Member since
02-22-2024
24
Posts
12
Kudos Received
0
Solutions
06-10-2024
07:47 PM
1 Kudo
Hi Everyone can help me, I'm strat NodeManger in ambari but show error "failure to login: for principal: nm/slave1.hadoop.com@HADOOP.COM from keytab /etc/security/keytabs/nm.service.keytab" for detail like below 2024-06-11 09:30:28,202 INFO impl.MetricsSystemImpl (MetricsSystemImpl.java:shutdown(611)) - NodeManager metrics system shutdown complete.
2024-06-11 09:30:28,202 ERROR nodemanager.NodeManager (NodeManager.java:initAndStartNodeManager(965)) - Error starting NodeManager
org.apache.hadoop.yarn.exceptions.YarnRuntimeException: Failed NodeManager login
at org.apache.hadoop.yarn.server.nodemanager.NodeManager.serviceInit(NodeManager.java:488)
at org.apache.hadoop.service.AbstractService.init(AbstractService.java:164)
at org.apache.hadoop.yarn.server.nodemanager.NodeManager.initAndStartNodeManager(NodeManager.java:962)
at org.apache.hadoop.yarn.server.nodemanager.NodeManager.main(NodeManager.java:1042)
Caused by: org.apache.hadoop.security.KerberosAuthException: failure to login: for principal: nm/slave1.hadoop.com@HADOOP.COM from keytab /etc/security/keytabs/nm.service.keytab javax.security.auth.login.LoginException: Unable to obtain password from user
at org.apache.hadoop.security.UserGroupInformation.doSubjectLogin(UserGroupInformation.java:2012)
at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1365)
at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1125)
at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:324)
at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:288)
at org.apache.hadoop.yarn.server.nodemanager.NodeManager.doSecureLogin(NodeManager.java:295)
at org.apache.hadoop.yarn.server.nodemanager.NodeManager.serviceInit(NodeManager.java:486)
... 3 more
Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user
at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:903)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:766)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:618)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at org.apache.hadoop.security.UserGroupInformation$HadoopLoginContext.login(UserGroupInformation.java:2091)
at org.apache.hadoop.security.UserGroupInformation.doSubjectLogin(UserGroupInformation.java:2001)
... 9 more
2024-06-11 09:30:28,204 INFO nodemanager.NodeManager (LogAdapter.java:info(51)) - SHUTDOWN_MSG: any suggestions?
... View more
Labels:
- Labels:
-
Apache YARN
-
Kerberos
06-07-2024
04:07 PM
1 Kudo
@Shelton I'm using Ubuntu 22.04 & using ODP (https://clemlabs.s3.eu-west-3.amazonaws.com/ubuntu22/odp-release/1.2.2.0-46/ODP)
... View more
06-06-2024
08:44 PM
1 Kudo
@Shelton @Majeti I found in the kdf.conf for "admin_keytab" path /etc/krb5kdc/kadm5.keytab not found, where i can create kadm5.keyab? please see below any suggestions?
... View more
06-06-2024
05:35 PM
1 Kudo
@Shelton I'm following your step, but show an error like below root@master1:~# sudo systemctl restart krb5-kdc
Job for krb5-kdc.service failed because the control process exited with error code.
See "systemctl status krb5-kdc.service" and "journalctl -xeu krb5-kdc.service" for details.
root@master1:~# systemctl status krb5-kdc.service
× krb5-kdc.service - Kerberos 5 Key Distribution Center
Loaded: loaded (/lib/systemd/system/krb5-kdc.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Fri 2024-06-07 00:33:16 UTC; 5min ago
Process: 13894 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid $DAEMON_ARGS (code=exited, status=1/FAILURE)
CPU: 92ms
Jun 07 00:33:16 master1.hadoop.com systemd[1]: Starting Kerberos 5 Key Distribution Center...
Jun 07 00:33:16 master1.hadoop.com krb5kdc[13894]: Couldn't open log file /var/log/krb5kdc.log: Read-only file system
Jun 07 00:33:16 master1.hadoop.com krb5kdc[13894]: krb5kdc: Configuration file does not specify default realm, attempt>
Jun 07 00:33:16 master1.hadoop.com krb5kdc[13894]: Configuration file does not specify default realm - while attemptin>
Jun 07 00:33:16 master1.hadoop.com systemd[1]: krb5-kdc.service: Control process exited, code=exited, status=1/FAILURE
Jun 07 00:33:16 master1.hadoop.com systemd[1]: krb5-kdc.service: Failed with result 'exit-code'.
Jun 07 00:33:16 master1.hadoop.com systemd[1]: Failed to start Kerberos 5 Key Distribution Center.
... View more
06-05-2024
05:38 PM
@Majeti . my issue is when Ambari tests Kerberos client always shows a dialog box like this My previous settings were like this I have the principal admin/admin@HADOOP.COM and the password is correct, root@master1:~# kadmin -p admin/admin
Authenticating as principal admin/admin with password.
