Support Questions

Find answers, ask questions, and share your expertise

Enable kerberos in HDP 2.6.2: "Test kerberos Client " is handed

avatar
Contributor

Hi all,

i have installed hdp2.6.2 cluster on ubuntu16.04 servers, while enabling kerberos, it hanged on the step "Test Kerberos Client" as the picture showed.

I followed the guideline https://docs.hortonworks.com/HDPDocuments/Ambari-2.5.1.0/bk_ambari-security/content/optional_install... but seems stranged that when running "krb5_newrealm", it only asked me to enter the master key password, but NOT asked me to input the default

realms. then I edited the krb5.conf to add the realm manually( krb5conf.txt) and the command "kadmin -p admin/admin@ABC.COM" is tested successfully.

Any one had happened to encouter this and have any hints?

Thanks

40785-kerberos-hang.png


kerberos-hang-1.png
1 ACCEPTED SOLUTION

avatar
Master Mentor

@forest lin

The kdc.conf looks fine, but your initial and final krb5.conf don't look correct you forgot to add the entry in lowercase see below !. Please backup of your current krb5.conf on all the hosts and replace them with the below exactly as it is.

[libdefaults]
  renew_lifetime = 7d
  forwardable = true
  default_realm = ABC.COM
  ticket_lifetime = 24h
  dns_lookup_realm = false
  dns_lookup_kdc = false
  default_ccache_name = /tmp/krb5cc_%{uid}
  #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
  #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
[domain_realm]
  abc.com = ABC.COM
  .abc.com = ABC.COM
[logging]
  default = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  kdc = FILE:/var/log/krb5kdc.log
[realms]
  ABC.COM = {
    admin_server = nn1-dev1-tbdp
    kdc = nn1-dev1-tbdp
  }

Did you re-run the below to correctly setup the KDC and KDC Admin hostnames

dpkg-reconfigure krb5-kdc

Can you also validate that the host entries on all the hosts are the same and include the KDC server host entry?

What the content of your kadm5.acl file?

On the KDC server can you paste the output of the below command. Please obscure the domain name

# kdestroy 
# kadmin.local 
Authenticating as principal root/admin@ABC.COM with password. 
kadmin.local: listprincs

After validating and changing the above restart the services

service krb5-kdc restart 
service krb5-admin-server restart

Don't forget to enable auto-restart of kdc and kadmin use appropriate ubuntu command

chkconfig krb5kdc on 
chkconfig kadmin on

Now try the Ambari--> Kerberos wizard again it should succeed

The logs are in these directories on the KDC and Clients

default = /var/log/krb5kdc.log 
admin_server = /var/log/kadmind.log 
kdc = /var/log/krb5kdc.log

Please revert

View solution in original post

3 REPLIES 3

avatar
Master Mentor

@forest lin


You need to change the REAL entry in your /etc/krb5.conf to be like below and distribute to all the nodes in the cluster

[domain_realm]
  abc.com = ABC.COM
  .abc.com = ABC.COM

Instead of

[domain_realm]        
ABC.COM = ABC.COM

You must validate that the other files kdc.conf,kadm5.acl are correct

avatar
Contributor

i tried the approach as @Geoffrey Shelton Okot adviced, but no luck.

The kdc.conf is kdcconf.txt, and the krb5.conf is changed to krb5conf-after-install-client.txt after the step "

Install Kerberos Client"

The nodes are VMs on the same physical server, and the command "kadmin -p admin/admin@ABC.COM" is successfully on all nodes.

Any hints? I can't find any output log for the step "

Test Kerberos Client" . Actually, can i skip it?

avatar
Master Mentor

@forest lin

The kdc.conf looks fine, but your initial and final krb5.conf don't look correct you forgot to add the entry in lowercase see below !. Please backup of your current krb5.conf on all the hosts and replace them with the below exactly as it is.

[libdefaults]
  renew_lifetime = 7d
  forwardable = true
  default_realm = ABC.COM
  ticket_lifetime = 24h
  dns_lookup_realm = false
  dns_lookup_kdc = false
  default_ccache_name = /tmp/krb5cc_%{uid}
  #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
  #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
[domain_realm]
  abc.com = ABC.COM
  .abc.com = ABC.COM
[logging]
  default = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  kdc = FILE:/var/log/krb5kdc.log
[realms]
  ABC.COM = {
    admin_server = nn1-dev1-tbdp
    kdc = nn1-dev1-tbdp
  }

Did you re-run the below to correctly setup the KDC and KDC Admin hostnames

dpkg-reconfigure krb5-kdc

Can you also validate that the host entries on all the hosts are the same and include the KDC server host entry?

What the content of your kadm5.acl file?

On the KDC server can you paste the output of the below command. Please obscure the domain name

# kdestroy 
# kadmin.local 
Authenticating as principal root/admin@ABC.COM with password. 
kadmin.local: listprincs

After validating and changing the above restart the services

service krb5-kdc restart 
service krb5-admin-server restart

Don't forget to enable auto-restart of kdc and kadmin use appropriate ubuntu command

chkconfig krb5kdc on 
chkconfig kadmin on

Now try the Ambari--> Kerberos wizard again it should succeed

The logs are in these directories on the KDC and Clients

default = /var/log/krb5kdc.log 
admin_server = /var/log/kadmind.log 
kdc = /var/log/krb5kdc.log

Please revert