
How to fix the Kerberos client test?


Hello,

I'm trying to set up Kerberos automatically on my cluster, which is composed of 2 nodes (ambari-server and ambari-agent1).

I've installed KDC and KDC admin server on ambari-server.

I've followed this link https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.2/bk_security/content/_launching_the_kerberos..., section 2 "Authentication", and I'm stuck at "Launching the Kerberos Wizard (Automated Setup)" when I tried to test the Kerberos client, as shown in "error.png".

I attached the logs that may be related to this issue in "1_log.png" from /var/log/krb5kdc.log and in "2_log.png" from /var/log/krb5.log.

My questions are:

1- What does the prerequisite "Ambari server and all cluster hosts have network access to both the KDC and KDC admin hosts", listed first in "prerequisites for kerberos.png", mean? What are the necessary steps to ensure this prerequisite?

2- Where can I find the default log attached to Kerberos?

3- Is it possible that the Kerberos client test failed for ambari-server because I've installed both the KDC and the Kerberos client on it?

4- How can I debug the errors shown in "1_log.png" and "2_log.png"?

I'm really stuck; I'll be grateful if you can help me resolve this issue.


Attachments: 1-log.png, error.png, 2-log.png, prerequisites-for-kerberos.png
1 ACCEPTED SOLUTION
4 REPLIES



@Robert Levas

Thank you for your reply. I've tried the test above and the results are attached in "test.png".

I've concluded that my admin account does not have the proper rights to create accounts.

I've edited my /var/kerberos/krb5kdc/kadm5.acl from

*/admin *

to

*/admin@ROSAFI.COM *

and I've restarted my krb5-admin-server and krb5-kdc.

From /var/log/ambari-server/ambari-server.log, I got this error, as you expected:

27 Oct 2017 15:42:45,206 ERROR [Server Action Executor Worker 2313] MITKerberosOperationHandler:207 - Failed to execute kadmin query: add_principal -pw "********"  sparkcluster-102717@ROSAFI.COM
STDOUT: Authenticating as principal admin/admin@ROSAFI.COM with password.
Password for admin/admin@ROSAFI.COM: 
Enter password for principal "sparkcluster-102717@ROSAFI.COM": 
Re-enter password for principal "sparkcluster-102717@ROSAFI.COM": 

STDERR: WARNING: no policy specified for sparkcluster-102717@ROSAFI.COM; defaulting to no policy
add_principal: Operation requires ``add'' privilege while creating "sparkcluster-102717@ROSAFI.COM".

So, for now my questions are:

1- How can I set the proper rights for my admin account?

2- What is the difference between "kadmin.local" and "kadmin -p admin/admin"?

Would you please help me to continue with resolving this issue?


Attachment: test.png


kadmin.local is only available on the KDC server host. It is a utility that basically manages the KDC DB directly, which bypasses the user set in the relevant Kerberos ticket cache.

kadmin is a tool that comes with the Kerberos client suite. It connects to the kadmin service and uses the user's Kerberos ticket cache to determine who the acting user is and what privs they have. If the user does not have the appropriate privileges, then the action will fail, as you see in your test.

For my (test) environment, I have it set so that any principal with "/admin" in the name can perform any administrative task. So using kadmin.local, I create a principal with the name "admin/admin" and set its password. Then I edit the /var/kerberos/krb5kdc/kadm5.acl file and set it as shown above:

*/admin@EXAMPLE.COM    *

Then, I restart the kadmind and krb5kdc services. After that, I can manage the KDC using

kadmin -p admin/admin

I uploaded install-kdc-sh.txt. This is the script I use when installing a KDC in my test environment on CentOS 6.
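The privilege check behind the ``add'' error in the log above, as an added example that is not code from this thread, from Ambari or from MIT Kerberos: a small Python model of how kadmind reads kadm5.acl and decides whether a kadmin request is allowed. It covers the documented, commonly used subset of the format (one `principal permissions [target_principal]` entry per line, `#` comment lines, `*` as a whole-component wildcard, lowercase letters granting and uppercase letters revoking, `x`/`*` meaning every privilege except `e`, first matching entry wins). The ACL contents and the ROSAFI.COM principals in it are constructed for the example; how kadmind resolves a realm-less entry such as the poster's original `*/admin *` is deliberately left out rather than guessed, so such entries are rejected by the model.

```python
"""Model of how kadmind evaluates kadm5.acl for a kadmin request (added example).

Subset covered: `principal permissions [target_principal]` per line, `#` comment lines,
`*` as a whole-component (or realm) wildcard, lowercase letters granting and uppercase
letters revoking a privilege, `x`/`*` meaning everything except `e`, first matching
entry decides. Entries must be fully qualified (name@REALM); realm-less entries are
rejected rather than guessed at. An entry with a target column is taken to apply only
when the request's target matches it. Principals and ACL text below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

ALL_PRIVS = "admcilps"   # what 'x' and '*' expand to; 'e' (extract keys) is never implied
PRIV_NAMES = {"a": "add", "d": "delete", "m": "modify", "c": "change-password",
              "i": "inquire", "l": "list", "p": "propagate", "s": "setkey", "e": "extract"}
OP_PRIV = {"add_principal": "a", "delete_principal": "d", "modify_principal": "m",
           "change_password": "c", "get_principal": "i", "list_principals": "l"}


@dataclass
class AclEntry:
    client: str
    perms: str
    target: Optional[str] = None


def _split(principal: str):
    """'admin/admin@ROSAFI.COM' -> (['admin', 'admin'], 'ROSAFI.COM')."""
    if "@" not in principal:
        raise ValueError(f"realm-less principal not supported by this model: {principal!r}")
    local, realm = principal.rsplit("@", 1)
    return local.split("/"), realm


def matches(pattern: str, principal: str) -> bool:
    """'*' matches exactly one whole component; component counts must agree."""
    pcomps, prealm = _split(pattern)
    ccomps, crealm = _split(principal)
    if len(pcomps) != len(ccomps) or prealm not in ("*", crealm):
        return False
    return all(p in ("*", c) for p, c in zip(pcomps, ccomps))


def parse_kadm5_acl(text: str) -> List[AclEntry]:
    entries: List[AclEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed kadm5.acl line: {raw!r}")
        entries.append(AclEntry(fields[0], fields[1], fields[2] if len(fields) > 2 else None))
    return entries


def expand(perms: str) -> Set[str]:
    """'*' -> admcilps; 'xD' -> everything except delete; 'ai' -> add and inquire."""
    granted: Set[str] = set()
    for ch in perms:
        if ch in "x*":
            granted |= set(ALL_PRIVS)
        elif ch.lower() in PRIV_NAMES:
            (granted.add if ch.islower() else granted.discard)(ch.lower())
        else:
            raise ValueError(f"unknown permission letter {ch!r} in {perms!r}")
    return granted


def privileges(entries: List[AclEntry], client: str, target: Optional[str] = None) -> Set[str]:
    """First matching entry decides; no matching entry means no privileges at all."""
    for e in entries:
        if not matches(e.client, client):
            continue
        if e.target is not None and (target is None or not matches(e.target, target)):
            continue
        return expand(e.perms)
    return set()


def authorize(acl_text: str, client: str, op: str, target: Optional[str] = None) -> str:
    """'' when the request is allowed, otherwise a refusal worded like kadmin's."""
    need = OP_PRIV[op]
    if need in privileges(parse_kadm5_acl(acl_text), client, target):
        return ""
    return f"{op}: Operation requires ``{PRIV_NAMES[need]}'' privilege"


# Constructed ACL for this example; not the poster's file.
KADM5_ACL = """\
# any principal with an /admin instance in this realm has full rights
*/admin@ROSAFI.COM      *
# deployment-tool service account: may create and inspect, never delete
ambari@ROSAFI.COM       ail
# helpdesk may change passwords of single-component user principals only
helpdesk@ROSAFI.COM     c       *@ROSAFI.COM
"""

if __name__ == "__main__":
    for who in ("admin/admin@ROSAFI.COM", "admin@ROSAFI.COM", "ambari@ROSAFI.COM"):
        print(who, "->", authorize(KADM5_ACL, who, "add_principal", "sparkcluster-102717@ROSAFI.COM") or "allowed")
```

Note what the model makes visible: `*/admin@ROSAFI.COM *` matches `admin/admin@ROSAFI.COM` but not a plain `admin@ROSAFI.COM` (one component, not two) and not `admin/admin@EXAMPLE.COM`, and a principal that matches no entry at all has no privileges rather than some default. Against a real KDC, the equivalent check is to run the query the wizard would run, for instance `kadmin -p admin/admin -q "add_principal -randkey acltest@ROSAFI.COM"` followed by `kadmin -p admin/admin -q "delete_principal -force acltest@ROSAFI.COM"`; kadmin talks to kadmind on port 749 and to the KDC on port 88, which is what the wizard's prerequisite about network access to both the KDC and the KDC admin host refers to.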


@Robert Levas

Thank you for your detailed explanation. With these details, I've resolved my issue. It was a problem in my kadm5.acl.