[
https://issues.apache.org/jira/browse/AMBARI-11524?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14564939#comment-14564939
]
Emil Anca commented on AMBARI-11524:
------------------------------------
Yeah, I just noticed the 500 Error on the review link.
Very weird as it was working earlier today.
> Kerberos: using realm name with mixed case, /etc/krb5.conf's default realm
> was forced to uppercase
> --------------------------------------------------------------------------------------------------
>
> Key: AMBARI-11524
> URL: https://issues.apache.org/jira/browse/AMBARI-11524
> Project: Ambari
> Issue Type: Bug
> Components: ambari-server
> Affects Versions: 2.0.0
> Reporter: Emil Anca
> Assignee: Emil Anca
> Priority: Critical
> Fix For: 2.1.0
>
> Attachments: AMBARI-11524_01.patch
>
>
> I've set up a KDC with the default realm and realm as CUSTOM.com in
> /etc/krb5.conf, created the kdc database, created admin principal
> admin/[email protected], made sure I can run kadmin (and not just
> kadmin.local) and create new principals using the admin principal by editing
> /var/kerberos/krb5kdc/kadm5.acl and restarting the kdc/kadmin services.
> Also, with this setup, I verified that I can run "kinit" without the
> explicit realm name of CUSTOM.com, as it is the default realm (e.g., "kinit
> testuser" kinits as [email protected]).
> I ran the Kerberos Wizard and faced some issues, because
> the default krb5 template forces uppercase for the default_realm in
> /etc/krb5.conf. Also, it looks like it forces uppercasing on domain entries
> in case these are specified, though I did not test the latter:
> {code}
> [libdefaults]
> renew_lifetime = 7d
> forwardable = true
> default_realm = {{realm|upper()}} <-- FORCES UPPERCASE
> ticket_lifetime = 24h
> dns_lookup_realm = false
> dns_lookup_kdc = false
> #default_tgs_enctypes = {{encryption_types}}
> #default_tkt_enctypes = {{encryption_types}}
> {% if domains %}
> [domain_realm]
> {% for domain in domains.split(',') %}
> {{domain}} = {{realm|upper()}} <-- FORCES UPPERCASE
> {% endfor %}
> {% endif %}
> [logging]
> default = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> kdc = FILE:/var/log/krb5kdc.log
> [realms]
> {{realm}} = { <-- UPPERCASE NOT FORCED (AS DESIRED)
> admin_server = {{admin_server_host|default(kdc_host, True)}}
> kdc = {{kdc_host}}
> }
> {# Append additional realm declarations below #}
> {code}
> I observed two issues.
> 1. My /etc/krb5.conf entry *default_realm = CUSTOM.com* was overwritten by
> Ambari as *default_realm = CUSTOM.COM*. So after the wizard ran, the
> default realm is set to a non-existent realm. So kerberos commands now
> require an explicit @CUSTOM.com for kinit, etc. This is an undesired and
> unexpected side effect.
> My /etc/krb5.conf looked like the following after being modified via Ambari:
> {code}
> [libdefaults]
> renew_lifetime = 7d
> forwardable = true
> default_realm = CUSTOM.COM <-- FORCED TO UPPERCASE. CUSTOM.COM DOES NOT EXIST
> ticket_lifetime = 24h
> dns_lookup_realm = false
> dns_lookup_kdc = false
> #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
> #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
> [logging]
> default = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> kdc = FILE:/var/log/krb5kdc.log
> [realms]
> CUSTOM.com = { <-- WAS NOT FORCED TO UPPERCASE (GOOD)
> admin_server = y2-1.c.pramod-thangali.internal
> kdc = y2-1.c.pramod-thangali.internal
> }
> {code}
> 2. Because of the above, for the admin principal name in the UI, you have to
> type "admin/[email protected]" whereas if you had all uppercase realm, like
> CUSTOM.COM, then you can just type "admin/admin".
> It seems like we should not be forcing uppercase on the default realm in the
> template. If upper() is removed from the template, this problem does not
> occur, and it works the same way as in the case where the realm name was all
> uppercase.
> 3. I just used the admin/[email protected] for the admin principal (note the
> explicit realm name) and was able to pass Test Kerberos step with CUSTOM.com
> realm. However, in the Start and Test Services part of the Wizard, it failed
> at Check ZooKeeper.
> I'm not sure if this is because of the mixed case or the default realm being
> wrong. I was running a kerberization test in parallel with the same
> Ambari/HDP build, and I did not hit any issues (I just used the default
> EXAMPLE.COM for the one that succeeded).
> Succeeded cluster with EXAMPLE.COM:
> y1-1.c.pramod-thangali.internal 104.196.80.112 10.240.164.253 4h <- Ambari server
> y1-2.c.pramod-thangali.internal 104.196.89.113 10.240.143.145 4h
> y1-3.c.pramod-thangali.internal 104.196.83.169 10.240.232.100 4h
> Failed cluster with CUSTOM.com:
> y2-1.c.pramod-thangali.internal 104.196.91.17 10.240.33.220 4h <- Ambari server
> y2-2.c.pramod-thangali.internal 104.196.90.52 10.240.67.205 4h
> y2-3.c.pramod-thangali.internal 104.196.82.69 10.240.90.190 4h
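An added example, not part of the issue or of the Ambari code base: a small Python check that parses a krb5.conf and reports realm references (`default_realm` and `[domain_realm]` values) that match a `[realms]` entry only when letter case is ignored, which is the state the issue describes after the wizard ran. The sample file, its host name and `[domain_realm]` entry, and the function names are constructed for illustration.

```python
import re
# Constructed sample modelled on the post-wizard file quoted in the issue;
# the host name and the [domain_realm] entry are made up for illustration.
SAMPLE = """\
[libdefaults]
  default_realm = CUSTOM.COM
[domain_realm]
  .custom.example = CUSTOM.COM
[realms]
  CUSTOM.com = {
    kdc = kdc1.custom.example
  }
"""

ASSIGN = re.compile(r"^(\S+)\s*=\s*(.*)$")

def parse_krb5(text):
    """Return (references, realms): realm names used vs. realms defined."""
    section, depth, references, realms = None, 0, [], set()
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif line.startswith("}"):
            depth -= 1
        elif (m := ASSIGN.match(line)):
            key, value = m.groups()
            if value == "{":
                if section == "realms" and depth == 0:
                    realms.add(key)  # realm names are case-sensitive
                depth += 1
            elif section == "libdefaults" and key == "default_realm":
                references.append(("default_realm", value))
            elif section == "domain_realm":
                references.append(("domain_realm " + key, value))
    return references, realms

def case_mismatches(text):
    """References that match a defined realm only when letter case is ignored."""
    references, realms = parse_krb5(text)
    folded = {name.upper(): name for name in realms}
    return [(where, used, folded[used.upper()])
            for where, used in references
            if used not in realms and used.upper() in folded]

if __name__ == "__main__":
    for where, used, defined in case_mismatches(SAMPLE):
        print(f"{where}: uses {used!r}, but [realms] defines {defined!r}")
```

Run against a rendered /etc/krb5.conf after templating, an empty result means every realm reference resolves to a `[realms]` entry with identical case.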