-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/34998/#review86402
-----------------------------------------------------------

Ship it!


Ship It!

- Robert Levas


On June 3, 2015, 8:29 a.m., Andrew Onischuk wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/34998/
> -----------------------------------------------------------
>
> (Updated June 3, 2015, 8:29 a.m.)
>
>
> Review request for Ambari and Robert Levas.
>
>
> Bugs: AMBARI-11647
>     https://issues.apache.org/jira/browse/AMBARI-11647
>
>
> Repository: ambari
>
>
> Description
> -------
>
> When enabling Kerberos on a non-root Ambari 2.0.0-151 setup, the Check
> Kerberos step fails during the Test Kerberos Client task.
>
> The problem in the task's stderr is:
>
> Fail: Execution of '/usr/bin/kinit -c
> /var/lib/ambari-agent/data/tmp/kerberos_service_check_cc_30399f1839f2d5ac0ada0c280b95657e
> -kt /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab
> [email protected]' returned 1. kinit: Permission denied while
> getting initial credentials
>
>
> When capturing that keytab with 'cp -a' and trying to use it, I fail to
> authenticate:
>
>
> [root@revo4 ~]# ls -l /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab
> -rw-r-----. 1 ambari-qa hadoop 358 Jun 1 15:22 /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab
> [root@revo4 ~]# klist -ket /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab
> Keytab name: FILE:/etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    1 06/01/15 15:22:01 [email protected] (arcfour-hmac)
>    1 06/01/15 15:22:01 [email protected] (aes256-cts-hmac-sha1-96)
>    1 06/01/15 15:22:01 [email protected] (aes128-cts-hmac-sha1-96)
>    1 06/01/15 15:22:01 [email protected] (des-cbc-md5)
>    1 06/01/15 15:22:01 [email protected] (des3-cbc-sha1)
> [root@revo4 ~]# kinit -kt /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab [email protected]
> kinit: Client not found in Kerberos database while getting initial credentials
>
> I validated that this kinit call is not run through sudo as there are no
> entries in /var/log/secure denying the action, and there are no instances in
> which ambari-sudo.sh is being called in regards to this command that I could
> find.
>
> So, I need help in identifying why this is happening during the Check
> Kerberos step, and why the captured keytab isn't usable.
>
>
> Diffs
> -----
>
>   ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/service_check.py 412d12d
>
> Diff: https://reviews.apache.org/r/34998/diff/
>
>
> Testing
> -------
>
> 1. Install cluster with ambari-agent
> 2. Kerberize it
>
> also mvn clean test
>
>
> Thanks,
>
> Andrew Onischuk
>
