Pivotal Knowledge Base


kinit on RHEL 6.x fails with keytab file generated on RHEL 7.x

Environment

Product: Pivotal HD 3.0.x
OS: RHEL 6.x and 7.x

Symptom

When attempting to enable security on a Pivotal HD 3.0.x cluster, kinit fails with the error message “Bad encryption type while getting initial credentials”.

Error Message:

[root@admin temp]# kinit -kt hdfs.service.keytab hdfs/hdm1.hadoop.local@PIVOTAL.IO
kinit: Bad encryption type while getting initial credentials

Cause

The KDC server is running on a RHEL 7.x host, whose Kerberos library recognizes and names encryption types in the keytab file differently from the RHEL 6.x client.

RCA

The following is an example of the content of a keytab file, as shown by klist -ekt, on a RHEL 7.x host:

Keytab name: FILE:hdfs.service.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
2 11/18/2015 14:43:41 hdfs/hdm1.hadoop.local@PIVOTAL.IO (aes256-cts-hmac-sha1-96)
2 11/18/2015 14:43:41 hdfs/hdm1.hadoop.local@PIVOTAL.IO (aes128-cts-hmac-sha1-96)
2 11/18/2015 14:43:41 hdfs/hdm1.hadoop.local@PIVOTAL.IO (des3-cbc-sha1)
2 11/18/2015 14:43:41 hdfs/hdm1.hadoop.local@PIVOTAL.IO (arcfour-hmac)
2 11/18/2015 14:43:41 hdfs/hdm1.hadoop.local@PIVOTAL.IO (camellia256-cts-cmac)
2 11/18/2015 14:43:41 hdfs/hdm1.hadoop.local@PIVOTAL.IO (camellia128-cts-cmac)
2 11/18/2015 14:43:41 hdfs/hdm1.hadoop.local@PIVOTAL.IO (des-hmac-sha1)
2 11/18/2015 14:43:41 hdfs/hdm1.hadoop.local@PIVOTAL.IO (des-cbc-md5)

And the content of the same keytab file on a RHEL 6.x host:

Keytab name: FILE:hdfs.service.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
2 11/18/15 01:43:41 hdfs/hdm1.hadoop.local@PIVOTAL.IO (aes256-cts-hmac-sha1-96)
2 11/18/15 01:43:41 hdfs/hdm1.hadoop.local@PIVOTAL.IO (aes128-cts-hmac-sha1-96)
2 11/18/15 01:43:41 hdfs/hdm1.hadoop.local@PIVOTAL.IO (des3-cbc-sha1)
2 11/18/15 01:43:41 hdfs/hdm1.hadoop.local@PIVOTAL.IO (arcfour-hmac)
2 11/18/15 01:43:41 hdfs/hdm1.hadoop.local@PIVOTAL.IO (etype 26)
2 11/18/15 01:43:41 hdfs/hdm1.hadoop.local@PIVOTAL.IO (etype 25)
2 11/18/15 01:43:41 hdfs/hdm1.hadoop.local@PIVOTAL.IO (des-hmac-sha1)
2 11/18/15 01:43:41 hdfs/hdm1.hadoop.local@PIVOTAL.IO (des-cbc-md5)

As shown in the fifth and sixth entries of each listing (camellia256-cts-cmac and camellia128-cts-cmac on RHEL 7.x, shown only as etype 26 and etype 25 on RHEL 6.x), two encryption types have different names on RHEL 6.x and 7.x systems. This makes the KDC server fail to recognize those two encryption types in the kinit request from the RHEL 6.x host.

Resolution

Set up the KDC server on a RHEL 6.x system and generate the keytab files again.

If the KDC server on the RHEL 7.x system has to be used, one workaround is to delete the two encryption types with conflicting names from the keytab file on the Kerberos client side (the RHEL 6.x system in this case).

Try the following steps to delete entries from the keytab file:

1. Identify the slot numbers of the entries to be deleted in the keytab file. They are the fifth and sixth entries in the above example.

2. Use the "ktutil" tool to delete the entries as shown below. Note that the entry with the larger slot number must be deleted first ('6' in the example), because deleting an entry renumbers every entry after it.

[root@admin temp]# ktutil
ktutil: rkt /root/temp/hdfs.service.keytab
ktutil: delent 6
ktutil: delent 5
ktutil: wkt /root/temp/hdfs.service.keytab.new
ktutil: quit

3. Run "klist" to verify that the entries were deleted successfully.

[root@admin temp]# klist -ekt hdfs.service.keytab.new
Keytab name: FILE:hdfs.service.keytab.new
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
2 11/18/15 01:51:52 hdfs/hdm1.hadoop.local@PIVOTAL.IO (aes256-cts-hmac-sha1-96)
2 11/18/15 01:51:52 hdfs/hdm1.hadoop.local@PIVOTAL.IO (aes128-cts-hmac-sha1-96)
2 11/18/15 01:51:52 hdfs/hdm1.hadoop.local@PIVOTAL.IO (des3-cbc-sha1)
2 11/18/15 01:51:52 hdfs/hdm1.hadoop.local@PIVOTAL.IO (arcfour-hmac)
2 11/18/15 01:51:52 hdfs/hdm1.hadoop.local@PIVOTAL.IO (des-hmac-sha1)
2 11/18/15 01:51:52 hdfs/hdm1.hadoop.local@PIVOTAL.IO (des-cbc-md5)

4. Run "kinit" with the new keytab file to get a Kerberos ticket.
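A script that automates steps 1 to 3 above, added here as an example and not part of the original article: it finds the entries that klist on the client can only show as "etype NN", deletes them with ktutil highest slot first, and writes a new keytab. The sample klist output is constructed from the RHEL 6.x listing above, and the function names are assumed.

```shell
#!/bin/sh
# Constructed sample of `klist -ekt` output on the RHEL 6.x client (same shape
# as the listing above; the two Camellia entries appear only as "etype NN").
SAMPLE_KLIST='Keytab name: FILE:hdfs.service.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 11/18/15 01:43:41 hdfs/hdm1.hadoop.local@PIVOTAL.IO (aes256-cts-hmac-sha1-96)
   2 11/18/15 01:43:41 hdfs/hdm1.hadoop.local@PIVOTAL.IO (aes128-cts-hmac-sha1-96)
   2 11/18/15 01:43:41 hdfs/hdm1.hadoop.local@PIVOTAL.IO (des3-cbc-sha1)
   2 11/18/15 01:43:41 hdfs/hdm1.hadoop.local@PIVOTAL.IO (arcfour-hmac)
   2 11/18/15 01:43:41 hdfs/hdm1.hadoop.local@PIVOTAL.IO (etype 26)
   2 11/18/15 01:43:41 hdfs/hdm1.hadoop.local@PIVOTAL.IO (etype 25)
   2 11/18/15 01:43:41 hdfs/hdm1.hadoop.local@PIVOTAL.IO (des-hmac-sha1)
   2 11/18/15 01:43:41 hdfs/hdm1.hadoop.local@PIVOTAL.IO (des-cbc-md5)'

# Print the 1-based ktutil slot numbers of entries whose encryption type the
# local library cannot name (klist shows them as "(etype NN)"), highest first,
# so that deleting them in that order never shifts a slot still to be deleted.
unknown_etype_slots() {
    printf '%s\n' "$1" | awk '
        /^ *[0-9]+ / { slot++; if ($0 ~ /\(etype [0-9]+\)$/) print slot }
    ' | sort -rn
}

# Build the ktutil command script: read the keytab, delete the given slots
# (already in descending order), write the cleaned copy to a new file.
ktutil_script() {
    keytab=$1; out=$2; shift 2
    printf 'rkt %s\n' "$keytab"
    for slot in "$@"; do printf 'delent %s\n' "$slot"; done
    printf 'wkt %s\nquit\n' "$out"
}

# End to end on a real keytab; needs the klist and ktutil binaries.
clean_keytab() {
    keytab=$1; out=${2:-$1.new}
    slots=$(unknown_etype_slots "$(klist -ekt "$keytab")")
    [ -n "$slots" ] || { echo "no unknown etypes in $keytab"; return 0; }
    # shellcheck disable=SC2086  (word splitting on $slots is intended)
    ktutil_script "$keytab" "$out" $slots | ktutil
    klist -ekt "$out"
}
```

On the RHEL 6.x client, `clean_keytab /root/temp/hdfs.service.keytab` writes hdfs.service.keytab.new and lists it for verification; the original keytab is left untouched.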

Additional Information

Refer to the Pivotal HD documentation for more information about how to generate the keytab file and use kinit to get a Kerberos ticket.
