Support Questions

enirys · ‎07-23-2021

From ambari webui (Admin -> Kerberos -> Regenerate Keytabs) when i try to regenerate keytabs it fails on Create Principals step with the following error message

2021-07-22 17:39:06,690 - Failed to create principal, HTTP/cnode28.26f5de01-5e40-4d8a-98bd-a4353b7bf5e3.datalake@26F5DE01-5E40-4D8A-98BD-A4353B7BF5E3.DATALAKE - Failed to create service principal for HTTP/cnode28.26f5de01-5e40-4d8a-98bd-a4353b7bf5e3.datalake@26F5DE01-5E40-4D8A-98BD-A4353B7BF5E3.DATALAKE
STDOUT: 
STDERR: ipa: ERROR: service with name "HTTP/cnode28.26f5de01-5e40-4d8a-98bd-a4353b7bf5e3.datalake@26F5DE01-5E40-4D8A-98BD-A4353B7BF5E3.DATALAKE" already exists

Bellow ambari kerberos config:

authentication.kerberos.auth_to_local.rules=DEFAULT
authentication.kerberos.enabled=true
authentication.kerberos.spnego.keytab.file=/etc/security/keytabs/spnego.service.keytab
authentication.kerberos.spnego.principal=HTTP/enode6.26f5de01-5e40-4d8a-98bd-a4353b7bf5e3.datalake
authentication.kerberos.user.types=LDAP

Thanks in advance for your help

Scharan · ‎07-23-2021

@enirys

Follow the below steps on ambari db

1. Take ambari DB backup

2. Execute the below mentioned SQL commands on ambari DB

# DELETE FROM ambari.kkp_mapping_service where kkp_id in (select kkp_id from ambari.kerberos_keytab_principal where principal_name = 'HTTP/cnode28.26f5de01-5e40-4d8a-98bd-a4353b7bf5e3.datalake@26F5DE01-5E40-4D8A-98BD-A4353B7BF5E3.DATALAKE');

# DELETE FROM kerberos_keytab_principal WHERE principal_name='HTTP/cnode28.26f5de01-5e40-4d8a-98bd-a4353b7bf5e3.datalake@26F5DE01-5E40-4D8A-98BD-A4353B7BF5E3.DATALAKE';

# DELETE FROM kerberos_principal WHERE principal_name='HTTP/cnode28.26f5de01-5e40-4d8a-98bd-a4353b7bf5e3.datalake@26F5DE01-5E40-4D8A-98BD-A4353B7BF5E3.DATALAKE';

3. After executing above command restart ambari server and regenerate the keytabs

enirys · ‎07-23-2021

Hi @Scharan

thanks for your feedback, but i don't have kkp_mapping_service and kerberos_keytab_principal tables but only kerberos_principal and kerberos_principal_host

Scharan · ‎07-23-2021

@enirys In Ambari 2.7.x below tables should exists whether your cluster is kerberized or not

Can you check and confirm does below table exists in Ambari DB

kerberos_descriptor
kerberos_keytab
kerberos_keytab_principal
kerberos_principal
key_value_store
kkp_mapping_service

enirys · ‎07-24-2021

hi @Scharan

My ambari version is 2.6.2.2

i have only these tables

kerberos_descriptor
kerberos_principal
key_value_store

Other tables doesn't exists

kerberos_keytab
kerberos_keytab_principal
kkp_mapping_service

Scharan · ‎07-24-2021

@enirys Free ipa with Ambari 2.6.x is not supported, Free ipa is supported from Ambari 2.7.x onwards

enirys · ‎07-26-2021

@Scharan

I don't think the issue is related to ambari version, we have an integration cluster with similar configuration (Amabari 2.6.2.2 and freeipa) and keytab regeneration is working fine.

jAnshula · ‎07-26-2021

@enirys

Can you once remove the problematic kerberos principal from FreeIPA and then try and regenerate the kerberos keytabs

       ipa-rmkeytab [ -p principal-name ] [ -k keytab-file ] [ -r realm ] [ -d ]

Cloudera Community

Support Questions

Failed to regenerate kerberos keytabs