Password for admin/admin@HADOOP.COM:
kadmin: listprincs
HTTP/master1.hadoop.com@HADOOP.COM
K/M@HADOOP.COM
admin/admin@HADOOP.COM
admin/master1.hadoop.com@HADOOP.COM
hdfs/master1.hadoop.com@HADOOP.COM
kadmin/admin@HADOOP.COM
kadmin/changepw@HADOOP.COM
krbtgt/HADOOP.COM@HADOOP.COM Any suggestions for this issue?
... View more
06-05-2024
01:06 AM
1 Kudo
@Shelton /etc/host root@master1:~# hostname -f master1.hadoop.com /etc/hosts 127.0.0.1 localhost 192.168.122.10 master1.hadoop.com 192.168.122.11 slave1.hadoop.com 192.168.122.12 slave2.hadoop.com # The following lines are desirable for IPv6 capable hosts ::1 ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters /etc/krb5.conf [libdefaults] renew_lifetime = 7d forwardable = true default_realm = HADOOP.COM ticket_lifetime = 24h dns_lookup_realm = false dns_lookup_kdc = false default_ccache_name = /tmp/krb5cc_%{uid} #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5 #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5 [logging] default = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log kdc = FILE:/var/log/krb5kdc.log [realms] HADOOP.COM = { admin_server = master1.hadoop.com kdc = master1.hadoop.com } kadm5.acl */admin@HADOOP.COM * event create ticket show error root@master1:~# systemctl restart krb5-kdc
root@master1:~# systemctl restart krb5-admin-server
root@master1:~# kinit -kt /etc/security/keytabs/hdfs.keytab hdfs/master1.hadoop.com@HADOOP.COM
kinit: Client 'hdfs/master1.hadoop.com@HADOOP.COM' not found in Kerberos database while getting initial credentials
... View more
06-05-2024
12:23 AM
@Majed im my cluster master1,slave1 & slave2 kinit logged in fine without errors, listed below root@master1:~# kinit admin/admin@HADOOP.COM
Password for admin/admin@HADOOP.COM:
root@master1:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@HADOOP.COM
Valid starting Expires Service principal
06/05/2024 07:17:16 06/05/2024 17:17:16 krbtgt/HADOOP.COM@HADOOP.COM
renew until 06/05/2024 07:17:16
root@master1:~#
root@slave1:~# kinit admin/admin@HADOOP.COM
Password for admin/admin@HADOOP.COM:
root@slave1:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@HADOOP.COM
Valid starting Expires Service principal
06/05/2024 07:19:26 06/05/2024 17:19:26 krbtgt/HADOOP.COM@HADOOP.COM
renew until 06/05/2024 07:19:26
root@slave1:~# root@slave2:~# kinit admin/admin@HADOOP.COM
Password for admin/admin@HADOOP.COM:
root@slave2:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@HADOOP.COM
Valid starting Expires Service principal
06/05/2024 07:20:19 06/05/2024 17:20:19 krbtgt/HADOOP.COM@HADOOP.COM
renew until 06/05/2024 07:20:19
root@slave2:~#
... View more
06-03-2024
11:42 PM
1 Kudo
Hallo, When to enable Kerberos via ambari, I am facing the following window popup at the time of Testing client after client installation saying in my log ambari-server listed below 2024-06-04 06:27:43,380 WARN [agent-report-processor-2] ActionManager:162 - The task 76 is not in progress, ignoring update
2024-06-04 06:27:43,861 INFO [ambari-client-thread-6248] AmbariManagementControllerImpl:4086 - Received action execution request, clusterName=hadoop, request=isCommand :true, action :null, command :KERBEROS_SERVICE_CHECK, inputs :{HAS_RESOURCE_FILTERS=true}, resourceFilters: [RequestResourceFilter{serviceName='KERBEROS', componentName='null', hostNames=[]}], exclusive: false, clusterName :hadoop
2024-06-04 06:27:44,149 WARN [ambari-client-thread-6248] KDCKerberosOperationHandler:329 - Failed to kinit as the KDC administrator user, admin/admin@HADOOP.COM:
ExitCode: 1
STDOUT:
STDERR: kinit: Server not found in Kerberos database while getting initial credentials
2024-06-04 06:27:44,151 ERROR [ambari-client-thread-6248] KerberosHelperImpl:2507 - Cannot validate credentials: org.apache.ambari.server.serveraction.kerberos.KerberosAdminAuthenticationException: Invalid KDC administrator credentials.
