Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Ambari Web ui Kerberos HTTP error

Labels:
avatar
author-rank sunilreddykallu
Contributor

Created ‎10-06-2017 03:12 PM

Hi

I am getting this error almost in all services installed can someone help us

Connection failed to http://hostname:50070 (Execution of '/usr/bin/kinit -c /var/lib/ambari-agent/tmp/curl_krb_cache/web_alert_ambari-qa_cc_196393db8ad8461dac739b8ea56294c7 -kt /etc/security/keytabs/spnego.service.keytab HTTP/hostname@RELAY.COM > /dev/null' returned 1. kinit: Keytab contains no suitable keys for HTTP/hostname@RELAY.COM while getting initial credentials)
2,526 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank Shelton
Master Mentor

Created ‎10-06-2017 05:20 PM

@Sam Red

There could be a couple of reasons here.

First make sure the KDC and Kadmin is running assuming you are on RHEL/Centos7

Check the current status these 2 deamons should be running

# systemctl status krb5kdc.service
# systemctl status kadmin.service

If they are not running please, enable them so at next reboot they autostart

# systemctl enable kadmin.service
# systemctl enable krb5kdc.service

Start the services

# systemctl start krb5kdc.service 
# systemctl start kadmin.service

As the root user check that the principals are in the KDC database

# kadmin.local 
Authenticating as principal root/admin@RELAY.COM with password. 
kadmin.local: listprincs


First forcefully expire the current kerberos credentials, log on as user hdfs or whatever 

# kdestroy

Validate that no credentials are cached 

# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)

To see what keytab entries in that keytab file, use klist 

# klist -kte  /etc/security/keytabs/spnego.service.keytab
Keytab name: FILE:/etc/security/keytabs/spnego.service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 08/24/2017 15:42:23 HTTP/hostname@RELAY.COM (aes256-cts-hmac-sha1-96)
   1 08/24/2017 15:42:23 HTTP/hostname@RELAY.COM (des-cbc-md5)
   1 08/24/2017 15:42:23 HTTP/hostname@RELAY.COM (arcfour-hmac)
   1 08/24/2017 15:42:23 HTTP/hostname@RELAY.COM (aes128-cts-hmac-sha1-96)
   1 08/24/2017 15:42:23 HTTP/hostname@RELAY.COM (des3-cbc-sha1)

The grab a valid kerberos using the info above 

# kinit -kt /etc/security/keytabs/spnego.service.keytab  HTTP/hostname@RELAY.COM

Now retry

View solution in original post

2,208 Views
0 Kudos
3 REPLIES 3

avatar
author-rank rlevas
Guru

Created ‎10-06-2017 03:25 PM

is "hostname" in HTTP/hostname@RELAY.COM, literally "hostname" or did you replace that for the purposes of this query?

2,208 Views
0 Kudos

avatar
author-rank Shelton
Master Mentor

Created ‎10-06-2017 05:20 PM

@Sam Red

There could be a couple of reasons here.

First make sure the KDC and Kadmin is running assuming you are on RHEL/Centos7

Check the current status these 2 deamons should be running

# systemctl status krb5kdc.service
# systemctl status kadmin.service

If they are not running please, enable them so at next reboot they autostart

# systemctl enable kadmin.service
# systemctl enable krb5kdc.service

Start the services

# systemctl start krb5kdc.service 
# systemctl start kadmin.service

As the root user check that the principals are in the KDC database

# kadmin.local 
Authenticating as principal root/admin@RELAY.COM with password. 
kadmin.local: listprincs


First forcefully expire the current kerberos credentials, log on as user hdfs or whatever 

# kdestroy

Validate that no credentials are cached 

# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)

To see what keytab entries in that keytab file, use klist 

# klist -kte  /etc/security/keytabs/spnego.service.keytab
Keytab name: FILE:/etc/security/keytabs/spnego.service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 08/24/2017 15:42:23 HTTP/hostname@RELAY.COM (aes256-cts-hmac-sha1-96)
   1 08/24/2017 15:42:23 HTTP/hostname@RELAY.COM (des-cbc-md5)
   1 08/24/2017 15:42:23 HTTP/hostname@RELAY.COM (arcfour-hmac)
   1 08/24/2017 15:42:23 HTTP/hostname@RELAY.COM (aes128-cts-hmac-sha1-96)
   1 08/24/2017 15:42:23 HTTP/hostname@RELAY.COM (des3-cbc-sha1)

The grab a valid kerberos using the info above 

# kinit -kt /etc/security/keytabs/spnego.service.keytab  HTTP/hostname@RELAY.COM

Now retry

2,209 Views
0 Kudos

avatar
author-rank sunilreddykallu
Contributor

Created ‎10-06-2017 06:22 PM

@Geoffrey Shelton Okot Thank you

2,208 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera DataFlow 2.9 now supports building GenAI pipelines ...
What's New @ Cloudera
Accelerate Data Scientist Productivity with Cloudera Copilot...
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
Community Announcements
October 2024 Community Highlights
What's New @ Cloudera
Accelerate Your AI with the Cloudera AI Inference Service wi...
View More Announcements