Member since
09-29-2015
362
Posts
242
Kudos Received
63
Solutions
My Accepted Solutions
Title | Views | Posted |
---|---|---|
1293 | 03-14-2019 01:00 PM | |
1542 | 01-23-2019 04:19 PM | |
7102 | 01-15-2019 01:59 PM | |
4435 | 01-15-2019 01:57 PM | |
10360 | 12-06-2018 02:01 PM |
01-15-2019
04:55 PM
1 Kudo
I do not have any information on in the release date of the next version of Ambari. This way of authenticating to the kadmin server is new for Ambari 2.7, so your issue would not have been seen in previous versions
... View more
01-15-2019
01:59 PM
@Javert Kirilov In Ambari 2.7.x, the MIT KDC connector logic uses the following kinit format: kinit -S kadmin/<FQDN kadmin server>@EXAMPLE.COM admin/admin@EXAMPLE.COM See https://github.com/apache/ambari/blob/branch-2.7/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandler.java#L336-L346 for the code. This is different then what you suggest since the server principal is basically hardcoded to kadmin/<FQDN kadmin server>@<REALM>. Since not all installations of the MIT KDC have this principal set up, this can cause issues like what you are seeing. In the newer release of Ambari, we have this fixed and the user can override the kadmin server principal. So until that version is release, it is suggested that you manually create that missing principal. Hopefully you are willing to try this is see if it works for you.
... View more
01-15-2019
01:57 PM
@Javert Kirilov In Ambari 2.7.x, the MIT KDC connector logic uses the following kinit format: kinit -S kadmin/<FQDN kadmin server>@EXAMPLE.COM admin/admin@EXAMPLE.COM See https://github.com/apache/ambari/blob/branch-2.7/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandler.java#L336-L346 for the code. This is different then what you suggest since the server principal is basically hardcoded to kadmin/<FQDN kadmin server>@<REALM>. Since not all installations of the MIT KDC have this principal set up, this can cause issues like what you are seeing. In the newer release of Ambari, we have this fixed and the user can override the kadmin server principal. So until that version is release, it is suggested that you manually create that missing principal. Hopefully you are willing to try this is see if it works for you.
... View more
01-09-2019
03:34 PM
@huzaira bashir
It seems like there may be an issue exporting keytab files from the KDC. Can you try to do this manually using the admin user you configured in Ambari? /bin/kinit -c /tmp/my_cc -S kadmin/<KDC Admin Server Host> <KDC Admin Principal Name>
/bin/kadmin -c /tmp/my_cc -s <KDC Admin Server Host> -r <Realm> -q "xst -k /tmp/ambari_tmp.keytab -e des3-cbc-sha1-kd:normal,rc4-hmac:normal,des-cbc-md5:normal,aes128-cts-hmac-sha1-96:normal,aes256-cts-hmac-sha1-96:normal ambari-qa-<Cluster Name>@<Realm>"
/bin/klist -kte /tmp/ambari_tmp.keytab You will need to change the specifics to match your cluster. For my cluster I am using:
KDC Admin Server Host: c7402.ambari.apache.org KDC Admin Principal Name: admin/admin!@EXAMPLE.COM Realm: EXAMPLE.COM Cluster Name: c1 Also, I assume that you haven't changed:
The default temporary directory: /tmp The kadmin principal name: kadmin/<KDC Admin Server Host> The format of the Ambari smoke user principal name: ambari-qa-<Cluster Name>@<Realm> The default encryption types: aes des3-cbc-sha1 rc4 des-cbc-md5 Using the commands from above, I get the following: [root@c7402 ~]# /bin/kinit -c /tmp/my_cc -S kadmin/c7402.ambari.apache.org admin/admin@EXAMPLE.COM
Password for admin/admin@EXAMPLE.COM:<br>[root@c7402 ~]# /bin/kadmin -c /tmp/my_cc -s c7402.ambari.apache.org -r EXAMPLE.COM -q "xst -k "/tmp/ambari_tmp.keytab" -e des3-cbc-sha1-kd:normal,rc4-hmac:normal,des-cbc-md5:normal,aes128-cts-hmac-sha1-96:normal,aes256-cts-hmac-sha1-96:normal ambari-server-c1@EXAMPLE.COM"
Authenticating as principal admin/admin@EXAMPLE.COM with existing credentials.
