We are running a self-signed certificate Ambari cluster (with HTTPS) and we also enabled the cluster with FreeIPA+Kerberos.
Ambari URL: https://xxxx.xxxx.nm1:8443 (its not .com) HDP: 3.0.1 (Latest)
After successfully integrating FreeIPA+Kerberos with Ambari cluster, we are unable to access few important GUIs such as Namenode UI, Resource Manager UI and Oozie UI. The error we are getting below is this:
HTTP ERROR 401 Problem accessing /index.html. Reason:Authentication required
I've tried all possible scenarios to debug this error like running the following command in my MAC terminal but its of no use.
defaults write com.google.Chrome AuthServerWhitelist "*.REALM_NAME.COM" defaults write com.google.Chrome AuthNegotiateDelegateWhitelist "*.REALM_NAME.COM"
I ran the same above command in Google Chrome console (option+command+j in MAC) and got this error:
Uncaught SyntaxError: Unexpected identifier
The following Keytabs are present in /etc/security/keytabs :
There is a valid ticket HDFS user as well but still unable to access the UI:
hdfs@xxxxxxx:/etc/security/keytabs$ klist Ticket cache: FILE:/tmp/krb5cc_1213 Default principal: nn/xxxxxx.xxxxxx.nm1@REALM.COM Valid starting Expires Service principal 11/30/18 16:13:31 12/01/18 16:13:31 krbtgt/REALM.COM@REALM.COM renew until 12/07/18 16:13:31
I also tried using "spnego.service.keytab" but still no use:
root@xxxxxxx102:/etc/security/keytabs# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: HTTP/xxxxxx102.xxxxx.nm1@REALM.COM Valid starting Expires Service principal 11/30/18 17:23:38 12/01/18 17:23:38 krbtgt/REALM.COM@REALM.COM renew until 12/07/18 17:23:38
Kindly provide your technical suggestions. It would be very helpful and highly appreciated.
Should I disable the Kerberos HTTP authentication ? If yes, please guide me the same for NN, RM and Oozie URLs
Hi @Shesh Kumar,
Did you after:
Then go to chrome://policy/ and reload
Also, you can try with firefox:
This preference lists the trusted sites for Kerberos authentication.
The domain that you just entered in the network.negotiate-auth.trusted-uris should now appear in Value column. The setting takes effect immediately; you do not have to restart Firefox.
Hope this help you.
I did try the steps which you recommend. But unfortunately it did not work. To make it work, I edited few properties in HDFS service
allow anonymous = true
http auth = simple (previous val was 'kerberos')
Did you tried disabling SPNEGO authentication in Configuration properties and tried restarting the service?