Member since: 09-29-2015
Posts: 362
Kudos Received: 242
Solutions: 63
12-26-2018
05:53 PM
Thanks Akhil, that helps.
12-21-2018
02:30 PM
All, Thanks for your response. I found the root cause of the issue. Ambari was using its master's key in KDC admin credentials that is why it was giving "Missing KDC administrator credentials. Please enter admin principal and password". So I have removed that credential file (PFA for this) and issue has been solved. For others, you may need to keep ambari master key and KDC admin creds same, because that file is required at the time of ambari-server restart (if you have configured jceks). PFA, kerberos-admin-creds-issue-solved.png
12-10-2018
07:29 PM
Thank you @Robert Levas @dvillarreal

Yes, I am using a newer version of ambari and also tried FreeIPA since openLDAP didn't seem to work at all with kerberos. I followed the exact steps as on https://community.hortonworks.com/articles/59645/ambari-24-kerberos-with-freeipa.html - everything seems to be working fine but fails when kerberizing the cluster. I get the following error: Also, important to note that while I get the following error:

DNS query for data2.testhdp.com. A failed: The DNS operation timed out after 30.0005660057 seconds
DNS resolution for hostname data2.testhdp.com failed: The DNS operation timed out after 30.0005660057 seconds
Failed to update DNS records.
Missing A/AAAA record(s) for host data2.testhdp.com: 172.31.6.79.
Missing reverse record(s) for address(es): 172.31.6.79.

I installed server as:

ipa-server-install --domain=testhdp.com \
    --realm=TESTHDP.COM \
    --hostname=ldap2.testhdp.com \
    --setup-dns \
    --forwarder=8.8.8.8 \
    --reverse-zone=3.2.1.in-addr.arpa.

and the clients on each node as

ipa-client-install --domain=testhdp.com \
    --server=ldap2.testhdp.com \
    --realm=TESTHDP.COM \
    --principal=hadoopadmin@TESTHDP.COM \
    --enable-dns-updates

Also, that post doing the following step:

echo "nameserver ldap2.testhdp.com" > /etc/resolv.conf

my yum is broken and I need to revert to make it work. Do you guys have any idea about it? I thought that there is no need of DNS as I have resolution of *.testhdp.com in my hostfile on all nodes.
12-05-2018
03:25 PM
@fifi abd I didn't read through the entire error, but the last line indicates that there is an issue with XML in /home/v962173adm/nifi-1.8.0-bin/nifi-1.8.0/./conf/authorizers.xml. Take a look at row 159 and see if there is anything obvious. Maybe some copy/paste issue where an invalid or unicode character is there? Sometimes a forward or back quote gets in or that long dash character (Em Dash). If you attach that file, I can take a look and see if there is something obvious there.
12-06-2018
09:47 PM
Because of this below property in core-site.xml, it works for you:

hadoop.security.auth_to_local

The mapping rules. For example:

RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/mapred/
RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/hdfs/
RULE:[2:$1@$0](hm@.*EXAMPLE.COM)s/.*/hbase/
RULE:[2:$1@$0](rs@.*EXAMPLE.COM)s/.*/hbase/
DEFAULT

The mapping from Kerberos principal names to local OS user names. See Creating Mappings Between Principals and UNIX Usernames for more information.
11-07-2018
08:16 PM
@Narendra Neerukonda Awesome... I am glad that I could help. Be sure to accept my answer to close out this issue.
09-19-2018
08:15 AM
Thanks for the detailed answer, it is very helpful! BR//Gagan
09-14-2018
03:32 PM
@Lija Mohan Key type 3 is DES_CBC_MD5, which is pretty much deprecated (see https://www.opencore.com/blog/2017/3/kerberos-encryption-types/), but by default Ambari requests/creates keytab entries using this type for backwards compatibility. Your KDC is probably rejecting keys encrypted with this type.

To fix this, you should go into the Kerberos service settings and edit the "Encryption Type" value under the "Advanced kerberos-env" section. The default value is "aes des3-cbc-sha1 rc4 des-cbc-md5". Change it to "aes des3-cbc-sha1 rc4". You will also want to update the "krb5-conf template" value under "Advanced krb5-conf" to add the following under the "[libdefaults]" section:

allow_weak_crypto = false

After saving the changes and restarting the Kerberos service (which ensures the krb5.conf file is synced up), you should restart all of the services. If you still see issues, maybe regenerate all keytab files (Admin->Kerberos) and then restart all services. However depending on the KDC implementation you may or may not see a change in the generated keytab files. By default they will look like

[root@c7401 ~]# klist -kte /etc/security/keytabs/spnego.service.keytab
Keytab name: FILE:/etc/security/keytabs/spnego.service.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
2 09/14/2018 15:06:22 HTTP/c7401.ambari.apache.org@EXAMPLE.COM (des3-cbc-sha1)
2 09/14/2018 15:06:22 HTTP/c7401.ambari.apache.org@EXAMPLE.COM (des-cbc-md5)
2 09/14/2018 15:06:22 HTTP/c7401.ambari.apache.org@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
2 09/14/2018 15:06:22 HTTP/c7401.ambari.apache.org@EXAMPLE.COM (arcfour-hmac)
2 09/14/2018 15:06:22 HTTP/c7401.ambari.apache.org@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
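A check for whether regenerated keytabs still carry the deprecated key type, run here over the `klist -kte` output quoted in the post above. This is an added example, not part of the original post or of Ambari; the function names and the contents of the `WEAK` set are choices made for this sketch.

```python
import re

# Enctype names treated as weak here: single DES and export RC4.
# Assumption: this set is chosen for the example; extend it to match local policy.
WEAK = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
        "des-hmac-sha1", "arcfour-hmac-exp"}

# `klist -kte` output as quoted in the post above.
SAMPLE = """\
Keytab name: FILE:/etc/security/keytabs/spnego.service.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
2 09/14/2018 15:06:22 HTTP/c7401.ambari.apache.org@EXAMPLE.COM (des3-cbc-sha1)
2 09/14/2018 15:06:22 HTTP/c7401.ambari.apache.org@EXAMPLE.COM (des-cbc-md5)
2 09/14/2018 15:06:22 HTTP/c7401.ambari.apache.org@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
2 09/14/2018 15:06:22 HTTP/c7401.ambari.apache.org@EXAMPLE.COM (arcfour-hmac)
2 09/14/2018 15:06:22 HTTP/c7401.ambari.apache.org@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

# Entry line layout: KVNO, date, time, principal, (enctype)
ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\(([^)]+)\)\s*$")


def parse_klist(text):
    """Return (kvno, principal, enctype) for every keytab entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            # Some klist builds prefix the name, e.g. "DEPRECATED:des-cbc-md5".
            enctype = m.group(3).split(":")[-1].lower()
            entries.append((int(m.group(1)), m.group(2), enctype))
    return entries


def weak_entries(text, weak=WEAK):
    """Entries whose enctype is in the weak set; empty means the keytab is clean."""
    return [e for e in parse_klist(text) if e[2] in weak]


if __name__ == "__main__":
    for kvno, principal, enctype in weak_entries(SAMPLE):
        print(f"weak key: {principal} kvno={kvno} enctype={enctype}")
```

Feeding it the output of `klist -kte` for each file under /etc/security/keytabs after the regeneration step shows which keytabs still need attention.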
10-03-2018
08:42 AM
@Robert Levas : Thanks a lot for the solution, 'unsupported type' issue has been resolved after Kerberos config changes. I have raised another issue for storm SPNEGO load balancer related here.