Entry for principal ambari-server-c1@EXAMPLE.COM with kvno 4, encryption type des3-cbc-sha1 added to keytab WRFILE:/tmp/ambari_tmp.keytab.
Entry for principal ambari-server-c1@EXAMPLE.COM with kvno 4, encryption type arcfour-hmac added to keytab WRFILE:/tmp/ambari_tmp.keytab.
Entry for principal ambari-server-c1@EXAMPLE.COM with kvno 4, encryption type des-cbc-md5 added to keytab WRFILE:/tmp/ambari_tmp.keytab.
Entry for principal ambari-server-c1@EXAMPLE.COM with kvno 4, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/ambari_tmp.keytab.
Entry for principal ambari-server-c1@EXAMPLE.COM with kvno 4, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/ambari_tmp.keytab.
Administration credentials NOT DESTROYED.<br>[root@c7402 ~]# /bin/klist -kte /tmp/ambari_tmp.keytab
Keytab name: FILE:/tmp/ambari_tmp.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
4 01/09/2019 15:31:29 ambari-server-c1@EXAMPLE.COM (des3-cbc-sha1)
4 01/09/2019 15:31:29 ambari-server-c1@EXAMPLE.COM (arcfour-hmac)
4 01/09/2019 15:31:29 ambari-server-c1@EXAMPLE.COM (des-cbc-md5)
4 01/09/2019 15:31:29 ambari-server-c1@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
4 01/09/2019 15:31:29 ambari-server-c1@EXAMPLE.COM (aes256-cts-hmac-sha1-96) Can you try this to see if you get any errors?
... View more
01-04-2019
02:35 PM
@huzaira bashir Is the Ambari server on a host that is registered with the cluster? If not, I was recently alerted to an issue where this case was causing an error. But enabling Kerberos would have failed for you... unless you had enabled Kerberos before upgrading to Ambari 2.7.1. See AMBARI-25088 - Enable Kerberos fails when Ambari server is not on a registered host.
... View more
01-03-2019
02:57 PM
@huzaira bashir Can you take a look at your Ambari server log (/var/log/ambari-server/ambari-server.log) and see if there are any interesting error messages?
... View more
12-26-2018
02:10 PM
@Rajeswaran Govindan If you are running the Ambari server as a non-root user, then you need to set up sudoers so that Ambari can properly sudo and execute the needed commands. See https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/sudoer_configuration_server.html for information on how to set this up.
... View more
12-17-2018
04:19 PM
I am at a loss as far as what the issue is. All tests I have proposed yielded results that make it seem like all should be working. Maybe Manually remove the credential from the credential store Restart Ambari Add it again, through Ambari when it asks for it To remove the credential using keytool - <JAVA_HOME>/bin/keytool -remove -alias -keystore /var/lib/ambari-server/keys/credentials.jceks -store-type JCEKS
... View more
12-17-2018
03:42 PM
@Qureshi F The column in question should be able to hold a hostname that is 255 characters long. Either the _hosts_ table in your database has been modified or your host name is really large. Can you log into your Ambari database and execute DESCRIBE hosts; Then post the results. No data will be returned, just the table definition. If the column type for hosts.public_host_name does not look lime the following, then someone or something has changed it and we need to get it fixed. public_host_name VARCHAR(255), I have to assume that your hostnames are not larger than 255 characters long.
... View more
12-12-2018
04:28 PM
So Ambari really cannot find the KDC administrator credentials. Can you execute the following to see if the alias exists in the Ambari credential store? <JAVA_HOME>/bin/keytool -list -keystore /var/lib/ambari-server/keys/credentials.jceks -store-type JCEKS For Example: [root@c7401 ~]# /usr/jdk64/jdk1.8.0_112/bin/keytool -list -keystore /var/lib/ambari-server/keys/credentials.jceks -store-type JCEKS
Enter keystore password:
Keystore type: JCEKS
Keystore provider: SunJCE
Your keystore contains 2 entries
cluster.ambari_predev.kdc.admin.credential, Dec 12, 2018, SecretKeyEntry,
ambari.db.password, Dec 12, 2018, SecretKeyEntry, Here you see that my persisted KDC admin credential is listed as cluster.ambari_predev.kdc.admin.credential. If you do not see this, then something is wrong.
... View more