kinit: Client's credentials have been revoked while getting initial credentials

kawad · Nov 25, 2016 · Viewed 38.9k times

I have an HDP cluster configured with Kerberos against AD. All HDP service accounts have principals and keytabs generated, including spark.

I know service accounts will not have passwords and are set to never expire. Now, while running kinit -kt spark.keytab -p spark-PRINCIPAL, I get the following error (see the title).

I read on the MIT website that it happens due to many unsuccessful login attempts or an account expiry set in the default policy in the KDC. The account can be unlocked using kadmin commands such as kadmin: modprinc spark/principal, but I have cross-checked with the AD admin. He says we don't use a KDC server to execute kadmin commands, since we use AD, but says the spark account is in an unlocked state when checked using the AD UI.

My questions:

Are there any commands to unlock the spark account in AD?

I have tried removing the spark service and reinstalling it in my cluster, which regenerated a new keytab and principal, to avoid the revoked error from AD. I also looked at whether any local spark account was causing this error.

The AD admin has given me server details and a password with limited privileges to run ldap search and delete commands. Can I use these privileges to unlock spark? And how do I do this?

Answer

T-Heron · Nov 26, 2016

The error you presented, "kinit: Client's credentials have been revoked while getting initial credentials", means the Active Directory account to which the keytab is related has been disabled, locked, expired, or deleted.

By default, one cannot unlock one's own account in AD (unless one is a Domain Administrator, a Domain Account Operator, or a member of some other administratively privileged group). The AD admin would need to grant you these rights. Based on the problem description, it sounds entirely possible the AD admin is looking at the wrong account. For example, if you run the command:

setspn -Q HTTP/somedomain.local

where "HTTP/somedomain.local" represents the SPN in this case, the output will reveal the name of the AD account tied to the SPN and keytab. Your AD admin needs to look at that account and determine whether it's been disabled, locked, expired, or deleted, and take corrective action.
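The asker already holds ldapsearch rights, so the same check the answer describes with setspn can be done from the Linux side without AD admin tooling. The following is an added example, not code from the question or the answer: it decodes the AD attributes that make the KDC return KDC_ERR_CLIENT_REVOKED (userAccountControl ACCOUNTDISABLE, lockoutTime, accountExpires) from the LDIF that ldapsearch prints. The ldapsearch command in the docstring, the DN, the hostnames, the SPN and the LDIF sample are all assumptions constructed for the example; only the attribute semantics and flag values are Microsoft's documented ones.

```python
"""Added example (not part of the original question or answer): decode the
Active Directory attributes behind "Client's credentials have been revoked".

AD's KDC answers KDC_ERR_CLIENT_REVOKED when the account that carries the
principal is disabled, locked out or expired, so the asker's read-only LDAP
bind is enough to see which one applies. Assumed (placeholder) dump command:

    ldapsearch -LLL -H ldaps://dc.example.com \
        -D 'CN=reader,OU=svc,DC=example,DC=com' -W -b 'DC=example,DC=com' \
        '(servicePrincipalName=spark/node1.example.com)' \
        sAMAccountName userAccountControl accountExpires lockoutTime servicePrincipalName

The LDIF below is constructed for this example; names, DN and SPN are placeholders.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl bits (ADS_USER_FLAG_ENUM). LOCKOUT is rarely set on the
# stored attribute; the lockoutTime attribute is the reliable lockout indicator.
ACCOUNTDISABLE = 0x0002
LOCKOUT = 0x0010
DONT_EXPIRE_PASSWORD = 0x10000

# accountExpires and lockoutTime are Windows FILETIMEs (100 ns ticks since
# 1601-01-01 UTC); 0 and 0x7FFFFFFFFFFFFFFF in accountExpires mean "never".
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}


def filetime_to_datetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_ldif(text):
    """Parse the single entry printed by ldapsearch -LLL into {attr: [values]}.

    Handles plain 'attr: value' lines and LDIF continuation lines; base64
    ('attr:: ...') values are not needed for the attributes queried here.
    """
    entry, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith(" ") and last:          # continuation of previous value
            entry[last][-1] += line[1:]
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr, []).append(value.strip())
        last = attr
    return entry


def diagnose(entry, now=None):
    """Return the reasons the KDC would revoke this account's initial credentials.

    An empty list means none of the three revocation conditions is visible in
    the directory (the KDC's own event log is the next place to look).
    """
    now = now or datetime.now(timezone.utc)
    if "sAMAccountName" not in entry:
        return ["no account carries that SPN: wrong SPN, or the admin is looking at another account"]
    reasons = []
    uac = int(entry.get("userAccountControl", ["0"])[0])
    if uac & ACCOUNTDISABLE:
        reasons.append("disabled (userAccountControl has ACCOUNTDISABLE)")
    lockout = int(entry.get("lockoutTime", ["0"])[0])
    if lockout or uac & LOCKOUT:
        reasons.append("locked out since %s (lockoutTime); clears after the domain lockoutDuration or an admin unlock"
                       % filetime_to_datetime(lockout).isoformat())
    expires = int(entry.get("accountExpires", ["0"])[0])
    if expires not in NEVER_EXPIRES and filetime_to_datetime(expires) <= now:
        reasons.append("expired at %s (accountExpires)" % filetime_to_datetime(expires).isoformat())
    return reasons


# Constructed ldapsearch -LLL output: a service account that is disabled but
# neither locked nor expired (66050 = 0x10202 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE).
SAMPLE_LDIF = """\
dn: CN=spark-node1,OU=Hadoop,DC=example,DC=com
sAMAccountName: spark-node1
userAccountControl: 66050
accountExpires: 9223372036854775807
lockoutTime: 0
servicePrincipalName: spark/node1.example.com
"""

if __name__ == "__main__":
    account = parse_ldif(SAMPLE_LDIF)
    verdict = diagnose(account) or ["not disabled, locked or expired in AD; check the KDC event log on the DC"]
    for reason in verdict:
        print("%s: %s" % (account["sAMAccountName"][0], reason))
```

Pipe the real ldapsearch output into parse_ldif instead of SAMPLE_LDIF and the script names the account the SPN actually resolves to, which is the same fact the answer extracts with setspn -Q. An empty result set is itself informative: it means no object in that search base carries the SPN from the keytab, so the admin cannot have been looking at the right account.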