Header Shadow Image

«
»

preauth (encrypted_timestamp) verify failure: Preauthentication failed

Getting this?

Aug 25 08:18:51 idmipa03.mws.mds.xyz krb5kdc[6704](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Aug 25 08:18:51 idmipa03.mws.mds.xyz krb5kdc[6704](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.140: PREAUTH_FAILED: hue/cm-r01en01.mws.mds.xyz@MWS.MDS.XYZ for krbtgt/MWS.MDS.XYZ@MWS.MDS.XYZ, Preauthentication failed

Check the principal vs the keytab you're using for the same service:

kadmin.local:  getprinc hue/cm-r01en01.mws.mds.xyz@MWS.MDS.XYZ
Principal: hue/cm-r01en01.mws.mds.xyz@MWS.MDS.XYZ
Expiration date: [never]
Last password change: Sun Aug 25 01:14:37 EDT 2019
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 90 days 00:00:00
Last modified: Sun Aug 25 01:14:37 EDT 2019 (hue/cm-r01en01.mws.mds.xyz@MWS.MDS.XYZ)
Last successful authentication: [never]
Last failed authentication: Sun Aug 25 08:37:15 EDT 2019
Failed password attempts: 31362
Number of keys: 2
Key: vno 22, aes256-cts-hmac-sha1-96:special
Key: vno 22, aes128-cts-hmac-sha1-96:special
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
kadmin.local:

Now check the keytab for the same service:

[root@cm-r01en01 ~]# klist -kte /var/run/cloudera-scm-agent/process/1151-hue-KT_RENEWER/hue.keytab
Keytab name: FILE:/var/run/cloudera-scm-agent/process/1151-hue-KT_RENEWER/hue.keytab
KVNO Timestamp           Principal
—- ——————- ——————————————————
  18 08/25/2019 00:46:12 hue/cm-r01en01.mws.mds.xyz@MWS.MDS.XYZ (aes256-cts-hmac-sha1-96)
  18 08/25/2019 00:46:12 hue/cm-r01en01.mws.mds.xyz@MWS.MDS.XYZ (aes128-cts-hmac-sha1-96)
  18 08/25/2019 00:46:12 hue/cm-r01en01.mws.mds.xyz@MWS.MDS.XYZ (aes256-cts-hmac-sha384-192)
  18 08/25/2019 00:46:12 hue/cm-r01en01.mws.mds.xyz@MWS.MDS.XYZ (aes128-cts-hmac-sha256-128)
  18 08/25/2019 00:46:12 hue/cm-r01en01.mws.mds.xyz@MWS.MDS.XYZ (des3-cbc-sha1)
  18 08/25/2019 00:46:12 hue/cm-r01en01.mws.mds.xyz@MWS.MDS.XYZ (arcfour-hmac)
[root@cm-r01en01 ~]#

To resolve this, go to Cloudera Manager and regenerate the credentials.  New principal looked like this:

kadmin.local:  getprinc hue/cm-r01en01.mws.mds.xyz@MWS.MDS.XYZ
Principal: hue/cm-r01en01.mws.mds.xyz@MWS.MDS.XYZ
Expiration date: [never]
Last password change: Sun Aug 25 08:38:34 EDT 2019
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 90 days 00:00:00
Last modified: Sun Aug 25 08:38:34 EDT 2019 (hue/cm-r01en01.mws.mds.xyz@MWS.MDS.XYZ)
Last successful authentication: [never]
Last failed authentication: Sun Aug 25 08:37:15 EDT 2019
Failed password attempts: 31362
Number of keys: 6
Key: vno 23, aes256-cts-hmac-sha1-96
Key: vno 23, aes128-cts-hmac-sha1-96
Key: vno 23, des3-cbc-sha1
Key: vno 23, arcfour-hmac
Key: vno 23, camellia128-cts-cmac
Key: vno 23, camellia256-cts-cmac
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
kadmin.local:

