
FreeIPA and HDP2.6

I am trying to Secure an HDP 2.6 install with Free IPA. I am using the experimental feature under Ambari.

https://community.hortonworks.com/articles/59645/ambari-24-kerberos-with-freeipa.html

I am running into issue where a test principal is being created. I changed the password policy in IPA to set the Max life and Min life to 0 in the global_policy.


On Ambari Server Logs I see the below exception

==============================================================================================
11 Dec 2017 17:44:23,020 WARN [Server Action Executor Worker 315] IPAKerberosOperationHandler:310 - demo-121117 is not in lowercase. FreeIPA does not recognize user principals that are not entirely in lowercase. This can lead to issues with kinit and keytabs. Make sure users are in lowercase
11 Dec 2017 17:44:29,865 ERROR [Server Action Executor Worker 315] CreatePrincipalsServerAction:299 - Failed to create principal, demo-121117@US-WEST-1.COMPUTE.INTERNAL - Unexpected response from kinit while trying to password for demo-121117 got:
org.apache.ambari.server.serveraction.kerberos.KerberosOperationException: Unexpected response from kinit while trying to password for demo-121117 got:
	at org.apache.ambari.server.serveraction.kerberos.IPAKerberosOperationHandler.updatePassword(IPAKerberosOperationHandler.java:575)
	at org.apache.ambari.server.serveraction.kerberos.IPAKerberosOperationHandler.createPrincipal(IPAKerberosOperationHandler.java:337)
	at org.apache.ambari.server.serveraction.kerberos.CreatePrincipalsServerAction.createPrincipal(CreatePrincipalsServerAction.java:258)
	at org.apache.ambari.server.serveraction.kerberos.CreatePrincipalsServerAction.processIdentity(CreatePrincipalsServerAction.java:161)
	at org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.processRecord(KerberosServerAction.java:538)
	at org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.processIdentities(KerberosServerAction.java:420)
	at org.apache.ambari.server.serveraction.kerberos.CreatePrincipalsServerAction.execute(CreatePrincipalsServerAction.java:91)
	at org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.execute(ServerActionExecutor.java:516)
	at org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.run(ServerActionExecutor.java:453)
	at java.lang.Thread.run(Thread.java:745)
============================================================================================

I am looking at what should be the settings in IPA to resolve this issue. Thanks for all the help.


@Shivaji Dutta

The warning message is a bug in the FreeIPA integration implementation. I found and fixed the issue for when FreeIPA is officially supported by Ambari (Ambari, version 3.0.0). The issue is that there are characters that are not letters (a-z) in the cluster name. The logic implemented by the original contributor of the code used the _wrong_ method to determine if the cluster name will create an issue. The check is supposed to determine if there are any uppercase characters in the cluster name, but the call also fails if there are characters that are not letters.

The failure does not appear to be related to the case warning. It is unclear what is causing the exception. Maybe there is a bug related to updating the password for a user principal. Can you try to remove the account for demo-121117@US-WEST-1.COMPUTE.INTERNAL from the IPA server and try again? If there are any other accounts in the IPA server where the principal name will collide with what Ambari will be creating, you should remove them as well.

Thanks for the response. I have removed the user a couple of times and retried, and there still seems to be an error.

The error seems to be about how the password is tested and the password policy in IPA. The principal does get created by Ambari in IPA; it seems the way it tests the password is stopping it from progressing.

Today when I do a kinit with a new user from the command line, it asks for a password change on the first kinit. I am unsure how to get around it.

Would you have any idea if the password policy is correct? Do we need to do anything else for it?

It seems like your maximum lifetime value may be incorrect. It is possible that some version of IPA interprets 0 as unlimited (see https://community.hortonworks.com/questions/66660/kerberos-with-freeipa-password-expired.html), however it seems like you need to set a value that is greater than 0. Maybe something really large to simulate an unlimited length of time... maybe 3650 (for 10 years)?

BTW, what version of FreeIPA are you using? Ambari really only supports later versions of FreeIPA 4.x.

@Robert Levas - The IPA version is

VERSION: 4.5.0, API_VERSION: 2.228

@Robert Levas I have put a YouTube link with a recording of the error.

FreeIPA Video link (Youtube link showing the issue)

@Shivaji Dutta

Did you happen to set kerberos-env/set_password_expiry? The default value is false. Setting it to true may change how Ambari behaves.

@Shivaji Dutta

Let's try to take Ambari out of the equation. Can you open up a shell on a host where the FreeIPA client has been set up. Kinit as the administrator user and then run the following commands (I am not quite sure why it was implemented this way, but this is what the code does):

ipa user-add demo-123456 --principal demo-123456@US-WEST-1.COMPUTE.INTERNAL --first demo-123456 --last demo-123456 --setattr userPassword=Hadoop1234
ipa user-mod demo-123456 --random

From the output of the previous command, grab the "Random password" value. For example:

---------------------------
Modified user "demo-123456"
---------------------------
  User login: demo-123456
  First name: demo-123456
  Last name: demo-123456
  ...
Random password: 5Wu+z&x0c!sQQxK!4s,KY3
...

The value you need to get is "5Wu+z&x0c!sQQxK!4s,KY3"

Note: If there are multiple line-items with the word "password" in them, I would be interested to know.

Once you get the generated password value execute:

kinit -c /tmp/demo-123456.cache demo-123456

At the "Password for demo-123456@US-WEST-1.COMPUTE.INTERNAL:" prompt, enter/paste the password from above. In this case it will be "5Wu+z&x0c!sQQxK!4s,KY3" (no quotes)

At the "Enter new password:" prompt, enter "Hadoop1234" (no quotes).

At the "Enter it again:" prompt, enter "Hadoop1234" (no quotes).

The output should look like

$ kinit -c /tmp/demo-123456.cache demo-123456
Password for demo-123456@US-WEST-1.COMPUTE.INTERNAL:
Password expired.  You must change it now.
Enter new password:
Enter it again:
$

If it does not, then this is where the issue is. Looking at the supplied stack trace, the problem should be seen just after you enter that "Random password" value.

Maybe this will shed some light on the issue.
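Two small pieces of the manual check above, as an added example (not Ambari's code and not from the post): parsing the "Random password" value out of a constructed sample of `ipa user-mod --random` output, counting the other lines that mention "password" (the note above asks about these), and the lowercase check on the principal name, in the correct form beside a reconstruction of the over-eager form the first reply describes (anything that is not a lowercase letter, such as "-" or a digit, trips it). The sample output and the reconstructed check are assumptions, not captured from a real IPA server or the Ambari source.

```python
import re

# Constructed sample of `ipa user-mod demo-123456 --random` output, modelled on
# the post above; the "Password: True" line is added to exercise the
# "multiple lines with the word password" case mentioned in the note.
SAMPLE_USER_MOD_OUTPUT = """\
---------------------------
Modified user "demo-123456"
---------------------------
  User login: demo-123456
  First name: demo-123456
  Last name: demo-123456
  Home directory: /home/demo-123456
  Random password: 5Wu+z&x0c!sQQxK!4s,KY3
  Password: True
"""

# Matches only the "Random password:" line; the value may contain spaces
# and punctuation, so everything after the colon (trimmed) is the password.
_RANDOM_PW_RE = re.compile(r"^\s*Random password:\s*(.+?)\s*$", re.MULTILINE)


def extract_random_password(output: str) -> str:
    """Return the generated password from `ipa user-mod --random` output.

    Raises ValueError when no such line exists, so a caller never feeds an
    empty string to the kinit prompt by mistake."""
    match = _RANDOM_PW_RE.search(output)
    if match is None:
        raise ValueError("no 'Random password' line in ipa user-mod output")
    return match.group(1)


def other_password_lines(output: str) -> list[str]:
    """Lines that mention 'password' other than the 'Random password' line."""
    return [
        line.strip()
        for line in output.splitlines()
        if "password" in line.lower() and not _RANDOM_PW_RE.match(line)
    ]


def has_uppercase(principal: str) -> bool:
    """Correct check: flag only real uppercase letters ('Demo-121117')."""
    return any(c.isupper() for c in principal)


def has_non_lowercase_char(principal: str) -> bool:
    """Reconstruction of the over-eager check described in the first reply:
    any character that is not a lowercase letter ('-', digits) is flagged,
    so 'demo-121117' produces the warning. Assumed form, not Ambari's code."""
    return any(not c.islower() for c in principal)
```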

@Robert Levas - I am using FreeIPA

VERSION: 4.5.0, API_VERSION: 2.228


Hi, I've got exactly the same problem on CentOS 7, not on CentOS 6. Did you find a solution? When I analysed the code of Ambari, I found that after sending the old password and trying to get another message, we are experiencing a problem with an empty `data` var.

https://github.com/apache/ambari/blob/branch-2.4/ambari-server/src/main/java/org/apache/ambari/serve...

This line doesn't read anything. Might this be related to readline library?


I've got the exact same issue; after an IPA patch this weekend I can no longer generate keytabs. It also took down some other stuff, yet the responses from kinit look correct.

@Shawn Weeks

I suggest that you open a new thread and post more information about your issue. Ambari version, logs, etc...


Since this is the #1 and only Google hit for this issue, we need to get whatever the answer is posted here. There is obviously some sort of undefined behavior in how Ambari is reading responses from IPA, as the return does look correct.

@Shawn Weeks

What version of Ambari are you using? The warning message from the original description should be fixed in Ambari 2.7.0 and up. If you create a new thread (to not confuse this one), we can try to work out the issue.


@Robert Levas

Ambari 2.6.2. I have a ticket open for this but no one at Hortonworks has ever seen it before except for this post. Specifically, my issue is the whole "trying to password for demo-121117 got:

at"

not the warning. Somehow the process interaction with kinit gets a bunch of null characters instead of the response it expected.

@Shawn Weeks
I have a ticket open for this but no one at Hortonworks has ever seen it before except for this post.

I do not see anything relevant from you in the JIRA system - https://issues.apache.org/jira/browse/AMBARI-14714?jql=project%20%3D%20AMBARI%20AND%20status%20%3D%2....

Where is the open ticket?
