Ambari createKeytabFileCommand with IPA does not use encryption_types

Hello -


I have Ambari version: 2.6.2.2-1 with IPA version: 4.6.4.

The issue I am facing is that when Ambari pulls the keytab file for each host after creating the principal (step 2 of the enable Kerberos), it does not take into account the encryption types field used. It pulls all the encryptions from the IPA server, but the IPA server only supports: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96.


Looking at the code: https://github.com/apache/ambari/blob/c17ecd1b2d5e41e66533266c9f4d5880ef5bd948/ambari-server/src/mai...

String[] createKeytabFileCommand = (StringUtils.isEmpty(encryptionTypeSpec))
        ? new String[]{executableIpaGetKeytab, "-s", getAdminServerHost(true), "-p", principal, "-k", keytabFileDestinationPath}
        : new String[]{executableIpaGetKeytab, "-s", getAdminServerHost(true), "-e", encryptionTypeSpec, "-p", principal, "-k", keytabFileDestinationPath};

It should add -e value with what was put in the box but it does not. Executing the below command works and generates the desired encryptions:

ipa-getkeytab -p devops-val01@DEVOPS.MTL -k /etc/security/keytabs/kerberos.service_check.new.keytab -e aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96

I tried turning debug on for ambari-agent, but it did not show anything new.

Any idea how I can debug this further?


Thanks


Oleg

1 ACCEPTED SOLUTION

@Oleg Tarassov, You are not looking at the correct source code version for Ambari 2.6.2.2. I believe that you want to look at https://github.com/apache/ambari/blob/release-2.6.2/ambari-server/src/main/java/org/apache/ambari/se....

According to this, the encryption types are not considered when exporting keytab files from IPA. This has been fixed in Ambari 2.7.0 and above. See https://issues.apache.org/jira/browse/AMBARI-22293.
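
To confirm which encryption types actually ended up in a keytab exported by Ambari 2.6.2, the following added example (not from this thread or from the Ambari code base) parses the MIT keytab file layout, version 0x0502, and lists entries whose type is outside the two the poster wants. The function names, the `etype-N` label for unmapped types and the sample data with dummy keys are assumptions of this example.

```python
import struct

# Enctype numbers per the Kerberos registry; ALLOWED is the pair the post's IPA server supports.
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
ALLOWED = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"}

def _counted(buf, off):  # 16-bit length-prefixed bytes -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def keytab_entries(data):
    """Yield (principal, kvno, enctype name) for each live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off = 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                      # negative size marks a deleted entry (hole)
            off -= size
            continue
        end = off + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, off)
        p, parts = off + 2, []
        for _ in range(ncomp + 1):         # realm first, then the name components
            s, p = _counted(data, p)
            parts.append(s.decode())
        _ntype, _ts, kvno, etype = struct.unpack_from(">IIBH", data, p)
        _key, p = _counted(data, p + 11)
        if end - p >= 4:                   # optional 32-bit kvno, used when nonzero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        yield ("/".join(parts[1:]) + "@" + parts[0], kvno,
               ENCTYPES.get(etype, "etype-%d" % etype))
        off = end

def disallowed(data, allowed=ALLOWED):  # entries whose enctype is outside the allowed set
    return [e for e in keytab_entries(data) if e[2] not in allowed]

def make_entry(name, realm, kvno, etype, key):  # builds one entry for the constructed sample
    s = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", 1) + s(realm) + s(name)
            + struct.pack(">IIBH", 1, 0, kvno, etype) + s(key))
    return struct.pack(">i", len(body)) + body

# Constructed sample keytab: dummy all-zero keys, principal name from the post.
SAMPLE = b"\x05\x02" + b"".join(
    make_entry(b"devops-val01", b"DEVOPS.MTL", 1, et, bytes(n))
    for et, n in ((18, 32), (17, 16), (23, 16), (16, 24)))
```

For a real file, pass `open(path, "rb").read()` to `disallowed`; `klist -kte` on the keytab shows the same per-entry encryption types.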

