Cloudera Community
rlevas
user rank
Guru

Re: Auth-to-local Rules Syntax

by Frequent Visitor in Community Articles
‎07-15-2024 01:53 AM
‎07-15-2024 01:53 AM
Hi team, I want to configuration "yarn-user/hdp01-node.lab.contoso.com@LAB.CONTOSO.COM" to "yarn-user" "yarn-user/hdp02-node.lab.contoso.com@LAB.CONTOSO.COM" to "yarn-user" "yarn-user/hdp03-node.lab.contoso.com@LAB.CONTOSO.COM" to "yarn-user" Please given a rule advidor. Thanks ... View more

Re: Ambari Fails to create Keytabs when Installing...

by Visitor in Support Questions
‎05-08-2021 12:51 AM
‎05-08-2021 12:51 AM
thank you so much. I encountered same problem,but it solved after read your solution. I also changed the default config in Ambari to only 2 encryption types and hashed out the default ticket encryptions as well, then error went away. ... View more

Re: .KerberosOperationException: Unexpected error ...

by New Contributor in Support Questions
‎04-06-2021 08:29 AM
‎04-06-2021 08:29 AM
@mRabramS Can you share how you reconfigure the KDC ?  @VidyaSargur I’m really sorry , I opened a new thread but there’s no response    BR, ... View more

Re: Error while enabling kerberos on ambari

by Reader in Support Questions
‎01-13-2020 03:37 PM
‎01-13-2020 03:37 PM
Sorry for the bump. I tried this in the HDP Sandbox and discovered that installing krb5-workstation-1.15.1-37.el7_7.2.x86_64.rpm solved the problem ... View more

Re: Ambari createKeytabFileCommand with IPA does n...

by Guru in Support Questions
‎03-14-2019 01:00 PM
1 Kudo
‎03-14-2019 01:00 PM
1 Kudo
@Oleg Tarassov, You are not looking at the correct source code version for Ambari 2.6.2.2. I believe that you want to look at https://github.com/apache/ambari/blob/release-2.6.2/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/IPAKerberosOperationHandler.java#L949. According to this, the encryption types are not considered when exporting keytab files from IPA. This has been fixed in Ambari 2.7.0 and above. See https://issues.apache.org/jira/browse/AMBARI-22293. ... View more

Re: Unexpected error condition executing the kadmi...

by Frequent Visitor in Support Questions
‎08-07-2019 01:41 PM
‎08-07-2019 01:41 PM
Hello! ran into the same problem, but in my case the kadmin/<FQDN kadmin server>@<REALM> existed and if i run kinit -S kadmin/@<REALM> admin/admin@<REALM> then he will authorize # klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: admin/admin@<REALM> Valid starting       Expires              Service principal 08/07/2019 11:30:25  08/07/2019 14:30:25  kadmin/cluster@<REALM> ... View more

Re: Can't create un principal with ktutil

by New Member in Support Questions
‎10-25-2018 01:38 PM
‎10-25-2018 01:38 PM
OK thanks for your explanation. ... View more

Re: How to test LDAPS url from Linux?

by Guru in Support Questions
‎04-27-2018 12:24 PM
‎04-27-2018 12:24 PM
You appear to be using an Active Directory. In this case, you still want to use port 389 for LDAP and 636 for LDAPS unless there is a firewall in the way or the ports were changed on the Active Directory for some reason. That said, it is possible that SSL was not set up for your Active Directory and therefore it is not listening for LDAPS requests on port 636. Make sure that LDAPS is enabled on your Active Directory. ... View more

Re: Recreate Ambari's CA, used to sign SSL certifi...

by Guru in Community Articles
‎11-15-2018 02:16 PM
‎11-15-2018 02:16 PM
I am not exactly sure all of the tasks that the Ambari agent reset operation performs. It seems like it will do a lot more than just clean up the existing certs - if it does that at all. However, it will not perform any of the Ambari server-side tasks. So at lest the Ambari server steps from the article need to take place manually. ... View more

Recreate Ambari's CA, used to sign SSL certificate...

