kinit: Client's credentials have been revoked while getting initial credentials


Solution 1

Issue: kinit: Client's credentials have been revoked while getting initial credentials

The solution is very simple. Check the WMI account in Active Directory. The WMI or WMI_query account must have been locked out, which triggers this error.

Solution: unlock the WMI_query account in Active Directory. Refresh it a few times. Issue resolved. Thanks Hamid Bhalli

Solution 2

Sometimes you might get this error when your user password has changed. It happened to me, and the first result from Google brought me to this page, but the above solution didn't work.

Solution: Run

kdestroy

followed by

kinit

Solution 3

The error you presented: "kinit: Client's credentials have been revoked while getting initial credentials" means the Active Directory account to which the keytab is related has been disabled, locked, expired, or deleted.

By default, one cannot unlock their own account in AD (unless they are a Domain Administrator, a Domain Account Operator, or a member of some other administratively privileged group). The AD admin would need to grant you these rights. Based on the problem description, it sounds entirely possible the AD admin is looking at the wrong account. For example, if you run the command:

setspn -Q HTTP/somedomain.local

where "HTTP/somedomain.local" represents the SPN in this case, the output will reveal the name of the AD account tied to the SPN and keytab. Your AD admin needs to look at that account and determine whether it's been disabled, locked, expired, or deleted, and take corrective action.
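The check Solution 3 asks the AD admin to make can also be done from the Linux side with read-only LDAP access: look up the account that owns the SPN and decode the attributes that produce KDC_ERR_CLIENT_REVOKED. The script below is an added example, not from the original answer; the LDIF entry, the account name "spark" and the SPN are constructed sample data, and the ldapsearch command in the comment is only illustrative of how such an entry would be obtained.

```python
import datetime as dt

FILETIME_EPOCH = dt.datetime(1601, 1, 1, tzinfo=dt.timezone.utc)
ACCOUNTDISABLE = 0x0002                    # userAccountControl flag bit
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)    # accountExpires values meaning "never"

# Constructed sample: roughly what an ldapsearch for the SPN's account would return,
#   ldapsearch -LLL -H ldap://dc01 -D 'user@somedomain.local' -W \
#     -b 'DC=somedomain,DC=local' '(servicePrincipalName=spark/node1.somedomain.local)' \
#     sAMAccountName userAccountControl lockoutTime accountExpires
SAMPLE_LDIF = """\
dn: CN=spark,OU=Hadoop,DC=somedomain,DC=local
sAMAccountName: spark
userAccountControl: 66048
lockoutTime: 132878016000000000
accountExpires: 9223372036854775807
"""

def filetime_to_datetime(ft):
    """Convert an AD FILETIME (100 ns intervals since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + dt.timedelta(microseconds=ft // 10)

def parse_ldif(text):
    """Minimal LDIF reader for one entry: 'attr: value' lines only (no folding/base64)."""
    entry = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            key, _, value = line.partition(": ")
            entry.setdefault(key, []).append(value.strip())
    return entry

def diagnose(entry, now=None):
    """Return the reasons the KDC would answer KDC_ERR_CLIENT_REVOKED for this account."""
    now = now or dt.datetime.now(dt.timezone.utc)
    if not entry:
        return ["no account found for that SPN (deleted, or wrong search base)"]
    reasons = []
    if int(entry.get("userAccountControl", ["0"])[0]) & ACCOUNTDISABLE:
        reasons.append("disabled: userAccountControl has ACCOUNTDISABLE set")
    lockout = int(entry.get("lockoutTime", ["0"])[0])
    if lockout:  # nonzero = a lockout was recorded; still in force unless the domain lockoutDuration has elapsed
        reasons.append(f"locked out since {filetime_to_datetime(lockout):%Y-%m-%d %H:%M:%SZ}")
    expires = int(entry.get("accountExpires", ["0"])[0])
    if expires not in NEVER_EXPIRES and filetime_to_datetime(expires) <= now:
        reasons.append(f"expired on {filetime_to_datetime(expires):%Y-%m-%d}")
    return reasons

if __name__ == "__main__":
    for reason in diagnose(parse_ldif(SAMPLE_LDIF)) or ["no revocation cause found"]:
        print(reason)
```

A nonzero lockoutTime that is older than the domain's lockout duration no longer blocks logon, so confirm against the domain policy (or msDS-User-Account-Control-Computed) before asking for an unlock.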

Updated on January 28, 2022

Comments

  • Admin
    Admin over 2 years

    I have an HDP cluster configured with Kerberos with AD. All HDP service accounts have principals and keytabs generated, including spark.

    I know service accounts will not have passwords and are set to unexpire. Now while doing kinit -kt spark.keytab -p spark-PRINCIPAL I get the following error (see the title).

    I read on the MIT website that it happens due to many unsuccessful login attempts or account expiry set in the default policy in the KDC. The account can be unlocked using kadmin commands such as kadmin:modprinci spark/principal, but I have cross checked with the AD admin. He says we don't use a KDC server to execute kadmin commands, whereas we use AD, but says the spark account is in an unlocked state when checked using the AD UI.

    My questions:

    Are there any commands to unlock the spark account in AD?

    I have tried removing the spark service and reinstalling it in my cluster, which did regenerate a new keytab and principal, to avoid the revoked error from AD. Saw if any spark local account was causing this error.

    The AD admin has given me server details and a password with limited privileges to do ldap search and delete commands. Can I use these privileges to unlock spark? And how to do this?

  • Ravi OpenSource
    Ravi OpenSource over 3 years
    How to find the wmi account in active directory
  • tomh
    tomh over 2 years
    This answer has the benefit of the user being able to fix the issue on their own.