Announcements
Check out our newest addition to the community, the Cloudera Data Analytics (CDA) group hub.
rlevas
Guru

Re: Error while enabling kerberos on ambari

by Guru in Support Questions
‎05-13-2019 12:21 PM
‎05-13-2019 12:21 PM
It seems like the user that runs the kadmin process does not have access to write to the backing database... or the backing data is locked by some other process. Take a look at the permission on the database file and make sure the permissions are set properly. ... View more

Re: Sync AD users using FreeIPA LDAP with a trust ...

by Guru in Support Questions
‎04-17-2019 04:56 PM
‎04-17-2019 04:56 PM
It seems like Ambari is not able to retrieve the group named "ad_sshaccess_users" from the LDAP directory. Try using the OpenLDAP ldapsearch utility to see if that group is found: ldapsearch -ZZ -h <FQDN IPA server> -D <manager DN> -W -b <search base DN> '(cn=ad_sshaccess_users)' Ideally the following data is the same as what you entered in during setup-ldap: <FQDN IPA server> <manager DN> (and password when prompted) <search base DN> This may fail if the IPA server's SSL cert is not trusted, so you can edit /etc/openldap/ldap.conf and add the following line to disable certificate validation: TLS_REQCERT never If the entry is found, make sure the returned LDIF matches the properties you set during setup-ldap: object class group name attribute ... View more

Re: Failed To Generate Keytab file.

by Guru in Support Questions
‎04-16-2019 04:37 PM
‎04-16-2019 04:37 PM
Looking at the stack trace, it seems like some keytab file was not created by the MIT KDC. Maybe there are messages in the Ambari server log that indicates why. Else maybe a look at the KDC or KAdmin logs will be needed to help figure out the issue. ... View more

Re: How to setup High Availability for kerberos

by Guru in Support Questions
‎04-08-2019 12:18 PM
‎04-08-2019 12:18 PM
@Manjunath P N. I am not sure of all the steps, but they should be outlined here - https://web.mit.edu/kerberos/krb5-devel/doc/admin/install_kdc.html. ... View more

Re: Ambari createKeytabFileCommand with IPA does n...

by Guru in Support Questions
‎03-14-2019 01:00 PM
1 Kudo
‎03-14-2019 01:00 PM
1 Kudo
@Oleg Tarassov, You are not looking at the correct source code version for Ambari 2.6.2.2. I believe that you want to look at https://github.com/apache/ambari/blob/release-2.6.2/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/IPAKerberosOperationHandler.java#L949. According to this, the encryption types are not considered when exporting keytab files from IPA. This has been fixed in Ambari 2.7.0 and above. See https://issues.apache.org/jira/browse/AMBARI-22293. ... View more

Re: Kerberos "Server not found" : ksu generating u...

by Guru in Support Questions
‎02-20-2019 05:34 PM
‎02-20-2019 05:34 PM
Typically I have the DNS options turned off dns_lookup_realm = true dns_lookup_kdc = true If you do not need DNS lookup features, I would turn this off. Else make sure your DNS is set up correctly for this. The domain_realm block seems to ve missing the EXAMPLE.COM realm [domain_realm] .unknown_domain = UNKNOWN_DOMAIN unknown_domain = UNKNOWN_DOMAIN Maybe change it to something like [domain_realm] .unknown_domain = UNKNOWN_DOMAIN unknown_domain = UNKNOWN_DOMAIN .server.com = EXAMPLE.COM server.com = EXAMPLE.COM ... View more

Re: Kerberos "Server not found" : ksu generating u...

by Guru in Support Questions
‎02-20-2019 05:16 PM
‎02-20-2019 05:16 PM
@Pirlouis Pirlouis I have no experience with ksu, but can you post the krb5.conf file. Maybe there is an issue in there. For example, is there a default realm specified? ... View more

Re: To add Custom http header for SSO integration

by Guru in Support Questions
‎02-08-2019 12:46 PM
1 Kudo
‎02-08-2019 12:46 PM
1 Kudo
This seems like it could be a useful feature; however Ambari, does not currently support it. Maybe submit a new feature request for Ambari at https://issues.apache.org? ... View more

Re: invalid KDC administrator credentials after up...

by Guru in Support Questions
‎01-23-2019 04:19 PM
‎01-23-2019 04:19 PM
@scott powers As of Ambari 2.7, Ambari authenticates with an MIT KDC more securely - using Kerberos. To do this, it must call kinit and specify the kadmin service principal. kinit -c <path> -S kadmin/<kadmin server FQDN>@<realm> <principal> There may be one of two issue a play causing you an issue. 1) The KDC Administrator host is not set to the FQDN of the host there the kadmin server is running 2) The KDC does not have a principal like kadmin/<kadmin server FQDN>@<realm> Fixing #1 may be done by editing the Kerberos service configurations via Ambari. After restarting the Kerberos service, you should be able to properly kinit. Fixing #2 may be done by adding the missing principal (kadmin/<kadmin server FQDN>@<realm>) to the MIT KDC. In future versions of Ambari, you will be able to configure what the kadmin service principal is. However for now, Ambari assumes it is kadmin/<kadmin server FQDN>@<realm>. If one of these solutions does not help, you should take a look at your ambari-server.log file and see if there are any interesting error messages posted that you can share here. ... View more

Re: Ambari Fails to create Keytabs when Installing...

by Guru in Support Questions
‎01-16-2019 01:30 PM
‎01-16-2019 01:30 PM
One thing to note is that Ambari appears to not be managing the krb5.conf file. This is fine, but Hadoop does not support the KEYRING cache type. You need to change default_ccache_name = KEYRING:persistent:%{uid} to default_ccache_name = /tmp/krb5cc_%{uid} ... View more
Contact Me
Online
Offline
Last Visited
‎08-09-2019 12:22 AM
Public Statistics
Date Registered ‎09-29-2015 12:39 AM
Last Visited ‎08-09-2019 12:22 AM
Total Messages Posted 362
Total Kudos Received 242