Created 10-03-2017 10:08 AM
Hi All,
I'm facing an issue while installing a new component to an already kerberized cluster.
The installation happens successfully without any issues, but services do not start due to unavailability of the keytab file on the host where the new component is installed.
After the installation I validated that new keytab files are not created in the designated location, but Ambari says it has created the keytabs and distributed them to that host.
Ambari : 2.5.1
HDP : 2.6.1
Created 11-09-2017 03:01 PM
Apologies @nkumar for the delay in response.
The issue is related to Ambari, which behaves differently after disabling and re-enabling Kerberos.
The issue got fixed after making changes to Ambari with the help of Hortonworks Support using the REST calls below.
curl -u test:test -H "X-Requested-By: ambari" -X POST http://ambari-server:8080/api/v1/clusters/MyClusterName/services/KERBEROS
curl -u test:test -H "X-Requested-By: ambari" -X POST http://ambari-server:8080/api/v1/clusters/MyClusterName/services/KERBEROS/components/KERBEROS_CLIENT
curl -s -u test:test http://ambari-server:8080/api/v1/hosts|grep host_name| sed -n 's/.*"host_name" : "\([^\"]*\)".*/\1/p'>hostcluster.txt
for i in `cat hostcluster.txt`; do curl -u test:test -H "X-Requested-By: ambari" -X POST http://ambari-server:8080/api/v1/clusters/MyClusterName/hosts/$i/host_components/KERBEROS_CLIENT; done
curl -u test:test -H 'X-Requested-By: ambari' -X PUT -d '{"HostRoles": {"state":"INSTALLED"}}' 'http://ambari-server:8080/api/v1/clusters/MyClusterName/host_components?HostRoles/state=INIT'
curl -H "X-Requested-By:ambari" -u test:test -i -X PUT -d @./payload.json http://ambari-server:8080/api/v1/clusters/MyClusterName
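A read-only pre-check for the calls above, as an added example that is not part of the original post or of Hortonworks Support's instructions: given the JSON returned by GET /api/v1/hosts and by GET on the cluster's host_components collection, it lists hosts that have no KERBEROS_CLIENT host component and hosts where that component is not in the INSTALLED state. The sample responses and example.com host names are constructed, and the response layout (items / Hosts / HostRoles) is an assumption about Ambari's output.

```python
import json

# Constructed sample of GET /api/v1/hosts (layout is an assumption).
HOSTS_JSON = """
{"items": [
  {"Hosts": {"cluster_name": "MyClusterName", "host_name": "master1.example.com"}},
  {"Hosts": {"cluster_name": "MyClusterName", "host_name": "worker1.example.com"}},
  {"Hosts": {"cluster_name": "MyClusterName", "host_name": "worker2.example.com"}}
]}
"""

# Constructed sample of GET .../clusters/MyClusterName/host_components
# with the state field included (layout is an assumption).
HOST_COMPONENTS_JSON = """
{"items": [
  {"HostRoles": {"component_name": "KERBEROS_CLIENT",
                 "host_name": "master1.example.com", "state": "INSTALLED"}},
  {"HostRoles": {"component_name": "KERBEROS_CLIENT",
                 "host_name": "worker1.example.com", "state": "INIT"}},
  {"HostRoles": {"component_name": "DATANODE",
                 "host_name": "worker2.example.com", "state": "STARTED"}}
]}
"""


def kerberos_client_report(hosts_text, components_text,
                           component="KERBEROS_CLIENT"):
    """Return (missing, not_installed) for the given component.

    missing       -- sorted host names with no such host component at all
    not_installed -- {host: state} where the component exists but is not
                     INSTALLED (for example still in INIT)
    """
    hosts = {item["Hosts"]["host_name"]
             for item in json.loads(hosts_text).get("items", [])}
    states = {}
    for item in json.loads(components_text).get("items", []):
        role = item.get("HostRoles", {})
        if role.get("component_name") == component and "host_name" in role:
            states[role["host_name"]] = role.get("state", "UNKNOWN")
    missing = sorted(hosts - set(states))
    not_installed = {h: s for h, s in sorted(states.items())
                     if h in hosts and s != "INSTALLED"}
    return missing, not_installed


if __name__ == "__main__":
    missing, pending = kerberos_client_report(HOSTS_JSON, HOST_COMPONENTS_JSON)
    print("hosts without KERBEROS_CLIENT:", missing)
    print("KERBEROS_CLIENT not INSTALLED:", pending)
```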
Created 10-03-2017 10:48 AM
Hi @D Giri,
Can you try re-generating the keytabs and check if it works.
Ambari=>Admin=>Kerberos => Regenerate keytabs
Thanks,
Aditya
Created 10-03-2017 12:33 PM
Yes, I have regenerated but it didn't help. What I have seen is it didn't create new keytabs.
Created 10-03-2017 10:53 AM
HDP 2.6 has a new feature called Service Auto Start; see Ambari UI-->admin-> Service Auto Start
Can you validate the component status? Or the Auto start Services status should be either enabled/disabled
Can you also check in the KDC whether the principals are created?
# kadmin.local
kadmin.local: listprincs
Are you running Ambari as root? If not, then that user MUST have authorization to write to /var/lib/ambari-server/tmp.
Please revert
Created 10-03-2017 12:42 PM
Thanks @Geoffrey Shelton Okot for the quick response.
Ambari is running as a user which has got sudo privileges. And auto-start services is enabled but only metrics-collector is enabled.
In the KDC I can see that it has created corresponding principals associated with the service and hostnames.
The only issue I have observed is that it stopped creating keytab files and distributing them to the designated system, which Ambari reported as successful.
I have carried out this activity some 9-10 times but all the time it's ending up without creating keytab files.
Created 10-04-2017 06:47 PM
Did you by chance download the CSV file with the keytabs for manual creation?
There is an option to ONLY regenerate keytabs for missing hosts and components !!
Did you correctly key in the user/password in the Ambari-Kerberos wizard? Could you briefly describe your cluster setup? Master/slave and where the KDC is installed?
Make sure the [realms] and [domain_realms] entries in /etc/krb5.conf are correct.
Validate the contents of these 2 files /var/kerberos/krb5kdc/kdc.conf , /var/kerberos/krb5kdc/kadm5.acl
Can you share the contents of the above files? Don't forget to scramble site-specific information.
Created 10-06-2017 11:49 AM
I have checked the content and everything looks good and we are using the same krb config files across different clusters. I don't see any discrepancies with the Kerberos.
Created 10-06-2017 01:05 PM
Can you describe your cluster setup (master, Slave and Edge nodes)?
Okay what are the new components you are trying to install?
You could be checking for the keytabs on the wrong host. Can you rerun the below command?
# kadmin.local
Authenticating as principal root/admin@REALM with password.
kadmin.local: listprincs
All the principals created should be visible in the KDC database. If the principal for the component is present, take note of the host and try to locate the keytabs in the below location of that node
/etc/security/keytabs
Please let me know
Created 10-10-2017 10:20 AM
@D Giri,
Can you post the output of "ls /etc/security/keytabs" here, along with the component that is part of the cluster and fails to start?
My suspicion is that we should not put anything in the "Principal Suffix" parameter field when the keytab is created for any service, as that adds the cluster name into the keytab principal, whereas the service only looks by the username of the respective service.