Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Ambari createKeytabFileCommand with IPA does not use encryption_types

Labels:
avatar
author-rank oleg_tarassov
New Member

Created on ‎03-14-2019 01:36 AM - edited ‎09-16-2022 07:13 AM

Hello -


I have ambari version: 2.6.2.2-1 with IPA version: 4.6.4.

Issue I am facing is when ambari pulls the keytab file for each host after creating the principle (step 2 of the enable kerberos) it does not take into account the encryption types field used. It pulls all the encryptions from the IPA server but the IPA server only supports: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96.


Looking at the code: https://github.com/apache/ambari/blob/c17ecd1b2d5e41e66533266c9f4d5880ef5bd948/ambari-server/src/mai...

String[] createKeytabFileCommand = (StringUtils.isEmpty(encryptionTypeSpec))
        ? new String[]{executableIpaGetKeytab, "-s", getAdminServerHost(true), "-p", principal, "-k", keytabFileDestinationPath}
        : new String[]{executableIpaGetKeytab, "-s", getAdminServerHost(true), "-e", encryptionTypeSpec, "-p", principal, "-k", keytabFileDestinationPath};

It should add -e value with what was put in the box but it does not. Executing the below command works and generates the desired encryptions:

ipa-getkeytab -p devops-val01@DEVOPS.MTL -k /etc/security/keytabs/kerberos.service_check.new.keytab -e aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96

Tried turning debug on ambari-agent did not show anything new.


Any idea how i can debug this further?


Thanks


Oleg

1,564 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank rlevas
Guru

Created ‎03-14-2019 01:00 PM

@Oleg Tarassov, You are not looking at the correct source code version for Ambari 2.6.2.2. I believe that you want to look at https://github.com/apache/ambari/blob/release-2.6.2/ambari-server/src/main/java/org/apache/ambari/se....

According to this, the encryption types are not considered when exporting keytab files from IPA. This has been fixed in Ambari 2.7.0 and above. See https://issues.apache.org/jira/browse/AMBARI-22293.


View solution in original post

1,514 Views
1 REPLY 1

avatar
author-rank rlevas
Guru

Created ‎03-14-2019 01:00 PM

@Oleg Tarassov, You are not looking at the correct source code version for Ambari 2.6.2.2. I believe that you want to look at https://github.com/apache/ambari/blob/release-2.6.2/ambari-server/src/main/java/org/apache/ambari/se....

According to this, the encryption types are not considered when exporting keytab files from IPA. This has been fixed in Ambari 2.7.0 and above. See https://issues.apache.org/jira/browse/AMBARI-22293.


1,515 Views
Announcements
What's New @ Cloudera
Announcing availability of Spark 3.5 on Cloudera Unified Run...
What's New @ Cloudera
Cloudera Operational Database supports Security-Enhanced Lin...
What's New @ Cloudera
Cloudera Operational Database supports creating AWS Graviton...
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics 1.15 for Cloudera 7....
Community Announcements
April 2025 Cloudera Customer Advisory: Cloudera’s response t...
View More Announcements