About Manjunath

Manjunath · ‎09-12-2019

Hi All, I have added the Atlas service to our HDP 3.1 cluster. I have created few tables and added some random data and able to do CRUD operation to those tables in the hive. Whenever I open Atlas and search hive tables unable to see the tables in the list. Any additional configuration needed in HDP 3.1? Please guide me through this issue. Regards, Manjunath P N

Manjunath · ‎09-04-2019

@kwabstian53 Yes, I did as you said. telnet gspidn01.gsp.local 636 Able to connect, telnet gspidn01.gsp.local 636 Trying 10.32.83.35... Connected to gspidn01.gsp.local. Escape character is '^]'. As you said I did change ldap.conf, #TLS_CACERTDIR /home/admin/ad-ca.crt TLS_CACERT /etc/ssl/certs/ca-bundle.crt TLS_REQCERT allow Did restart ambari-server. Even after this also I am unable to do ldapsearch with 636 port.

Manjunath · ‎08-28-2019

Hi @kwabstian53 , Thank you for the quick response. here are the result for below tests, [root@gspdhd01 admin]# openssl s_client -connect gspidn01.gsp.local:636 CONNECTED(00000003) depth=1 DC = local, DC = gsp, CN = gsp-GSPIDN01-CA verify return:1 depth=0 CN = gspidn01.gsp.local verify return:1 --- Certificate chain 0 s:/CN=gspidn01.gsp.local i:/DC=local/DC=gsp/CN=gsp-GSPIDN01-CA --- Server certificate -----BEGIN CERTIFICATE----- MIIF4TCCBMmgAwIBAgITGAAAAAObh58/1Hp3NQAAAAAAAzANBgkqhkiG9w0BAQUF ADBGMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxEzARBgoJkiaJk/IsZAEZFgNnc3Ax GDAWBgNVBAMTD2dzcC1HU1BJRE4wMS1DQTAeFw0xOTA1MTYxMzI2NDdaFw0yMDA1 MTUxMzI2NDdaMB0xGzAZBgNVBAMTEmdzcGlkbjAxLmdzcC5sb2NhbDCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBAL0NAv82q4G18yxxAqkIBcN6HF6xfn8o hPyAy0NEg6oN9DYPMZeAbI+M+4PgSFCkahhHq+Cc1hk920wuSkayCbLhGIrbQxk5 t66nYAccquRoUrcZEilIh3dlSFn7jUV5uNd6J4BJWeds7ZTbUWcPUv6LyaqHCYAH zifCQJc72VEZcyrfYHVKCRHFNP/wbc0dmIhsBPlrE8MfCpZmRCGk6dWMnTeQJxjG WEK03GuUohSPAyvRUszvws5ss8nclK0aNc3so3d4ChdHu3ES8LcI/EKX4Q+HZvFm gsIbP+1n82aY7w1ytI3Rr/q2FEfPszWsRFHN0prpUXk6UYDcCWexBXUCAwEAAaOC Au8wggLrMC8GCSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8A bABsAGUAcjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/ BAQDAgWgMHgGCSqGSIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3 DQMEAgIAgDALBglghkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjAL BglghkgBZQMEAQUwBwYFKw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYEFJBJUps0 1o3qXXNBLI5eB6IZkv/MMB8GA1UdIwQYMBaAFIF0wvRzUzMxfPE1XswM76Z9nrWK MIHMBgNVHR8EgcQwgcEwgb6ggbuggbiGgbVsZGFwOi8vL0NOPWdzcC1HU1BJRE4w MS1DQSxDTj1nc3BpZG4wMSxDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2Vydmlj ZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1nc3AsREM9bG9jYWw/ Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERp