Emil Anca created AMBARI-11022:
----------------------------------
Summary: Kerberos: Keytab files are not distributed during add
host if a retry is necessary during installation
Key: AMBARI-11022
URL: https://issues.apache.org/jira/browse/AMBARI-11022
Project: Ambari
Issue Type: Bug
Components: ambari-server
Affects Versions: 2.0.0
Reporter: Emil Anca
Assignee: Emil Anca
Fix For: 2.1.0
When adding a new host to a cluster where Kerberos is enabled and the
installation of the new components fails, upon retry the keytabs are not
distributed to the host after successfully installing the components. _Note:
the new identities were not created either_.
*Workaround*
To recover from this, the missing keytabs can be regenerated using the
_Regenerate Keytabs_ feature with the _missing only_ option specified. The
component can then be started successfully.
*Steps to reproduce*
# Create cluster (can be small, one node with only HDFS and Zookeeper)
# Enable Kerberos
# Add new host with only DataNode (no clients, only to make the failure happen
quicker)
# While the relevant hadoop packages are being installed, kill the package
manger (i.e., yum, zypper, etc...)
# The installation of the component will fail and the retry button will be
available
# Click the retry button and allow the installation to complete
# Startup of the Datanode component will fail due to missing keytab
{code}
2015-03-21 01:43:47,911 FATAL datanode.DataNode
(DataNode.java:secureMain(2385)) - Exception in secureMain
java.io.IOException: Login failure for dn/[email protected]
from keytab /etc/security/keytabs/dn.service.keytab:
javax.security.auth.login.LoginException: Unable to obtain password from user
{code}
_Note: Error indicates a keytab file was found but wrong password, this isn't
the case since the keytab file was not on the host._
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
