0

To enable access to Kerberized Hadoop from a MacBook, I tried creating SPNEGO. After copying the SPNEGO keytab from the KDC on CentOS 7, running kinit failed with the following error:

$ kinit -kt /etc/security/keytabs/spnego.service.keytab ambari-qa-tcluster@EXAMPLE.COM

kinit: krb5_init_creds_set_keytab: Failed to find ambari-qa-ambari-qa-tcluster@EXAMPLE.COM in keytab FILE:/etc/security/keytabs/smokeuser.headless.keytab (unknown enctype)

On CentOS, I checked the enctype using the following:

[root@vpimply1 ~]# klist -kte /etc/security/keytabs/smokeuser.headless.keytab
Keytab name: FILE:/etc/security/keytabs/smokeuser.headless.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 11/27/2018 21:48:00 ambari-qa-tcluster@EXAMPLE.COM (des-cbc-md5)
   2 11/27/2018 21:48:00 ambari-qa-tcluster@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 11/27/2018 21:48:00 ambari-qa-tcluster@EXAMPLE.COM (arcfour-hmac)
   2 11/27/2018 21:48:00 ambari-qa-tcluster@EXAMPLE.COM (des3-cbc-sha1)
   2 11/27/2018 21:48:00 ambari-qa-tcluster@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
[root@vpimply1 ~]#

I tried creating the keytabs with a specific enctype, but still hit the same error.

How can I fix this "enctype" issue?

Federico Grandi
Venkat

2 Answers

4

After some struggle, I set KRB5 tracing as follows on the MacBook:

KRB5_TRACE=/dev/stdout

After setting this, I could clearly see that the permissions on the keytab weren't correct.

$ kinit -t /etc/security/keytabs/smokeuser.headless.keytab ambari-qa-vpimply@IMPLY.IO
2018-11-29T11:17:29 set-error: -1765328242: Reached end of credential caches
2018-11-29T11:17:29 set-error: -1765328243: Principal ambari-qa-vpimply@IMPLY.IO not found in any credential cache
2018-11-29T11:17:29 set-error: 13: keytab /etc/security/keytabs/smokeuser.headless.keytab access failed: Permission denied
2018-11-29T11:17:29 set-error: 13: Failed to find ambari-qa-vpimply@IMPLY.IO in keytab FILE:/etc/security/keytabs/smokeuser.headless.keytab (unknown enctype)
kinit: krb5_init_creds_set_keytab: Failed to find ambari-qa-vpimply@IMPLY.IO in keytab FILE:/etc/security/keytabs/smokeuser.headless.keytab (unknown enctype)

$ ls -alrt /etc/security/keytabs
total 24
-r--r-----  1 root                wheel  338 Nov 28 13:19 smokeuser.headless.keytab
drwxr-xr-x  5 root                wheel  160 Nov 28 17:16 .

After fixing the permissions to match the currently logged-in user, kinit worked fine! It had nothing to do with 'enctype'. Also, recent macOS doesn't need any packages to be installed, not even MIT Kerberos, for the client to work well.

Venkat
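The failure mode from the answer above, turned into a pre-flight check to run before kinit (an added example, not part of the original answer; the function names and return codes are chosen here). It reports a keytab the current user cannot read, the condition kinit surfaced as "unknown enctype", and also flags a keytab left readable by group or other, since a keytab holds long-term keys.

```shell
#!/bin/sh
# Added example: pre-flight check for a keytab before running `kinit -kt`.
# Return codes (chosen for this example, not a Kerberos convention):
#   0 = OK
#   1 = file missing
#   2 = not readable by the current user (kinit may say "unknown enctype")
#   3 = readable, but group/other permission bits are set

keytab_mode() {
    # Print the octal permission bits: GNU stat (Linux) first,
    # then BSD stat (macOS).
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

keytab_check() {
    kt=$1
    if [ ! -f "$kt" ]; then
        echo "keytab_check: $kt: no such file" >&2
        return 1
    fi
    if [ ! -r "$kt" ]; then
        echo "keytab_check: $kt: not readable by $(id -un);" \
             "kinit may report this as 'unknown enctype'" >&2
        return 2
    fi
    mode=$(keytab_mode "$kt")
    # Any non-zero digit in the group or other position exposes the keys.
    case "$mode" in
        *[1-7]|*[1-7]?)
            echo "keytab_check: $kt: mode $mode is open to group/other;" \
                 "chown it to the kinit user and chmod 600" >&2
            return 3
            ;;
    esac
    return 0
}

# Typical use (path and principal taken from the question):
#   keytab_check /etc/security/keytabs/smokeuser.headless.keytab &&
#       kinit -kt /etc/security/keytabs/smokeuser.headless.keytab ambari-qa-tcluster@EXAMPLE.COM
```

For the listing shown in the answer (mode 0440, owner root, group wheel), a user outside wheel gets return code 2; changing the owner to that user rather than widening the mode keeps the keytab private.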
1

It helps to know that the default installed Kerberos on Mac won't work.

I solved it by installing it with Homebrew: brew install krb5

To avoid using the original binaries, one must also add these paths to the ~/.bashrc or ~/.zshrc file:

export PATH="/usr/local/opt/krb5/bin:$PATH"
export PATH="/usr/local/opt/krb5/sbin:$PATH"
  • This saved Christmas and it wasn't even the holidays, thank you. Note: depending on your processor type, brew may install to a different location, not where you'd usually expect it. – John Fantastico Mar 02 '23 at 15:28