You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ambari.apache.org by "Emil Anca (JIRA)" <ji...@apache.org> on 2015/05/08 13:23:59 UTC

[jira] [Created] (AMBARI-11022) Kerberos: Keytab files are not distributed during add host if a retry is necessary during installation

Emil Anca created AMBARI-11022:
----------------------------------

             Summary: Kerberos: Keytab files are not distributed during add host if a retry is necessary during installation
                 Key: AMBARI-11022
                 URL: https://issues.apache.org/jira/browse/AMBARI-11022
             Project: Ambari
          Issue Type: Bug
          Components: ambari-server
    Affects Versions: 2.0.0
            Reporter: Emil Anca
            Assignee: Emil Anca
             Fix For: 2.1.0


When adding a new host to a cluster where Kerberos is enabled and the installation of the new components fails, upon retry the keytabs are not distributed to the host after successfully installing the components.  _Note:  the new identities were not created either_.

*Workaround*
To recover from this, the missing keytabs can be regenerated using the _Regenerate Keytabs_ feature with the _missing only_ option specified. The component can then be started successfully.

*Steps to reproduce*
# Create cluster (can be small, one node with only HDFS and Zookeeper)
# Enable Kerberos
# Add new host with only DataNode (no clients, only to make the failure happen quicker)
# While the relevant hadoop packages are being installed, kill the package manger (i.e., yum, zypper, etc...)
# The installation of the component will fail and the retry button will be available
# Click the retry button and allow the installation to complete
# Startup of the Datanode component will fail due to missing keytab
{code}
2015-03-21 01:43:47,911 FATAL datanode.DataNode (DataNode.java:secureMain(2385)) - Exception in secureMain
java.io.IOException: Login failure for dn/c6504.ambari.apache.org@EXAMPLE.COM from keytab /etc/security/keytabs/dn.service.keytab: javax.security.auth.login.LoginException: Unable to obtain password from user
{code}
_Note: Error indicates a keytab file was found but wrong password, this isn't the case since the keytab file was not on the host._




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)