05-13-2019
12:21 PM
It seems like the user that runs the kadmin process does not have access to write to the backing database... or the backing data is locked by some other process. Take a look at the permission on the database file and make sure the permissions are set properly.
04-17-2019
04:56 PM
It seems like Ambari is not able to retrieve the group named "ad_sshaccess_users" from the LDAP directory. Try using the OpenLDAP ldapsearch utility to see if that group is found:

ldapsearch -ZZ -h <FQDN IPA server> -D <manager DN> -W -b <search base DN> '(cn=ad_sshaccess_users)'

Ideally the following data is the same as what you entered during setup-ldap:
- <FQDN IPA server>
- <manager DN> (and password when prompted)
- <search base DN>

This may fail if the IPA server's SSL cert is not trusted, so you can edit /etc/openldap/ldap.conf and add the following line to disable certificate validation:

TLS_REQCERT never

If the entry is found, make sure the returned LDIF matches the properties you set during setup-ldap:
- object class
- group name attribute
04-16-2019
04:37 PM
Looking at the stack trace, it seems like some keytab file was not created by the MIT KDC. Maybe there are messages in the Ambari server log that indicate why. Else maybe a look at the KDC or KAdmin logs will be needed to help figure out the issue.
04-08-2019
12:18 PM
@Manjunath P N. I am not sure of all the steps, but they should be outlined here - https://web.mit.edu/kerberos/krb5-devel/doc/admin/install_kdc.html.
03-14-2019
01:00 PM
1 Kudo
@Oleg Tarassov, You are not looking at the correct source code version for Ambari 2.6.2.2. I believe that you want to look at https://github.com/apache/ambari/blob/release-2.6.2/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/IPAKerberosOperationHandler.java#L949. According to this, the encryption types are not considered when exporting keytab files from IPA. This has been fixed in Ambari 2.7.0 and above. See https://issues.apache.org/jira/browse/AMBARI-22293.
02-20-2019
05:34 PM
Typically I have the DNS options turned off

dns_lookup_realm = true
dns_lookup_kdc = true

If you do not need DNS lookup features, I would turn this off. Else make sure your DNS is set up correctly for this.

The domain_realm block seems to be missing the EXAMPLE.COM realm

[domain_realm]
.unknown_domain = UNKNOWN_DOMAIN
unknown_domain = UNKNOWN_DOMAIN

Maybe change it to something like

[domain_realm]
.unknown_domain = UNKNOWN_DOMAIN
unknown_domain = UNKNOWN_DOMAIN
.server.com = EXAMPLE.COM
server.com = EXAMPLE.COM
02-20-2019
05:16 PM
@Pirlouis Pirlouis I have no experience with ksu, but can you post the krb5.conf file? Maybe there is an issue in there. For example, is there a default realm specified?
01-23-2019
04:19 PM
@scott powers As of Ambari 2.7, Ambari authenticates with an MIT KDC more securely - using Kerberos. To do this, it must call kinit and specify the kadmin service principal.

kinit -c <path> -S kadmin/<kadmin server FQDN>@<realm> <principal>

There may be one of two issues at play causing you an issue.

1) The KDC Administrator host is not set to the FQDN of the host where the kadmin server is running
2) The KDC does not have a principal like kadmin/<kadmin server FQDN>@<realm>

Fixing #1 may be done by editing the Kerberos service configurations via Ambari. After restarting the Kerberos service, you should be able to properly kinit.

Fixing #2 may be done by adding the missing principal (kadmin/<kadmin server FQDN>@<realm>) to the MIT KDC. In future versions of Ambari, you will be able to configure what the kadmin service principal is. However for now, Ambari assumes it is kadmin/<kadmin server FQDN>@<realm>.

If one of these solutions does not help, you should take a look at your ambari-server.log file and see if there are any interesting error messages posted that you can share here.
01-16-2019
01:30 PM
One thing to note is that Ambari appears to not be managing the krb5.conf file. This is fine, but Hadoop does not support the KEYRING cache type. You need to change

default_ccache_name = KEYRING:persistent:%{uid}

to

default_ccache_name = /tmp/krb5cc_%{uid}
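The krb5.conf points raised in the posts above (a default realm, a [domain_realm] mapping for that realm, the DNS lookup options, and the KEYRING cache type) gathered into one check. This is an added example, not part of the original posts; the function names and the sample file are constructed for illustration, and only flat key = value relations are parsed.

```python
import re
# Constructed sample built from the settings quoted in the posts above.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  default_ccache_name = KEYRING:persistent:%{uid}
[domain_realm]
  .unknown_domain = UNKNOWN_DOMAIN
  unknown_domain = UNKNOWN_DOMAIN
"""

def parse_krb5_conf(text):
    """Return {section: {key: value}}; nested { } blocks are skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if depth:  # inside a { } block such as a [realms] entry
            depth += line.count("{") - line.count("}")
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value.endswith("{"):
                depth = 1
            else:
                current[key] = value
    return sections

def lint_krb5_conf(text):
    """Hypothetical helper: flag the issues raised in the posts above."""
    conf = parse_krb5_conf(text)
    lib = conf.get("libdefaults", {})
    findings, realm = [], lib.get("default_realm")
    if not realm:
        findings.append("no default_realm in [libdefaults]")
    if lib.get("default_ccache_name", "").upper().startswith("KEYRING:"):
        findings.append("default_ccache_name uses KEYRING, which Hadoop does not support")
    for key in ("dns_lookup_realm", "dns_lookup_kdc"):
        if lib.get(key, "").lower() in ("true", "yes", "on", "1"):
            findings.append(f"{key} is enabled; DNS must be set up correctly")
    if realm and realm not in conf.get("domain_realm", {}).values():
        findings.append(f"[domain_realm] has no mapping to {realm}")
    return findings
```

Calling lint_krb5_conf(SAMPLE_KRB5_CONF) reports the KEYRING cache, both DNS lookup options, and the missing EXAMPLE.COM mapping.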
01-16-2019
01:25 PM
Interesting.... Actually I am not sure why `UNKNOWN:normal` is in there. Did you edit the encryption types in the configure Kerberos page, under Advanced kerberos-env? It should be `aes des3-cbc-sha1 rc4 des-cbc-md5`. Does yours have a different value?