08-23-2016
12:16 PM
Maybe the problem is in the configuration of the client, because if we run hadoop fs -ls on the server we don't get any errors. It's been a nightmare! We only want to have a secure way (through Kerberos) to leave files in the Ambari server!!!
08-23-2016
11:07 AM
Thanks @emaxwell, that gave me a clue. But we still have problems. Now we are trying to connect through a Hadoop client, and we get the following error:

bash-4.1# kinit user
Password for USER@MY.DOMAIN:
bash-4.1# /usr/local/hadoop/bin/hadoop fs -ls hdfs://server-datalake/data -vv
ls: SIMPLE authentication is not enabled. Available:[TOKEN, KERBEROS]
ls: Call From c43852c98eb6/172.17.0.2 to server-datalake:9000 failed on connection exception: java.net.ConnectException: Connection refused; For more details see: http://wiki.apache.org/hadoop/ConnectionRefused

And about the file view, we still have problems.
08-22-2016
11:56 AM
Hi, we have Kerberos security enabled in Ambari. All services are running without any problems. Now we are trying to connect through NFS with Kerberos security. This works:

mount -t nfs -o vers=3,proto=tcp,nolock,sync,noatime server-datalake:/ /mnt/hdfs

But with Kerberos we get this error:

mount -t nfs -o sec=krb5,vers=3,noatime server-datalake:/ /mnt/hdfs -vvvv
mount.nfs: timeout set for Mon Aug 22 13:51:37 2016
mount.nfs: trying text-based options 'sec=krb5,vers=3,proto=tcp,nolock,addr=172.16.7.1'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 172.16.7.1 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=6
mount.nfs: trying 172.16.7.1 prog 100005 vers 3 prot TCP port 4242
mount.nfs: mount(2): Permission denied
mount.nfs: access denied by server while mounting server-datalake:/

What could be the problem? Otherwise, configuring the file view with Kerberos, we obtain this error: 500 Authentication required. Any help? Thanks in advance.
06-03-2016
11:55 AM
@Robert Levas many thanks! I had base errors. Finally I have it clear. Now I only need to implement it 🙂
06-03-2016
09:36 AM
Thanks @Robert Levas. My problem is that we have OpenLDAP but we don't have a KDC. So I do not know if it would be better to install MIT KDC on the same server where we have OpenLDAP, or try to install and configure Kerberos in the Ambari Server. I think the following guidelines are for this case: https://community.hortonworks.com/content/kbentry/29203/automated-kerberos-installation-and-configuration.html
06-01-2016
07:58 AM
Thanks @Robert Levas. Let me see if I understand you correctly. We don't have Active Directory. We only have OpenLDAP, so we don't need LDAPS. So now that we want to install Kerberos, we only need to connect it with our own LDAP? Could you clarify the steps? Thanks
05-31-2016
11:21 AM
Hello, we have set up Ambari and HDFS with LDAP and Ranger. But we need strong user authentication in Hadoop, so I guess I need to configure Kerberos. I am a little afraid because we already have a fairly stable system, and I don't want to break anything. So I am reading the documentation first. I have a doubt about one of the prerequisites: "Active Directory secure LDAP (LDAPS) connectivity has been configured." We have an external LDAP server but not with SSL (we don't have LDAPS). So, will it be possible to configure Kerberos with our own LDAP server? Thanks in advance.
05-25-2016
11:43 AM
It is not a solution because a user can create his own virtual machine with root access, create the user, and have access to data that he should not. I think I should request the password when trying to connect.
05-25-2016
08:57 AM
Hello, we have a security problem with Hadoop access.

[root@server]$ hadoop fs -ls hdfs://datalake/data
ls: Permission denied: user=root, access=READ_EXECUTE, inode="/data":ldap_user:ldap_group:drwxr-x---

This is correct because root does not have access. The access is for ldap_user and ldap_group. If user1ldap is part of group ldap_group (an authorized user), we only need to create the user:

[root@server]$ useradd user1ldap
[root@server]$ su - user1ldap
[user1ldap@server]$ hadoop fs -ls hdfs://datalake/data
Found 3 items
[..]

How can it be? Without asking for a password? For us it is a security problem! Through an NFS connection it does ask for the correct LDAP user and password. Thanks in advance.
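Added example, not from the original thread or from the Hadoop project: the core-site.xml setting behind both this post and the later "SIMPLE authentication is not enabled" error. With simple authentication HDFS trusts the username the client OS reports, which is why a local useradd is enough; with kerberos the NameNode demands a ticket, and a client whose own core-site.xml still says simple is rejected with exactly that message. Property names are the standard Hadoop ones; the file layout shown is a constructed fragment.

```xml
<!-- Weak setting: identity is whatever user the client process runs as.
     Any host that can reach the NameNode can present any uid it likes. -->
<property>
  <name>hadoop.security.authentication</name>
  <value>simple</value>
</property>

<!-- Corrected setting (what an Ambari-kerberized cluster writes):
     every RPC must carry a Kerberos ticket obtained with kinit.
     The same value must be present in the client's core-site.xml,
     otherwise the client keeps trying SIMPLE and the NameNode answers
     "SIMPLE authentication is not enabled. Available:[TOKEN, KERBEROS]". -->
<property>
  <name>hadoop.security.authentication</name>
  <value>kerberos</value>
</property>
<property>
  <name>hadoop.security.authorization</name>
  <value>true</value>
</property>
```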
04-29-2016
09:08 AM
@Neeraj Sabharwal Thanks for the tutorial, very useful! But does it work with groups too?
04-29-2016
07:21 AM
@spolavarapu Thanks for your answer, that is exactly what I was looking for. So I will wait for the next release; will it be soon? Meanwhile, I will try to use file-based sync.
04-28-2016
10:47 AM
Thanks for the answer, but I am using memberUid because I don't have the memberOf properties in my LDAP. It is for that reason that I'm trying to use memberUid.
04-28-2016
06:31 AM
1 Kudo
Hello, first of all, sorry for my English. When I try to sync LDAP with memberUid, it only syncs users but doesn't sync groups. This is the part in the log with the groups part:

groupSearchEnabled: true, groupSearchBase: ou=Samba,dc=example,dc=es, groupSearchScope: 2, groupObjectClass: posixGroup, groupSearchFilter: cn=*, extendedGroupSearchFilter: (&(objectclass=posixGroup)(cn=*)(memberUid={0})), extendedAllGroupsSearchFilter: (&(objectclass=posixGroup)(cn=*)), groupMemberAttributeName: memberUid, groupNameAttribute: cn, groupUserMapSyncEnabled: false, ldapReferral: ignore

The problem is that in my LDAP this is the search for groups:

slapd[8101]: conn=1034 op=6 SRCH base="ou=Samba,dc=example,dc=es" scope=2 deref=3 filter="(&(objectClass=posixGroup)(cn=*)(memberUid=uid=user.user,ou=Users,dc=example,dc=es))"

It always appends memberUid=uid=user.user,ou=Users,dc=example,dc=es, but we need memberUid=user.user. The following search:

ldapsearch -x -LLL -b dc=example,dc=es '(&(objectClass=posixGroup)(cn=*)(memberUid=uid=user.user,ou=Users,dc=example,dc=es))'

doesn't bring any result. I need this correct search:

ldapsearch -x -LLL -b dc=example,dc=es '(&(objectClass=posixGroup)(cn=*)(memberUid=user.user))'

Another thing: with the script run.sh in the ldaptool the groups are synced correctly. Please, help!! Thanks
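Added example, not Ranger's own usersync code: it builds the group filter from the extendedGroupSearchFilter template quoted in the post and shows the substitution the post asks for. For an RFC 2307 memberUid attribute the {0} placeholder must receive the bare uid, while for DN-valued attributes such as member it receives the full user DN; the value is RFC 4515-escaped before insertion so a uid containing "*" or ")" cannot rewrite the filter. The attribute name, template and user DN are taken from the post; the groupOfNames template in the test is a constructed assumption.

```python
"""Build the posixGroup membership filter with the correct {0} value."""
import re

# Template and attribute name as logged by usersync in the post above.
EXTENDED_GROUP_SEARCH_FILTER = "(&(objectclass=posixGroup)(cn=*)(memberUid={0}))"
GROUP_MEMBER_ATTRIBUTE_NAME = "memberUid"
# Constructed user DN matching the slapd log line in the post.
USER_DN = "uid=user.user,ou=Users,dc=example,dc=es"

# RFC 4515 assertion-value escapes: a value must never be able to close or
# extend the filter it is spliced into.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one LDAP filter assertion value per RFC 4515."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def rdn_value(dn: str, attr: str = "uid") -> str:
    """Return the value of the first RDN of `dn` whose type is `attr`.

    Splits on unescaped commas only; assumes no multi-valued RDNs,
    which is enough for the OpenLDAP layout shown in the post."""
    for rdn in re.split(r"(?<!\\),", dn):
        name, _, val = rdn.partition("=")
        if name.strip().lower() == attr.lower():
            return val.strip()
    raise ValueError(f"no {attr}= RDN in {dn!r}")


def group_filter(user_dn: str,
                 member_attr: str = GROUP_MEMBER_ATTRIBUTE_NAME,
                 template: str = EXTENDED_GROUP_SEARCH_FILTER) -> str:
    """Substitute {0}: bare uid for memberUid, full DN for DN-valued attrs."""
    if member_attr.lower() == "memberuid":
        value = rdn_value(user_dn, "uid")   # what slapd must receive
    else:
        value = user_dn                    # member / uniqueMember hold DNs
    return template.replace("{0}", escape_filter_value(value))


if __name__ == "__main__":
    print(group_filter(USER_DN))
```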