
+ echo 'sasl_secprops minssf=0,maxssf=0'
+ export LDAPCONF=/tmp/cm_ldap.qKndHBEl
+ LDAPCONF=/tmp/cm_ldap.qKndHBEl
++ ldapsearch -LLL -H ldaps://hostname:636 -b OU=xxx,OU=xxx,OU=xx,OU=xxx,DC=xxx,DC=xxx,DC=xxx userPrincipalName=HTTP/hostname@domain
SASL/GSSAPI authentication started
SASL username: user@domain
SASL SSF: 0
+ PRINC_SEARCH=
++ echo ''
++ sed -n '1 {h; $ !d}; $ {x; s/\n //g; p}; /^ / {H; d}; /^ /! {x; s/\n //g; p}'
+ RESULTS_UNWRAPPED=
+ echo $'\342\200\234\342\200\235'
+ set +e
+ echo
+ grep -q userPrincipalName
+ '[' 1 -eq 0 ']'
+ set -e
+ '[' false = true ']'
+ ldapmodify -H ldaps://hostname:636
++ echo 'objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user '
++ sed /str/d
++ echo HTTP/hostname@domain
++ sed -e 's/\@domain//g'
++ echo -n '"REDACTED"'
++ iconv -f UTF8 -t UTF16LE
++ base64 -w 0
SASL/GSSAPI authentication started
SASL username: user@domain
SASL SSF: 0
ldap_add: Constraint violation (19)
additional info: 000021C7: AtrErr: DSID-03200E7F, #1:
0: 000021C7: DSID-03200E7F, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName)

Thanks
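The trace above shows that gen_credentials_ad.sh only searches for an existing userPrincipalName before it runs ldapmodify, so an object that already carries the same servicePrincipalName is not noticed until AD rejects the add with constraint violation 19 on servicePrincipalName. As an added example (not Cloudera's script and not code from the post), here is a Python pre-flight check that parses ldapsearch LDIF output, unwraps AD's space-continued lines the way the script's sed does, and lists every object already holding the SPN or the UPN about to be created; the LDIF entries, hostnames and realm are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of `ldapsearch -LLL` output. AD wraps long values onto a
# following line that starts with a single space (see the second entry).
SAMPLE_LDIF = """\
dn: CN=cdhr_example,OU=hadoop,DC=example,DC=com
userPrincipalName: HTTP/node1.example.com@EXAMPLE.COM
servicePrincipalName: HTTP/node1.example.com
sAMAccountName: cdhr_example

dn: CN=NODE1,OU=Servers,DC=example,DC=com
servicePrincipalName: HOST/node1.example.com
servicePrincipalName: HTTP/node1.examp
 le.com
sAMAccountName: NODE1$

dn: CN=svc_web,OU=hadoop,DC=example,DC=com
userPrincipalName: svc_web@EXAMPLE.COM
servicePrincipalName: HTTP/node2.example.com
"""

def unwrap_ldif(text):
    """Join LDIF continuation lines (leading space) back onto the previous line."""
    return re.sub(r"\n ", "", text)

def parse_ldif(text):
    """Return one {attribute(lowercase): [values]} dict per LDIF entry.
    Simple 'attr: value' lines only; base64 ('::') values are not decoded here."""
    entries = []
    for block in unwrap_ldif(text).strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            entry[attr.strip().lower()].append(value.strip())
        entries.append(entry)
    return entries

def find_conflicts(entries, principal, realm):
    """List (dn, attribute, value) for every object that already holds the SPN
    `principal` or the UPN `principal@realm`. Any hit predicts that ldapmodify's
    add will fail the uniqueness check with constraint violation 19."""
    wanted = {principal.lower(), f"{principal}@{realm}".lower()}
    hits = []
    for e in entries:
        for attr in ("serviceprincipalname", "userprincipalname"):
            hits += [(e["dn"][0], attr, v) for v in e[attr] if v.lower() in wanted]
    return hits

if __name__ == "__main__":
    for dn, attr, value in find_conflicts(parse_ldif(SAMPLE_LDIF), "HTTP/node1.example.com", "EXAMPLE.COM"):
        print(f"conflict: {dn} already has {attr}={value}")
```

Run it against real `ldapsearch -LLL` output for the whole domain (not just the Cloudera OU the script searches) before regenerating credentials, and clear or move any reported SPN/UPN first.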
Labels: Cloudera Manager