Member since 09-29-2015. 362 Posts, 242 Kudos Received, 63 Solutions.
07-24-2018 06:27 PM
1 Kudo
@Harry Li It is likely the postgresql service was not started. Try to manually start it and re-run ambari-server setup.

```shell
service postgresql start
```
07-19-2018 06:17 PM
1 Kudo
Are you really sure Ambari is running as root? Try doing a ps to be sure:

```shell
# ps -ef | grep AmbariServer
root      3927 13603  0 18:15 pts/0    00:00:00 grep --color=auto AmbariServer
root     28360     1  2 16:05 pts/0    00:03:22 /usr/jdk64/jdk1.8.0_77/bin/java -server -XX:NewRatio=3 -XX:+UseConcMarkSweepGC -XX:-UseGCOverheadLimit -XX:CMSInitiatingOccupancyFraction=60 -XX:+CMSClassUnloadingEnabled -Dsun.zip.disableMemoryMapping=true -Xms512m -Xmx2048m -XX:MaxPermSize=128m -Djava.security.auth.login.config=/etc/ambari-server/conf/krb5JAASLogin.conf -Djava.security.krb5.conf=/etc/krb5.conf -Djavax.security.auth.useSubjectCredsOnly=false -Xms512m -Xmx2048m -XX:MaxPermSize=128m -Djava.security.auth.login.config=/etc/ambari-server/conf/krb5JAASLogin.conf -Djava.security.krb5.conf=/etc/krb5.conf -Djavax.security.auth.useSubjectCredsOnly=false -cp /etc/ambari-server/conf:/usr/lib/ambari-server/*:/usr/share/java/postgresql-jdbc.jar org.apache.ambari.server.controller.AmbariServer
```

If Ambari is running as root, does root have a uid and gid of 0?

```shell
# id root
uid=0(root) gid=0(root) groups=0(root)
```
07-09-2018 01:48 PM
1 Kudo
Please take a look at the following article to see if that helps: Java/Python Updates and Ambari Agent TLS Settings
06-26-2018 04:29 PM
@Mudit Kumar To connect to HDFS that requires a Kerberos ticket for authentication, you need to get a valid Kerberos ticket from a relevant KDC and use a client that can send that ticket when requested, all on the client host.

First, you need a Kerberos infrastructure on your laptop. If you are running Mac OS, then one should already be installed. If you are running Windows, you will probably need to install something. There are several ways to do this; I suggest searching the Internet for possible solutions. For example: http://web.mit.edu/kerberos/kfw-4.1/kfw-4.1.html

Once you have a Kerberos infrastructure installed, you need to set up a krb5.conf file so that kinit knows where the KDC is, so you can authenticate and request service tickets.

To get a Kerberos ticket, you need to authenticate using kinit:

```shell
HW14041:~ rlevas$ kinit rlevas@EXAMPLE.COM
rlevas@EXAMPLE.COM's password:
```

Upon success, you should have a Kerberos ticket:

```shell
HW14041:~ rlevas$ klist
Credentials cache: API:47BBBB94-9891-4D2A-B8F0-9E796DC30BD1
        Principal: rlevas@EXAMPLE.COM

  Issued                Expires               Principal
Jun 26 12:17:06 2018  Jun 27 12:17:05 2018  krbtgt/EXAMPLE.COM@EXAMPLE.COM
```

Now you can use a client that knows how to authenticate using Kerberos, like curl:

```shell
curl -i --negotiate -u : "http://c6401.ambari.apache.org:50070/webhdfs/v1/tmp?op=LISTSTATUS"
```

Note: --negotiate tells curl to use Kerberos for authentication; and -u tells curl that authentication data should be sent to the server, even though it is empty. Both are important for this call.

I hope this helps.
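As an added example (not code from the post above or from the Ambari project), the following Python script does the pre-flight check a practitioner would script before the curl call: it parses the Heimdal-style klist output quoted in the post, confirms that a krbtgt for the expected realm exists and is unexpired at a given time, and builds the curl argument list with --negotiate and -u : exactly as the post describes. The klist text is constructed from the post's output; the WebHDFS host, port and path are the ones in the post's curl call, and the time at which the check runs is an assumption passed in by the caller.

```python
import re
import shlex
from datetime import datetime

# Constructed sample, modelled on the Heimdal (macOS) klist output quoted in the post.
SAMPLE_KLIST = """Credentials cache: API:47BBBB94-9891-4D2A-B8F0-9E796DC30BD1
        Principal: rlevas@EXAMPLE.COM

  Issued                Expires               Principal
Jun 26 12:17:06 2018  Jun 27 12:17:05 2018  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# One ticket line: "<issued>  <expires>  <service principal>" (Heimdal layout).
TICKET_RE = re.compile(
    r"^(?P<issued>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+"
    r"(?P<expires>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+"
    r"(?P<service>\S+)$"
)
TIME_FMT = "%b %d %H:%M:%S %Y"


def parse_klist(text):
    """Return (client principal, [ticket dicts]) from Heimdal klist output."""
    principal = None
    tickets = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append({
                "service": m["service"],
                "issued": datetime.strptime(m["issued"], TIME_FMT),
                "expires": datetime.strptime(m["expires"], TIME_FMT),
            })
    return principal, tickets


def tgt_status(text, realm, now):
    """(principal, expiry) if a TGT for `realm` is valid at `now`, otherwise None.

    A ticket for the wrong realm or an expired one means curl --negotiate will
    not be able to obtain a service ticket, so the caller should kinit first.
    """
    principal, tickets = parse_klist(text)
    wanted = f"krbtgt/{realm}@{realm}"
    for t in tickets:
        if t["service"] == wanted and t["issued"] <= now < t["expires"]:
            return principal, t["expires"]
    return None


def webhdfs_curl_argv(host, path, op="LISTSTATUS", port=50070):
    """argv for the call shown in the post: --negotiate selects SPNEGO/Kerberos,
    and '-u :' makes curl actually send the (empty) credential so the
    Negotiate handshake happens."""
    return ["curl", "-i", "--negotiate", "-u", ":",
            f"http://{host}:{port}/webhdfs/v1{path}?op={op}"]


if __name__ == "__main__":
    # Assumed "current time": shortly after the sample ticket was issued.
    status = tgt_status(SAMPLE_KLIST, "EXAMPLE.COM", datetime(2018, 6, 26, 13, 0, 0))
    if status is None:
        print("no valid TGT for EXAMPLE.COM: run kinit first")
    else:
        print(f"{status[0]} holds a TGT until {status[1]}; run:")
        print(shlex.join(webhdfs_curl_argv("c6401.ambari.apache.org", "/tmp")))
```

The same parse would report "run kinit first" once the clock passes the Expires column, which is the usual cause of a working command suddenly returning 401 the next day.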
06-18-2018 03:01 PM
This preauthentication failure can happen for several reasons. Mostly we see it when either the password for the relevant account in the Active Directory has changed since the keytab file was created, or the system clock is off by about 5 minutes from that of the Active Directory. Is it possible one of these 2 scenarios is in play?

For that Zookeeper issue, I think you may be able to manually start Zookeeper in a permissive mode so that you can manually update the ACLs on the znodes. However, I am not too familiar with this part of the equation.
06-06-2018 09:21 PM
@infa elance The issue is as described by @mrodriguez; however, the real solution is to use the -norandkey option to the ktadd function. This way the key for the principal you want to add to the keytab file will not be updated.

```shell
kadmin.local -q "ktadd -norandkey -k /etc/security/keytabs/user_name.keytab HTTP/hdp26.xyz.com@xyz.COM"
```

I assume this is a better option since you may want to have the keytab entry for some user's principal in that file as well.

Note: the -norandkey option is only available when using kadmin.local. It is not an option for the general kadmin utility.

Another option is to use the ktutil utility to read in multiple keytab files and write out a new one. See https://web.mit.edu/kerberos/krb5-1.12/doc/admin/admin_commands/ktutil.html.
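The damage a plain ktadd does is invisible in the file it writes: the new keytab is fine, but every other keytab holding that principal now carries a stale key version number (kvno). As an added example (not code from the post or from MIT Kerberos), the following Python script parses the MIT keytab file format (version 0x0502) and flags entries whose kvno no longer matches the KDC. The sample keytab is constructed in-process with all-zero dummy keys, and the "KDC kvno" table is a constructed stand-in for what kadmin getprinc would report after a ktadd without -norandkey bumped the HTTP principal to kvno 3; the principal names are illustrative, not the post's.

```python
import struct
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"            # MIT keytab file format, version 2
KRB5_NT_PRINCIPAL = 1
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    timestamp: int


def _octets(b):
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key, timestamp) tuples as a v2 keytab.

    Only used here to construct the sample; real keytabs come from kadmin ktadd.
    """
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _octets(realm.encode())
        for c in comps:
            body += _octets(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)   # 32-bit vno extension, authoritative when non-zero
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _read_octets(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n].decode(), pos + n


def parse_keytab(data):
    """Walk a v2 keytab and return its live entries (key material is not retained)."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        if size == 0:
            break
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_octets(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_octets(data, pos)
            comps.append(c)
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen                   # skip over the key bytes
        kvno = vno8
        if end - pos >= 4:                # optional 32-bit vno trailer
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, ts))
    return entries


def stale_entries(entries, kdc_kvnos):
    """Entries whose kvno differs from the KDC's current kvno for that principal."""
    return [e for e in entries
            if e.principal in kdc_kvnos and e.kvno != kdc_kvnos[e.principal]]


# Constructed sample: a keytab exported when both principals were at kvno 2.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/hdp26.example.com@EXAMPLE.COM", 2, ENCTYPE_AES256_CTS_HMAC_SHA1_96, bytes(32), 1528300000),
    ("alice@EXAMPLE.COM", 2, ENCTYPE_AES256_CTS_HMAC_SHA1_96, bytes(32), 1528300000),
])
# Constructed: KDC state after a plain ktadd re-randomised the HTTP key (kvno 2 -> 3).
KDC_KVNOS_AFTER_PLAIN_KTADD = {"HTTP/hdp26.example.com@EXAMPLE.COM": 3, "alice@EXAMPLE.COM": 2}

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print(f"{e.principal} kvno={e.kvno} enctype={e.enctype}")
    for e in stale_entries(entries, KDC_KVNOS_AFTER_PLAIN_KTADD):
        print(f"STALE: {e.principal} keytab kvno {e.kvno} != KDC kvno {KDC_KVNOS_AFTER_PLAIN_KTADD[e.principal]}")
```

Run against a real file, parse_keytab(open(path, "rb").read()) gives the same view as klist -kt, and the kvno column is the thing to compare with kadmin's getprinc output after any ktadd.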
04-28-2018 10:49 AM
1 Kudo
After searching the internet for "the trustAnchors parameter must be non-empty", it appears that message may mean that the specified trust store was not found or could not be read. Take a look at the values of the following properties in the /etc/ambari-server/conf/ambari.properties file to make sure they are correct:

```
ssl.truststore.path
ssl.truststore.password
ssl.truststore.type
```

Another thing you might try is to turn off SSL certificate validation when connecting to Active Directory while enabling Kerberos. This can be done by setting the following property in the /etc/ambari-server/conf/ambari.properties file and restarting Ambari:

```
kerberos.operation.verify.kdc.trust = false
```
04-27-2018 12:24 PM
You appear to be using an Active Directory. In this case, you still want to use port 389 for LDAP and 636 for LDAPS unless there is a firewall in the way or the ports were changed on the Active Directory for some reason. That said, it is possible that SSL was not set up for your Active Directory and therefore it is not listening for LDAPS requests on port 636. Make sure that LDAPS is enabled on your Active Directory.
04-26-2018 12:11 AM
1 Kudo
@Sivaprakasam Theivanayagam There are various tools you can use to test connectivity.

To test the SSL connection and grab the SSL cert, you can use the OpenSSL s_client utility:

```shell
openssl s_client -connect HOST:PORT
```

To grab the SSL certificate you can use the following command:

```shell
openssl s_client -connect <AD_HOST_NAME_OR_IP_ADDRESS>:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > ad_ldap_server.pem
```

Example:

```shell
openssl s_client -connect ad_host.example.com:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > ad_ldap_server.pem
```

You can then import the ad_ldap_server.pem into Ambari's trust store. This is needed to ensure Ambari trusts the connection to the Active Directory. Later versions of Ambari require this (but the verification process can be turned off if you really want to).

To test the LDAP(S) interface, you can use the OpenLDAP ldapsearch utility. You may need to install the openldap-clients package to use it. The following command can be used to test connectivity and list the distinguished names contained in the base DN:

```shell
ldapsearch -ZZ -h <AD_HOST_NAME_OR_IP_ADDRESS> -D <BIND_DN> -W -b <BASE_DN> dn
```

-ZZ: Start TLS (for LDAPS)
-h: IP/hostname of Active Directory server
-D: BindDN or User principal name
-W: Password (to be provided interactively)
-b: Base DN for search (where in the LDAP tree to start looking)

Example:

```shell
ldapsearch -ZZ -h ad_host.example.com -D some_user@EXAMPLE.COM -W -b OU=users,DC=EXAMPLE,DC=COM dn
```

This ldapsearch command may fail if the host does not trust the SSL cert provided by the Active Directory. If so, you can either not use SSL/TLS, turn off OpenLDAP cert validation, or trust the cert. To not use TLS/SSL, remove the -ZZ from the command line. To skip certificate validation, edit the /etc/openldap/ldap.conf file and add the following line:

```
TLS_REQCERT never
```
02-13-2018 02:24 AM
1 Kudo
@Bala K It seems like we are getting closer. So I think we have some confusion on what realm the enterprise users need to be in. You posted that bspchaseuser@XYZDEV.ABC.NET was the user you used, but needed to create a principal in the cluster's MIT KDC. However, if you wanted to use the enterprise user identity, the principal should have been bspchaseuser@XYZ.ABC.NET. Or, looking at your krb5.conf file, bspchaseuser@FDA.EYFIDS.NET.

Since Winbind appears to not automatically kinit for you, you need to issue the following kinit command after logging in:

```shell
kinit bspchaseuser@FDA.EYFIDS.NET
```

If the trust is set up properly, you should be able to successfully issue an HDFS command:

```shell
hdfs dfs -ls /
```

If something is wrong you will get some Kerberos-related or GSS-API error.