Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

SPNEGO keytab file ownership and chown errors at "Configure Ambari Identity" step during "Kerberize Cluster" in "Enable Kerberos Wizard"

avatar

HDP 2.6.4 on RHEL 7

Ambari is running under non-root user. While enabling Kerberos using Ambari, "Configure Ambari Identity" step errors out as the keytab file, /etc/security/keytabs/spnego.service.keytab is owned by non-root Ambari user. Error: ambari.server.AmbariException:chown: changing ownership of ‘/usr/hdp/security/keytabs/spnego.service.keytab’: Operation not permitted

The .csv file shows it has to be owned by root:hadoop and the non-root user is not able to do chown due to OS limitations. How to get around this issue ?

Can the Ambari-server be changed to run as root user by running "ambari-server setup" and restarting Ambari at this point and then restart "Enable Kerberos Wizard" ?

Any advice is welcome.

1 ACCEPTED SOLUTION

avatar
hide-solution

This problem has been solved!

Want to get a detailed solution you have to login/registered on the community

Register/Login
5 REPLIES 5

avatar
Expert Contributor

Hi @Rajeswaran Govindan,

Since Ambari is running a non-privileged user, it is possible that the chown for keytab file failed due to permission issues.

Make sure that the sudoers file is setup properly. Please refer the below documentation for this.

http://docs.hortonworks.com/HDPDocuments/Ambari-2.4.2.0/bk_ambari-security/content/sudoer_configurat...

Hope this helps!

avatar
@Rajeswaran Govindan

If you are running the Ambari server as a non-root user, then you need to set up sudoers so that Ambari can properly sudo and execute the needed commands. See https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/sudoer_configuration_se... for information on how to set this up.

avatar

Thanks you Robert and Sampath. In our environment editing the sudoers file is not an option.

Can the Ambari-server be changed to run as root user by running "ambari-server setup" and restarting Ambari at this point and then restart "Enable Kerberos Wizard" ?

avatar
hide-solution

This problem has been solved!

Want to get a detailed solution you have to login/registered on the community

Register/Login

avatar

Thanks Akhil, that helps.