Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Ambari createKeytabFileCommand with IPA does not use encryption_types

Solved Go to solution

Ambari createKeytabFileCommand with IPA does not use encryption_types

New Contributor

Hello -


I have ambari version: 2.6.2.2-1 with IPA version: 4.6.4.

Issue I am facing is when ambari pulls the keytab file for each host after creating the principle (step 2 of the enable kerberos) it does not take into account the encryption types field used. It pulls all the encryptions from the IPA server but the IPA server only supports: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96.


Looking at the code: https://github.com/apache/ambari/blob/c17ecd1b2d5e41e66533266c9f4d5880ef5bd948/ambari-server/src/mai...

String[] createKeytabFileCommand = (StringUtils.isEmpty(encryptionTypeSpec))
        ? new String[]{executableIpaGetKeytab, "-s", getAdminServerHost(true), "-p", principal, "-k", keytabFileDestinationPath}
        : new String[]{executableIpaGetKeytab, "-s", getAdminServerHost(true), "-e", encryptionTypeSpec, "-p", principal, "-k", keytabFileDestinationPath};

It should add -e value with what was put in the box but it does not. Executing the below command works and generates the desired encryptions:

ipa-getkeytab -p devops-val01@DEVOPS.MTL -k /etc/security/keytabs/kerberos.service_check.new.keytab -e aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96

Tried turning debug on ambari-agent did not show anything new.


Any idea how i can debug this further?


Thanks


Oleg

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Ambari createKeytabFileCommand with IPA does not use encryption_types

@Oleg Tarassov, You are not looking at the correct source code version for Ambari 2.6.2.2. I believe that you want to look at https://github.com/apache/ambari/blob/release-2.6.2/ambari-server/src/main/java/org/apache/ambari/se....

According to this, the encryption types are not considered when exporting keytab files from IPA. This has been fixed in Ambari 2.7.0 and above. See https://issues.apache.org/jira/browse/AMBARI-22293.


1 REPLY 1

Re: Ambari createKeytabFileCommand with IPA does not use encryption_types

@Oleg Tarassov, You are not looking at the correct source code version for Ambari 2.6.2.2. I believe that you want to look at https://github.com/apache/ambari/blob/release-2.6.2/ambari-server/src/main/java/org/apache/ambari/se....

According to this, the encryption types are not considered when exporting keytab files from IPA. This has been fixed in Ambari 2.7.0 and above. See https://issues.apache.org/jira/browse/AMBARI-22293.


Don't have an account?
Coming from Hortonworks? Activate your account here