Troubleshooting Kerberos Security Issues
Typically, if Kerberos security is not working on your cluster, Hadoop will display generic messages about the cause of the problem. Here are some common problems and their solutions.
Issues with Generate Credentials
Cloudera Manager uses a command called Generate Credentials to create the accounts needed by CDH for enabling authentication using Kerberos. The command is triggered automatically when you are using the Kerberos Wizard or making changes to your cluster that will require new Kerberos principals.
When configuring Kerberos, if CDH services don't start and the Cloudera Manager Home page shows the validation error "Role is missing Kerberos keytab", the Generate Credentials command has failed. To see the output of the command, navigate to the Home page and click the All Recent Commands tab.
Here are some common error messages:
| Problems | Possible Causes | Solutions |
|---|---|---|
| With Active Directory | | |
| `ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)` | The Domain Controller specified is incorrect, or LDAPS has not been enabled for it. | Verify the KDC configuration by going to the Cloudera Manager Admin Console and navigating to . Also check that LDAPS is enabled for Active Directory. |
| `ldap_add: Insufficient access (50)` | The Active Directory account you are using for Cloudera Manager does not have permission to create other accounts. | Use the Delegate Control wizard to grant the Cloudera Manager account permission to create other accounts. You can also log in to Active Directory as the Cloudera Manager user to check that it can create other accounts in your Organizational Unit. |
| With MIT KDC | | |
| `kadmin: Cannot resolve network address for admin server in requested realm while initializing kadmin interface.` | The hostname for the KDC server is incorrect. | Check the kdc field for your default realm in krb5.conf and make sure the hostname is correct. |
Other Kerberos-Related Issues
If the Generate Credentials command has succeeded but CDH services still fail to start, refer to the following table for solutions to some other common Kerberos problems. You can also check the Server or Agent logs for errors associated with keytab generation or for more information about the problem.
| Problems | Possible Causes | Solutions |
|---|---|---|
| CDH services fail to start. | | Check that the encryption types are matched between your KDC and krb5.conf on all hosts. In particular, if you are using AES-256, follow the instructions at Step 2: If You are Using AES-256 Encryption, Install the JCE Policy File to deploy the JCE policy file on all hosts. |
| Error in the CDH daemon logs: `13/01/15 17:44:48 DEBUG ipc.Client: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]` | The ticket message is too large for the default UDP protocol. | Force Kerberos to use TCP instead of UDP by adding `udp_preference_limit = 1` to the `[libdefaults]` section of the krb5.conf file on the client(s) where the problem is occurring. If you choose to manage krb5.conf through Cloudera Manager, this setting is added to krb5.conf automatically. |
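As an added example (not part of the Cloudera documentation or of Cloudera Manager), the script below parses a krb5.conf and reports on the three settings this page tells you to verify: the kdc entry for the default realm, udp_preference_limit, and whether AES-256 enctypes are in use (which means the JCE policy file must be deployed). The sample configuration embedded in it is constructed, and the parser handles only the one-level `REALM = { ... }` blocks found in typical krb5.conf files.

```python
import re

# Constructed sample krb5.conf (not from the page): no udp_preference_limit
# and AES-256 enctypes, so two of the three checks below should fire.
SAMPLE_KRB5_CONF = """
[libdefaults]
  default_realm = EXAMPLE.COM
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
  EXAMPLE.COM = {
    kdc = kdc1.example.com
  }
"""

def parse_krb5_conf(text):
    """Minimal parser: {section: {key: value}}; each REALM = { ... } block nests under its section."""
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if re.match(r"^\[\w+\]$", line):            # [libdefaults], [realms], ...
            section, realm = line[1:-1], None
            conf.setdefault(section, {})
        elif section and re.match(r"^[\w.\-]+\s*=\s*\{$", line):  # REALM = {
            realm = line.split("=", 1)[0].strip()
            conf[section].setdefault(realm, {})
        elif line == "}":
            realm = None
        elif section and "=" in line:               # key = value
            key, value = (s.strip() for s in line.split("=", 1))
            (conf[section][realm] if realm else conf[section])[key] = value
    return conf

def check_krb5_conf(text):
    """Return a list of findings; an empty list means all checks passed."""
    conf = parse_krb5_conf(text)
    libdefaults = conf.get("libdefaults", {})
    findings = []
    realm = libdefaults.get("default_realm")
    if not conf.get("realms", {}).get(realm, {}).get("kdc"):
        findings.append("no kdc for default realm %r (kadmin: cannot resolve admin server)" % realm)
    if libdefaults.get("udp_preference_limit") != "1":
        findings.append("udp_preference_limit != 1: large tickets over UDP fail with 'No service creds'")
    enctype_keys = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
    if "aes256" in " ".join(libdefaults.get(k, "") for k in enctype_keys):
        findings.append("AES-256 enctypes in use: deploy the JCE policy file on every host")
    return findings
```

Run `check_krb5_conf(open("/etc/krb5.conf").read())` on a client host to list which of the page's checks still need attention.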