Member since
09-29-2015
362
Posts
242
Kudos Received
63
Solutions
My Accepted Solutions
Title | Views | Posted |
---|---|---|
1341 | 03-14-2019 01:00 PM | |
1620 | 01-23-2019 04:19 PM | |
7364 | 01-15-2019 01:59 PM | |
4692 | 01-15-2019 01:57 PM | |
11088 | 12-06-2018 02:01 PM |
09-18-2018
12:59 PM
Looking at the error message again, it appears that the issue is with the principal name HTTP/ec2-18-114-9-244.compute-1.amazonaws.com@EXAMPLE.COM. My reason is the same as before... a DNS or reverse DNS issue. Take a look at the KDC to see if this principal exists. If you are using an MIT KDC and have access to the host where the KDC is installed, you can find all of the SPNEGO principals by doing: kadmin.local -q list_principals | grep HTTP Ideally they all look similar and the hostname for each of the HTTP/<hostname> principals is an expected hostname. Keep in mind that both DNS and reverse DNS need to use the same IP address to DNS name mapping, else issues like this will occur.
... View more
09-18-2018
12:47 PM
oops.. sorry about that. It is not always clear when hostnames are masked and I have seen issues where the hostname was incorrect (for various reasons).
... View more
09-17-2018
04:11 PM
HTTP/sdssystemmaster2@EXAMPLE.COM is not a valid service principal. The "sdssystemmaster2" part needs to be a FQDN. Like HTTP/host1.example.com@EXAMPLE.COM. Where did that value come from? It is possible that you have a DNS or reverse DNS issue.
... View more
09-14-2018
03:35 PM
1 Kudo
Key type 3 is DES_CBC_MD5, which is pretty much deprecated (see https://www.opencore.com/blog/2017/3/kerberos-encryption-types/), but by default Ambari requests/creates keytab entries using this type for backwards compatibility. Your KDC is probably rejecting keys encrypted with this type.
To fix this, you should go into the Kerberos service settings and edit the "Encryption Type" value under the "Advanced kerberos-env" section. The default value is "aes des3-cbc-sha1 rc4 des-cbc-md5". Change it to "aes des3-cbc-sha1 rc4". You will also want to update the "krb5-conf template" value under "Advanced krb5-conf" to add the following under the "[libdefaults]" section: allow_weak_crypto = false
After saving the changes and restarting the Kerberos service (which ensure the krb5.conf file is synced up), you should restart all of the services.
If you still see issues, maybe regenerate all keytab files (Admin->Kerberos) and then restart all services. However depending on the KDC implementation you may or may not see a change in the generated keytab files. By default they will look like [root@c7401 ~]# klist -kte /etc/security/keytabs/spnego.service.keytab
Keytab name: FILE:/etc/security/keytabs/spnego.service.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
2 09/14/2018 15:06:22 HTTP/c7401.ambari.apache.org@EXAMPLE.COM (des3-cbc-sha1)
2 09/14/2018 15:06:22 HTTP/c7401.ambari.apache.org@EXAMPLE.COM (des-cbc-md5)
2 09/14/2018 15:06:22 HTTP/c7401.ambari.apache.org@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
2 09/14/2018 15:06:22 HTTP/c7401.ambari.apache.org@EXAMPLE.COM (arcfour-hmac)
2 09/14/2018 15:06:22 HTTP/c7401.ambari.apache.org@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
... View more
09-14-2018
03:32 PM
@Lija Mohan Key type 3 is DES_CBC_MD5, which is pretty much deprecated (see https://www.opencore.com/blog/2017/3/kerberos-encryption-types/), but by default Ambari requests/creates keytab entries using this type for backwards compatibility. Your KDC is probably rejecting keys encrypted with this type. To fix this, you should go into the Kerberos service settings and edit the "Encryption Type" value under the "Advanced kerberos-env" section. The default value is "aes des3-cbc-sha1 rc4 des-cbc-md5". Change it to "aes des3-cbc-sha1 rc4". You will also want to update the "krb5-conf template" value under "Advanced krb5-conf" to add the following under the "[libdefaults]" section: allow_weak_crypto = false After saving the changes and restarting the Kerberos service (which ensure the krb5.conf file is synced up), you should restart all of the services. If you still see issues, maybe regenerate all keytab files (Admin->Kerberos) and then restart all services. However depending on the KDC implementation you may or may not see a change in the generated keytab files. By default they will look like [root@c7401 ~]# klist -kte /etc/security/keytabs/spnego.service.keytab
