About rlevas

rlevas · ‎05-13-2019

It seems like the user that runs the kadmin process does not have access to write to the backing database... or the backing data is locked by some other process. Take a look at the permission on the database file and make sure the permissions are set properly.

rlevas · ‎04-17-2019

It seems like Ambari is not able to retrieve the group named "ad_sshaccess_users" from the LDAP directory. Try using the OpenLDAP ldapsearch utility to see if that group is found: ldapsearch -ZZ -h <FQDN IPA server> -D <manager DN> -W -b <search base DN> '(cn=ad_sshaccess_users)' Ideally the following data is the same as what you entered in during setup-ldap: <FQDN IPA server> <manager DN> (and password when prompted) <search base DN> This may fail if the IPA server's SSL cert is not trusted, so you can edit /etc/openldap/ldap.conf and add the following line to disable certificate validation: TLS_REQCERT never If the entry is found, make sure the returned LDIF matches the properties you set during setup-ldap: object class group name attribute

rlevas · ‎04-16-2019

Looking at the stack trace, it seems like some keytab file was not created by the MIT KDC. Maybe there are messages in the Ambari server log that indicates why. Else maybe a look at the KDC or KAdmin logs will be needed to help figure out the issue.

rlevas · ‎04-08-2019

@Manjunath P N. I am not sure of all the steps, but they should be outlined here - https://web.mit.edu/kerberos/krb5-devel/doc/admin/install_kdc.html.

rlevas · ‎03-14-2019

@Oleg Tarassov, You are not looking at the correct source code version for Ambari 2.6.2.2. I believe that you want to look at https://github.com/apache/ambari/blob/release-2.6.2/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/IPAKerberosOperationHandler.java#L949. According to this, the encryption types are not considered when exporting keytab files from IPA. This has been fixed in Ambari 2.7.0 and above. See https://issues.apache.org/jira/browse/AMBARI-22293.

rlevas · ‎02-20-2019

Typically I have the DNS options turned off dns_lookup_realm = true dns_lookup_kdc = true If you do not need DNS lookup features, I would turn this off. Else make sure your DNS is set up correctly for this. The domain_realm block seems to ve missing the EXAMPLE.COM realm [domain_realm] .unknown_domain = UNKNOWN_DOMAIN unknown_domain = UNKNOWN_DOMAIN Maybe change it to something like [domain_realm] .unknown_domain = UNKNOWN_DOMAIN unknown_domain = UNKNOWN_DOMAIN .server.com = EXAMPLE.COM server.com = EXAMPLE.COM

rlevas · ‎02-20-2019

@Pirlouis Pirlouis I have no experience with ksu, but can you post the krb5.conf file. Maybe there is an issue in there. For example, is there a default realm specified?

rlevas · ‎01-23-2019

@scott powers As of Ambari 2.7, Ambari authenticates with an MIT KDC more securely - using Kerberos. To do this, it must call kinit and specify the kadmin service principal. kinit -c <path> -S kadmin/<kadmin server FQDN>@<realm> <principal> There may be one of two issue a play causing you an issue. 1) The KDC Administrator host is not set to the FQDN of the host there the kadmin server is running 2) The KDC does not have a principal like kadmin/<kadmin server FQDN>@<realm> Fixing #1 may be done by editing the Kerberos service configurations via Ambari. After restarting the Kerberos service, you should be able to properly kinit. Fixing #2 may be done by adding the missing principal (kadmin/<kadmin server FQDN>@<realm>) to the MIT KDC. In future versions of Ambari, you will be able to configure what the kadmin service principal is. However for now, Ambari assumes it is kadmin/<kadmin server FQDN>@<realm>. If one of these solutions does not help, you should take a look at your ambari-server.log file and see if there are any interesting error messages posted that you can share here.

rlevas · ‎01-16-2019

One thing to note is that Ambari appears to not be managing the krb5.conf file. This is fine, but Hadoop does not support the KEYRING cache type. You need to change default_ccache_name = KEYRING:persistent:%{uid} to default_ccache_name = /tmp/krb5cc_%{uid}

rlevas · ‎01-16-2019

Interesting.... Actually I am not sure why `UNKNOWN:normal` is in there. Did you edit the encryption types in the configure Kerberos page, under Advanced kerberos-env? It should be `aes des3-cbc-sha1 rc4 des-cbc-md5`. Does your have a different value?

Online	Offline
Last Visited	‎08-09-2019 12:22 AM

Member Since	‎09-29-2015 12:39 AM
Last Visited	‎08-09-2019 12:22 AM
Posts	362
Kudos received	242

Cloudera Community

Re: Ambari createKeytabFileCommand with IPA does n...

Re: invalid KDC administrator credentials after up...

Re: Unexpected error condition executing the kadmi...

Re: .KerberosOperationException: Unexpected error ...

Re: Kerberos and LDAP integration

Re: Error while enabling kerberos on ambari

Re: Sync AD users using FreeIPA LDAP with a trust ...

Re: Failed To Generate Keytab file.

Re: How to setup High Availability for kerberos

Re: Ambari createKeytabFileCommand with IPA does n...

Re: Kerberos "Server not found" : ksu generating u...

Re: Kerberos "Server not found" : ksu generating u...

Re: invalid KDC administrator credentials after up...

Re: Ambari Fails to create Keytabs when Installing...

Re: Ambari Fails to create Keytabs when Installing...