10-24-2017
12:22 PM
@Hiroshi Shidara Your question is a bit broad. Are you looking to set up a KDC (or Active Directory) for high availability or configure Ambari to connect to replicated KDCs or Active Directories? If you are looking to set up a replicated KDC, this is probably not the forum for that. However, if you are setting up an MIT KDC, you can follow the docs from https://web.mit.edu/kerberos/krb5-devel/doc/admin/install_kdc.html.

From the Ambari side, as of Ambari 2.4.0, you can specify multiple KDC hosts to be set in the Ambari-managed krb5.conf file. Also, you will want to set the master_kdc value for the realm. There is a field in the Enable Kerberos Wizard in Ambari 2.5.1 and above for this (Advanced kerberos-env -> Master KDC host) or you can manually add it to the krb5.conf template under "Advanced krb5-conf".

Whether the krb5.conf file is managed by Ambari or not, the realm specification for your realm should look something like

EXAMPLE.COM = {
  kdc = kdc1.example.com
  kdc = kdc2.example.com
  master_kdc = kdc1.example.com
}
10-17-2017
04:42 PM
@Neha G Your question is unclear; however, in the kinit line you posted, the principal is hdfs-testcluster@SRV.COM. This is typically the "root" user for HDFS and is generally translated to the local user with the username "hdfs" using the configured auth-to-local rule set. Using this principal, you should have full access to manage HDFS. To see the current Kerberos ticket cache for the active user, you can issue the command klist. This will show you what identity is being used as the authenticated user, if a user was authenticated.
10-14-2017
08:19 PM
1 Kudo
@Mamta Chawla You cannot use the MIT Kerberos kadmin to create accounts in an Active Directory. That tool is only for use with the MIT KDC. To create accounts in an Active Directory, you will need to use Active Directory-specific tools. However, you can use a similar process that Ambari uses to create accounts in an Active Directory and then manually build the keytab files. This requires the use of the OpenLDAP ldapadd and ldapmodify tools as well as the ktutil command. See https://community.hortonworks.com/articles/82544/how-to-create-ad-principal-accounts-using-openldap.html. On top of this, you will need to make sure your krb5.conf file is correct in order for you to test it out. The krb5.conf file is not needed to create the AD account if you are using LDAP to do the work.
10-06-2017
03:25 PM
Is "hostname" in HTTP/hostname@RELAY.COM literally "hostname", or did you replace that for the purposes of this query?
09-21-2017
07:02 PM
@Kumar Veerappan, From https://web.mit.edu/kerberos/krb5-1.12/doc/user/user_commands/kinit.html:

-R
    requests renewal of the ticket-granting ticket. Note that an expired ticket cannot be renewed, even if the ticket is still within its renewable life.

Maybe sometime during the script execution the ticket expires and kinit -K is not failing as you expect?
09-21-2017
05:07 PM
@Kumar Veerappan, This is a tough question to answer since there is no indication of what your script is doing. The cache file, /tmp/krb5cc_603, is owned by the user with the uid of 603. Is this the user that was used to issue the kinit? Assuming a kinit was executed at some point before or during the script execution.
09-05-2017
12:05 PM
Hi @Rui Ornellas Junior The problem is probably the case of your realm name. Realm names MUST be all capital letters according to the widely accepted realm naming convention. The MIT Kerberos library appears to adhere to this convention and tends to generate failures when the convention is not satisfied. On top of this, the case of the realm name MUST match the case of your KDC. If the realm name known to your KDC is lowercase, then you will need to fix the KDC (or Active Directory). Many have tried to get around this case issue with no luck.
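Added example, not part of the original posts: a small Python check for the two krb5.conf points made in the answers above (more than one kdc plus a master_kdc per realm, and upper-case realm names). The function names, the sample file and the lab.example.com realm are constructed for illustration, and the check assumes KDCs are listed explicitly in the file rather than discovered through DNS.

```python
import re

SECTION = re.compile(r"^\[(\w+)\]$")
REALM_OPEN = re.compile(r"^(\S+)\s*=\s*\{$")
KEY_VALUE = re.compile(r"^(\w+)\s*=\s*(\S.*)$")

def parse_realms(text):
    """Return {realm: {key: [values]}} from the [realms] section of krb5.conf text."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = SECTION.match(line)
        if m:
            section, current = m.group(1), None
            continue
        if section != "realms":
            continue
        m = REALM_OPEN.match(line)
        if m:
            current = realms.setdefault(m.group(1), {})
        elif line == "}":
            current = None
        elif current is not None:
            m = KEY_VALUE.match(line)
            if m:                                 # repeated keys (kdc) accumulate
                current.setdefault(m.group(1), []).append(m.group(2).strip())
    return realms

def lint_realms(text):
    """Return (realm, problem) pairs for the conditions discussed in the posts."""
    findings = []
    for realm, opts in parse_realms(text).items():
        if realm != realm.upper():
            findings.append((realm, "realm name is not all upper case"))
        if len(opts.get("kdc", [])) < 2:
            findings.append((realm, "fewer than two kdc entries, no failover"))
        if not opts.get("master_kdc"):
            findings.append((realm, "master_kdc is not set"))
    return findings

# Constructed sample: one realm as in the post, one deliberately misconfigured.
SAMPLE = """[realms]
  EXAMPLE.COM = {\n    kdc = kdc1.example.com\n    kdc = kdc2.example.com
    master_kdc = kdc1.example.com\n  }
  lab.example.com = {\n    kdc = kdc3.example.com\n  }
"""
if __name__ == "__main__":
    for realm, problem in lint_realms(SAMPLE):
        print(f"{realm}: {problem}")
```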
07-24-2017
09:16 AM
1 Kudo
You can specify that you do not want Ambari to manage the underlying Kerberos infrastructure (MIT Kerberos library, krb5.conf, principals, and keytab files) using the API or Blueprints by setting the following configurations:

kerberos-env/kdc_type = "none"
kerberos-env/manage_identities = false
kerberos-env/install_packages = false
krb5-conf/manage_krb5_conf = false

Technically, you can pick and choose which features you want Ambari to, or not to, handle; but the above settings are what the UI sets when you choose the "manual" option. See https://github.com/apache/ambari/blob/trunk/ambari-server/docs/security/kerberos/enabling_kerberos.md#the-rest-api for more information on using the API to enable Kerberos.
07-17-2017
03:13 PM
@Ajit Sonawane There are a few articles on HCC related to enabling Kerberos using Ambari when Centrify is involved. For example:

https://community.hortonworks.com/questions/2939/hdp-23ambari-integration-with-ad-managed-by-centri.html
https://community.hortonworks.com/articles/5388/centrify-integration-with-hdp.html

However, if you wish to have Ambari skip creating keytab files and principals, you can use the Enable Kerberos Wizard and choose the "manual" option. This will allow Ambari to configure the services while allowing you to manually manage the underlying Kerberos infrastructure and identities (principals and keytab files).
07-10-2017
05:24 PM
1 Kudo
@Michael DeGuzis Currently, there is no way to get the user created date from the Ambari REST API. This will hopefully be a feature in Ambari 3.x.