Background
I installed MIT Kerberos server on a Linux host and then enabled Kerberos through the wizard in the Cloudera Manager web UI. The wizard failed, and after the Cloudera Manager home page was refreshed many Configuration Issues appeared, all reporting that the Kerberos credentials of various services were missing.
Procedure
Generate Missing Credentials in the web UI did not produce the credential files either. The log showed that the keytab needed by the script running in the background did not exist. These keytabs, one per CDH Hadoop component, are created by a Kerberos principal with admin privileges: Cloudera Manager runs kadmin -q "addprinc ..." with that principal's credentials and then exports the new key to a keytab.
Here are the steps for troubleshooting errors.
Search for error-related logs
Open Cloudera Manager (version 6.2.1 in this environment) and go to Diagnostics -> Logs.
Since the symptom is that credentials cannot be found, narrow the time range to the failed attempt and search by keyword.
The log shows that /opt/cloudera/cm/bin/gen_credentials.sh, which Cloudera Manager runs on its own server to create the Kerberos credentials a service needs, failed.
The point of failure is that the script never produced the keytab file.
Investigate the cause of the script error
Log in to the Cloudera Manager server and inspect the script:
cat /opt/cloudera/cm/bin/gen_credentials.sh
```bash
#! /usr/bin/env bash
# Copyright (c) 2011 Cloudera, Inc. All rights reserved.
set -e
set -x

# Explicitly add RHEL5/6, SLES11/12 locations to path
export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:$PATH

# CMF_PRINCIPAL and CMF_KEYTAB_FILE hold the Kerberos Account Manager
# credentials imported in the Cloudera Manager UI; the realm is derived
# from the principal name.
CMF_REALM=${CMF_PRINCIPAL##*\@}
KEYTAB_OUT=$1        # path of the service keytab to write
PRINC=$2             # service principal to create
MAX_RENEW_LIFE=$3    # maximum renewable ticket life in seconds (0 = unset)

# Every kadmin call authenticates with the admin keytab, not a password.
KADMIN="kadmin -k -t $CMF_KEYTAB_FILE -p $CMF_PRINCIPAL -r $CMF_REALM"

RENEW_ARG=""
if [ $MAX_RENEW_LIFE -gt 0 ]; then
  RENEW_ARG="-maxrenewlife \"$MAX_RENEW_LIFE sec\""
fi

if [ -z "$KRB5_CONFIG" ]; then
  echo "Using system default krb5.conf path."
else
  echo "Using custom config path '$KRB5_CONFIG', contents below:"
  cat $KRB5_CONFIG
fi

# Create the principal with a random key.
$KADMIN -q "addprinc $RENEW_ARG -randkey $PRINC"

# Verify that maxrenewlife actually took effect.
if [ $MAX_RENEW_LIFE -gt 0 ]; then
  RENEW_LIFETIME=`$KADMIN -q "getprinc -terse $PRINC" | tail -1 | cut -f 12`
  if [ $RENEW_LIFETIME -eq 0 ]; then
    echo "Unable to set maxrenewlife"
    exit 1
  fi
fi

# Export the key to the keytab and keep it readable by the owner only.
$KADMIN -q "xst -k $KEYTAB_OUT $PRINC"
chmod 600 $KEYTAB_OUT
```
As the script shows, the Kerberos keytab for every Hadoop service is generated with the same admin keytab and principal ($CMF_KEYTAB_FILE and $CMF_PRINCIPAL), which Cloudera Manager derives from the Kerberos Account Manager Credentials entered in the web UI. That principal must therefore hold the corresponding privileges in the KDC's kadm5.acl.
I tried re-importing the KDC admin account that I had created manually on the KDC server (Cloudera Manager Home -> Administration -> Security -> Kerberos Credentials -> Import Kerberos Account Manager Credentials), but it still failed.
The KDC admin account information was definitely correct.
Comparing this KDC's kdc.conf with one from a working KDC, the [logging] section was missing, so I added it to get kadmind to write a log.
The following is the configuration on the KDC server after the change:
```
% cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 SHOUNENG.COM = {
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  # supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
  max_renewable_life = 30m
  master_key_type = des3-hmac-sha1
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  max_life = 30d
  max_renewable_life = 31d
  #removed supported_enctypes aes256-cts:normal and aes128-cts:normal
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4
 }

[logging]
 admin_server = FILE:/var/log/kdc_admin.log
 kdc = FILE:/var/log/kdc.log
```
Two things in this file deserve attention besides the logging fix. The realm block sets supported_enctypes twice and max_renewable_life twice (30m and 31d), so it is not obvious which value is in effect; duplicated relations should be removed. More importantly, the AES enctypes have been commented out in favour of single-DES, 3DES and RC4 (arcfour-hmac): single DES is broken and was removed from MIT krb5 in release 1.18, and 3DES and RC4 are deprecated in current releases, so a production KDC should keep aes256-cts and aes128-cts and drop the DES types.
With logging enabled, I ran Generate Missing Credentials again and watched the kadmind log. It shows the following:
```
% sed -n '1, 50 p' /var/log/kdc_admin.log
Oct 15 23:41:13 host-10-17-100-90 kadmind[19124](info): setting up network...
kadmind: setsockopt(10,IPV6_V6ONLY,1) worked
kadmind: setsockopt(12,IPV6_V6ONLY,1) worked
kadmind: setsockopt(14,IPV6_V6ONLY,1) worked
Oct 15 23:41:13 host-10-17-100-90 kadmind[19124](info): set up 6 sockets
Oct 15 23:41:13 host-10-17-100-90 kadmind[19124](Error): /var/kerberos/krb5kdc/kadm5.acl: syntax error at line 1 <*/[email protected]*...>
Oct 15 23:41:13 host-10-17-100-90 kadmind[19125](info): Seeding random number generator
Oct 15 23:41:13 host-10-17-100-90 kadmind[19125](info): starting
Oct 15 23:42:24 host-10-17-100-90 kadmind[19125](Notice): Request: kadm5_init, root/[email protected], success, client=root/[email protected], service=kadmin/[email protected], addr=10.17.101.160, vers=4, flavor=6
Oct 15 23:42:29 host-10-17-100-90 kadmind[19125](Notice): Unauthorized request: kadm5_get_principals, *, client=root/[email protected], service=kadmin/[email protected], addr=10.17.101.160
Oct 15 23:42:46 host-10-17-100-90 kadmind[19125](Notice): Unauthorized request: kadm5_get_principals, *, client=root/[email protected], service=kadmin/[email protected], addr=10.17.101.160
Oct 15 23:43:07 host-10-17-100-90 kadmind[19125](Notice): Unauthorized request: kadm5_get_policy, default, client=root/[email protected], service=kadmin/[email protected], addr=10.17.101.160
Oct 15 23:43:07 host-10-17-100-90 kadmind[19125](Notice): Unauthorized request: kadm5_create_principal, [email protected], client=root/[email protected], service=kadmin/[email protected], addr=10.17.101.160
```
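The log above shows the whole story in two steps: kadmind reports a syntax error in kadm5.acl while starting, keeps running without that entry, and then denies every admin operation the entry was meant to allow. To make that diagnosis repeatable, here is an added example (not from the original post, Cloudera or MIT) that runs over kadmind log lines: it counts ACL parse errors logged at startup and summarises the "Unauthorized request" entries by client principal and operation. The sample log embedded in the block is constructed to mirror the format above; the realm EXAMPLE.COM, host kdc1 and the principal names in it are assumptions, while the message formats are kadmind's own.

```shell
#!/bin/sh
# Added example (not from the original post, Cloudera or MIT): triage an MIT
# kadmind log for the failure pattern seen above. Realm EXAMPLE.COM, host kdc1
# and the principals in the sample log are constructed data.

# Count "kadm5.acl: syntax error" lines. kadmind logs this once while loading
# the ACL at startup; the affected entry is then simply not in effect.
kadmind_acl_errors() {
    grep -c 'kadm5\.acl: syntax error' "$1" || true
}

# Summarise "Unauthorized request" entries as "client operation count", one
# line each, sorted. kadmind's message format is:
#   Unauthorized request: <op>, <target>, client=<princ>, service=<princ>, addr=<ip>
kadmind_unauthorized() {
    awk '
        /Unauthorized request: / {
            op = $0; sub(/.*Unauthorized request: /, "", op); sub(/,.*/, "", op)
            cl = $0; sub(/.*client=/, "", cl);              sub(/,.*/, "", cl)
            n[cl " " op]++
        }
        END { for (k in n) print k, n[k] }
    ' "$1" | sort
}

# Stand-alone demo on a constructed sample log.
kadmind_triage_demo() {
    log=$(mktemp)
    cat > "$log" <<'EOF'
Oct 15 23:41:13 kdc1 kadmind[19124](Error): /var/kerberos/krb5kdc/kadm5.acl: syntax error at line 1 <*/admin@EXAMPLE.COM*...>
Oct 15 23:41:13 kdc1 kadmind[19125](info): starting
Oct 15 23:42:24 kdc1 kadmind[19125](Notice): Request: kadm5_init, root/admin@EXAMPLE.COM, success, client=root/admin@EXAMPLE.COM, service=kadmin/kdc1.example.com@EXAMPLE.COM, addr=10.0.0.5, vers=4, flavor=6
Oct 15 23:42:29 kdc1 kadmind[19125](Notice): Unauthorized request: kadm5_get_principals, *, client=root/admin@EXAMPLE.COM, service=kadmin/kdc1.example.com@EXAMPLE.COM, addr=10.0.0.5
Oct 15 23:42:46 kdc1 kadmind[19125](Notice): Unauthorized request: kadm5_get_principals, *, client=root/admin@EXAMPLE.COM, service=kadmin/kdc1.example.com@EXAMPLE.COM, addr=10.0.0.5
Oct 15 23:43:07 kdc1 kadmind[19125](Notice): Unauthorized request: kadm5_create_principal, hdfs/dn1.example.com@EXAMPLE.COM, client=root/admin@EXAMPLE.COM, service=kadmin/kdc1.example.com@EXAMPLE.COM, addr=10.0.0.5
EOF
    errs=$(kadmind_acl_errors "$log")
    echo "ACL syntax errors at startup: $errs"
    echo "Unauthorized requests (client operation count):"
    kadmind_unauthorized "$log"
    if [ "$errs" -gt 0 ]; then
        echo "kadmind is running with a partially loaded ACL; fix kadm5.acl and restart kadmind."
    fi
    rm -f "$log"
}

kadmind_triage_demo
```

Run it against the real file with `kadmind_unauthorized /var/log/kdc_admin.log`; a non-zero count from `kadmind_acl_errors` together with denials for the very principal Cloudera Manager authenticates as points at the ACL, not at the imported credentials.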
The line kadmind logged while starting is a syntax error in the ACL file:
```
kadmind[19124](Error): /var/kerberos/krb5kdc/kadm5.acl: syntax error at line 1 <*/[email protected]*... >
```
A kadm5.acl entry is a principal pattern followed by a permission field, and the two must be separated by whitespace. Here `*/[email protected]*` runs the pattern and the permission field `*` together, so it has to become `*/[email protected] *` (one space was missing).
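This is easy to miss by eye, so here is an added example (not Cloudera's or MIT's code, and not from the original post): a small POSIX shell linter for kadm5.acl that catches entries with fewer than two fields and permission fields containing characters outside the set MIT documents (a, c, d, e, i, l, m, p, s, their upper-case negations, and x or * for all privileges). The realm EXAMPLE.COM and the principal names in the embedded samples are constructed.

```shell
#!/bin/sh
# Added example (not Cloudera's or MIT's code): lint an MIT kadm5.acl file for
# the mistakes that make kadmind log "syntax error at line N" and then deny
# every request the entry was meant to allow.
#
# Entry format:  principal_pattern  permissions  [target_pattern] [restrictions]
# Permission letters documented by MIT: a c d e i l m p s; upper-case letters
# negate the right; x or * grant everything.

# check_kadm5_acl FILE -> 0 if clean, 1 if any entry is malformed
# (one diagnostic per bad line on stderr).
check_kadm5_acl() {
    acl=$1
    status=0
    lineno=0
    set -f                     # patterns contain '*'; never let the shell glob them
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        set -- $line           # split the entry into whitespace-separated fields
        if [ $# -eq 0 ]; then
            continue           # blank line
        fi
        case "$1" in
            \#*) continue ;;   # comment
        esac
        if [ $# -lt 2 ]; then
            echo "$acl: line $lineno: '$1' has no permission field (missing whitespace?)" >&2
            status=1
            continue
        fi
        case "$2" in
            *[!aAcCdDeEiIlLmMpPsSx*]*)
                echo "$acl: line $lineno: bad permission field '$2'" >&2
                status=1 ;;
        esac
    done < "$acl"
    set +f
    return $status
}

# Stand-alone demo on constructed files: the broken shape from this post (no
# whitespace before the permission field) and a corrected file.
kadm5_acl_demo() {
    dir=$(mktemp -d)
    printf '%s\n' '*/admin@EXAMPLE.COM*' > "$dir/broken.acl"
    printf '%s\n' '# admin principals get every privilege' '*/admin@EXAMPLE.COM *' \
        'cloudera-scm/admin@EXAMPLE.COM acdeimlp' > "$dir/fixed.acl"
    for f in "$dir/broken.acl" "$dir/fixed.acl"; do
        if check_kadm5_acl "$f"; then echo "$f: OK"; else echo "$f: has errors"; fi
    done
    rm -rf "$dir"
}

kadm5_acl_demo
```

Running `check_kadm5_acl /var/kerberos/krb5kdc/kadm5.acl` before restarting kadmind avoids a second round trip through the log; the linter only checks shape, so it will not tell you whether the principal Cloudera Manager uses is actually matched by an entry.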
After fixing the line, restart kadmind (kadm5.acl is read when the admin server starts) and run Generate Missing Credentials again; this time the credentials are created successfully.