Unable to generate keytab from within Cloudera Manager

When generating credentials through Cloudera Manager, the Generate Credentials command sometimes fails with the following error:
/usr/share/cmf/bin/gen_credentials_ad.sh failed with exit code 53 and
output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/sbin:/usr/sbin:/bin:/usr/bin
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf2781839247630884630.keytab
+ PRINC=sqoop2/@REALM.COM
+ USER=kaupocSuFoZIOIDa
+ PASSWD=REDACTED
+ DIST_NAME=CN=kaupocSuFoZIOIDa,OU=Cloudera,OU=ServersUnix,OU=IT,OU=Basel,OU=AdminUnits,DC=emea,DC=XXXX,DC=com
+ '[' -z /etc/krb5-cdh.conf ']'
+ echo 'Using custom config path '\''/etc/krb5-cdh.conf'\'', contents below:'
+ cat /etc/krb5-cdh.conf
+ SIMPLE_PWD_STR=
+ '[' '' = '' ']'
+ kinit -k -t /var/run/cloudera-scm-server/cmf5575611164358256388.keytab
cdhad@REALM.COM
++ mktemp /tmp/cm_ldap.XXXXXXXX
+ LDAP_CONF=/tmp/cm_ldap.XRbR8Zco
+ echo 'TLS_REQCERT never'
+ echo 'sasl_secprops minssf=0,maxssf=0'
+ export LDAPCONF=/tmp/cm_ldap.XRbR8Zco
+ LDAPCONF=/tmp/cm_ldap.XRbR8Zco
++ ldapsearch -LLL -H ldaps://:636 -b
OU=Cloudera,OU=ServersUnix,OU=IT,OU=Basel,OU=AdminUnits,DC=emea,DC=xxxx,DC=com
userPrincipalName=sqoop2/@REALM.COM
SASL/GSSAPI authentication started
SASL username: cdhad@REALM
SASL SSF: 0
+ PRINC_SEARCH=
+ set +e
+ echo
+ grep -q userPrincipalName
+ '[' 1 -eq 0 ']'
+ set -e
+ ldapmodify -H ldaps://:636
++ echo sqoop2/@REALM.COM
++ sed -e 's/\@REALM.COM//g'
++ echo -n '"REDACTED"'
++ iconv -f UTF8 -t UTF16LE
++ base64 -w 0
SASL/GSSAPI authentication started
SASL username: cdhad@REALM.COMSASL SSF: 0
ldap_add: Server is unwilling to perform (53)
additional info: 0000052D: SvcErr: DSID-031A1248, problem 5003
(WILL_NOT_PERFORM), data 0
Generate credentials in Cloudera Manager failed with the following errors:

/usr/share/cmf/bin/gen_credentials_ad.sh failed with exit code 53 and
output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/sbin:/usr/sbin:/bin:/usr/bin
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf2781839247630884630.keytab
+ PRINC=sqoop2/host@REALM.COM
+ USER=kaupocSuFoZIOIDa
+ PASSWD=REDACTED
+ DIST_NAME=CN=kaupocSuFoZIOIDa,OU=Cloudera,OU=ServersUnix,OU=IT,OU=Basel,OU=AdminUnits,DC=emea,DC=xxxx,DC=com
+ '[' -z /etc/krb5-cdh.conf ']'
+ echo 'Using custom config path '\''/etc/krb5-cdh.conf'\'', contents below:'
+ cat /etc/krb5-cdh.conf
+ SIMPLE_PWD_STR=
+ '[' '' = '' ']'
+ kinit -k -t /var/run/cloudera-scm-server/cmf5575611164358256388.keytab
cdhad@REALM.COM
++ mktemp /tmp/cm_ldap.XXXXXXXX
+ LDAP_CONF=/tmp/cm_ldap.XRbR8Zco
+ echo 'TLS_REQCERT never'
+ echo 'sasl_secprops minssf=0,maxssf=0'
+ export LDAPCONF=/tmp/cm_ldap.XRbR8Zco
+ LDAPCONF=/tmp/cm_ldap.XRbR8Zco
++ ldapsearch -LLL -H ldaps://host:636 -b
OU=Cloudera,OU=ServersUnix,OU=IT,OU=Basel,OU=AdminUnits,DC=emea,DC=xxxx,DC=com
userPrincipalName=sqoop2/@REALM.COM
SASL/GSSAPI authentication started
SASL username: cdhad@REALM.COM
SASL SSF: 0
+ PRINC_SEARCH=
+ set +e
+ echo
+ grep -q userPrincipalName
+ '[' 1 -eq 0 ']'
+ set -e
+ ldapmodify -H ldaps://:636
++ echo sqoop2/@REALM.COM
++ sed -e 's/\@REALM.COM//g'
++ echo -n '"REDACTED"'
++ iconv -f UTF8 -t UTF16LE
++ base64 -w 0
SASL/GSSAPI authentication started
SASL username: cdhad@REALM.COMSASL SSF: 0
ldap_add: Server is unwilling to perform (53)
additional info: 0000052D: SvcErr: DSID-031A1248, problem 5003
(WILL_NOT_PERFORM), data 0
If you see a similar error and you know that your cluster is integrated with Active Directory, you have landed in the right place. This is likely caused by a bug in Cloudera Manager: it gives users no way to change the complexity of the passwords it generates for the AD accounts, so if the AD server enforces a password complexity policy, the ldap_add request carrying the generated password is rejected with "Server is unwilling to perform (53)". The fix is simple, but it requires changing a script that ships with Cloudera Manager. Follow the steps below:
  1. Back up the file /usr/share/cmf/bin/gen_credentials_ad.sh on the Cloudera Manager host first.
  2. Add this line to /usr/share/cmf/bin/gen_credentials_ad.sh at line 15:
    PASSWD="$PASSWD-"
    
    after the line:
    PASSWD=$4
    
    This appends a hyphen to every password Cloudera Manager generates.
  3. Run Generate Credentials again to see if this helps.
If the same error still occurs, go back to step 2 and try a different variation of the password, for example:
PASSWD="ABC=$PASSWD" # prepends "ABC=" to the generated password.
The goal is to meet the AD password complexity requirements. This issue is likely already fixed in Cloudera Manager's source code, giving more flexibility when generating passwords, but the fix will not be released until CM 5.8 at the earliest.
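The following is an added example, not part of the original post and not Cloudera's gen_credentials_ad.sh. It shows the two password adjustments from step 2 as shell functions, plus a local check that a candidate password would satisfy Active Directory's default complexity policy before the script hands it to ldapmodify. The policy thresholds (at least 7 characters, at least 3 of the 4 character classes, and no occurrence of the account name) are assumptions based on AD's default settings; your domain's policy may differ. The encode_unicode_pwd function uses the same quote/iconv/base64 pipeline visible in the captured script output.

```bash
#!/bin/sh
# Added example (not from the original post or from Cloudera's script).
# Mirrors the step-2 adjustment: take the password Cloudera Manager passes
# in as $4, add a hyphen or a prefix, and check the result against AD's
# default complexity rules before it is sent to ldapmodify.
# Thresholds are ASSUMED AD defaults: length >= 7, >= 3 of 4 character
# classes, and the value must not contain the account name.

# Step 2 of the post: append a hyphen to the generated password.
adjust_password() {
    printf '%s-' "$1"
}

# Variation from the post: prepend "ABC=" to the generated password.
adjust_password_prefix() {
    printf 'ABC=%s' "$1"
}

# Count how many of the four AD character classes the password contains:
# upper case, lower case, digits, and anything else (symbols).
char_classes() {
    pw=$1
    n=0
    case $pw in *[A-Z]*) n=$((n + 1));; esac
    case $pw in *[a-z]*) n=$((n + 1));; esac
    case $pw in *[0-9]*) n=$((n + 1));; esac
    case $pw in *[!A-Za-z0-9]*) n=$((n + 1));; esac
    echo "$n"
}

# Return 0 if the candidate would pass the assumed AD complexity policy.
# $1 = candidate password, $2 = the account name (the USER= value in the log)
ad_complexity_ok() {
    pw=$1
    user=$2
    [ "${#pw}" -ge 7 ] || return 1
    [ "$(char_classes "$pw")" -ge 3 ] || return 1
    # AD rejects a password that contains the account name (case-insensitive)
    lower_pw=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
    lower_user=$(printf '%s' "$user" | tr '[:upper:]' '[:lower:]')
    case $lower_pw in *"$lower_user"*) return 1;; esac
    return 0
}

# Encode a password for the unicodePwd attribute the way the logged
# pipeline does: wrap in double quotes, convert to UTF-16LE, base64.
encode_unicode_pwd() {
    printf '"%s"' "$1" | iconv -f UTF8 -t UTF16LE | base64 -w 0
}

# Constructed sample: letters only, like a generated password that only
# has two character classes and would be rejected by a complexity policy.
SAMPLE_PWD='abcdefGHIJKL'
SAMPLE_USER='someaccount'

if ad_complexity_ok "$SAMPLE_PWD" "$SAMPLE_USER"; then
    echo "original password already meets the assumed policy"
else
    echo "original password fails the assumed policy; applying step-2 adjustment"
fi
ADJUSTED=$(adjust_password "$SAMPLE_PWD")
if ad_complexity_ok "$ADJUSTED" "$SAMPLE_USER"; then
    echo "adjusted password meets the assumed policy"
fi
```

Run the check against the value right after the line `PASSWD=$4` in your own copy of the script; if it reports a failure before any LDAP call is made, you know the rejection is a complexity problem rather than a permissions or connectivity one. Keep in mind that the generated password is a credential: do not echo it into logs while debugging.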
