03-14-2019 01:36 AM
Hello - I have Ambari version 2.6.2.2-1 with IPA version 4.6.4.

The issue I am facing is that when Ambari pulls the keytab file for each host after creating the principal (step 2 of the enable Kerberos), it does not take into account the encryption types field used. It pulls all the encryptions from the IPA server, but the IPA server only supports: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96.

Looking at the code:

https://github.com/apache/ambari/blob/c17ecd1b2d5e41e66533266c9f4d5880ef5bd948/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/IPAKerberosOperationHandler.java

    String[] createKeytabFileCommand = (StringUtils.isEmpty(encryptionTypeSpec))
        ? new String[]{executableIpaGetKeytab, "-s", getAdminServerHost(true), "-p", principal, "-k", keytabFileDestinationPath}
        : new String[]{executableIpaGetKeytab, "-s", getAdminServerHost(true), "-e", encryptionTypeSpec, "-p", principal, "-k", keytabFileDestinationPath};

It should add the -e value with what was put in the box, but it does not.

Executing the below command works and generates the desired encryptions:

    ipa-getkeytab -p devops-val01@DEVOPS.MTL -k /etc/security/keytabs/kerberos.service_check.new.keytab -e aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96

I tried turning debug on for ambari-agent; it did not show anything new.

Any idea how I can debug this further?

Thanks,
Oleg
Labels: Apache Ambari, Kerberos, Security
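
One way to confirm which encryption types actually landed in a keytab that Ambari fetched is to parse the file and compare its entries against the two enctypes the IPA server supports. This is an added example, not part of the original post or of Ambari's code; it assumes the MIT keytab file format version 0x0502, and the sample keytab built by `build_sample` is constructed with all-zero keys.

```python
import struct
# Kerberos enctype numbers (IANA registry); unknown ones are shown as etype-N.
ENCTYPES = {16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
# The two enctypes the post says the IPA server supports.
ALLOWED = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"}

def _counted(buf, off):
    """Read a 16-bit length-prefixed string; return (text, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Yield (principal, kvno, enctype name) per entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:            # negative size marks a deleted slot (hole)
            pos += -size
            continue
        rec, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, off = _counted(rec, 2)
        comps = []
        for _ in range(ncomp):
            name, off = _counted(rec, off)
            comps.append(name)
        _name_type, _timestamp, kvno, etype, klen = struct.unpack_from(">IIBHH", rec, off)
        off += 13 + klen         # fixed fields are 13 bytes; key bytes are skipped
        if len(rec) - off >= 4:  # optional 32-bit kvno overrides when non-zero
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        yield "/".join(comps) + "@" + realm, kvno, ENCTYPES.get(etype, "etype-%d" % etype)

def unexpected_enctypes(data, allowed=ALLOWED):
    """Enctype names present in the keytab but not in the allowed set."""
    return sorted({e for _, _, e in parse_keytab(data)} - set(allowed))

def build_sample(name, realm, etypes):
    """Constructed keytab with all-zero keys, for offline testing only."""
    out = b"\x05\x02"
    for etype, klen in etypes:
        rec = struct.pack(">HH", 1, len(realm)) + realm.encode()
        rec += struct.pack(">H", len(name)) + name.encode()
        rec += struct.pack(">IIBHH", 1, 0, 1, etype, klen) + bytes(klen)
        out += struct.pack(">i", len(rec)) + rec
    return out
```

On a host, pass the bytes of the keytab under inspection to `unexpected_enctypes`; an empty list means every entry uses one of the two allowed enctypes.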