Generate credentials in Cloudera Manager failed with the following errors:

```
/usr/share/cmf/bin/gen_credentials_ad.sh failed with exit code 53 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/sbin:/usr/sbin:/bin:/usr/bin
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf2781839247630884630.keytab
+ PRINC=sqoop2/host@REALM.COM
+ USER=kaupocSuFoZIOIDa
+ PASSWD=REDACTED
+ DIST_NAME=CN=kaupocSuFoZIOIDa,OU=Cloudera,OU=ServersUnix,OU=IT,OU=Basel,OU=AdminUnits,DC=emea,DC=xxxx,DC=com
+ '[' -z /etc/krb5-cdh.conf ']'
+ echo 'Using custom config path '\''/etc/krb5-cdh.conf'\'', contents below:'
+ cat /etc/krb5-cdh.conf
+ SIMPLE_PWD_STR=
+ '[' '' = '' ']'
+ kinit -k -t /var/run/cloudera-scm-server/cmf5575611164358256388.keytab cdhad@REALM.COM
++ mktemp /tmp/cm_ldap.XXXXXXXX
+ LDAP_CONF=/tmp/cm_ldap.XRbR8Zco
+ echo 'TLS_REQCERT never'
+ echo 'sasl_secprops minssf=0,maxssf=0'
+ export LDAPCONF=/tmp/cm_ldap.XRbR8Zco
+ LDAPCONF=/tmp/cm_ldap.XRbR8Zco
++ ldapsearch -LLL -H ldaps://host:636 -b OU=Cloudera,OU=ServersUnix,OU=IT,OU=Basel,OU=AdminUnits,DC=emea,DC=xxxx,DC=com userPrincipalName=sqoop2/ @REALM.COM
SASL/GSSAPI authentication started
SASL username: cdhad@REALM.COM
SASL SSF: 0
+ PRINC_SEARCH=
+ set +e
+ echo
+ grep -q userPrincipalName
+ '[' 1 -eq 0 ']'
+ set -e
+ ldapmodify -H ldaps:// :636
++ echo sqoop2/ @REALM.COM
++ sed -e 's/\@REALM.COM//g'
++ echo -n '"REDACTED"'
++ iconv -f UTF8 -t UTF16LE
++ base64 -w 0
SASL/GSSAPI authentication started
SASL username: cdhad@REALM.COM
SASL SSF: 0
ldap_add: Server is unwilling to perform (53)
additional info: 0000052D: SvcErr: DSID-031A1248, problem 5003 (WILL_NOT_PERFORM), data 0
```

If you see a similar error and you know that AD is enabled for your cluster, you have landed in the right place. This is likely caused by a bug in Cloudera Manager: it does not allow users to change the complexity of the generated password, so if the AD server has password complexity restrictions set up, Cloudera Manager's request is rejected. The fix is simple, but it requires changing some source code in Cloudera Manager. Follow the steps below:
- Back up the file /usr/share/cmf/bin/gen_credentials_ad.sh on the CM host first.
- Add this line to /usr/share/cmf/bin/gen_credentials_ad.sh at line number 15:

  ```
  PASSWD="$PASSWD-"
  ```

  after the line:

  ```
  PASSWD=$4
  ```

  Basically, this appends a hyphen to CM-generated passwords.
- Run Generate Credentials again to see if this helps.

```
PASSWD="ABC=$PASSWD" # prepends "ABC=" to generated password.
```

The idea is to meet the AD password requirements. This issue is likely already fixed in Cloudera Manager's source code, to support more flexibility when generating passwords, but it won't be released until CM5.8 at least.
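The two edits above add different numbers of character categories, which matters under AD's default complexity policy (characters from at least three of uppercase, lowercase, digits and symbols); the `0000052D` in the log is the Windows password-restriction error code. The check below is an added example, not part of the original post or of Cloudera Manager. The function names and sample passwords are constructed, and minimum length and the account-name rule are not checked.

```shell
#!/bin/sh
# Added example, not Cloudera's code. Counts which of the four character
# categories used by AD's default complexity policy a password contains.
# Assumption: the policy wants at least 3 of uppercase, lowercase, digits,
# symbols. Minimum length and the account-name rule are not checked.
LC_ALL=C; export LC_ALL   # make [A-Z] and [a-z] plain ASCII ranges

ad_pw_classes() {
    _n=0
    case $1 in *[A-Z]*) _n=$((_n + 1)) ;; esac
    case $1 in *[a-z]*) _n=$((_n + 1)) ;; esac
    case $1 in *[0-9]*) _n=$((_n + 1)) ;; esac
    case $1 in *[!A-Za-z0-9]*) _n=$((_n + 1)) ;; esac
    echo "$_n"
}

# Succeeds (exit status 0) when at least 3 categories are present.
ad_pw_ok() {
    [ "$(ad_pw_classes "$1")" -ge 3 ]
}

# Constructed sample values, not real CM output: a mixed-case letters-only
# password, the same with the hyphen edit, and a lowercase-only password with
# each of the two edits from the steps above.
for sample in 'kQwZpLmNxRtY' 'kQwZpLmNxRtY-' 'abcdefgh-' 'ABC=abcdefgh'; do
    if ad_pw_ok "$sample"; then verdict=pass; else verdict=fail; fi
    printf '%-14s categories=%s %s\n' \
        "$sample" "$(ad_pw_classes "$sample")" "$verdict"
done
```

The lowercase-only sample still fails with the hyphen alone but passes with the `ABC=` prefix, because the prefix supplies both an uppercase letter and a symbol. Either fixed string adds no entropy to the generated password; it only supplies the missing categories.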