Created 10-30-2017 11:47 AM
Hello,
I've installed Kerberos on my cluster and it works correctly.
My question is how to check the utility of Kerberos in my cluster and how to test the authentication, which is the principal goal of Kerberos.
I'd be grateful if you could help me understand this issue.
Created 10-30-2017 12:02 PM
Please try to perform any HDFS operation, like listing a directory, without having a Kerberos ticket; it should fail with the following kind of message:

# su - hdfs
# kdestroy
# klist
klist: No credentials cache found (filename: /tmp/krb5cc_1011)

Above we see that there are no valid Kerberos tickets. So let's try to perform some HDFS operation like the following:

17/10/30 11:57:28 WARN ipc.Client: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]

Now try to get the Kerberos ticket and then perform the same operation again:

1. Get the principal name from the keytab:

# klist -kte /etc/security/keytabs/hdfs.headless.keytab
Keytab name: FILE:/etc/security/keytabs/hdfs.headless.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
  11 09/22/2017 08:59:28 hdfs-kerberos_ambari@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
  11 09/22/2017 08:59:28 hdfs-kerberos_ambari@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
  11 09/22/2017 08:59:28 hdfs-kerberos_ambari@EXAMPLE.COM (arcfour-hmac)
  11 09/22/2017 08:59:28 hdfs-kerberos_ambari@EXAMPLE.COM (des-cbc-md5)
  11 09/22/2017 08:59:28 hdfs-kerberos_ambari@EXAMPLE.COM (des3-cbc-sha1)

2. Now get a valid Kerberos ticket as follows, using "kinit":

# kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-kerberos_ambari@EXAMPLE.COM

3. Check whether you got a valid ticket:

# klist
Ticket cache: FILE:/tmp/krb5cc_1011
Default principal: hdfs-kerberos_ambari@EXAMPLE.COM

Valid starting       Expires              Service principal
10/30/2017 12:00:12  10/31/2017 12:00:12  krbtgt/EXAMPLE.COM@EXAMPLE.COM

4. Now you should be able to perform the HDFS operations:

# hdfs dfs -ls /tmp
Found 11 items
drwx------   - ambari-qa hdfs          0 2017-06-09 12:15 /tmp/ambari-qa
drwxr-xr-x   - hdfs      hdfs          0 2017-06-09 11:36 /tmp/entity-file-history
drwx-wx-wx   - ambari-qa hdfs          0 2017-06-27 05:13 /tmp/hive
-rwxr-xr-x   3 hdfs      hdfs       2075 2017-07-25 12:53 /tmp/id1aac366a_date532517
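The manual check above turned into a script, as an added example that is not part of the original answer: it runs the listing without a ticket and expects the GSS rejection, then does the keytab kinit and expects success, so a cluster that answers without any ticket is reported as a failure instead of passing just because kinit happened to work. The keytab path is the one from the thread; the hdfs/kinit/klist/kdestroy commands being on PATH, the TEST_DIR listing target and the RUN_KERBEROS_CHECK switch are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: automates the manual check in the
# answer above. Kerberos is only enforced if BOTH halves hold: an HDFS call with
# no ticket is rejected with the GSS error, and the same call succeeds after
# kinit from the keytab. Assumes hdfs/kinit/klist/kdestroy are on PATH; KEYTAB
# defaults to the hdfs headless keytab path used in the thread.
KEYTAB="${KEYTAB:-/etc/security/keytabs/hdfs.headless.keytab}"
TEST_DIR="${TEST_DIR:-/tmp}"

# First principal listed by `klist -kte`: entry rows start with a numeric KVNO,
# and the principal is the 4th column (KVNO, date, time, principal, enctype).
principal_from_keytab() {
    klist -kte "$1" | awk '$1 ~ /^[0-9]+$/ { print $4; exit }'
}

# One HDFS attempt, classified as: ok (listing worked), denied (rejected with the
# SASL/GSS error shown in the thread), error (anything else, e.g. NameNode down).
classify_hdfs_attempt() {
    local out
    if out=$(hdfs dfs -ls "$TEST_DIR" 2>&1); then
        echo ok
    elif printf '%s\n' "$out" | grep -q 'GSS initiate failed'; then
        echo denied
    else
        echo error
    fi
}

# Returns 0 only when unauthenticated access is denied AND the keytab login works;
# 1 when enforcement is wrong (e.g. "ok" without a ticket), 2 on keytab/kinit problems.
verify_kerberos_enforcement() {
    local princ before after
    kdestroy >/dev/null 2>&1 || true        # start from a clean credential cache
    before=$(classify_hdfs_attempt)
    princ=$(principal_from_keytab "$KEYTAB")
    [ -n "$princ" ] || { echo "no principal found in $KEYTAB" >&2; return 2; }
    kinit -kt "$KEYTAB" "$princ" || return 2
    after=$(classify_hdfs_attempt)
    if [ "$before" = denied ] && [ "$after" = ok ]; then
        echo "PASS: no ticket -> denied; $princ -> ok"
        return 0
    fi
    echo "FAIL: no ticket -> $before; with ticket -> $after" >&2
    return 1
}

# Only touch the real cluster when explicitly asked, so the functions are safe to source.
if [ "${RUN_KERBEROS_CHECK:-0}" = 1 ]; then
    verify_kerberos_enforcement
fi
```

Run it with RUN_KERBEROS_CHECK=1 as a user that can read the keytab; note that it destroys the caller's current ticket cache before the first attempt.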
Created 06-21-2018 01:59 PM
I've a question which is quite the opposite of this. I removed Kerberos completely from Ambari, but when I tried to restart the services it threw some errors. I checked the logs and found that it's failing while performing 'kinit'. My question is: since I removed Kerberos, it's not supposed to generate a ticket automatically. There's some configuration which is triggering this. Can you help with this issue?
Below is the error I got when I tried to restart the services.
File "/usr/lib/ambari-agent/lib/resource_management/core/shell.py", line 102, in checked_call
    tries=tries, try_sleep=try_sleep, timeout_kill_strategy=timeout_kill_strategy)
File "/usr/lib/ambari-agent/lib/resource_management/core/shell.py", line 150, in _call_wrapper
    result = _call(command, **kwargs_copy)
File "/usr/lib/ambari-agent/lib/resource_management/core/shell.py", line 303, in _call
    raise ExecutionFailed(err_msg, code, out, err)
resource_management.core.exceptions.ExecutionFailed: Execution of 'kinit -kt /etc/security/keytabs/smokeuser.headless.keytab ambari-qa-hwx_tvx@FHILLS.LOCAL;' returned 127. bash: kinit: command not found