by Guru in Community Articles
‎06-12-2017 03:03 PM
‎06-12-2017 03:03 PM
There are certain circumstances where the Ambari CA needs to be recreated. Maybe it was corrupted, maybe Ambari's CA certificate expired, etc.... This how-to, assumes that the certificates signed by the Ambari CA are replaceable - which is generally the case for certificates used by Ambari agents for 2-way SSL connections. In the end, the Ambari server and all the agents will be restarted, causing a new CA certificate to be created along with new SSL certificates for each of the Ambari agents. On the Ambari server: Stop the Ambari server Backup /var/lib/ambari-server/keys and it child directories Delete the following files from /var/lib/ambari-server/keys ca.key ca.csr ca.crt pass.txt keystore.p12 *.csr *.crt Delete the following files from /var/lib/ambari-server/keys/db index.txt.old index.txt.attr.old serial.old Truncate the following files from /var/lib/ambari-server/keys/db index.txt index.txt.attr Edit the following files from /var/lib/ambari-server/keys/db serial set the contents to be exactly 00 Delete all files under /var/lib/ambari-server/keys/db/newcerts Restart Ambari server. On each Ambari agent host: Stop the Ambari agent Backup /var/lib/ambari-agent/keys and it child directories Delete the following files from /var/lib/ambari-agent/keys ca.crt *.crt *.csr *.key Restart Ambari agent After restarting the Ambari server, the following (or similar) entries should be seen in the /var/log/ambari-server/ambari-server.log file: 12 Jun 2017 14:38:19,606 INFO [main] ShellCommandUtil:63 - Command openssl genrsa -des3 -passout pass:**** -out /var/lib/ambari-server/keys/ca.key 4096 was finished with exit code: 0 - the operation was completely successfully . 12 Jun 2017 14:38:19,640 INFO [main] ShellCommandUtil:63 - Command openssl req -passin pass:**** -new -key /var/lib/ambari-server/keys/ca.key -out /var/lib/ambari-server/keys/ca.csr -batch was finished with exit code: 0 - the o peration was completely successfully. 12 Jun 2017 14:38:19,683 INFO [main] ShellCommandUtil:63 - Command openssl ca -create_serial -out /var/lib/ambari-server/keys/ca.crt -days 365 -keyfile /var/lib/ambari-server/keys/ca.key -key **** -selfsign -extensions jdk7_ca -config /var/lib/ambari-server/keys/ca.config -batch -infiles /var/lib/ambari-server/keys/ca.csr was finished with exit code: 0 - the operation was completely successfully. 12 Jun 2017 14:38:19,701 INFO [main] ShellCommandUtil:63 - Command openssl pkcs12 -export -in /var/lib/ambari-server/keys/ca.crt -inkey /var/lib/ambari-server/keys/ca.key -certfile /var/lib/ambari-server/keys/ca.crt -out /var/lib/ambari-server/keys/keystore.p12 -password pass:**** -passin pass:**** was finished with exit code: 0 - the operation was completely successfully. 12 Jun 2017 14:38:19,708 INFO [main] ShellCommandUtil:63 - Command find /var/lib/ambari-server/keys -type f -exec chmod 700 {} + was finished with exit code: 0 - the operation was completely successfully. 12 Jun 2017 14:38:19,708 INFO [main] ShellCommandUtil:63 - Command chmod 600 /var/lib/ambari-server/keys/pass.txt was finished with exit code: 0 - the operation was completely successfully. .... 12 Jun 2017 14:52:53,797 INFO [qtp-ambari-agent-34] CertificateManager:200 - Signing agent certificate 12 Jun 2017 14:52:53,800 INFO [qtp-ambari-agent-34] CertificateManager:220 - Validating agent hostname: c6401.ambari.apache.org 12 Jun 2017 14:52:53,800 INFO [qtp-ambari-agent-34] CertificateManager:232 - Verifying passphrase 12 Jun 2017 14:52:53,849 INFO [qtp-ambari-agent-34] ShellCommandUtil:63 - Command openssl ca -config /var/lib/ambari-server/keys/ca.config -in /var/lib/ambari-server/keys/c6401.ambari.apache.org.csr -out /var/lib/ambari-server/keys/c6401.ambari.apache.org.crt -batch -passin pass:**** -keyfile /var/lib/ambari-server/keys/ca.key -cert /var/lib/ambari-server/keys/ca.crt was finished with exit code: 0 - the operation was completely successfully. After restarting the Ambari agent, the following (or similar) entires should be seen in the /var/log/ambari-agent/ambari-agent.log file: INFO 2017-06-12 14:52:53,625 security.py:55 - Server require two-way SSL authentication. Use it instead of one-way... INFO 2017-06-12 14:52:53,625 security.py:179 - Server certicate not exists, downloading INFO 2017-06-12 14:52:53,625 security.py:202 - Downloading server cert from https://localhost:8440/cert/ca/ INFO 2017-06-12 14:52:53,693 security.py:187 - Agent key not exists, generating request INFO 2017-06-12 14:52:53,693 security.py:258 - openssl req -new -newkey rsa:1024 -nodes -keyout "/var/lib/ambari-agent/keys/c6401.ambari.apache.org.key" -subj /OU=c6401.ambari.apache.org/ -out "/var/lib/ambari-agent/keys/c6401.ambari.apache.org.csr" INFO 2017-06-12 14:52:53,736 security.py:195 - Agent certificate not exists, sending sign request INFO 2017-06-12 14:52:53,855 security.py:93 - SSL Connect being called.. connecting to the server INFO 2017-06-12 14:52:53,933 security.py:77 - SSL connection established. Two-way SSL authentication completed successfully. ... View more
Labels:
Contact Me
Online
Offline
Last Visited
‎08-09-2019 12:22 AM
Community Statistics
Member Since ‎09-29-2015 12:39 AM
Last Visited ‎08-09-2019 12:22 AM
Posts 362
Kudos received 242