c3RyaWJ1dGlvblBvaW50MIG/BggrBgEFBQcBAQSBsjCBrzCBrAYIKwYBBQUHMAKG gZ9sZGFwOi8vL0NOPWdzcC1HU1BJRE4wMS1DQSxDTj1BSUEsQ049UHVibGljJTIw S2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1n c3AsREM9bG9jYWw/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRp ZmljYXRpb25BdXRob3JpdHkwPgYDVR0RBDcwNaAfBgkrBgEEAYI3GQGgEgQQSctt 2ckXq0y5qQCiaAaA34ISZ3NwaWRuMDEuZ3NwLmxvY2FsMA0GCSqGSIb3DQEBBQUA A4IBAQAAW36YLTpHiiRjSWmu6H0/SjCbeLmdKJN5s1XnbXt4kjbbCUYvTMbb/oJ/ h5uf7kIsRdl0zfncGD/JsepLeVLh3GKz1ZDhOWkHQW4VbX0KUW84yqv+irxuKosd KDuhvGpaR2D9KmlYTdfzDF53rzvyBm6hZUQW+au9E/5MQ3Ej8XnjgaEK5GL3UKNE S3uUhqtdK91PcirvpTRVdgGsJb3DkzvxC628d3VQKLKkio4YkXi9rE3/rongu85C ow5WZ4SaPFh63l93Kd+Raa7CNmn1IWA0HXCAmX5kjNrQW9LDtYjTnvcXXfrnwaXd HNApJDvKPHlbqc6UGBU7JoUj6ri8 -----END CERTIFICATE----- subject=/CN=gspidn01.gsp.local issuer=/DC=local/DC=gsp/CN=gsp-GSPIDN01-CA --- No client certificate CA names sent Client Certificate Types: RSA sign, DSA sign, ECDSA sign Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1 Shared Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1 --- SSL handshake has read 1726 bytes and written 659 bytes --- New, TLSv1/SSLv3, Cipher is AES128-SHA256 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : AES128-SHA256 Session-ID: 4220000056B7D77DBE11C53E29A71B0E71E06A867EF394A5564B9AE70D546C48 Session-ID-ctx: Master-Key: C2E4A6977EF6CF2B62C396EBF9C49E0DA95035CAA5A08BEC0C23A406F95DBA0C4B16EECC89F5CAEE504A00C597D7ED25 Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1567053717 Timeout : 300 (sec) Verify return code: 0 (ok) [root@gspdhd01 admin]# openssl s_client -connect gspidn01.gsp.local:636 -CAfile /home/admin/ad-ca.crt CONNECTED(00000003) depth=1 DC = local, DC = gsp, CN = gsp-GSPIDN01-CA verify return:1 depth=0 CN = gspidn01.gsp.local verify return:1 --- Certificate chain 0 s:/CN=gspidn01.gsp.local i:/DC=local/DC=gsp/CN=gsp-GSPIDN01-CA --- Server certificate -----BEGIN CERTIFICATE----- MIIF4TCCBMmgAwIBAgITGAAAAAObh58/1Hp3NQAAAAAAAzANBgkqhkiG9w0BAQUF ADBGMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxEzARBgoJkiaJk/IsZAEZFgNnc3Ax GDAWBgNVBAMTD2dzcC1HU1BJRE4wMS1DQTAeFw0xOTA1MTYxMzI2NDdaFw0yMDA1 MTUxMzI2NDdaMB0xGzAZBgNVBAMTEmdzcGlkbjAxLmdzcC5sb2NhbDCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBAL0NAv82q4G18yxxAqkIBcN6HF6xfn8o hPyAy0NEg6oN9DYPMZeAbI+M+4PgSFCkahhHq+Cc1hk920wuSkayCbLhGIrbQxk5 t66nYAccquRoUrcZEilIh3dlSFn7jUV5uNd6J4BJWeds7ZTbUWcPUv6LyaqHCYAH zifCQJc72VEZcyrfYHVKCRHFNP/wbc0dmIhsBPlrE8MfCpZmRCGk6dWMnTeQJxjG WEK03GuUohSPAyvRUszvws5ss8nclK0aNc3so3d4ChdHu3ES8LcI/EKX4Q+HZvFm gsIbP+1n82aY7w1ytI3Rr/q2FEfPszWsRFHN0prpUXk6UYDcCWexBXUCAwEAAaOC Au8wggLrMC8GCSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8A bABsAGUAcjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/ BAQDAgWgMHgGCSqGSIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3 DQMEAgIAgDALBglghkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjAL BglghkgBZQMEAQUwBwYFKw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYEFJBJUps0 1o3qXXNBLI5eB6IZkv/MMB8GA1UdIwQYMBaAFIF0wvRzUzMxfPE1XswM76Z9nrWK MIHMBgNVHR8EgcQwgcEwgb6ggbuggbiGgbVsZGFwOi8vL0NOPWdzcC1HU1BJRE4w MS1DQSxDTj1nc3BpZG4wMSxDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2Vydmlj ZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1nc3AsREM9bG9jYWw/ Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERp c3RyaWJ1dGlvblBvaW50MIG/BggrBgEFBQcBAQSBsjCBrzCBrAYIKwYBBQUHMAKG gZ9sZGFwOi8vL0NOPWdzcC1HU1BJRE4wMS1DQSxDTj1BSUEsQ049UHVibGljJTIw S2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1n c3AsREM9bG9jYWw/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRp ZmljYXRpb25BdXRob3JpdHkwPgYDVR0RBDcwNaAfBgkrBgEEAYI3GQGgEgQQSctt 2ckXq0y5qQCiaAaA34ISZ3NwaWRuMDEuZ3NwLmxvY2FsMA0GCSqGSIb3DQEBBQUA A4IBAQAAW36YLTpHiiRjSWmu6H0/SjCbeLmdKJN5s1XnbXt4kjbbCUYvTMbb/oJ/ h5uf7kIsRdl0zfncGD/JsepLeVLh3GKz1ZDhOWkHQW4VbX0KUW84yqv+irxuKosd KDuhvGpaR2D9KmlYTdfzDF53rzvyBm6hZUQW+au9E/5MQ3Ej8XnjgaEK5GL3UKNE S3uUhqtdK91PcirvpTRVdgGsJb3DkzvxC628d3VQKLKkio4YkXi9rE3/rongu85C ow5WZ4SaPFh63l93Kd+Raa7CNmn1IWA0HXCAmX5kjNrQW9LDtYjTnvcXXfrnwaXd HNApJDvKPHlbqc6UGBU7JoUj6ri8 -----END CERTIFICATE----- subject=/CN=gspidn01.gsp.local issuer=/DC=local/DC=gsp/CN=gsp-GSPIDN01-CA --- No client certificate CA names sent Client Certificate Types: RSA sign, DSA sign, ECDSA sign Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1 Shared Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1 --- SSL handshake has read 1726 bytes and written 659 bytes --- New, TLSv1/SSLv3, Cipher is AES128-SHA256 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : AES128-SHA256 Session-ID: 1D230000F115D38D94169A6DBA55FE2062091ADD61B826DCF01BBC3AA9289224 Session-ID-ctx: Master-Key: 934F0B8AEF0695606BEF9BF0112F889E7E0499D15DED3744963307CC84BC2C4058E903136ABF1CC4274D820C4063D571 Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1567053874 Timeout : 300 (sec) Verify return code: 0 (ok) [root@gspdhd01 admin]# ldapsearch -h gspidn02.gsp.local -p 636 -x -D "uid=HDP_Service,ou=ServiceAccounts,dc=gsp,dc=local" -b "dc=gsp,dc=local" -W Enter LDAP Password: ldap_result: Can't contact LDAP server (-1) [root@gspdhd01 admin]# ldapsearch -h gspidn01.gsp.local -p 636 -x -D "uid=HDP_Service,ou=ServiceAccounts,dc=gsp,dc=local" -b "dc=gsp,dc=local" -W Enter LDAP Password: ldap_result: Can't contact LDAP server (-1) May I know where is the problem? Regards, Manjunath P N

