Posted to dev@ambari.apache.org by Andrew Onischuk <ao...@hortonworks.com> on 2015/06/03 14:24:03 UTC
Review Request 34998: Non-root Agent: Kerberos Wizard - Check
Kerberos fails during Test Kerberos Client
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/34998/
-----------------------------------------------------------
Review request for Ambari and Robert Levas.
Repository: ambari
Description
-------
When enabling Kerberos on a non-root Ambari 2.0.0-151 setup, the Check Kerberos step fails during the Test Kerberos Client task.
The problem in the task's stderr is:
Fail: Execution of '/usr/bin/kinit -c /var/lib/ambari-agent/data/tmp/kerberos_service_check_cc_30399f1839f2d5ac0ada0c280b95657e -kt /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab ambari-qa_rghrcfxx@EXAMPLE.COM' returned 1. kinit: Permission denied while getting initial credentials
When capturing that keytab with 'cp -a' and trying to use it, I fail to authenticate:
[root@revo4 ~]# ls -l /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab
-rw-r-----. 1 ambari-qa hadoop 358 Jun 1 15:22 /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab
[root@revo4 ~]# klist -ket /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab
Keytab name: FILE:/etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
1 06/01/15 15:22:01 ambari-qa_pfrlxjlh@EXAMPLE.COM (arcfour-hmac)
1 06/01/15 15:22:01 ambari-qa_pfrlxjlh@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
1 06/01/15 15:22:01 ambari-qa_pfrlxjlh@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
1 06/01/15 15:22:01 ambari-qa_pfrlxjlh@EXAMPLE.COM (des-cbc-md5)
1 06/01/15 15:22:01 ambari-qa_pfrlxjlh@EXAMPLE.COM (des3-cbc-sha1)
[root@revo4 ~]# kinit -kt /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab ambari-qa_pfrlxjlh@EXAMPLE.COM
kinit: Client not found in Kerberos database while getting initial credentials
I validated that this kinit call is not run through sudo as there are no entries in /var/log/secure denying the action, and there are no instances in which ambari-sudo.sh is being called in regards to this command that I could find.
So, I need help in identifying why this is happening during the Check Kerberos step, and why the captured keytab isn't usable.
Diffs
-----
ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/service_check.py 412d12d
Diff: https://reviews.apache.org/r/34998/diff/
Testing
-------
1. Install cluster with ambari-agent
2. Kerberize it
also mvn clean test
Thanks,
Andrew Onischuk
Re: Review Request 34998: Non-root Agent: Kerberos Wizard - Check
Kerberos fails during Test Kerberos Client
Posted by Robert Levas <rl...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/34998/#review86402
-----------------------------------------------------------
Ship it!
Ship It!
- Robert Levas
On June 3, 2015, 8:29 a.m., Andrew Onischuk wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/34998/
> -----------------------------------------------------------
>
> (Updated June 3, 2015, 8:29 a.m.)
>
>
> Review request for Ambari and Robert Levas.
>
>
> Bugs: AMBARI-11647
> https://issues.apache.org/jira/browse/AMBARI-11647
>
>
> Repository: ambari
>
>
> Description
> -------
>
> When enabling Kerberos on a non-root Ambari 2.0.0-151 setup, the Check Kerberos step fails during the Test Kerberos Client task.
>
> The problem in the task's stderr is:
>
> Fail: Execution of '/usr/bin/kinit -c /var/lib/ambari-agent/data/tmp/kerberos_service_check_cc_30399f1839f2d5ac0ada0c280b95657e -kt /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab ambari-qa_rghrcfxx@EXAMPLE.COM' returned 1. kinit: Permission denied while getting initial credentials
>
>
> When capturing that keytab with 'cp -a' and trying to use it, I fail to authenticate:
>
>
> [root@revo4 ~]# ls -l /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab
> -rw-r-----. 1 ambari-qa hadoop 358 Jun 1 15:22 /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab
> [root@revo4 ~]# klist -ket /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab
> Keytab name: FILE:/etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab
> KVNO Timestamp Principal
> ---- ----------------- --------------------------------------------------------
> 1 06/01/15 15:22:01 ambari-qa_pfrlxjlh@EXAMPLE.COM (arcfour-hmac)
> 1 06/01/15 15:22:01 ambari-qa_pfrlxjlh@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
> 1 06/01/15 15:22:01 ambari-qa_pfrlxjlh@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
> 1 06/01/15 15:22:01 ambari-qa_pfrlxjlh@EXAMPLE.COM (des-cbc-md5)
> 1 06/01/15 15:22:01 ambari-qa_pfrlxjlh@EXAMPLE.COM (des3-cbc-sha1)
> [root@revo4 ~]# kinit -kt /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab ambari-qa_pfrlxjlh@EXAMPLE.COM
> kinit: Client not found in Kerberos database while getting initial credentials
>
> I validated that this kinit call is not run through sudo as there are no entries in /var/log/secure denying the action, and there are no instances in which ambari-sudo.sh is being called in regards to this command that I could find.
>
> So, I need help in identifying why this is happening during the Check Kerberos step, and why the captured keytab isn't usable.
>
>
> Diffs
> -----
>
> ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/service_check.py 412d12d
>
> Diff: https://reviews.apache.org/r/34998/diff/
>
>
> Testing
> -------
>
> 1. Install cluster with ambari-agent
> 2. Kerberize it
>
> also mvn clean test
>
>
> Thanks,
>
> Andrew Onischuk
>
>
Re: Review Request 34998: Non-root Agent: Kerberos Wizard - Check
Kerberos fails during Test Kerberos Client
Posted by Andrew Onischuk <ao...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/34998/
-----------------------------------------------------------
(Updated June 3, 2015, 12:29 p.m.)
Review request for Ambari and Robert Levas.
Bugs: AMBARI-11647
https://issues.apache.org/jira/browse/AMBARI-11647
Repository: ambari
Description
-------
When enabling Kerberos on a non-root Ambari 2.0.0-151 setup, the Check Kerberos step fails during the Test Kerberos Client task.
The problem in the task's stderr is:
Fail: Execution of '/usr/bin/kinit -c /var/lib/ambari-agent/data/tmp/kerberos_service_check_cc_30399f1839f2d5ac0ada0c280b95657e -kt /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab ambari-qa_rghrcfxx@EXAMPLE.COM' returned 1. kinit: Permission denied while getting initial credentials
When capturing that keytab with 'cp -a' and trying to use it, I fail to authenticate:
[root@revo4 ~]# ls -l /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab
-rw-r-----. 1 ambari-qa hadoop 358 Jun 1 15:22 /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab
[root@revo4 ~]# klist -ket /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab
Keytab name: FILE:/etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
1 06/01/15 15:22:01 ambari-qa_pfrlxjlh@EXAMPLE.COM (arcfour-hmac)
1 06/01/15 15:22:01 ambari-qa_pfrlxjlh@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
1 06/01/15 15:22:01 ambari-qa_pfrlxjlh@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
1 06/01/15 15:22:01 ambari-qa_pfrlxjlh@EXAMPLE.COM (des-cbc-md5)
1 06/01/15 15:22:01 ambari-qa_pfrlxjlh@EXAMPLE.COM (des3-cbc-sha1)
[root@revo4 ~]# kinit -kt /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab ambari-qa_pfrlxjlh@EXAMPLE.COM
kinit: Client not found in Kerberos database while getting initial credentials
I validated that this kinit call is not run through sudo as there are no entries in /var/log/secure denying the action, and there are no instances in which ambari-sudo.sh is being called in regards to this command that I could find.
So, I need help in identifying why this is happening during the Check Kerberos step, and why the captured keytab isn't usable.
Diffs
-----
ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/service_check.py 412d12d
Diff: https://reviews.apache.org/r/34998/diff/
Testing
-------
1. Install cluster with ambari-agent
2. Kerberize it
also mvn clean test
Thanks,
Andrew Onischuk
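
An added example, not part of the thread and not the change under review: a local pre-flight check for two conditions visible in the report above, namely whether the account running kinit can read the keytab, and whether the principal passed to kinit is one the keytab actually holds. The sample input is copied from the report; the non-root agent account name "ambari-agent" and the function names are assumptions made for illustration.

```python
import re

# Sample input copied from the report above (ls -l and klist -ket output).
LS_LINE = "-rw-r-----. 1 ambari-qa hadoop 358 Jun 1 15:22 /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab"
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
1 06/01/15 15:22:01 ambari-qa_pfrlxjlh@EXAMPLE.COM (arcfour-hmac)
1 06/01/15 15:22:01 ambari-qa_pfrlxjlh@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
1 06/01/15 15:22:01 ambari-qa_pfrlxjlh@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
1 06/01/15 15:22:01 ambari-qa_pfrlxjlh@EXAMPLE.COM (des-cbc-md5)
1 06/01/15 15:22:01 ambari-qa_pfrlxjlh@EXAMPLE.COM (des3-cbc-sha1)
"""
ENTRY = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)\s+\((\S+)\)\s*$")

def keytab_principals(klist_text):
    """Map each principal in `klist -ket` output to its list of enctypes."""
    found = {}
    for line in klist_text.splitlines():
        m = ENTRY.match(line)
        if m:
            found.setdefault(m.group(1), []).append(m.group(2))
    return found

def parse_ls(line):
    """Return (mode, owner, group) from one `ls -l` line; a trailing '.' or '+' is ignored."""
    perms, _links, owner, group = line.split()[:4]
    mode = sum(1 << (8 - i) for i, c in enumerate(perms[1:10]) if c != "-")
    return mode, owner, group

def can_read(mode, owner, group, user, user_groups):
    """POSIX owner/group/other read check; root, ACLs and SELinux are not modeled."""
    if user == owner:
        return bool(mode & 0o400)
    if group in user_groups:
        return bool(mode & 0o040)
    return bool(mode & 0o004)

def preflight(ls_line, klist_text, principal, user, user_groups):
    """List local reasons a `kinit -kt <keytab> <principal>` run by `user` would fail."""
    findings = []
    mode, owner, group = parse_ls(ls_line)
    if not can_read(mode, owner, group, user, user_groups):
        findings.append("keytab-unreadable")
    if principal not in keytab_principals(klist_text):
        findings.append("principal-not-in-keytab")
    return findings

if __name__ == "__main__":
    # "ambari-agent" / ["ambari-agent"] is a hypothetical non-root agent account.
    print(preflight(LS_LINE, KLIST_OUTPUT, "ambari-qa_rghrcfxx@EXAMPLE.COM",
                    "ambari-agent", ["ambari-agent"]))
```

The "Client not found in Kerberos database" error is returned by the KDC, so it is outside what this local check can see.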