Keytab name: FILE:/etc/security/keytabs/spnego.service.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
2 09/14/2018 15:06:22 HTTP/c7401.ambari.apache.org@EXAMPLE.COM (des3-cbc-sha1)
2 09/14/2018 15:06:22 HTTP/c7401.ambari.apache.org@EXAMPLE.COM (des-cbc-md5)
2 09/14/2018 15:06:22 HTTP/c7401.ambari.apache.org@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
2 09/14/2018 15:06:22 HTTP/c7401.ambari.apache.org@EXAMPLE.COM (arcfour-hmac)
2 09/14/2018 15:06:22 HTTP/c7401.ambari.apache.org@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
... View more
08-27-2018
04:01 PM
@Anant
Aneja
You probably should have posed this as a question in the form, rather than a comment to this article. It may have gotten answered quicker. The rule you are using will not perform the translation you want. The regular expression syntax to match using case-insensitivity is not supported as you have specified it and the translation will not generate local names with all lower-case characters. The rule you want is more like RULE:[1:$1@$0](.*@FOO.COM)s////L With this rule, the Hadoop UGI class will translate user@FOO.COM to user@foo.com [root@c7401 ~]# hadoop org.apache.hadoop.security.HadoopKerberosName joe_user@FOO.COM
18/08/27 15:57:07 INFO util.KerberosName: Non-simple name joe_user@FOO.COM after auth_to_local rule RULE:[1:$1@$0](.*@FOO.COM)s////L
Name: joe_user@FOO.COM to joe_user@foo.com As for the other principal names, they will technically be invalid since the realm name needs to always be in all upper-case characters. user1@FOO.COM - legal user2@foo.com - illegal user3@Foo.com - illegal
... View more
08-09-2018
04:09 PM
@Sudheer Velagapudi What version of Ambari are you using and did you turn on the Kerberos authentication feature of Ambari? Have you looked at the Ambari server log (/var/log/ambari-server/ambari-server.log) to see if there is anything interesting (and related) in there? Did you successfully kinit using a principal from a trusted KDC before issuing the curl command?
... View more
08-08-2018
01:38 PM
I am glad you found this useful. Thanks for the note.
... View more
08-03-2018
03:19 AM
1 Kudo
There is a workaround for this issue. However the results may not be desired since the CN will be a set of seemingly random characters. The CN is set using the value calculated using the Velocity template specified in the kerberos-env/ad_create_attributes_template configuration.
The default value of the template is {
"objectClass": ["top", "person", "organizationalPerson", "user"],
"cn": "$principal_name",
#if( $is_service )
"servicePrincipalName": "$principal_name",
#end
"userPrincipalName": "$normalized_principal",
"unicodePwd": "$password",
"accountExpires": "0",
"userAccountControl": "66048"
} As you can see, the CN value is set to the identity's principal name. This can be changed, but we need to make sure the value will be unique. There are several variables available to use in this template. See https://docs.hortonworks.com/HDPDocuments/Ambari-2.6.1.5/bk_ambari-security/content/customizing_the_attribute_template.html. You can use one of the hashes to limit the size of the value and provide a reasonable probability of uniqueness: principal_digest (SHA1) - 40 characters principal_digest_256 (SHA256) - 64 characters principal_digest_512 (SHA512) - 128 characters Since the maximum length for the CN attribute in an Active Directory is 64 characters, I would suggest using principal_digest_256. For example, {
"objectClass": ["top", "person", "organizationalPerson", "user"],
"cn": "$principal_digest_256",
#if( $is_service )
"servicePrincipalName": "$principal_name",
#end
"userPrincipalName": "$normalized_principal",
"unicodePwd": "$password",
"accountExpires": "0",
"userAccountControl": "66048"
} Notice the "cn" line was changed from "cn": "$principal_name" to "cn": "$principal_digest_256". You can change this templet from the Enable Kerberos Wizard if you open the Advanced kerberos-env tab on the Configure Kerberos page and look for the Account Attribute Template property.
... View more
07-31-2018
02:00 PM
myCom.global.ad is an invalid realm. The realm needs to be all uppercase characters, like MYCOM.GLOBAL.AD
... View more