Manjunath · ‎08-28-2019

Hi All, I have a problem related to Enabling LDAP with SSL. Here is the situation, I have received a self-signed SSL certificate from Window Active Directory Team. We have 2 Window AD server primary and secondary gspdidn01.gsp.local and gspdidn02.gsp.local and certificate is valid. Now I am following HDP 3.1 official documentation for enabling, installed the certificate using steps mentioned in the below link. (https://docs.hortonworks.com/HDPDocuments/HDP3/HDP-3.1.0/ambari-authentication-ldap-ad/content/authe_ldapad_configure_ambari_to_use_ldap_server.html) ==================== Review Settings ==================== Primary LDAP Host (10.32.83.35): gspidn01.gsp.local Primary LDAP Port (636): 636 Secondary LDAP Host <Optional> (10.32.83.36): gspidn02.gsp.local Secondary LDAP Port <Optional> (636): 636 Use SSL [true/false] (true): true User object class (user): user User ID attribute (sAMAccountName): sAMAccountName Group object class (group): group Group name attribute (cn): cn Group member attribute (member): member Distinguished name attribute (distinguishedName): distinguishedName Search Base (dc=gsp,dc=local): dc=gsp,dc=local Referral method [follow/ignore] (follow): follow Bind anonymously [true/false] (false): false Handling behavior for username collisions [convert/skip] for LDAP sync (skip): skip Force lower-case user names [true/false] (false): false Results from LDAP are paginated when requested [true/false] (false): false ambari.ldap.connectivity.bind_dn: CN=HDP_Service,OU=Service Accounts,dc=gsp,dc=local ambari.ldap.connectivity.bind_password: ***** ambari.ldap.advanced.disable_endpoint_identification: true ssl.trustStore.type: jks ssl.trustStore.path: /etc/security/ldaps-truststore.jks ssl.trustStore.password: ***** Save settings [y/n] (y)? y -> ambari-server restart Whenever I do curl ldap://gspidn01.gsp.local:389 Gives the expected results but when I do isSynchronized: TRUE isGlobalCatalogReady: TRUE domainFunctionality: 6 forestFunctionality: 6 domainControllerFunctionality: 6 [root@gspdhd01 admin]# curl ldaps://gspidn01.gsp.local:636 ##Just black nothing will be displayed. This has blocked me totally by enabling Kerberos as that needs an LDAP with secured SSL. Please, can somebody let me know where the things are wrong or any suggestion?

Manjunath · ‎08-20-2019

Hi, This gave some hope that we are in proper direction, [root@10 security]# curl "ldaps://10.32.83.35:636/DC=gsp.local?cn,objectClass?sub?(objectClass=)" -u "cn=HDP_Service,OU=Service Accounts,DC=gsp,DC=local" --cacert /etc/pki/ca-trust/source/anchors/activedirectory.pem -v Enter host password for user 'cn=HDP_Service,OU=Service Accounts,DC=gsp,DC=local': * About to connect() to 10.32.83.35 port 636 (#0) * Trying 10.32.83.35... * Connected to 10.32.83.35 (10.32.83.35) port 636 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * Closing connection 0 curl: (77) Problem with the SSL CA cert (path? access rights?) How can I change .pem file path?

Manjunath · ‎08-20-2019

Here in this step one of the team members did follow some different steps and installed a certificate but now we are unable to remove that whenever I key tool its saying key tool already present <ambari-server> can it be removed completely so that I can start the fresh installation? If yes could please let me know the steps to completely remove the existing certificate.

Manjunath · ‎08-20-2019

curl "ldaps://10.32.83.35:636/DC=gsp.local?cn,objectClass?sub?(objectClass=)" -u "cn=HDP_Service,OU=Service Accounts,DC=gsp,DC=local" --insecure -v Enter host password for user 'cn=HDP_Service,OU=Service Accounts,DC=gsp,DC=local': * About to connect() to 10.32.83.35 port 636 (#0) * Trying 10.32.83.35... * Connected to 10.32.83.35 (10.32.83.35) port 636 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * skipping SSL peer certificate verification * NSS: client certificate not found (nickname not specified) * SSL connection using TLS_RSA_WITH_AES_128_CBC_SHA256 * Server certificate: * subject: CN=gspidn01.gsp.local * start date: May 16 13:26:47 2019 GMT * expire date: May 15 13:26:47 2020 GMT * common name: gspidn01.gsp.local * issuer: CN=gsp-GSPIDN01-CA,DC=gsp,DC=local * LDAP local: ldaps://10.32.83.35:636/DC=gsp.local?cn,objectClass?sub?(objectClass=) * LDAP remote: search failed Success 0000202B: RefErr: DSID-0310082F, data 0, 1 access points ref 1: 'gsp.local' * Closing connection 0 curl: (39) NSS: client certificate not found (nickname not specified) Output for the 1st command shared. Not able to access the AD certificate using OpenSSL. Regards,

