
Kerberos with FreeIPA: password expired

Master Collaborator

@emaxwell

Following your HCC tutorial on kerberizing a cluster with FreeIPA, I ran into an error where the password for the test principal always expires.

https://community.hortonworks.com/content/kbentry/59645/ambari-24-kerberos-with-freeipa.html

Performing kinit using qi1-111516@FIELD.HORTONWORKS.COM
2016-11-15 21:33:42,394 - Execute['/usr/bin/kinit -c /var/lib/ambari-agent/tmp/kerberos_service_check_cc_79b5f4cfa04c21fdbd26a3e07b45366e -kt /etc/security/keytabs/kerberos.service_check.111516.keytab qi1-111516@FIELD.HORTONWORKS.COM'] {'user': 'ambari-qa'}
2016-11-15 21:33:42,460 - File['/var/lib/ambari-agent/tmp/kerberos_service_check_cc_79b5f4cfa04c21fdbd26a3e07b45366e'] {'action': ['delete']}

Command failed after 1 tries

I updated the global password policy to make passwords never expire, and the user is using that policy:

ipa pwpolicy-mod --maxlife=0 --minlife=0 global_policy
[root@qwang-hdp ~]# ipa pwpolicy-show --user=qi1-111516
  Group: global_policy
  Max lifetime (days): 0
  Min lifetime (hours): 0
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600

But if I kinit with the user, it will ask me to reset the password anyway.

This seems to be related to the second requirement of the wizard, but I can't make it work.


I would greatly appreciate it if you could provide some advice.

1 ACCEPTED SOLUTION

New Contributor

You need a really recent FreeIPA to support --maxlife=0 (https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=d2cb9ed327ee4003598d5e45d80ab7918b89eeed). If you are on supported Red Hat or CentOS then you probably don't have it, unless you rolled your own.

You can find out by checking the krbPasswordExpiration attribute of the user. It shouldn't be there. In that case you can try to set it (http://www.therebel.eu/2015/08/setting-password-expiry-in-ipa/) or update your password policy to a lifetime of, say, 10 years or so (don't go beyond 2038).
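As an added example (not from this thread or from FreeIPA itself), the check the answer describes in code: read the krbPasswordExpiration attribute from `ipa user-show <user> --all --raw` output, decide whether the principal's password is already expired, and sanity-check a replacement maxlife against the 2038 limit. The sample output and timestamps below are constructed; the assumption is that `--raw` prints the attribute as `krbpasswordexpiration:` followed by an LDAP GeneralizedTime such as `20161115000000Z`.

```python
"""Check a FreeIPA user's krbPasswordExpiration before running kinit.

Added example. Assumes `ipa user-show <user> --all --raw` prints the attribute
as 'krbpasswordexpiration: YYYYMMDDHHMMSSZ' (LDAP GeneralizedTime, UTC).
"""
from datetime import datetime, timedelta, timezone

# Largest expiry that still fits a signed 32-bit seconds-since-epoch field,
# which is why the answer above says not to go beyond 2038.
KRB_TIME_LIMIT = datetime(2038, 1, 19, 3, 14, 7, tzinfo=timezone.utc)

# Constructed reference time matching the log lines in the question.
SAMPLE_NOW = datetime(2016, 11, 15, 21, 33, 42, tzinfo=timezone.utc)

# Constructed `ipa user-show --all --raw` output for the test principal.
SAMPLE_OUTPUT = """  uid: qi1-111516
  krbprincipalname: qi1-111516@FIELD.HORTONWORKS.COM
  krbpasswordexpiration: 20161115000000Z
"""


def parse_generalized_time(value: str) -> datetime:
    """Parse LDAP GeneralizedTime 'YYYYMMDDHHMMSSZ' into an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def expiration_from_user_show(output: str):
    """Return the krbPasswordExpiration value, or None when the attribute is
    absent (which is what 'never expires' looks like on FreeIPA)."""
    for line in output.splitlines():
        key, sep, val = line.strip().partition(":")
        if sep and key.strip().lower() == "krbpasswordexpiration":
            return parse_generalized_time(val.strip())
    return None


def password_state(output: str, now: datetime) -> str:
    """Classify the principal as 'no-expiry', 'valid' or 'expired' at `now`."""
    exp = expiration_from_user_show(output)
    if exp is None:
        return "no-expiry"
    return "expired" if exp <= now else "valid"


def safe_maxlife_days(now: datetime, maxlife_days: int) -> bool:
    """True when now + maxlife stays below the 2038 limit. A maxlife of 0 is
    treated as unsafe here because older FreeIPA builds do not honour it."""
    if maxlife_days <= 0:
        return False
    return now + timedelta(days=maxlife_days) < KRB_TIME_LIMIT


if __name__ == "__main__":
    print(password_state(SAMPLE_OUTPUT, SAMPLE_NOW))  # expired
```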


2 REPLIES

Master Guru

Can you try to create the keytab for the test user, and always do kinit from the keytab ("kinit -kt <keytab-file-name>" command)? Ambari service checks are supposed to use the ambari-qa user, and the wizard is supposed to create its keytab as well.
