Archives of Support Questions (Read Only)


Ambari Web ui Kerberos HTTP error


Hi

I am getting this error in almost all installed services. Can someone help us?

Connection failed to http://hostname:50070 (Execution of '/usr/bin/kinit -c /var/lib/ambari-agent/tmp/curl_krb_cache/web_alert_ambari-qa_cc_196393db8ad8461dac739b8ea56294c7 -kt /etc/security/keytabs/spnego.service.keytab HTTP/hostname@RELAY.COM > /dev/null' returned 1. kinit: Keytab contains no suitable keys for HTTP/hostname@RELAY.COM while getting initial credentials)
1 ACCEPTED SOLUTION

Master Mentor

@Sam Red

There could be a couple of reasons here.

First, make sure the KDC and kadmin are running, assuming you are on RHEL/CentOS 7.

Check the current status; these 2 daemons should be running

# systemctl status krb5kdc.service
# systemctl status kadmin.service 

If they are not running, please enable them so they autostart at the next reboot

# systemctl enable kadmin.service
# systemctl enable krb5kdc.service

Start the services

# systemctl start krb5kdc.service 
# systemctl start kadmin.service

As the root user, check that the principals are in the KDC database

# kadmin.local 
Authenticating as principal root/admin@RELAY.COM with password. 
kadmin.local: listprincs


First, forcefully expire the current Kerberos credentials; log on as user hdfs or whatever

# kdestroy 

Validate that no credentials are cached

# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0) 

To see what entries are in that keytab file, use klist

# klist -kte  /etc/security/keytabs/spnego.service.keytab
Keytab name: FILE:/etc/security/keytabs/spnego.service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 08/24/2017 15:42:23 HTTP/hostname@RELAY.COM (aes256-cts-hmac-sha1-96)
   1 08/24/2017 15:42:23 HTTP/hostname@RELAY.COM (des-cbc-md5)
   1 08/24/2017 15:42:23 HTTP/hostname@RELAY.COM (arcfour-hmac)
   1 08/24/2017 15:42:23 HTTP/hostname@RELAY.COM (aes128-cts-hmac-sha1-96)
   1 08/24/2017 15:42:23 HTTP/hostname@RELAY.COM (des3-cbc-sha1)

Then grab a valid Kerberos ticket using the info above

# kinit -kt /etc/security/keytabs/spnego.service.keytab  HTTP/hostname@RELAY.COM 

Now retry

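An added example, not part of the original post: kinit reports "Keytab contains no suitable keys" when the keytab has no key for the exact principal requested, so this script parses `klist -kte` output and reports whether that principal is present. The function names, the sample listing and the FQDN principal are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: does a keytab listing hold keys for the principal kinit asks for?

# Constructed sample of `klist -kte` output, modelled on the listing above.
SAMPLE_KLIST='Keytab name: FILE:/etc/security/keytabs/spnego.service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 08/24/2017 15:42:23 HTTP/hostname@RELAY.COM (aes256-cts-hmac-sha1-96)
   1 08/24/2017 15:42:23 HTTP/hostname@RELAY.COM (des-cbc-md5)
   1 08/24/2017 15:42:23 HTTP/hostname@RELAY.COM (arcfour-hmac)'

# keytab_entries: read `klist -kte` output on stdin and print one
# "kvno principal enctype" line per key, skipping the header lines.
# Assumes the date/time layout shown above (principal in field 4).
keytab_entries() {
  awk '$1 ~ /^[0-9]+$/ && NF >= 5 { gsub(/[()]/, "", $5); print $1, $4, $5 }'
}

# check_keytab_principal PRINCIPAL: read `klist -kte` output on stdin.
# Prints the matching keys and returns 0 when the exact principal is present.
# Otherwise lists the principals the keytab does hold on stderr and returns 1.
check_keytab_principal() {
  ckp_want=$1
  ckp_entries=$(keytab_entries)
  if printf '%s\n' "$ckp_entries" |
     awk -v p="$ckp_want" '$2 == p { found = 1; print "key: kvno=" $1, "enctype=" $3 }
                           END { exit !found }'; then
    return 0
  fi
  echo "no key for $ckp_want; keytab holds:" >&2
  printf '%s\n' "$ckp_entries" | awk 'NF { print "  " $2 }' | sort -u >&2
  return 1
}

# Principal exactly as listed: three keys are reported.
printf '%s\n' "$SAMPLE_KLIST" | check_keytab_principal 'HTTP/hostname@RELAY.COM'

# Constructed mismatch (FQDN requested, short name stored): reported as missing.
printf '%s\n' "$SAMPLE_KLIST" |
  check_keytab_principal 'HTTP/hostname.relay.com@RELAY.COM' || true

# Live use (assumed invocation): klist -kte /etc/security/keytabs/spnego.service.keytab |
#                                  check_keytab_principal 'HTTP/hostname@RELAY.COM'
```

The comparison is an exact string match, so a short hostname in the keytab against an FQDN in the request (or the reverse) shows up as a missing principal.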

3 REPLIES


Is "hostname" in HTTP/hostname@RELAY.COM literally "hostname", or did you replace that for the purposes of this query?
