On Mon, 15 Jul 2019, Deepak Subhramanian via FreeIPA-users wrote:
Hi Rob,
Thanks for the quick follow up.
I am getting this error in Ambari (the management tool for the Hadoop
cluster) when it tries to generate the keytabs for all the principals it
creates for the services on each node. This is actually invoked by some
Java code in Ambari. I tried to simulate the error using the ipa-getkeytab
command. It is basically running the ipa-getkeytab command
https://github.com/apache/ambari/blob/c17ecd1b2d5e41e66533266c9f4d5880ef5...
String[] createKeytabFileCommand = (StringUtils.isEmpty(encryptionTypeSpec))
    ? new String[]{executableIpaGetKeytab, "-s", getAdminServerHost(true), "-p",
                   principal, "-k", keytabFileDestinationPath}
2019-07-15 04:27:00,428 INFO [pool-34-thread-1] CreatePrincipalsServerAction:224 - Processing principal, ambari-qa-hdp31ipa37bp@MIA.CLOUD.NET
2019-07-15 04:27:02,010 WARN [pool-34-thread-1] IPAKerberosOperationHandler:289 - Failed to export the keytab file for ambari-qa-hdp31ipa37bp@MIA.CLOUD.NET:
ExitCode: 9
STDOUT:
STDERR: SASL Bind failed Can't contact LDAP server (-1) !
Failed to bind to server!
Retrying with pre-4.0 keytab retrieval method...
SASL Bind failed Can't contact LDAP server (-1) !
If it couldn't contact the LDAP server, you need to look at what is
happening there in the directory server logs.

SASL Bind Failed might also happen because there was no actual
credentials cache with an active ticket for the user whose identity is
used to retrieve the keys.
I tried to simulate the error using the ipa-getkeytab command, but I am
getting a different error related to access rights, even though it works
when it retries with the pre-4.0 keytab method. I am trying to recreate
the SASL Bind error from the command line and see what is causing the
issue.
root@hdp31ipa37bp-hdp-management:/var/log/ambari-server# kinit hadoopadmin
Password for hadoopadmin@MIA.CLOUD.NET:
root@hdp31ipa37bp-hdp-management:/var/log/ambari-server# ipa-getkeytab -s dev8-ipa-server.mia.cloud.net -p test@MIA.CLOUD.NET -k /tmp/ipa.keytab
Failed to parse result: Insufficient access rights
Retrying with pre-4.0 keytab retrieval method...
Keytab successfully retrieved and stored in: /tmp/ipa.keytab

I see it is creating ldap/dev8-ipa-server.mia.cloud.net@ .

root@hdp31ipa37bp-hdp-management:/var/log/ambari-server# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hadoopadmin@MIA.CLOUD.NET

Valid starting       Expires              Service principal
07/15/2019 22:23:51  07/16/2019 22:23:46  krbtgt/MIA.CLOUD.NET@MIA.CLOUD.NET
	renew until 07/22/2019 22:23:46
07/15/2019 22:23:53  07/16/2019 22:23:46  ldap/dev8-ipa-server.mia.cloud.net@
	renew until 07/22/2019 22:23:46
07/15/2019 22:23:53  07/16/2019 22:23:46  ldap/dev8-ipa-server.mia.cloud.net@MIA.CLOUD.NET
	renew until 07/22/2019 22:23:46
On Mon, Jul 15, 2019 at 1:22 PM Rob Crittenden <rcritten@redhat.com> wrote:
> Deepak Subhramanian via FreeIPA-users wrote:
> > I am getting this error when keytabs are generated for my Hadoop
> > Cluster. I am getting an access error when I create keytabs with IPA
> > commands -
> >
> > User has these permissions
> >
> > ipa role-add hadoopadminrole
> > ipa role-add-privilege hadoopadminrole --privileges="User Administrators"
> > ipa role-add-privilege hadoopadminrole --privileges="Service Administrators"
> >
> > root@hdp31ipa37bp-hdp-worker:/home/ubuntu# ipa-getkeytab -s dev8-ipa-server.mia.cloud.net -p test@MIA.CLOUD.NET -k /tmp/ipa.keytab
> >
> > Failed to parse result: Insufficient access rights
> >
> > 2019-07-15 04:39:33,221 - Failed to create keytab file for
> > kafka/hdp31ipa37bp-hdp-masternode-03.mia.cloud.net@MIA.CLOUD.NET -
> > Failed to export the keytab file for
> > kafka/hdp31ipa37bp-hdp-masternode-03.mia.cloud.net@MIA.CLOUD.NET:
> > ExitCode: 9
> > STDOUT:
> > STDERR: SASL Bind failed Can't contact LDAP server (-1) !
> > Failed to bind to server!
> > Retrying with pre-4.0 keytab retrieval method...
> > SASL Bind failed Can't contact LDAP server (-1) !
> > Failed to bind to server!
> > Failed to get keytab
> >
> > root@hdp31ipa37bp-hdp-worker:/home/ubuntu# ipa user-add test
> > First name: Test
> > Last name: Test
> > -----------------
> > Added user "test"
> > -----------------
> >   User login: test
> >   First name: Test
> >   Last name: Test
> >   Full name: Test Test
> >   Display name: Test Test
> >   Initials: TT
> >   Home directory: /home/test
> >   GECOS: Test Test
> >   Login shell: /bin/sh
> >   Kerberos principal: test@MIA.CLOUD.NET
> >   Email address: test@mia.cloud.net
> >   UID: 1818200036
> >   GID: 1818200036
> >   Password: False
> >   Member of groups: ipausers
> >   Kerberos keys available: False
> >
> > root@hdp31ipa37bp-hdp-worker:/home/ubuntu# ipa-getkeytab -s dev8-ipa-server.mia.cloud.net -p test@MIA.CLOUD.NET -k /tmp/ipa.keytab
> > Failed to parse result: Insufficient access rights
> > Retrying with pre-4.0 keytab retrieval method...
> > Keytab successfully retrieved and stored in: /tmp/ipa.keytab
>
> This output is very confusing. It begins with getting a keytab for a
> user which doesn't exist? Then an error message for getting a service
> keytab for the service kafka but no ipa-getkeytab is shown, then
> creating the user and fetching the keytab succeeds.
>
> Can you clarify what you are doing?
>
> rob
>
--
Deepak Subhramanian
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
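A pre-flight wrapper for the ipa-getkeytab call Ambari makes, written as an added example for this thread (it is not Ambari's or FreeIPA's code): it resolves the credential cache the way libkrb5 does, refuses to run when that cache holds no live ticket, and classifies the tool's output using the messages quoted above. Assumed: klist and ipa-getkeytab are on PATH, and the classification rules are my own heuristics.

```python
"""Pre-flight wrapper for ipa-getkeytab (added example, not Ambari's or FreeIPA's
code). It mirrors the argument list Ambari builds, resolves the credential cache
the way libkrb5 does, and classifies the tool's output using the messages from
this thread. Assumed: klist and ipa-getkeytab on PATH; classification is heuristic."""
import os
import subprocess

def build_command(server, principal, keytab_path, exe="ipa-getkeytab"):
    """Same argument order as Ambari's createKeytabFileCommand (no -e case)."""
    return [exe, "-s", server, "-p", principal, "-k", keytab_path]

def resolve_ccache(env, uid):
    """KRB5CCNAME wins; otherwise the per-uid file cache (FILE:/tmp/krb5cc_<uid>),
    which is why a kinit done as root is invisible to a service running as another user."""
    return env.get("KRB5CCNAME") or f"FILE:/tmp/krb5cc_{uid}"

def classify_output(exit_code, output):
    """Map ipa-getkeytab stdout+stderr to a likely cause (rules are my assumption)."""
    if exit_code == 0:
        # The 4.0-style retrieval failed (in this thread: Insufficient access
        # rights) but the legacy path succeeded, so the keytab was written.
        return "ok-via-pre-4.0-fallback" if "Retrying with pre-4.0" in output else "ok"
    if "Can't contact LDAP server" in output:
        # Either LDAP really is unreachable or the ccache held no live ticket.
        return "sasl-bind-failed"
    if "Insufficient access rights" in output:
        return "insufficient-access"
    return f"failed-exit-{exit_code}"

def has_active_ticket(ccache):
    """klist -s prints nothing and exits 0 only if the cache holds a non-expired TGT."""
    env = dict(os.environ, KRB5CCNAME=ccache)
    return subprocess.run(["klist", "-s"], env=env).returncode == 0

def fetch_keytab(server, principal, keytab_path, ccache=None):
    """Check the cache first so an empty ccache is reported as such rather than
    as a misleading 'Can't contact LDAP server'."""
    ccache = ccache or resolve_ccache(os.environ, os.getuid())
    if not has_active_ticket(ccache):
        return f"no-active-ticket-in-{ccache}"
    env = dict(os.environ, KRB5CCNAME=ccache)
    proc = subprocess.run(build_command(server, principal, keytab_path),
                          capture_output=True, text=True, env=env)
    return classify_output(proc.returncode, proc.stdout + proc.stderr)

if __name__ == "__main__":
    # Server and principal are the ones from the thread; run on an enrolled client.
    print(fetch_keytab("dev8-ipa-server.mia.cloud.net",
                       "test@MIA.CLOUD.NET", "/tmp/ipa.keytab"))
```

Run it as the same Unix user Ambari's worker runs as; the ccache it reports is the one that user's kinit would have to fill.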