Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Accumulo 1.6 package - kerberos error

avatar
Contributor
Hi,<br><br>Having a few problems with Kerberos and the Accumulo 1.6 package installation in CDH5.2. Wondering if anyone can advise.<br><br>When I try and start any of the services, I get a Kerberos error - the one that usually indicates that you're using the wrong principal name for the keytab.<br><br>To try and diagnose this I've tracked down the configuration files in /var/run. The keytab that's been distributed correctly initialises with kinit. I've noticed that the accumulo-site.xml has the principal name set as:<br>accumulo/_HOST.domain.local@DOMAIN.LOCAL<br><br>whereas all other *-site.xml files have the principal set as:<br>service/_HOST@DOMAIN.LOCAL<br><br>i.e. without the .doman.local following the _HOST placeholder. Is this likely the source of my error or do I need to look elsewhere?<br><br>I'm not entirely clear how the placeholder values get replaced - it looks like the file is regenerated everytime the service starts up. It looks like it might be controlled by the script in the ACCUMULO16 CM extension at:<br><a target="_blank" href="https://github.com/cloudera/cm_csds/blob/master/ACCUMULO16/src/scripts/accumulo.sh">https://github.c... in advance.<br><br>
2 ACCEPTED SOLUTIONS

avatar
Cloudera Employee

Checkout lines 84 and 85 in accumulo.sh script. It replaces the hostname in the accumulo principal by _HOST. The script finds out the name of the host by running "hostname". Does that command return the full hostname on your hosts?

View solution in original post

avatar
Contributor

Ah, this got me on the right track.  I've switched the 'hostname' command for 'hostname -f', redeployed the CSD jar and it works now.

 

I think I'm a bit confused about how this works then.  CM deploys a fresh config, it supplies the principal name to this initialisation script (presumably it's got the right one, as CM is aware of the keytabs it's distributing).  That principal is regexed to remove the hostname and replace it with the template value of _HOST.  Accumulo starts and replaces _HOST with the principal again.

 

I guess the problem here is that 'hostname' returns an unqualified hostname whereas CM knows the server running the service by is FQDN.

 

Maybe I'm missing something, but it seems like all the switching of hostnames an template values is what's causing the problem here.

 

Thanks for pointing me in the right direction.

View solution in original post

3 REPLIES 3

avatar
Contributor
That didn't work so well... so much for posting from an iPad. 😞

Will try again, otherwise I'll post from my laptop later.
<pre>
Hi,

Having a few problems with Kerberos and the Accumulo 1.6 package installation in CDH5.2. Wondering if anyone can advise.

When I try and start any of the services, I get a Kerberos error - the one that usually indicates that you're using the wrong principal name for the keytab.

To try and diagnose this I've tracked down the configuration files in /var/run. The keytab that's been distributed correctly initialises with kinit. I've noticed that the accumulo-site.xml has the principal name set as:
accumulo/_HOST.domain.local@DOMAIN.LOCAL

whereas all other *-site.xml files have the principal set as:
service/_HOST@DOMAIN.LOCAL

i.e. without the .doman.local following the _HOST placeholder. Is this likely the source of my error or do I need to look elsewhere?

I'm not entirely clear how the placeholder values get replaced - it looks like the file is regenerated everytime the service starts up. It looks like it might be controlled by the script in the ACCUMULO16 CM extension at:
https://github.com/cloudera/cm_csds/blob/master/ACCUMULO16/src/scripts/accumulo.sh

Thanks in advance.



</pre>

avatar
Cloudera Employee

Checkout lines 84 and 85 in accumulo.sh script. It replaces the hostname in the accumulo principal by _HOST. The script finds out the name of the host by running "hostname". Does that command return the full hostname on your hosts?

avatar
Contributor

Ah, this got me on the right track.  I've switched the 'hostname' command for 'hostname -f', redeployed the CSD jar and it works now.

 

I think I'm a bit confused about how this works then.  CM deploys a fresh config, it supplies the principal name to this initialisation script (presumably it's got the right one, as CM is aware of the keytabs it's distributing).  That principal is regexed to remove the hostname and replace it with the template value of _HOST.  Accumulo starts and replaces _HOST with the principal again.

 

I guess the problem here is that 'hostname' returns an unqualified hostname whereas CM knows the server running the service by is FQDN.

 

Maybe I'm missing something, but it seems like all the switching of hostnames an template values is what's causing the problem here.

 

Thanks for pointing me in the right direction.