Failed to regenerate kerberos keytabs

Contributor

From the Ambari web UI (Admin -> Kerberos -> Regenerate Keytabs), when I try to regenerate keytabs it fails on the Create Principals step with the following error message:

2021-07-22 17:39:06,690 - Failed to create principal, HTTP/cnode28.26f5de01-5e40-4d8a-98bd-a4353b7bf5e3.datalake@26F5DE01-5E40-4D8A-98BD-A4353B7BF5E3.DATALAKE - Failed to create service principal for HTTP/cnode28.26f5de01-5e40-4d8a-98bd-a4353b7bf5e3.datalake@26F5DE01-5E40-4D8A-98BD-A4353B7BF5E3.DATALAKE
STDOUT: 
STDERR: ipa: ERROR: service with name "HTTP/cnode28.26f5de01-5e40-4d8a-98bd-a4353b7bf5e3.datalake@26F5DE01-5E40-4D8A-98BD-A4353B7BF5E3.DATALAKE" already exists

Below is the Ambari Kerberos config:

authentication.kerberos.auth_to_local.rules=DEFAULT
authentication.kerberos.enabled=true
authentication.kerberos.spnego.keytab.file=/etc/security/keytabs/spnego.service.keytab
authentication.kerberos.spnego.principal=HTTP/enode6.26f5de01-5e40-4d8a-98bd-a4353b7bf5e3.datalake
authentication.kerberos.user.types=LDAP

Thanks in advance for your help

7 REPLIES

Master Collaborator

@enirys 

Follow the steps below on the Ambari DB:

1. Take an Ambari DB backup.

2. Execute the below-mentioned SQL commands on the Ambari DB:

# DELETE FROM ambari.kkp_mapping_service where kkp_id in (select kkp_id from ambari.kerberos_keytab_principal where principal_name = 'HTTP/cnode28.26f5de01-5e40-4d8a-98bd-a4353b7bf5e3.datalake@26F5DE01-5E40-4D8A-98BD-A4353B7BF5E3.DATALAKE');

# DELETE FROM kerberos_keytab_principal WHERE principal_name='HTTP/cnode28.26f5de01-5e40-4d8a-98bd-a4353b7bf5e3.datalake@26F5DE01-5E40-4D8A-98BD-A4353B7BF5E3.DATALAKE';

# DELETE FROM kerberos_principal WHERE principal_name='HTTP/cnode28.26f5de01-5e40-4d8a-98bd-a4353b7bf5e3.datalake@26F5DE01-5E40-4D8A-98BD-A4353B7BF5E3.DATALAKE';

3. After executing the above commands, restart the Ambari server and regenerate the keytabs.

Contributor

Hi @Scharan 

Thanks for your feedback, but I don't have the kkp_mapping_service and kerberos_keytab_principal tables, only kerberos_principal and kerberos_principal_host.

Master Collaborator

@enirys In Ambari 2.7.x the below tables should exist whether your cluster is kerberized or not.

Can you check and confirm whether the below tables exist in the Ambari DB?

kerberos_descriptor
kerberos_keytab
kerberos_keytab_principal
kerberos_principal
key_value_store
kkp_mapping_service

Contributor

Hi @Scharan

My Ambari version is 2.6.2.2.

I have only these tables:

kerberos_descriptor
kerberos_principal
key_value_store

The other tables don't exist:

kerberos_keytab
kerberos_keytab_principal
kkp_mapping_service

Master Collaborator

@enirys FreeIPA with Ambari 2.6.x is not supported; FreeIPA is supported from Ambari 2.7.x onwards.

Contributor

@Scharan

I don't think the issue is related to the Ambari version; we have an integration cluster with a similar configuration (Ambari 2.6.2.2 and FreeIPA) and keytab regeneration is working fine.

Expert Contributor

@enirys 

Can you remove the problematic Kerberos principal from FreeIPA once and then try to regenerate the Kerberos keytabs?

       ipa-rmkeytab [ -p principal-name ] [ -k keytab-file ] [ -r realm ] [ -d ]
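
Added example (not part of the thread and not Ambari's own code): a small Python triage script that parses Create Principals failures in the format quoted in the question and separates "already exists" conflicts from other errors, so every affected principal is known before any cleanup in the Ambari DB or FreeIPA. The sample log, its hostnames, realm and second error message are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the format quoted in the question; hosts, realm and the
# second STDERR message are placeholders, not taken from the thread.
SAMPLE_LOG = """\
2021-07-22 17:39:06,690 - Failed to create principal, HTTP/host1.example.test@EXAMPLE.TEST - Failed to create service principal for HTTP/host1.example.test@EXAMPLE.TEST
STDOUT:
STDERR: ipa: ERROR: service with name "HTTP/host1.example.test@EXAMPLE.TEST" already exists
2021-07-22 17:39:07,102 - Failed to create principal, nn/host2.example.test@EXAMPLE.TEST - Failed to create service principal for nn/host2.example.test@EXAMPLE.TEST
STDOUT:
STDERR: ipa: ERROR: constructed sample error unrelated to duplicates
"""

FAILED = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+) - Failed to create principal, (\S+) - ")
EXISTS = re.compile(r'"([^"]+)" already exists')

def parse_failures(text):
    """Pair each 'Failed to create principal' line with the STDERR line that follows it."""
    failures, current = [], None
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            current = {"time": m.group(1), "principal": m.group(2), "stderr": ""}
            failures.append(current)
        elif line.startswith("STDERR:") and current is not None:
            current["stderr"] = line[len("STDERR:"):].strip()
            current = None  # one STDERR line per failure
    return failures

def classify(failures):
    """Return principals the KDC reports as already existing, and all other failures."""
    result = {"already_exists": [], "other": []}
    for f in failures:
        m = EXISTS.search(f["stderr"])
        # Count it as a conflict only if the KDC names the principal Ambari tried to create.
        if m and m.group(1) == f["principal"]:
            result["already_exists"].append(f["principal"])
        else:
            result["other"].append((f["principal"], f["stderr"]))
    return result

if __name__ == "__main__":
    report = classify(parse_failures(SAMPLE_LOG))
    for p in report["already_exists"]:
        print("conflict:", p)
    for p, err in report["other"]:
        print("other failure:", p, "->", err)
```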