Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Ambari Web ui Kerberos HTTP error

avatar
Contributor

Hi

I am getting this error almost in all services installed can someone help us

Connection failed to http://hostname:50070 (Execution of '/usr/bin/kinit -c /var/lib/ambari-agent/tmp/curl_krb_cache/web_alert_ambari-qa_cc_196393db8ad8461dac739b8ea56294c7 -kt /etc/security/keytabs/spnego.service.keytab HTTP/hostname@RELAY.COM > /dev/null' returned 1. kinit: Keytab contains no suitable keys for HTTP/hostname@RELAY.COM while getting initial credentials)
1 ACCEPTED SOLUTION

avatar
Master Mentor

@Sam Red

There could be a couple of reasons here.

First make sure the KDC and Kadmin is running assuming you are on RHEL/Centos7

Check the current status these 2 deamons should be running

# systemctl status krb5kdc.service
# systemctl status kadmin.service 

If they are not running please, enable them so at next reboot they autostart

# systemctl enable kadmin.service
# systemctl enable krb5kdc.service

Start the services

# systemctl start krb5kdc.service 
# systemctl start kadmin.service

As the root user check that the principals are in the KDC database

# kadmin.local 
Authenticating as principal root/admin@RELAY.COM with password. 
kadmin.local: listprincs


First forcefully expire the current kerberos credentials, log on as user hdfs or whatever

# kdestroy 

Validate that no credentials are cached

# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0) 

To see what keytab entries in that keytab file, use klist

# klist -kte  /etc/security/keytabs/spnego.service.keytab
Keytab name: FILE:/etc/security/keytabs/spnego.service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 08/24/2017 15:42:23 HTTP/hostname@RELAY.COM (aes256-cts-hmac-sha1-96)
   1 08/24/2017 15:42:23 HTTP/hostname@RELAY.COM (des-cbc-md5)
   1 08/24/2017 15:42:23 HTTP/hostname@RELAY.COM (arcfour-hmac)
   1 08/24/2017 15:42:23 HTTP/hostname@RELAY.COM (aes128-cts-hmac-sha1-96)
   1 08/24/2017 15:42:23 HTTP/hostname@RELAY.COM (des3-cbc-sha1)

The grab a valid kerberos using the info above

# kinit -kt /etc/security/keytabs/spnego.service.keytab  HTTP/hostname@RELAY.COM 

Now retry

View solution in original post

3 REPLIES 3

avatar

is "hostname" in HTTP/hostname@RELAY.COM, literally "hostname" or did you replace that for the purposes of this query?

avatar
Master Mentor

@Sam Red

There could be a couple of reasons here.

First make sure the KDC and Kadmin is running assuming you are on RHEL/Centos7

Check the current status these 2 deamons should be running

# systemctl status krb5kdc.service
# systemctl status kadmin.service 

If they are not running please, enable them so at next reboot they autostart

# systemctl enable kadmin.service
# systemctl enable krb5kdc.service

Start the services

# systemctl start krb5kdc.service 
# systemctl start kadmin.service

As the root user check that the principals are in the KDC database

# kadmin.local 
Authenticating as principal root/admin@RELAY.COM with password. 
kadmin.local: listprincs


First forcefully expire the current kerberos credentials, log on as user hdfs or whatever

# kdestroy 

Validate that no credentials are cached

# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0) 

To see what keytab entries in that keytab file, use klist

# klist -kte  /etc/security/keytabs/spnego.service.keytab
Keytab name: FILE:/etc/security/keytabs/spnego.service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 08/24/2017 15:42:23 HTTP/hostname@RELAY.COM (aes256-cts-hmac-sha1-96)
   1 08/24/2017 15:42:23 HTTP/hostname@RELAY.COM (des-cbc-md5)
   1 08/24/2017 15:42:23 HTTP/hostname@RELAY.COM (arcfour-hmac)
   1 08/24/2017 15:42:23 HTTP/hostname@RELAY.COM (aes128-cts-hmac-sha1-96)
   1 08/24/2017 15:42:23 HTTP/hostname@RELAY.COM (des3-cbc-sha1)

The grab a valid kerberos using the info above

# kinit -kt /etc/security/keytabs/spnego.service.keytab  HTTP/hostname@RELAY.COM 

Now retry

avatar
Contributor