Member since 06-06-2018 | 29 Posts | 1 Kudos Received | 0 Solutions
07-10-2018 12:56 PM

@bgooley The unicodePwd attribute in /usr/share/cmf/bin/gen_credentials_ad.sh is causing the issue. Cloudera Manager is still having the issues while creating the service principals, so I ran multiple tests in the same way as Cloudera Manager, changing/modifying attributes in the LDIF file, and figured out that the unicodePwd property is throwing the below misleading error:

ldap_add: Insufficient access (50)
additional info: 00000005: SecErr: DSID-031A11CC, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

I did a manual test replacing the unicodePwd attribute with the userPassword attribute in my test LDIF file and it worked fine. Can I make the change in /usr/share/cmf/bin/gen_credentials_ad.sh also? Any idea on its consequences?

Thanks & Regards,
Siva
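As an added example (not from the thread and not Cloudera's script), this is what the `echo -n '"…"' | iconv -f UTF8 -t UTF16LE | base64 -w 0` pipeline in the trace below produces, in Python, with a decoder to verify what an LDIF would actually carry. The DN and attribute list are an assumption modelled on the trace, and the password value is constructed.

```python
import base64


def ad_unicode_pwd(password: str) -> bytes:
    """Encode a password as Active Directory expects it in unicodePwd:
    the password wrapped in double quotes, as UTF-16LE with no BOM.
    AD accepts this write only over an encrypted session (SSL/TLS or a
    SASL-sealed bind), whatever the bind account's rights on the OU."""
    return f'"{password}"'.encode("utf-16-le")


def ldif_unicode_pwd_line(password: str) -> str:
    """Render the attribute as an LDIF line; '::' marks a base64 value.
    Same bytes as: echo -n '"pw"' | iconv -f UTF8 -t UTF16LE | base64 -w 0"""
    return "unicodePwd:: " + base64.b64encode(ad_unicode_pwd(password)).decode("ascii")


def decode_unicode_pwd_line(line: str) -> str:
    """Reverse the encoding to check what a generated LDIF sends to the DC."""
    attr, _, value = line.partition(":: ")
    if attr != "unicodePwd":
        raise ValueError("not a base64 unicodePwd line")
    text = base64.b64decode(value).decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("AD requires the password to be enclosed in double quotes")
    return text[1:-1]


def add_record(dn: str, object_classes, attrs: dict, password: str) -> str:
    """Build an LDIF add record in the shape gen_credentials_ad.sh assembles.
    The attribute list is an assumption, not Cloudera's exact script."""
    lines = [f"dn: {dn}", "changetype: add"]
    lines += [f"objectClass: {oc}" for oc in object_classes]
    lines += [f"{key}: {value}" for key, value in attrs.items()]
    lines.append(ldif_unicode_pwd_line(password))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values; the real trace redacts the password.
    print(add_record(
        "CN=prod_LFecFhBoWF,OU=username,OU=example Enterprise,DC=example,DC=com",
        ["top", "person", "organizationalPerson", "user"],
        {"sAMAccountName": "prod_LFecFhBoWF",
         "userPrincipalName": "hue/hostname.example.com@EXAMPLE.COM",
         "userAccountControl": "66048", "accountExpires": "0"},
        "Pa55"))
```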
07-09-2018 03:35 PM

Hi, I am trying to enable Kerberos for the newly built cluster. The user has full control over the OU and I also tested adding a user using ldapadd, but Cloudera Manager throws INSUFF_ACCESS_RIGHTS for the same user:

2018-07-09 16:00:16,785 ERROR CommandPusher:com.cloudera.cmf.command.CommandHelpers: GenerateCredentials - Execution error:
java.io.IOException: /usr/share/cmf/bin/gen_credentials_ad.sh failed with exit code 50 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf1473504603598890242.keytab
+ PRINC=hue/hostname.example.com@EXAMPLE.COM
+ USER=user_LFecFhBoWF
+ PASSWD=REDACTED
+ DELETE_ON_REGENERATE=true
+ SET_ENCRYPTION_TYPES=true
+ ENC_TYPES_MASK=28
+ USERACCOUNTCONTROL=66048
+ ACCOUNTEXPIRES=0
+ OBJECTCLASSES='objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user '
+ DIST_NAME='CN=prod_LFecFhBoWF,OU=username,OU=example Enterprise,DC=example,DC=com'
+ '[' -z /etc/krb5.conf ']'
+ echo 'Using custom config path '\''/etc/krb5.conf'\'', contents below:'
+ cat /etc/krb5.conf
+ SIMPLE_PWD_STR=
+ '[' 'REDACTED' = '' ']'
+ SIMPLE_PWD_STR='-x -D user@EXAMPLE>COM -w REDACTED'
++ mktemp /tmp/cm_ldap.XXXXXXXX
+ LDAP_CONF=/tmp/cm_ldap.9d2I7GO6
+ echo 'TLS_REQCERT never'
+ echo 'sasl_secprops minssf=0,maxssf=0'
+ export LDAPCONF=/tmp/cm_ldap.9d2I7GO6
+ LDAPCONF=/tmp/cm_ldap.9d2I7GO6
++ ldapsearch -LLL -H ldap://ldaphost.example.com -b 'OU=username,OU=Servers,OU=example Enterprise,DC=example,DC=com' -x -D user@EXAMPLE>COM -w 'REDACTED' userPrincipalName=hue/hostname.example.com@EXAMPLE.COM
+ PRINC_SEARCH=
++ echo ''
++ sed -n '1 {h; $ !d}; $ {x; s/\n //g; p}; /^ / {H; d}; /^ /! {x; s/\n //g; p}'
+ RESULTS_UNWRAPPED=
+ echo $'\342\200\234\342\200\235'
+ set +e
+ echo
+ grep -q userPrincipalName
+ '[' 1 -eq 0 ']'
+ set -e
+ '[' true = true ']'
+ ldapmodify -H ldap://ldaphost.example.com -x -D user@EXAMPLE>COM -w 'REDACTED'
++ echo 'objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user '
++ sed /str/d
++ echo hue/hostname.example.com@EXAMPLE.COM
++ sed -e 's/\@EXAMPLE.COM//g'
++ echo -n '"REDACTED"'
++ iconv -f UTF8 -t UTF16LE
++ base64 -w 0
ldap_add: Insufficient access (50)
additional info: 00000005: SecErr: DSID-031A11CC, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
>>

As soon as I hit Import KDC Account Manager Credentials, I also see the following message in /var/log/messages:

Jul 9 17:17:39 hostname ldapsearch: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)

In need of serious help. Thanks in advance!

Labels: Kerberos
07-09-2018 01:18 PM

I have the SSSD configured to short name and everything looks good now!!! Thanks @bgooley
07-06-2018 12:52 PM

@bgooley Ya, it does not seem to be working. HDFS --> Configuration --> Superuser Group = hadoopadmingroup@example.com and then hadoopadmingroup; both of them yielded zero groups.

[sbalusu@example.com@hostname ~]$ hdfs groups sbalusu@example.com
sbalusu_c@example.com :
[sbalusu@example.com@hostname ~]$ hdfs groups sbalusu_c
sbalusu_c :

Thanks & Regards,
Siva
07-06-2018 12:22 PM

@bgooley I apologise for the confusion. The supergroup I mentioned is hadoopadmingroup@example.com. In Cloudera Manager I changed this configuration in HDFS --> Configuration --> Superuser Group and tried setting it to hadoopadmingroup@example.com and then hadoopadmingroup; both of them did not work. sssd is set up to have a domain name at the end of the Unix group and Unix user; somehow hdfs is not able to map the user to the group with the domain name at the end. True, I agree this is not a Kerberos issue. My intention is to find out if Hadoop can work with a domain name at the end of the group, so that I can have a conversation with the Unix team to trim the domain name at the end of the group.

Thanks,
Siva
07-06-2018 11:59 AM

@bgooley hdfs is not picking up the users from supergroup@domain.com; does the auth_to_local rule work for groups?

hadoop.security.group.mapping = org.apache.hadoop.security.ShellBasedUnixGroupsMapping

[sbalusu@domain.com@hostname ~]$ hadoop fs -chown hdfs:supergroup /user/test
chown: changing ownership of '/user/test': Non-super user cannot change owner
[sbalusu@domain.com@hostname ~]$ getent group supergroup@domain.com
supergroup@domain.com:*:514734591:sbalusu@supergroup.com

I tried both the group short name as well as the group fqdn:

dfs.permissions.supergroup, dfs.permissions.superusergroup = supergroup@domain.com
dfs.permissions.supergroup, dfs.permissions.superusergroup = supergroup

Any suggestions?
07-05-2018 08:39 AM

@bgooley I completely agree with the uppercase realm concept, and it worked fine for many clusters we deployed for different clients, but somehow the current cluster only works when I have the lower case in trusted realms.

Thanks,
Siva
06-28-2018 10:50 AM

@bgooley Ya, the pattern is wrong, and I am glad that the documentation link you provided is very clear. I observed an interesting thing in our environment.

When only example.com is the trusted domain:

[sbalusu@example.com@host ~]$ hadoop org.apache.hadoop.security.HadoopKerberosName sbalusu@example.com
Name: sbalusu@example.com to sbalusu
[sbalusu@example.com@host ~]$ hadoop org.apache.hadoop.security.HadoopKerberosName sbalusu@EXAMPLE.COM
Name: sbalusu@EXAMPLE.COM to sbalusu

When only EXAMPLE.COM is the trusted domain:

[sbalusu@example.com@host ~]$ hadoop org.apache.hadoop.security.HadoopKerberosName sbalusu@EXAMPLE.COM
Name: sbalusu@EXAMPLE.COM to sbalusu
[sbalusu@example.com@host ~]$ hadoop org.apache.hadoop.security.HadoopKerberosName sbalusu@example.com
18/06/28 17:41:41 INFO util.KerberosName: No auth_to_local rules applied to sbalusu@example.com
Name: sbalusu@example.com to sbalusu@example.com

And kinit shows EXAMPLE.COM:

[sbalusu@example.com@host ~]$ kinit
Password for sbalusu@EXAMPLE.COM:

Not sure from where hadoop is picking up the lower case realm.
06-27-2018 10:09 PM

I tried exactly the same but it threw the below error:

Failed to start namenode.
java.util.regex.PatternSyntaxException: Illegal/unsupported escape sequence near index 22
.*@\EXAMPLE.COM\E$
^

Also I had to add example.com to make it work. Can you please suggest if there is a way to ignore case in the rule?
06-27-2018 09:56 PM

Hi Ben, I had the pattern wrong in the rule. Here is the updated and working one:

RULE:[1:$1@$0](.*@\EXAMPLE.COM)s/@\EXAMPLE.COM//
RULE:[2:$1@$0](.*@\EXAMPLE.COM)s/@\EXAMPLE.COM//

Thanks & Regards,
Siva
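As an added example (my own simplified emulation, not Hadoop's KerberosName code), the following applies auth_to_local rules in the format used in the three posts above to the principals from the thread. The rules are written with the realm's dot escaped as `\.`, since Python's `re` rejects `\E` as a bad escape, and the cluster realm HADOOP.EXAMPLE.COM is an assumption. It reproduces why `sbalusu@example.com` ends in "No auth_to_local rules applied" when only the EXAMPLE.COM rule exists: the rule's regex is matched anchored at both ends and case-sensitively, so each realm spelling needs its own rule.

```python
import re

# Rule syntax handled:  RULE:[n:fmt](regex)s/pattern/replacement/g   and   DEFAULT
# n = number of principal components, $0 = realm, $1.. = components.
RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?$")


def split_principal(principal):
    """'hue/host.example.com@EXAMPLE.COM' -> (['hue', 'host.example.com'], 'EXAMPLE.COM')"""
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm


def apply_auth_to_local(rules, principal, default_realm):
    """Return the short name for principal, or the principal unchanged when no
    rule matches (the 'No auth_to_local rules applied' case in the thread)."""
    comps, realm = split_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            if realm == default_realm:
                return comps[0]
            continue
        m = RULE_RE.match(rule)
        if not m:
            raise ValueError(f"unparseable rule: {rule}")
        n, fmt, regex, pattern, repl, gflag = m.groups()
        if int(n) != len(comps):
            continue  # rule is for principals with a different component count
        candidate = fmt.replace("$0", realm)
        for i, comp in enumerate(comps, 1):
            candidate = candidate.replace(f"${i}", comp)
        # Like Java's Matcher.matches(): whole-string and case-sensitive,
        # so 'sbalusu@example.com' does not satisfy '.*@EXAMPLE\.COM'.
        if regex and not re.fullmatch(regex, candidate):
            continue
        if pattern is not None:
            candidate = re.sub(pattern, repl, candidate, count=0 if gflag else 1)
        return candidate
    return principal


# Constructed: an assumed cluster realm that trusts the EXAMPLE.COM realm.
CLUSTER_REALM = "HADOOP.EXAMPLE.COM"
RULES = [
    r"RULE:[1:$1@$0](.*@EXAMPLE\.COM)s/@EXAMPLE\.COM//",
    r"RULE:[2:$1@$0](.*@EXAMPLE\.COM)s/@EXAMPLE\.COM//",
    "DEFAULT",
]
```

Adding a second pair of rules spelled with `example\.com` is what makes the lower-case realm map as well; `RULES` alone leaves it untouched.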