Manjunath · ‎08-20-2019

Hi, The document is really handy but for me, the issue has been resolved after moving the Ambari metrics to different node initially it was in data node now moved to Namenode and I am still finding the reason how it works here. Regards, Manjunath P N

Manjunath · ‎08-20-2019

Hi ngarg, The document is really handy but for me the issue has been resolved after moving the ambari metrics to different node initially it was in datanode now moved to Namenode and I am still finding the reason how it works here. Regards, Manjunath P N

Manjunath · ‎08-20-2019

Hi All, Can somebody let me know why Ambari Metrics Collector is not starting every time I start it fails. Log file says: 2019-08-20 09:13:25,420 INFO [agent-report-processor-1] ServiceComponentHostImpl:1054 - Host role transitioned to a new state, serviceComponentName=METRICS_COLLECTOR, hostName=gspdhd04.gsp.local, oldState=STARTING, currentState=STARTED 2019-08-20 09:13:28,379 ERROR [ambari-client-thread-116] MetricsRequestHelper:112 - Error getting timeline metrics : Connection refused (Connection refused) 2019-08-20 09:13:28,379 ERROR [ambari-client-thread-116] MetricsRequestHelper:119 - Cannot connect to collector: SocketTimeoutException for gspdhd04.gsp.local 2019-08-20 09:13:30,370 ERROR [ambari-client-thread-115] MetricsRequestHelper:112 - Error getting timeline metrics : Connection refused (Connection refused) 2019-08-20 09:13:30,370 ERROR [ambari-client-thread-115] MetricsRequestHelper:119 - Cannot connect to collector: SocketTimeoutException for gspdhd04.gsp.local 2019-08-20 09:13:44,388 ERROR [ambari-client-thread-34] MetricsRequestHelper:112 - Error getting timeline metrics : Connection refused (Connection refused) 2019-08-20 09:13:44,388 ERROR [ambari-client-thread-34] MetricsRequestHelper:119 - Cannot connect to collector: SocketTimeoutException for gspdhd04.gsp.local 2019-08-20 09:13:45,373 ERROR [ambari-client-thread-162] MetricsRequestHelper:112 - Error getting timeline metrics : Connection refused (Connection refused) 2019-08-20 09:13:45,374 ERROR [ambari-client-thread-162] MetricsRequestHelper:119 - Cannot connect to collector: SocketTimeoutException for gspdhd04.gsp.local 2019-08-20 09:14:00,384 ERROR [ambari-client-thread-162] MetricsRequestHelper:112 - Error getting timeline metrics : Connection refused (Connection refused) 2019-08-20 09:14:00,385 ERROR [ambari-client-thread-162] MetricsRequestHelper:119 - Cannot connect to collector: SocketTimeoutException for gspdhd04.gsp.local 2019-08-20 09:14:00,387 ERROR [ambari-client-thread-35] MetricsRequestHelper:112 - Error getting timeline metrics : Connection refused (Connection refused) 2019-08-20 09:14:00,387 ERROR [ambari-client-thread-35] MetricsRequestHelper:119 - Cannot connect to collector: SocketTimeoutException for gspdhd04.gsp.local 2019-08-20 09:14:07,703 INFO [agent-report-processor-1] HeartbeatProcessor:647 - State of service component METRICS_COLLECTOR of service AMBARI_METRICS of cluster 2 has changed from STARTED to INSTALLED at host gspdhd04.gsp.local according to STATUS_COMMAND report 2019-08-20 09:14:15,370 INFO [ambari-client-thread-162] AMSPropertyProvider:626 - METRICS_COLLECTOR host is not live. Skip populating resources with metrics, next message will be logged after 1000 attempts. I am not able to understand this.

