Created on 09-06-2017 12:57 PM - edited 09-16-2022 05:12 AM
I'd like to enable Kerberos for HDP 2.6.1 on Ubuntu 16.04 and I am following the guideline below.
After installing the Kerberos client on all hosts, it failed in the Test Kerberos step with:
add_principal: Insufficient access to lock database while creating "[email protected]"
I have tried to disable SELinux (ref http://manpages.ubuntu.com/manpages/xenial/man8/kerberos_selinux.8.html) but no luck.
I also tried to log in to the KDC with kadmin -p admin/[email protected] and then ran "addprinc [email protected]"; it prompted with the same error.
Has anyone encountered this and have any solution or hints?
Thanks a ton.
Forest
Created 09-06-2017 09:46 PM
There are a couple of things that might have gone wrong.
How many nodes in your cluster? Have you successfully enabled it through the Ambari wizard? Did you copy the krb5.conf from the KDC to all hosts? Make sure your KDC is up and running, and ensure autostart on OS reboot is enabled.
I noticed you used REALM in lowercase 🙂
kadmin -p admin/[email protected] it should be kadmin -p admin/[email protected]
Can you copy and paste the contents of the following config files? Remember to mask sensitive info ONLY.
krb5.conf kadm5.acl kdc.conf
Can you log on to the KDC using the commands below, or the sudo option where applicable?
# kadmin.local
# sudo kadmin.local
Authenticating as principal admin/[email protected] with password.
kadmin.local: addprinc [email protected]
WARNING: no policy specified for [email protected]; defaulting to no policy
Enter password for principal "[email protected]":
Re-enter password for principal "[email protected]": {Master_KDC_password}
Principal "[email protected]" created
Type q to quit kadmin.
Create a keytab in the current directory for the test3 user (use appropriate command)
# sudo ktutil
# ktutil
ktutil: addent -password -p [email protected] -k 1 -e RC4-HMAC
Password for [email protected]:
ktutil: wkt test3.keytab
ktutil: q
Copy the keytab to test3 user home directory and change the permissions
# chown test3:test3 test3.keytab
Test the validity of the keytab against the principal created earlier on
# klist -kt /etc/security/keytabs/test3.keytab
Keytab name: FILE:/etc/security/keytabs/test3.keytab
KVNO Timestamp           Principal
-----------------------------------------------------------------------------
   1 07/18/2017 10:46:27 [email protected]
Grab a Kerberos ticket; note the concatenation of keytab/principal
# kinit -kt /etc/security/keytabs/test3.keytab [email protected]
Check if the above command gives a valid Kerberos ticket
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
07/18/2017 10:53:48  07/19/2017 10:53:48  krbtgt/[email protected]
All is set. If need be, repeat the above for all users you intend to create.
Please revert
Created 09-07-2017 06:01 AM
Thanks for the advice.
The issue was resolved after changing the realms name from dev.com to DEV.COM
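
The fix reported in this thread was a realm-case change (dev.com to DEV.COM). As an added example, not part of any post and not Ambari or MIT Kerberos code, the Python check below compares the realm spellings used in krb5.conf and kadm5.acl, since Kerberos realm names are case-sensitive. The file contents and host names are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample inputs (not from the thread): krb5.conf uses the
# upper-case realm, while kadm5.acl still carries the lower-case spelling.
KRB5_CONF = """\
[libdefaults]
  default_realm = DEV.COM

[realms]
  DEV.COM = {
    kdc = kdc.dev.com
  }

[domain_realm]
  .dev.com = DEV.COM
"""

KADM5_ACL = """\
# principal        permissions
*/admin@dev.com    *
"""

def krb5_realms(text):
    """Return (default_realm, realm names declared under [realms])."""
    default = re.search(r"^\s*default_realm\s*=\s*(\S+)", text, re.M)
    section = re.search(r"^\[realms\](.*?)(?=^\[|\Z)", text, re.M | re.S)
    names = re.findall(r"^\s*(\S+)\s*=\s*\{", section.group(1), re.M) if section else []
    return (default.group(1) if default else None), names

def acl_realms(text):
    """Return the realm part of every principal pattern in kadm5.acl."""
    realms = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if line and "@" in line.split()[0]:
            realms.append(line.split()[0].rsplit("@", 1)[1])
    return realms

def realm_mismatches(krb5_text, acl_text):
    """List (source, found, expected) where a realm differs from default_realm only by case."""
    default, declared = krb5_realms(krb5_text)
    seen = [("krb5.conf [realms]", r) for r in declared]
    seen += [("kadm5.acl", r) for r in acl_realms(acl_text)]
    return [(src, r, default) for src, r in seen
            if default and r != default and r.lower() == default.lower()]

if __name__ == "__main__":
    for source, found, expected in realm_mismatches(KRB5_CONF, KADM5_ACL):
        print(f"{source}: realm '{found}' should be '{expected}'")
```

To check a real KDC host, read the actual krb5.conf and kadm5.acl files and pass their contents to realm_mismatches.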