Support Questions

Find answers, ask questions, and share your expertise

Ambari is not distributing Keytabs for any new services installation (Enabled & Disabled Kerberos multiple times)

avatar

Hi,

 

We are trying to install Ranger KMS using Ambari. Our Cluster is Kerberos enabled & disabled multiple times using Ambari Kerberos Automated Wizard. Right now, Kerberos is enabled. 

Ranger KMS Installation is failing due to failure to distribute Keytab file by Ambari although it generates it in the Ambari server side, also principal generated successfully in AD KDC. Also noticed that Ambari shows Kerberos has been manually installed on the cluster, although we used Ambari Kerberos Wizard always.  

 

Ambari Server logs shared below along with screenshot of manual message mention above. Any idea on how to resolve this issue ? @dvillarreal @dgiri_india1989 

 

2021-07-10 16:14:58,119 INFO [Server Action Executor Worker 73541] CreateKeytabFilesServerAction:193 - Creating keytab file for rangerkms/{FULLY_QUALIFIED_DOMAIN_NAME}@MTNIRANCELL.IR on host {FULLY_QUALIFIED_DOMAIN_NAME}
2021-07-10 16:14:58,137 INFO [Server Action Executor Worker 73541] CreateKeytabFilesServerAction:252 - Successfully created keytab file for rangerkms/{FULLY_QUALIFIED_DOMAIN_NAME}@MTNIRANCELL.IR at /var/lib/ambari-server/data/tmp/.ambari_1625917470341-0.d/{FULLY_QUALIFIED_DOMAIN_NAME}/78235da43a7af6b2b8c061e49f5777df4f71251151a10e8baeccaf0eacc65b79
2021-07-10 16:14:58,213 INFO [Server Action Executor Worker 73541] CreateKeytabFilesServerAction:193 - Creating keytab file for HTTP/{FULLY_QUALIFIED_DOMAIN_NAME}@MTNIRANCELL.IR on host {FULLY_QUALIFIED_DOMAIN_NAME}
2021-07-10 16:14:58,224 INFO [Server Action Executor Worker 73541] KerberosServerAction:479 - Processing identities completed.

2021-07-10 16:15:39,174 ERROR [Server Action Executor Worker 73542] FinalizeKerberosServerAction:119 - Failed to update the owner of the keytab file at /etc/security/keytabs/rangerkms.service.keytab to kms: chown: cannot access ‘/etc/security/keytabs/rangerkms.service.keytab’: No such file or directory

2021-07-10 16:15:39,174 INFO [Server Action Executor Worker 73542] FinalizeKerberosServerAction:128 - Updated the group of the keytab file at /etc/security/keytabs/rangerkms.service.keytab to null
2021-07-10 16:15:39,181 ERROR [Server Action Executor Worker 73542] FinalizeKerberosServerAction:150 - Failed to update the access mode of the keytab file at /etc/security/keytabs/rangerkms.service.keytab to owner:'r' and group:'null': chmod: cannot access ‘/etc/security/keytabs/rangerkms.service.keytab’: No such file or directory

 

avinashmv442_0-1627213770950.png

 

Came across similar issue reported by other member, but not sure what payload.json file to be used to get rid of this situation. Yet to get response in another thread. https://community.cloudera.com/t5/Support-Questions/Ambari-is-not-creating-keytab-files-though-it-sa... 

3 REPLIES 3

avatar
Expert Contributor

@avinashmv442 

 

Can you check if user - keyadmin (or any custom user) configured in the KMS repository is added to proxy properties in the custom kms-site.xml file.

avatar

@jAnshula 

 

Thanks. Will check & update on this. 

avatar

Hi @jAnshula

 

Yes, below proxyuser properties added in Custom KMS-Site. keyadmin user only configured in KMS Repository. 

 

hadoop.kms.proxyuser.keyadmin.groups=*
hadoop.kms.proxyuser.keyadmin.hosts=*
hadoop.kms.proxyuser.keyadmin.users=*