Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

Kerberos with FreeIPA: password expired

Labels:
avatar
author-rank qiwang
Master Collaborator

Created on ‎11-15-2016 09:43 PM - edited ‎08-19-2019 05:01 AM

@emaxwell

Following your HCC tutorial on kerberizing cluster with FreeIPA. Run into error where the password for the test principle always expire

https://community.hortonworks.com/content/kbentry/59645/ambari-24-kerberos-with-freeipa.html

Performing kinit using qi1-111516@FIELD.HORTONWORKS.COM
2016-11-15 21:33:42,394 - Execute['/usr/bin/kinit -c /var/lib/ambari-agent/tmp/kerberos_service_check_cc_79b5f4cfa04c21fdbd26a3e07b45366e -kt /etc/security/keytabs/kerberos.service_check.111516.keytab qi1-111516@FIELD.HORTONWORKS.COM'] {'user': 'ambari-qa'}
2016-11-15 21:33:42,460 - File['/var/lib/ambari-agent/tmp/kerberos_service_check_cc_79b5f4cfa04c21fdbd26a3e07b45366e'] {'action': ['delete']}

Command failed after 1 tries

I updated password global policy to make it never expire, and the user is using that policy

ipa pwpolicy-mod --maxlife=0 --minlife=0 global_policy

[root@qwang-hdp ~]# ipa pwpolicy-show --user=qi1-111516
  Group: global_policy
  Max lifetime (days): 0
  Min lifetime (hours): 0
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600

But if I kinit with the user, it will ask me to reset the password anyway.

This seems to related to the second requirement of the wizard, but I can't make it work

9480-screen-shot-2016-11-15-at-42530-pm.png

Greatly appreciate if you could provide some advice.

6,590 Views
1 ACCEPTED SOLUTION

avatar
author-rank bdbruin
New Contributor

Created ‎12-18-2016 06:48 AM

You need a really recent FreeIPA to support --maxlife=0 (https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=d2cb9ed327ee4003598d5e45d80ab7918b89eeed). If you are on supported Redhat or CentOS then you probably you don't have it, unless you rolled your own.

You can find out by checking the krbPasswordExpiration attribute of the user. It shouldn't be there. In that case you can try to set it (http://www.therebel.eu/2015/08/setting-password-expiry-in-ipa/) or update your password policy to a lifetime of say 10 years or so (dont go beyond 2038)

View solution in original post

4,350 Views
0 Kudos
2 REPLIES 2

avatar
author-rank pminovic author-rank
Master Guru

Created ‎11-18-2016 11:10 AM

Can you try to create the keytab for the test user, and always do kinit from the keytab ("kinit -kt <keytab-file-name>" command). Ambari service checks are supposed to use the ambari-qa user and the wizard is supposed to create its keytab as well.

4,350 Views

avatar
author-rank bdbruin
New Contributor

Created ‎12-18-2016 06:48 AM

You need a really recent FreeIPA to support --maxlife=0 (https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=d2cb9ed327ee4003598d5e45d80ab7918b89eeed). If you are on supported Redhat or CentOS then you probably you don't have it, unless you rolled your own.

You can find out by checking the krbPasswordExpiration attribute of the user. It shouldn't be there. In that case you can try to set it (http://www.therebel.eu/2015/08/setting-password-expiry-in-ipa/) or update your password policy to a lifetime of say 10 years or so (dont go beyond 2038)

4,351 Views
0 Kudos
webinar banner
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements
meetups banner