Posted to user@ambari.apache.org by Fay Wang <fa...@yahoo.com> on 2016/05/02 20:07:49 UTC

question on Kerberos

Hi,
I need to switch to use the FreeIPA Kerberos server and made all necessary changes for keytabs and principals, but services cannot be started:

resource_management.core.exceptions.Fail: Execution of '/usr/bin/kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs@FOO.COM' returned 1. kinit: Keytab contains no suitable keys for hdfs@FOO.COM while getting initial credentials
Note that my realm is changed to "BAR.COM", and I also updated the Ambari Kerberos configuration for Realm name and KDC host name, which is verified in the Ambari UI Kerberos configuration. Not sure why Ambari still uses FOO.COM when doing the kinit.
Please note that I did not disable or enable Kerberos. I simply added principals to the IPA Kerberos server and retrieved keytabs from it by following the instructions below:

Manual Keytab / Principal creation for IPA to support Ambari Kerberos Wizard - Hortonworks <https://community.hortonworks.com/articles/811/manual-keytab-principal-creation-for-ipa-to-suppor.html>
Any help is highly appreciated!
-fay

Re: question on Kerberos

Posted by Robert Levas <rl...@hortonworks.com>.
Hi Fay…

It seems like if you were switching KDCs, your best bet would have been to disable Kerberos and then enable Kerberos using the new KDC.  In any case, I assume you have Ambari set up to integrate with a KDC using the “manual” option where you are responsible for creating the principals and then exporting and distributing the keytab files.

In any case, it looks like there are 2 places where the realm name needs to be changed.

  1.  In the kerberos-env config using the property name “realm” (aka, kerberos-env/realm)
  2.  In the kerberos descriptor, under the “properties” item for the property named “realm”.

Technically, the kerberos descriptor should refer to the kerberos-env property… but it seems to not always be the case.

The UI does not seem to allow the realm to be changed, so this needs to be done via the API.

So it appears that you may already have made the changes to the kerberos-env. For the Kerberos descriptor, you can take a look at https://cwiki.apache.org/confluence/display/AMBARI/Automated+Kerberizaton#AutomatedKerberizaton-GetthecustomizedKerberosDescriptor(ifpreviouslyset) on how to get the Kerberos Descriptor.  Then modify the property/realm value and replace it using information from https://cwiki.apache.org/confluence/display/AMBARI/Automated+Kerberizaton#AutomatedKerberizaton-SettheKerberosDescriptor.

Once you do that, you need to get Ambari to rebuild the configs. This can be done by telling it to regenerate the keytab files. However, since you are in “manual” mode, there is no button on the UI to do this.  So you need to issue the following REST API CALL:

PUT /api/v1/clusters/c1?regenerate_keytabs=all
{"Clusters": {"security_type" : "KERBEROS"}}

Using curl, it may look like:

curl -H "X-Requested-By:ambari" -u admin:admin -i -X PUT -d '{"Clusters": {"security_type" : "KERBEROS"}}' http://AMBARI_SERVER:8080/api/v1/clusters/CLUSTER_NAME?regenerate_keytabs=all

Once this has been issued, you need to take a look at the UI and wait for the background operations to complete.  Then stop and start the services to push the configs to the hosts.

Ideally this should solve your issue.

Rob
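One way to script the descriptor fix and keytab regeneration Rob describes, as an added example that is not from this thread or the Ambari project: it assumes the descriptor is served at /api/v1/clusters/CLUSTER/artifacts/kerberos_descriptor with the descriptor body under "artifact_data" (the wiki pages linked above cover this), uses a constructed sample descriptor, and adds a check for principals that hard-code the old realm, which a change to properties/realm would not reach.

```python
import json
import urllib.request
from base64 import b64encode

# Constructed sample (not a real descriptor) in the shape Ambari keeps under artifact_data.
SAMPLE_DESCRIPTOR = {
    "properties": {"realm": "FOO.COM"},
    "identities": [
        {"name": "hdfs", "principal": {"value": "${hadoop-env/hdfs_user}@${realm}"}},
        {"name": "spnego", "principal": {"value": "HTTP/_HOST@FOO.COM"}},  # hard-coded on purpose
    ],
}

def find_hardcoded_realm(node, realm, path="", found=None):
    # Principals written as a literal '@REALM' ignore properties/realm and would stay on the old KDC.
    found = [] if found is None else found
    if isinstance(node, dict):
        for key, value in node.items():
            find_hardcoded_realm(value, realm, f"{path}/{key}", found)
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            find_hardcoded_realm(value, realm, f"{path}[{idx}]", found)
    elif isinstance(node, str) and node.endswith("@" + realm):
        found.append((path, node))
    return found

def set_descriptor_realm(descriptor, new_realm):
    # Deep copy so the caller's object is untouched; this is Rob's place (2).
    updated = json.loads(json.dumps(descriptor))
    updated.setdefault("properties", {})["realm"] = new_realm
    return updated

def ambari_request(base_url, path, user, password, method="GET", body=None):
    # X-Requested-By is mandatory on Ambari writes, as in Rob's curl line.
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(base_url + path, data=data, method=method)
    req.add_header("X-Requested-By", "ambari")
    req.add_header("Authorization", "Basic " + b64encode(f"{user}:{password}".encode()).decode())
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}

def switch_realm(base_url, cluster, user, password, new_realm):
    # Assumed artifact endpoint: fetch, check, rewrite, store, then regenerate keytabs.
    art = f"/api/v1/clusters/{cluster}/artifacts/kerberos_descriptor"
    current = ambari_request(base_url, art, user, password)["artifact_data"]
    stale = find_hardcoded_realm(current, current["properties"]["realm"])
    if stale:
        raise ValueError(f"descriptor hard-codes the old realm, fix first: {stale}")
    ambari_request(base_url, art, user, password, "PUT",
                   {"artifact_data": set_descriptor_realm(current, new_realm)})
    return ambari_request(base_url, f"/api/v1/clusters/{cluster}?regenerate_keytabs=all",
                          user, password, "PUT", {"Clusters": {"security_type": "KERBEROS"}})
```

Run switch_realm("http://AMBARI_SERVER:8080", "CLUSTER_NAME", "admin", "admin", "BAR.COM") against a real server, then watch the background operations in the UI and restart services as Rob says; the kerberos-env/realm property still has to be updated separately.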
