Andrew Onischuk created AMBARI-11647:
----------------------------------------
Summary: Non-root Agent: Kerberos Wizard - Check Kerberos fails during Test Kerberos Client
Key: AMBARI-11647
URL: https://issues.apache.org/jira/browse/AMBARI-11647
Project: Ambari
Issue Type: Bug
Reporter: Andrew Onischuk
Assignee: Andrew Onischuk
Fix For: 2.1.0
When enabling Kerberos on a non-root Ambari 2.0.0-151 setup, the Check
Kerberos step fails during the Test Kerberos Client task.
The problem in the task's stderr is:
Fail: Execution of '/usr/bin/kinit -c /var/lib/ambari-agent/data/tmp/kerberos_service_check_cc_30399f1839f2d5ac0ada0c280b95657e -kt /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab [email protected]' returned 1. kinit: Permission denied while getting initial credentials
When capturing that keytab with 'cp -a' and trying to use it, I fail to
authenticate:
[root@revo4 ~]# ls -l /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab
-rw-r-----. 1 ambari-qa hadoop 358 Jun 1 15:22 /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab
[root@revo4 ~]# klist -ket /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab
Keytab name: FILE:/etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 06/01/15 15:22:01 [email protected] (arcfour-hmac)
   1 06/01/15 15:22:01 [email protected] (aes256-cts-hmac-sha1-96)
   1 06/01/15 15:22:01 [email protected] (aes128-cts-hmac-sha1-96)
   1 06/01/15 15:22:01 [email protected] (des-cbc-md5)
   1 06/01/15 15:22:01 [email protected] (des3-cbc-sha1)
[root@revo4 ~]# kinit -kt /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab [email protected]
kinit: Client not found in Kerberos database while getting initial credentials
I validated that this kinit call is not run through sudo as there are no
entries in /var/log/secure denying the action, and there are no instances in
which ambari-sudo.sh is being called in regards to this command that I could
find.
So, I need help in identifying why this is happening during the Check Kerberos
step, and why the captured keytab isn't usable.