Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Enable Kerberos App Timeline Server Start Failed

Highlighted

Enable Kerberos App Timeline Server Start Failed

Contributor

Traceback (most recent call last):

  File "/var/lib/ambari-agent/cache/common-services/YARN/2.1.0.2.0/package/scripts/application_timeline_server.py", line 155, in <module>
    ApplicationTimelineServer().execute()
  File "/usr/lib/python2.6/site-packages/resource_management/libraries/script/script.py", line 280, in execute
    method(env)
  File "/var/lib/ambari-agent/cache/common-services/YARN/2.1.0.2.0/package/scripts/application_timeline_server.py", line 44, in start
    self.configure(env) # FOR SECURITY
  File "/var/lib/ambari-agent/cache/common-services/YARN/2.1.0.2.0/package/scripts/application_timeline_server.py", line 55, in configure
    yarn(name='apptimelineserver')
  File "/usr/lib/python2.6/site-packages/ambari_commons/os_family_impl.py", line 89, in thunk
    return fn(*args, **kwargs)
  File "/var/lib/ambari-agent/cache/common-services/YARN/2.1.0.2.0/package/scripts/yarn.py", line 337, in yarn
    mode=0755
  File "/usr/lib/python2.6/site-packages/resource_management/core/base.py", line 155, in __init__
    self.env.run()
  File "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", line 160, in run
    self.run_action(resource, action)
  File "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", line 124, in run_action
    provider_action()
  File "/usr/lib/python2.6/site-packages/resource_management/libraries/providers/hdfs_resource.py", line 459, in action_create_on_execute
    self.action_delayed("create")
  File "/usr/lib/python2.6/site-packages/resource_management/libraries/providers/hdfs_resource.py", line 456, in action_delayed
    self.get_hdfs_resource_executor().action_delayed(action_name, self)
  File "/usr/lib/python2.6/site-packages/resource_management/libraries/providers/hdfs_resource.py", line 247, in action_delayed
    self._assert_valid()
  File "/usr/lib/python2.6/site-packages/resource_management/libraries/providers/hdfs_resource.py", line 231, in _assert_valid
    self.target_status = self._get_file_status(target)
  File "/usr/lib/python2.6/site-packages/resource_management/libraries/providers/hdfs_resource.py", line 292, in _get_file_status
    list_status = self.util.run_command(target, 'GETFILESTATUS', method='GET', ignore_status_codes=['404'], assertable_result=False)
  File "/usr/lib/python2.6/site-packages/resource_management/libraries/providers/hdfs_resource.py", line 192, in run_command
    raise Fail(err_msg)
resource_management.core.exceptions.Fail: Execution of 'curl -sS -L -w '%{http_code}' -X GET --negotiate -u : 'http://bigdata013.example.com:50070/webhdfs/v1/ats/done?op=GETFILESTATUS&user.name=hdfs'' returned status_code=403. 
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 403 GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)</title>
</head>
<body><h2>HTTP ERROR 403</h2>
<p>Problem accessing /webhdfs/v1/ats/done. Reason:
<pre>    GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)</pre></p><hr /><i><small>Powered by Jetty://</small></i><br/>                                                
<br/>                                                
<br/>                                                
<br/>                                                
<br/>                                                
<br/>                                                
<br/>                                                
<br/>                                                
<br/>                                                
<br/>                                                
<br/>                                                
<br/>                                                
<br/>                                                
<br/>                                                
<br/>                                                
<br/>                                                
<br/>                                                
<br/>                                                
<br/>                                                
<br/>                                                

</body>
</html>
9 REPLIES 9
Highlighted

Re: Enable Kerberos App Timeline Server Start Failed

Super Mentor

@Zhao Chaofeng

Are you using Sun JDK? If yes then you will have to install the JCE policies for encryption.

Please check the below link which says "Before enabling Kerberos in the cluster, you must deploy the Java Cryptography Extension (JCE) security policy files on the Ambari Server and on all hosts in the cluster."

: https://docs.hortonworks.com/HDPDocuments/Ambari-2.4.2.0/bk_ambari-security/content/installing_the_j...

Highlighted

Re: Enable Kerberos App Timeline Server Start Failed

Contributor

Yes, JCE is installed and this issue comes.

Highlighted

Re: Enable Kerberos App Timeline Server Start Failed

Super Mentor

@Zhao Chaofeng

Also can you please share the output of the following command "klist -e -k /etc/security/keytabs/hdfs.headless.keytab"

to see the encryption types used by the kerberos tickets?

# klist -e -k /etc/security/keytabs/hdfs.headless.keytab
Keytab name: FILE:/etc/security/keytabs/hdfs.headless.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  4 hdfs-JoyCluster@EXAMPLE.COM (des3-cbc-sha1) 
  4 hdfs-JoyCluster@EXAMPLE.COM (arcfour-hmac) 
  4 hdfs-JoyCluster@EXAMPLE.COM (aes128-cts-hmac-sha1-96) 
  4 hdfs-JoyCluster@EXAMPLE.COM (des-cbc-md5) 
  4 hdfs-JoyCluster@EXAMPLE.COM (aes256-cts-hmac-sha1-96) 

- We should see (aes256-cts-hmac-sha1-96)

.

Highlighted

Re: Enable Kerberos App Timeline Server Start Failed

Contributor

OK, wait a moment. Thank you.

Highlighted

Re: Enable Kerberos App Timeline Server Start Failed

Contributor

Sorry, I reinstall the kerberos so it costs some time, but I encouter a question as follows:

2016-12-28 17:41:38,853 - Failed to create principal, hdpcluster-122816@EXAMPLE.COM - Failed to create service principal for hdpcluster-122816@EXAMPLE.COM
STDOUT: Authenticating as principal admin/admin@EXAMPLE.COM with password.
Password for admin/admin@EXAMPLE.COM: 
Enter password for principal "hdpcluster-122816@EXAMPLE.COM": 
Re-enter password for principal "hdpcluster-122816@EXAMPLE.COM": 

STDERR: WARNING: no policy specified for hdpcluster-122816@EXAMPLE.COM; defaulting to no policy
add_principal: Operation requires ``add'' privilege while creating "hdpcluster-122816@EXAMPLE.COM".
Highlighted

Re: Enable Kerberos App Timeline Server Start Failed

Super Mentor

@Zhao Chaofeng

After creating the admin principal as following :

kadmin.local -q "addprinc admin/admin"

- Have you added the * in the "/var/kerberos/krb5kdc/kadm5.acl" file as following:

*/admin@EXAMPLE.COM     *

- Then restart "kadmin"

  /etc/rc.d/init.d/kadmin restart

.

Highlighted

Re: Enable Kerberos App Timeline Server Start Failed

hey,did u able to able to resolve this issue?

Highlighted

Re: Enable Kerberos App Timeline Server Start Failed

Explorer

Hi @Zhao Chaofeng

I faced this problem too. Timeline API cannot access after enable kerberos. How to solved it? Thank you.

Highlighted

Re: Enable Kerberos App Timeline Server Start Failed

Hi @nur majid,

Its always better to have a new thread created along with screenshot of your issue and some logs .I see this thread is very old and inactive.

Don't have an account?
Coming from Hortonworks? Activate your account here