[
https://issues.apache.org/jira/browse/AMBARI-11647?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14570947#comment-14570947
]
Hudson commented on AMBARI-11647:
---------------------------------
SUCCESS: Integrated in Ambari-trunk-Commit #2797 (See
[https://builds.apache.org/job/Ambari-trunk-Commit/2797/])
AMBARI-11647. Non-root Agent: Kerberos Wizard - Check Kerberos fails during
Test Kerberos Client (aonishuk) (aonishuk:
http://git-wip-us.apache.org/repos/asf?p=ambari.git&a=commit&h=819b67bb3b264fb6d727918eb0a271b60e10ed69)
*
ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/service_check.py
> Non-root Agent: Kerberos Wizard - Check Kerberos fails during Test Kerberos
> Client
> ----------------------------------------------------------------------------------
>
> Key: AMBARI-11647
> URL: https://issues.apache.org/jira/browse/AMBARI-11647
> Project: Ambari
> Issue Type: Bug
> Reporter: Andrew Onischuk
> Assignee: Andrew Onischuk
> Fix For: 2.1.0
>
>
> When enabling Kerberos on a non-root Ambari 2.0.0-151 setup, the Check
> Kerberos step fails during the Test Kerberos Client task.
> The problem in the tasks stderr is:
>
>
> Fail: Execution of '/usr/bin/kinit -c
> /var/lib/ambari-agent/data/tmp/kerberos_service_check_cc_30399f1839f2d5ac0ada0c280b95657e
> -kt /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab
> [email protected]' returned 1. kinit: Permission denied while
> getting initial credentials
>
> When capturing that keytab with 'cp -a' and trying to use it, I fail to
> authenticate:
>
>
> [root@revo4 ~]# ls -l
> /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab
> -rw-r-----. 1 ambari-qa hadoop 358 Jun 1 15:22
> /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab
> [root@revo4 ~]# klist -ket
> /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab
> Keytab name:
> FILE:/etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab
> KVNO Timestamp Principal
> ---- -----------------
> --------------------------------------------------------
> 1 06/01/15 15:22:01 [email protected] (arcfour-hmac)
> 1 06/01/15 15:22:01 [email protected]
> (aes256-cts-hmac-sha1-96)
> 1 06/01/15 15:22:01 [email protected]
> (aes128-cts-hmac-sha1-96)
> 1 06/01/15 15:22:01 [email protected] (des-cbc-md5)
> 1 06/01/15 15:22:01 [email protected] (des3-cbc-sha1)
> [root@revo4 ~]# kinit -kt
> /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab
> [email protected]
> kinit: Client not found in Kerberos database while getting initial
> credentials
>
> I validated that this kinit call is not run through sudo as there are no
> entries in /var/log/secure denying the action, and there are no instances in
> which ambari-sudo.sh is being called in regards to this command that I could
> find.
> So, I need help in identifying why this is happening during the Check Kerberos
> step, and why the captured keytab isn't usable.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
