Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

SPNEGO keytab file ownership and chown errors at "Configure Ambari Identity" step during "Kerberize Cluster" in "Enable Kerberos Wizard"

Solved Go to solution
Highlighted

SPNEGO keytab file ownership and chown errors at "Configure Ambari Identity" step during "Kerberize Cluster" in "Enable Kerberos Wizard"

New Contributor

HDP 2.6.4 on RHEL 7

Ambari is running under non-root user. While enabling Kerberos using Ambari, "Configure Ambari Identity" step errors out as the keytab file, /etc/security/keytabs/spnego.service.keytab is owned by non-root Ambari user. Error: ambari.server.AmbariException:chown: changing ownership of ‘/usr/hdp/security/keytabs/spnego.service.keytab’: Operation not permitted

The .csv file shows it has to be owned by root:hadoop and the non-root user is not able to do chown due to OS limitations. How to get around this issue ?

Can the Ambari-server be changed to run as root user by running "ambari-server setup" and restarting Ambari at this point and then restart "Enable Kerberos Wizard" ?

Any advice is welcome.

1 ACCEPTED SOLUTION

Accepted Solutions

Re: SPNEGO keytab file ownership and chown errors at "Configure Ambari Identity" step during "Kerberize Cluster" in "Enable Kerberos Wizard"

Hi @Rajeswaran Govindan ,

If you cant give the suoders permissions as listed docs , Its always better to run the ambari-server as root.

to run ambari server again as root again follow this steps

1)stop ambari-server
[root@asnaik-asnaik1 ~]# ambari-server stop
Using python  /usr/bin/python
Stopping ambari-server
Waiting for server stop...
Ambari Server stopped
2) perform ambari-server setup and customize the user-account for ambari server
[root@asnaik-asnaik1 ~]# ambari-server setup
Using python  /usr/bin/python
Setup ambari-server
Checking SELinux...
SELinux status is 'enabled'
SELinux mode is 'permissive'
WARNING: SELinux is set to 'permissive' mode and temporarily disabled.
OK to continue [y/n] (y)?
Customize user account for ambari-server daemon [y/n] (n)? y
Enter user account for ambari-server daemon (root):root
Adjusting ambari-server permissions and ownership...
WARNING: Command chown  -R -L root /var/lib/ambari-server returned exit code /var/lib/ambari-server with message: chown: cannot dereference ‘/var/lib/ambari-server/resources/mysql-connector-java.jar’: No such file or directory
chown: cannot dereference ‘/var/lib/ambari-server/resources/mysql-jdbc-driver.jar’: No such file or directory
Checking firewall status...
Checking JDK...
Do you want to change Oracle JDK [y/n] (n)? n
Checking GPL software agreement...
Completing setup...
Configuring database...
Enter advanced database configuration [y/n] (n)? n
Configuring database...
....
3) start ambari-server
[root@asnaik-asnaik1 ~]# ambari-server start
Using python  /usr/bin/python
Starting ambari-server
Ambari Server running with administrator privileges.
Organizing resource files at /var/lib/ambari-server/resources...

Refer to help : https://docs.hortonworks.com/HDPDocuments/Ambari-2.6.2.0/bk_ambari-installation/content/set_up_the_a...

If you have any doubt.

Please accept this answer if its helpful

5 REPLIES 5

Re: SPNEGO keytab file ownership and chown errors at "Configure Ambari Identity" step during "Kerberize Cluster" in "Enable Kerberos Wizard"

Expert Contributor

Hi @Rajeswaran Govindan,

Since Ambari is running a non-privileged user, it is possible that the chown for keytab file failed due to permission issues.

Make sure that the sudoers file is setup properly. Please refer the below documentation for this.

http://docs.hortonworks.com/HDPDocuments/Ambari-2.4.2.0/bk_ambari-security/content/sudoer_configurat...

Hope this helps!

Re: SPNEGO keytab file ownership and chown errors at "Configure Ambari Identity" step during "Kerberize Cluster" in "Enable Kerberos Wizard"

@Rajeswaran Govindan

If you are running the Ambari server as a non-root user, then you need to set up sudoers so that Ambari can properly sudo and execute the needed commands. See https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/sudoer_configuration_se... for information on how to set this up.

Re: SPNEGO keytab file ownership and chown errors at "Configure Ambari Identity" step during "Kerberize Cluster" in "Enable Kerberos Wizard"

New Contributor

Thanks you Robert and Sampath. In our environment editing the sudoers file is not an option.

Can the Ambari-server be changed to run as root user by running "ambari-server setup" and restarting Ambari at this point and then restart "Enable Kerberos Wizard" ?

Re: SPNEGO keytab file ownership and chown errors at "Configure Ambari Identity" step during "Kerberize Cluster" in "Enable Kerberos Wizard"

Hi @Rajeswaran Govindan ,

If you cant give the suoders permissions as listed docs , Its always better to run the ambari-server as root.

to run ambari server again as root again follow this steps

1)stop ambari-server
[root@asnaik-asnaik1 ~]# ambari-server stop
Using python  /usr/bin/python
Stopping ambari-server
Waiting for server stop...
Ambari Server stopped
2) perform ambari-server setup and customize the user-account for ambari server
[root@asnaik-asnaik1 ~]# ambari-server setup
Using python  /usr/bin/python
Setup ambari-server
Checking SELinux...
SELinux status is 'enabled'
SELinux mode is 'permissive'
WARNING: SELinux is set to 'permissive' mode and temporarily disabled.
OK to continue [y/n] (y)?
Customize user account for ambari-server daemon [y/n] (n)? y
Enter user account for ambari-server daemon (root):root
Adjusting ambari-server permissions and ownership...
WARNING: Command chown  -R -L root /var/lib/ambari-server returned exit code /var/lib/ambari-server with message: chown: cannot dereference ‘/var/lib/ambari-server/resources/mysql-connector-java.jar’: No such file or directory
chown: cannot dereference ‘/var/lib/ambari-server/resources/mysql-jdbc-driver.jar’: No such file or directory
Checking firewall status...
Checking JDK...
Do you want to change Oracle JDK [y/n] (n)? n
Checking GPL software agreement...
Completing setup...
Configuring database...
Enter advanced database configuration [y/n] (n)? n
Configuring database...
....
3) start ambari-server
[root@asnaik-asnaik1 ~]# ambari-server start
Using python  /usr/bin/python
Starting ambari-server
Ambari Server running with administrator privileges.
Organizing resource files at /var/lib/ambari-server/resources...

Refer to help : https://docs.hortonworks.com/HDPDocuments/Ambari-2.6.2.0/bk_ambari-installation/content/set_up_the_a...

If you have any doubt.

Please accept this answer if its helpful

Re: SPNEGO keytab file ownership and chown errors at "Configure Ambari Identity" step during "Kerberize Cluster" in "Enable Kerberos Wizard"

New Contributor

Thanks Akhil, that helps.

Don't have an account?
Coming from Hortonworks? Activate your account here