Manjunath · ‎08-19-2019

Thank you Jsen, I would also like to know once after the installation of the certificate will I be able to use curl command example: curl ldaps://exmaple.com:636 because currently i get error like curl ldaps://example.com:636 curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate. But it works well with ldap://example.com:389. This means the installation of SSL is not done in the proper way right. Regards, Manjunath

Manjunath · ‎08-19-2019

Hi All, I have .cer certificate with me generated by AD and this is a private one. We are using this to integrate Ambari with AD as a pre-requisites we need to enable LDAPS I have installed LDAP but wanted to know how to install this certificate, I would like to know the steps to install the certificate in Ambari server. cluster details: 1 Namenode 2 Datanode HDP 3.1 Ambari 2.7.3 Regards, Manjunath P N

Manjunath · ‎05-16-2019

Hi All, I am getting below error while enabling Kerberos using AD. Error 400 status code received on POST method for API: /api/v1/clusters/gsp_abo_dev/requests Error message: Failed to connect to KDC - Failed to communicate with the Active Directory at ldaps://exampleidn01.example.local:636: simple bind failed: exampleidn01.example.local:636 Update the KDC settings in krb5-conf and kerberos-env configurations to correct this issue. I have followed the steps as per this video as reference: https://www.youtube.com/watch?v=PzRXF6qGrGQ I did install the certificate in ambari server. My AD Config: Domain Name: example.local OU created for storing keytabs: Service_Account_HDP User: HDP_Service Realm Name using in ambari: example.LOCAL below is my krb5.conf file: -------------------------------------------------------------------------------------------------- # Configuration snippets may be placed in this directory as well includedir /etc/krb5.conf.d/ [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] dns_lookup_realm = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true rdns = false pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt default_realm = EXAMPLEABO.COM default_ccache_name = KEYRING:persistent:%{uid} [realms] EXAMPLEABO.COM = { kdc = 10.32.83.36 admin_server = 10.32.83.36 } [domain_realm] .exampleabo.com = EXAMPLEABO.COM exampleabo.com = EXAMPLEABO.COM -------------------------------------------------------------------------------------------------- @Geoffrey Shelton Okot Please guide me on this.

Manjunath · ‎05-16-2019

@Geoffrey Shelton Okot Please find the link for new thread https://community.hortonworks.com/questions/246319/failed-to-connect-to-kdc-failed-to-communicate-wit.html Please guide me on this its really critical for me.

Manjunath · ‎05-16-2019

Hi @Robert Levas I have confirmed the SSL path password type and even I did set. kerberos.operation.verify.kdc.trust = false but still I am receiving an error like Failed to connect to KDC - Failed to communicate with the Active Directory at ldaps://hostip:636: hostip:636 Update the KDC settings in krb5-conf and kerberos-env configurations to correct this issue. Please guide me on this Regards, Manjunath P N

Manjunath · ‎04-25-2019

Hi @Geoffrey Shelton Okot I have a quick question while configuring Kerberos with AD in Ambari wizard we have some prerequisites one of them is AD's SSL, is it really mandatory? If yes can we add the certificate later once after enabling Kerberos? Regards, Manjunath P N

Manjunath · ‎04-22-2019

Hi @Hamid Zorgani, Thanks a lot for the detailed information. It's really helpful. I have couple of doubts could you please clarify, 1. Do we need to execute all steps in Ambari server? especially from step 1 to 10? 2. I have OpenLDAP installed already in my in cluster, even are also all steps mandatory? Please let me know if you need any more information. Regards, Manjunath P N

Manjunath · ‎04-17-2019

Traceback (most recent call last): File "/var/lib/ambari-agent/cache/common-services/HDFS/2.1.0.2.0/package/scripts/hdfs_client.py", line 73, in <module> HdfsClient().execute() File "/usr/lib/python2.6/site-packages/resource_management/libraries/script/script.py", line 367, in execute method(env) File "/var/lib/ambari-agent/cache/common-services/HDFS/2.1.0.2.0/package/scripts/hdfs_client.py", line 35, in install import params File "/var/lib/ambari-agent/cache/common-services/HDFS/2.1.0.2.0/package/scripts/params.py", line 25, in <module> from params_linux import * File "/var/lib/ambari-agent/cache/common-services/HDFS/2.1.0.2.0/package/scripts/params_linux.py", line 343, in <module> dn_principal_name = dn_principal_name.replace('_HOST',hostname.lower()) File "/usr/lib/python2.6/site-packages/resource_management/libraries/script/config_dictionary.py", line 73, in __getattr__ raise Fail("Configuration parameter '" + self.name + "' was not found in configurations dictionary!") resource_management.core.exceptions.Fail: Configuration parameter 'dfs.datanode.kerberos.principal' was not found in configurations dictionary