kadmin.local:  getprinc hue/cm-r01en02.mws.mds.xyz@MWS.MDS.XYZ
Principal: hue/cm-r01en02.mws.mds.xyz@MWS.MDS.XYZ
Expiration date: [never]
Last password change: Sun Aug 25 08:38:17 EDT 2019
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 90 days 00:00:00
Last modified: Sun Aug 25 08:38:17 EDT 2019 (hue/cm-r01en02.mws.mds.xyz@MWS.MDS.XYZ)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 19, aes256-cts-hmac-sha1-96
Key: vno 19, aes128-cts-hmac-sha1-96
Key: vno 19, des3-cbc-sha1
Key: vno 19, arcfour-hmac
Key: vno 19, camellia128-cts-cmac
Key: vno 19, camellia256-cts-cmac
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
kadmin.local:

Comparing the above to the generated hue.keytab files shows a match:

[root@cm-r01en01 ~]# klist -kte /var/run/cloudera-scm-agent/process/1229-hue-KT_RENEWER/hue.keytab
Keytab name: FILE:/var/run/cloudera-scm-agent/process/1229-hue-KT_RENEWER/hue.keytab
KVNO Timestamp           Principal
—- ——————- ——————————————————
  23 08/25/2019 08:44:22 hue/cm-r01en01.mws.mds.xyz@MWS.MDS.XYZ (aes256-cts-hmac-sha1-96)
  23 08/25/2019 08:44:22 hue/cm-r01en01.mws.mds.xyz@MWS.MDS.XYZ (aes128-cts-hmac-sha1-96)
  23 08/25/2019 08:44:22 hue/cm-r01en01.mws.mds.xyz@MWS.MDS.XYZ (aes256-cts-hmac-sha384-192)
  23 08/25/2019 08:44:22 hue/cm-r01en01.mws.mds.xyz@MWS.MDS.XYZ (aes128-cts-hmac-sha256-128)
  23 08/25/2019 08:44:22 hue/cm-r01en01.mws.mds.xyz@MWS.MDS.XYZ (des3-cbc-sha1)
  23 08/25/2019 08:44:22 hue/cm-r01en01.mws.mds.xyz@MWS.MDS.XYZ (arcfour-hmac)
[root@cm-r01en01 ~]#

[root@cm-r01en02 ~]# klist -kte /var/run/cloudera-scm-agent/process/1228-hue-KT_RENEWER/hue.keytab
Keytab name: FILE:/var/run/cloudera-scm-agent/process/1228-hue-KT_RENEWER/hue.keytab
KVNO Timestamp           Principal
—- ——————- ——————————————————
  19 08/25/2019 08:44:22 hue/cm-r01en02.mws.mds.xyz@MWS.MDS.XYZ (aes256-cts-hmac-sha1-96)
  19 08/25/2019 08:44:22 hue/cm-r01en02.mws.mds.xyz@MWS.MDS.XYZ (aes128-cts-hmac-sha1-96)
  19 08/25/2019 08:44:22 hue/cm-r01en02.mws.mds.xyz@MWS.MDS.XYZ (aes256-cts-hmac-sha384-192)
  19 08/25/2019 08:44:22 hue/cm-r01en02.mws.mds.xyz@MWS.MDS.XYZ (aes128-cts-hmac-sha256-128)
  19 08/25/2019 08:44:22 hue/cm-r01en02.mws.mds.xyz@MWS.MDS.XYZ (des3-cbc-sha1)
  19 08/25/2019 08:44:22 hue/cm-r01en02.mws.mds.xyz@MWS.MDS.XYZ (arcfour-hmac)
[root@cm-r01en02 ~]#

And Hue is green.

Cheers,
TK

This entry was posted on Sunday, August 25th, 2019 at 8:42 am and is filed under NIX Posts. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a Reply

You must be logged in to post a comment.

     
  Copyright © 2003 - 2013 Tom Kacperski (microdevsys.com). All rights reserved.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License