Ambari createKeytabFileCommand with IPA does not use encryption_types


Hello -


I have Ambari version 2.6.2.2-1 with IPA version 4.6.4.

The issue I am facing is that when Ambari pulls the keytab file for each host after creating the principal (step 2 of Enable Kerberos), it does not take into account the encryption types field. It pulls all the encryptions from the IPA server, but the IPA server only supports: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96.


Looking at the code: https://github.com/apache/ambari/blob/c17ecd1b2d5e41e66533266c9f4d5880ef5bd948/ambari-server/src/mai...

String[] createKeytabFileCommand = (StringUtils.isEmpty(encryptionTypeSpec))
        ? new String[]{executableIpaGetKeytab, "-s", getAdminServerHost(true), "-p", principal, "-k", keytabFileDestinationPath}
        : new String[]{executableIpaGetKeytab, "-s", getAdminServerHost(true), "-e", encryptionTypeSpec, "-p", principal, "-k", keytabFileDestinationPath};

It should add the -e value with what was put in the box, but it does not. Executing the command below works and generates the desired encryptions:

ipa-getkeytab -p devops-val01@DEVOPS.MTL -k /etc/security/keytabs/kerberos.service_check.new.keytab -e aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96

I tried turning debug on for ambari-agent, but it did not show anything new.


Any idea how I can debug this further?


Thanks


Oleg

1 ACCEPTED SOLUTION


@Oleg Tarassov, You are not looking at the correct source code version for Ambari 2.6.2.2. I believe that you want to look at https://github.com/apache/ambari/blob/release-2.6.2/ambari-server/src/main/java/org/apache/ambari/se....

According to this, the encryption types are not considered when exporting keytab files from IPA. This has been fixed in Ambari 2.7.0 and above. See https://issues.apache.org/jira/browse/AMBARI-22293.
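Because Ambari 2.6.2 does not pass the encryption types to ipa-getkeytab, the exported keytabs can be audited after the fact. The following is an added example, not part of the original thread or of Ambari's code: it parses the MIT keytab file format (version 0x0502) and lists entries whose enctype falls outside the two types named in the question. The helper names, the sample keytab and its all-zero keys are constructed for illustration.

```python
import struct

ENCTYPES = {16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",  # IANA numbers
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
ALLOWED = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"}

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from an MIT keytab, file format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                     # hole left by a deleted entry (or padding)
            pos -= size
            continue
        rec, pos = data[pos:pos + size], pos + size
        if len(rec) != size:
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        off, parts = 2, []
        for _ in range(ncomp + 1):        # realm first, then the name components
            (n,) = struct.unpack_from(">H", rec, off)
            parts.append(rec[off + 2:off + 2 + n].decode())
            off += 2 + n
        kvno, etype, keylen = struct.unpack_from(">8xBHH", rec, off)  # 8x: name type, timestamp
        off += 13 + keylen                # key bytes are skipped, never printed
        if size - off >= 4:               # optional 32-bit kvno after the key
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        out.append(("/".join(parts[1:]) + "@" + parts[0], kvno,
                    ENCTYPES.get(etype, "etype-%d" % etype)))
    return out

def disallowed_keys(data, allowed=ALLOWED):
    return [e for e in parse_keytab(data) if e[2] not in allowed]

# Builds constructed sample data only; not needed when auditing a real file.
def make_entry(realm, comps, kvno, etype, key):
    s = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + s(realm) + b"".join(map(s, comps))
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

SAMPLE = b"\x05\x02" + b"".join(
    make_entry(b"DEVOPS.MTL", [b"devops-val01"], 2, et, bytes(n))
    for et, n in ((18, 32), (17, 16), (23, 16), (16, 24)))

if __name__ == "__main__":
    print(disallowed_keys(SAMPLE))
```

To audit a real keytab, pass the file's bytes (read in binary mode) to `disallowed_keys`.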