Manjunath · ‎04-17-2019

@Rishi, @Gaurav Sharma @Jay Kumar SenSharma Please guide me on the similar issue. resource_management.core.exceptions.ExecutionFailed: Execution of 'kinit -kt /etc/security/keytabs/hdfs.headless.keytab ' returned 127. -bash: kinit: command not found raise Fail("Configuration parameter '" + self.name + "' was not found in configurations dictionary!") resource_management.core.exceptions.Fail: Configuration parameter 'dfs.datanode.kerberos.principal' was not found in configurations dictionary! I am getting these error when i restart Hadoop services. I disabled Kerberos and removed and manually removed these files : rm -rf /var/kerberos/ rm /etc/krb5.conf rm -rf /usr/lib64/krb5 Now i dont know whats causing this issue please guide me on this. Regards, Manjunath P N

Manjunath · ‎04-10-2019

same issue with me please suggest some solution. @benoit moisan did you find any solution??? Please guide me.

Manjunath · ‎04-08-2019

Hi Robert, Could you please clarify me some doubts. I have installed kerberos in my cluster and its working fine. Now i have to enable HA for Kerberos so as per my understanding I should install KDC in another server which acts as Standby and then I should update krb5.conf file on both servers as mentioned above. Is my understanding correct? if not could you please guide me through the steps to enable HA. Kind Regards, Manjunath P N

Manjunath · ‎03-26-2019

Hi All, We need to push all Hive data from Int to Prod and we have what could be possible ways of pushing migrating from Int to Prod and is that really a best way to copy to all hive files present in HDFS Storage and load into Prod and what are the dependencies? Is there any other way of migrating Hive from one environment to another.

Manjunath · ‎03-07-2019

@Geoffrey Shelton Okot @Jay Kumar SenSharma When I am trying to enable the Kerberos after all the back end setup, i am getting warning as "YARN log and local dir will be deleted and ResourceManager state will be formatted as part of Enabling/Disabling Kerberos. " what does it mean local dir and what all will be deleted and how does it related because YARN log will be deletion is acceptable but why local dir? Can you please provide some detailed clarification on this?

Manjunath · ‎03-06-2019

@zkfs Thanks for the detailed backup process, I am able to backup as mentioned. I wanted to know ho we restore the content which you are taking backup /data/backup2082016/dfs-old-fsck-1.log. at the end this log file should be useful somewhere how are we making use of this log file?I can recover the current directory by creating same folder structure and place it there back but how about the dfs-old-fsck-1.log? Please let me know. Regards, Manjunath P N

Manjunath · ‎03-05-2019

@Jay Kumar SenSharma, Thank you for your inputs. After running yum install commands the outcome will be krb5.conf file and i am already having the same file structure in my repository so can I directly go ahead with enabling Kerberos via Ambari and does the conf file will accept this? Regards, Manjunath P N

Manjunath · ‎03-04-2019

Hi @Jay Kumar SenSharma, Thank you for your inputs. When I am trying to install Kerberos using "yum install krb5-server krb5-libs krb5-workstation" it is failing to install with below error messages. https://fedora-mirror.zerocopy.io/epel/7/x86_64/repodata/repomd.xml: [Errno 14] curl#7 - "Failed connect to fedora-mirror.zerocopy.io:443; Connection refused" Trying other mirror. http://mirror.de.leaseweb.net/epel/7/x86_64/repodata/repomd.xml: [Errno 14] curl#7 - "Failed to connect to 2a00:c98:2030:a034::21: Network is unreachable" Trying other mirror. http://ftp.uni-stuttgart.de/epel/7/x86_64/repodata/repomd.xml: [Errno 14] curl#7 - "Failed to connect to 2001:7c0:2041:8::112: Network is unreachable" Trying other mirror. http://mirror.23media.de/epel/7/x86_64/repodata/repomd.xml: [Errno 14] curl#7 - "Failed to connect to 2a00:f48:1007::80: Network is unreachable" Trying other mirror. https://mirror.imt-systems.com/epel/7/x86_64/repodata/repomd.xml: [Errno 14] curl#7 - "Failed to connect to 2a01:7e0:0:201::10:20: Network is unreachable" Trying other mirror. ^Chttp://fedora.tu-chemnitz.de/pub/linux/fedora-epel/7/x86_64/repodata/repomd.xml: [Errno -1] Error importing repomd.xml for epel: Damaged repomd.xml file Trying other mirror. Error list keeps on increasing what could be the reason for this? Regards, Manjunath P N

