Support Questions

vzlatkin · ‎01-13-2016

I am trying to enable Kerberos on an HDP 2.3.2 Sandbox using FreeIPA on a standalone VM. After stopping all of the HDP services the Kerberos wizard has a "prepare" task and that task is failing with this error message:

13 Jan 2016 04:56:25,610  WARN [Server Action Executor Worker 495] ServerActionExecutor:479 - Task #495 failed to complete execution due to thrown exception: java.lang.IllegalArgumentException:Attempted to add a rule for a principal with no realm: ambari-qa
java.lang.IllegalArgumentException: Attempted to add a rule for a principal with no realm: ambari-qa
        at org.apache.ambari.server.controller.AuthToLocalBuilder.addRule(AuthToLocalBuilder.java:147)
        at org.apache.ambari.server.controller.KerberosHelperImpl.addIdentities(KerberosHelperImpl.java:1671)
        at org.apache.ambari.server.controller.KerberosHelperImpl.setAuthToLocalRules(KerberosHelperImpl.java:403)
        at org.apache.ambari.server.serveraction.kerberos.PrepareKerberosIdentitiesServerAction.processAuthToLocalRules(PrepareKerberosIdentitiesServerAction.java:177)
        at org.apache.ambari.server.serveraction.kerberos.PrepareEnableKerberosServerAction.execute(PrepareEnableKerberosServerAction.java:82)
        at org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.execute(ServerActionExecutor.java:537)
        at org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.run(ServerActionExecutor.java:474)
        at java.lang.Thread.run(Thread.java:745)

ambari-qa was not mentioned in the CSV file that the wizard generated, but after seeing the above error I created a service for it, but I'm still getting the same error.

Added service "ambari-qa/sandbox.hortonworks.com@HORTONWORKS.COM"
-----------------------------------------------------------------
  Principal: ambari-qa/sandbox.hortonworks.com@HORTONWORKS.COM
  Managed by: sandbox.hortonworks.com

What does the error message mean and what can I do to resolve it?

rlevas · ‎01-13-2016

It seems like something may be wrong with the Kerberos Descriptor. Did you edit any of the principal names on the Configure Identities page of the Enable Kerberos Wizard or did you not set the realm name on the Configure Kerberos page of the Enable Kerberos Wizard?

Can you post or attach the response to

http://AMBARI_SERVER:8080/api/v1/clusters/CLUSTER_NAME/artifacts/kerberos_descriptor

Replacing AMBARI_SERVER with the hostname of your Ambari server
Replace CLUSTER_NAME with the name of your cluster

View solution in original post

rlevas · ‎01-13-2016

It seems like something may be wrong with the Kerberos Descriptor. Did you edit any of the principal names on the Configure Identities page of the Enable Kerberos Wizard or did you not set the realm name on the Configure Kerberos page of the Enable Kerberos Wizard?

Can you post or attach the response to

http://AMBARI_SERVER:8080/api/v1/clusters/CLUSTER_NAME/artifacts/kerberos_descriptor

Replacing AMBARI_SERVER with the hostname of your Ambari server
Replace CLUSTER_NAME with the name of your cluster

vzlatkin · ‎01-13-2016

Yes, I changed the identities as specified here. Realm was filled in during the first step of the Enable Kerberos Wizard.

The output of from the URL is very long, so I won't post it here. There is no mention of ambari-qa, and realm is a filled in property. Is there anything specific that I should investigate?

rlevas · ‎01-13-2016

Your issue is with the smoke user principal, on line 29 of the Kerberos Descriptor you posted:

  "value" : "${cluster-env/smokeuser}",

It should be:

  "value" : "${cluster-env/smokeuser}@${realm}",

vzlatkin · ‎01-13-2016

That worked!

Support Questions

Error: Attempted to add a rule for a principal with no realm: ambari-qa