The KDC administrator credentials must be set as a persisted or temporary credential resource.This may be done by issuing a POST (or PUT for updating) to the /api/v1/clusters/:clusterName/credentials/kdc.admin.credential API entry point with the following payload:
{
"Credential" : {
"principal" : "(PRINCIPAL)", "key" : "(PASSWORD)", "type" : "(persisted|temporary)"}
}
}
2024-06-04 06:27:44,152 ERROR [ambari-client-thread-6248] CreateHandler:80 - Bad request received: Invalid KDC administrator credentials.
The KDC administrator credentials must be set as a persisted or temporary credential resource.This may be done by issuing a POST (or PUT for updating) to the /api/v1/clusters/:clusterName/credentials/kdc.admin.credential API entry point with the following payload:
{
"Credential" : {
"principal" : "(PRINCIPAL)", "key" : "(PASSWORD)", "type" : "(persisted|temporary)"}
}
}
2024-06-04 06:27:44,578 WARN [agent-report-processor-1] ActionManager:162 - The task 75 is not in progress, ignoring update can anyone help me, please..
... View more
Labels:
- Labels:
-
Apache Ambari
-
Kerberos
05-30-2024
05:42 PM
@Scharan My Hostname in my kdc server *** System restart required ***
Last login: Thu May 30 07:23:57 2024 from 192.168.7.211
root@admin:~# hostname
admin.com
root@admin:~# in my client host root@slave2:~# ping admin.com
PING admin.com (192.168.7.4) 56(84) bytes of data.
64 bytes from admin.com (192.168.7.4): icmp_seq=1 ttl=64 time=0.608 ms
64 bytes from admin.com (192.168.7.4): icmp_seq=2 ttl=64 time=0.669 ms
64 bytes from admin.com (192.168.7.4): icmp_seq=3 ttl=64 time=0.561 ms
64 bytes from admin.com (192.168.7.4): icmp_seq=4 ttl=64 time=1.94 ms
... View more
05-29-2024
08:28 PM
1 Kudo
Hi Everyone, While kerberizing my cluster using MIT-KDC and Ambari Kerberos Wizard. I am facing the following window popup at the time of Testing client after client installation saying : I'm using ambari 2.7.8 HDFS 3.3.6 UBUNTU 22 config of krb5.conf [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = EXAMPLE.COM dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true [realms] EXAMPLE.COM = { kdc = admin.com admin_server = admin.com } [domain_realm] .example.com = EXAMPLE.COM example.com = EXAMPLE.COM config of /etc/hostname list principal is root@admin:/# kadmin.local -q "listprincs" Authenticating as principal admin/admin@EXAMPLE.COM with password. K/M@EXAMPLE.COM admin/admin@EXAMPLE.COM kadmin/admin@EXAMPLE.COM kadmin/changepw@EXAMPLE.COM krbtgt/EXAMPLE.COM@EXAMPLE.COM ambari-server.log :KERBEROS_SERVICE_CHECK, inputs :{HAS_RESOURCE_FILTERS=true}, resourceFilters: [RequestResourceFilter{serviceName='KERBEROS', componentName='null', hostNames=[]}], exclusive: false, clusterName :hadoop
2024-05-30 05:12:20,298 WARN [ambari-client-thread-108] KDCKerberosOperationHandler:329 - Failed to kinit as the KDC administrator user, admin/admin@EXAMPLE.COM:
ExitCode: 1
STDOUT:
STDERR: kinit: Server not found in Kerberos database while getting initial credentials
2024-05-30 05:12:20,299 ERROR [ambari-client-thread-108] KerberosHelperImpl:2507 - Cannot validate credentials: org.apache.ambari.server.serveraction.kerberos.KerberosAdminAuthenticationException: Invalid KDC administrator credentials.
The KDC administrator credentials must be set as a persisted or temporary credential resource.This may be done by issuing a POST (or PUT for updating) to the /api/v1/clusters/:clusterName/credentials/kdc.admin.credential API entry point with the following payload:
{
"Credential" : {
"principal" : "(PRINCIPAL)", "key" : "(PASSWORD)", "type" : "(persisted|temporary)"}
}
}
2024-05-30 05:12:20,299 ERROR [ambari-client-thread-108] CreateHandler:80 - Bad request received: Invalid KDC administrator credentials.
The KDC administrator credentials must be set as a persisted or temporary credential resource.This may be done by issuing a POST (or PUT for updating) to the /api/v1/clusters/:clusterName/credentials/kdc.admin.credential API entry point with the following payload:
{
"Credential" : {
"principal" : "(PRINCIPAL)", "key" : "(PASSWORD)", "type" : "(persisted|temporary)"}
}
}
2024-05-30 05:12:20,733 WARN [agent-report-processor-3] ActionManager:162 - The task 1304 is not in progress, ignoring update
2024-05-30 05:12:21,052 WARN [agent-report-processor-1] ActionManager:162 - The task 1302 is not in progress, ignoring update
... View more
Labels:
- Labels:
-
Apache Ambari
-
Kerberos
- « Previous
-
- 1
- 2
- Next »