Manjunath · ‎02-28-2019

@Geoffrey Shelton Okot, @mthiele, I want to install Kerberos on Hadoop cluster, i have seen the article Configuring Ambari and Hadoop for Kerberos using AD as the KDC - Video https://community.hortonworks.com/questions/103945/kerberos-setup-on-hdp-26.html and this is really helpful. I have couple of questions on this, 1.Do I need to install Kerberos via command line before starting this task? 2. Because i see krb5.conf file exists in my cluster and kerberos is not enabled, do I need to delete the conf files in all nodes and run"yum install -y krb5-server krb5-libs krb5-workstation" command then carry on the steps provided in the aboe article or i don't need to bother to about and straightaway start from Ambari for enabling process. 3. As per the official doc. https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/configuring_amb_hdp_for_kerberos.html we need to enable Kerberos from Ambari, Now i need a clear idea 1st do I need to install kerberos using yum command and then start enabling from Ambari.?? Best Regards and Thanks in advance, Manjunath P N

Manjunath · ‎02-28-2019

Hi @mthiele, One quick question: Does ambari server and all other datanodes will have krb5.conf file by default? or it will be available under /etc folder only after we enabling kerberos via ambari? Because when I see in our prod env. krb5.file is available even though we did not enable. If yes, after Configuring KDC in Ambari does it change the conf for all nodes? Regards, Manjunath P N

Manjunath · ‎02-11-2019

@Geoffrey Shelton Okot, Could you please share the link for screenshot which you have attached. Regards, Manjunath P N

Manjunath · ‎02-11-2019

Hi All, I want logger=INFO to be stored in a different file. I am running pyspark script using JupyterHub so I want to know where all i need to change the configurations to achieve the activity of getting logs into a different file path of my wish. I mean do i need to change the jupyterhub pyspark config files. I found this link :https://medium.com/@shantanualshi/logging-in-pyspark-36b0bd4dec55 But it is for spark i need the same for pyspark. If i update spark does it work for pySpark as well? Please help in this. Regards, Manjunath P N

Online	Offline
Last Visited	‎09-24-2019 05:59 AM

Date Registered	‎03-25-2019 02:53 AM
Last Visited	‎09-24-2019 05:59 AM
Total Messages Posted	37

Hive tables not visible in Atlas

Re: LDAP with secured SSL for Kerberos HDP 3.1

Re: LDAP with secured SSL for Kerberos HDP 3.1

LDAP with secured SSL for Kerberos HDP 3.1

Re: Active Directory integration with Kerberos HDP...

Re: Active Directory integration with Kerberos HDP...

Re: Active Directory integration with Kerberos HDP...

Re: Metrics Collector doesn't start in HDP 3.1

Re: Metrics Collector doesn't start in HDP 3.1

Metrics Collector doesn't start in HDP 3.1

Re: Active Directory integration with Kerberos HDP...

Active Directory integration with Kerberos HDP 3.1

Failed to connect to KDC - Failed to communicate w...

Re: Issue with enable Kerberos with existing acti...

Re: Issue with enable Kerberos with existing acti...

Re: kerberos setup with AD/LDAP

Re: Configuring Kerberos with OpenLDAP back-end

Re: Can't restart services after removing kerberos...

Re: Can't restart services after removing kerberos...

Re: Configure two Kerberos KDCs as a Master/Slave

Re: How to setup High Availability for kerberos

Migrating Hive Data from Int Env to Production.

Re: When is the best time to enable Kerberos

Re: NameNode Metadata backup

Re: Kerberos setup on HDP 2.6 prerequisites

Re: Kerberos setup on HDP 2.6 prerequisites

Kerberos setup on HDP 2.6 prerequisites

Re: Configuring Ambari and Hadoop for Kerberos us...

Re: Which version of HDP supports spark 2.4

Pyspark logs to different file