[Freeipa-users] Re: SASL Bind failed Can't contact LDAP server

Hi Rob, Thanks for the quick follow up. I am getting this error in Ambari - Management tool for Hadoop cluster when it tries to generate the key tabs for all the principals it create for the services in each node. This is actually invoked by some java code in Ambari. I tried to simulate the error using ipa getkeytab command. It is basically running ipagetkeytab command https://github.com/apache/ambari/blob/c17ecd1b2d5e41e66533266c9f4d5880ef5... String[] createKeytabFileCommand = (StringUtils.isEmpty(encryptionTypeSpec)) ? new String[]{executableIpaGetKeytab, "-s", getAdminServerHost(true), "-p", principal, "-k", keytabFileDestinationPath} 2019-07-15 04:27:00,428 INFO [pool-34-thread-1] CreatePrincipalsServerAction:224 - Processing principal, ambari-qa-hdp31ipa37bp(a)MIA.CLOUD.NET 2019-07-15 04:27:02,010 WARN [pool-34-thread-1] IPAKerberosOperationHandler:289 - Failed to export the keytab file for ambari-qa-hdp31ipa37bp(a)MIA.CLOUD.NET: ExitCode: 9 STDOUT: STDERR: SASL Bind failed Can't contact LDAP server (-1) ! Failed to bind to server! Retrying with pre-4.0 keytab retrieval method... SASL Bind failed Can't contact LDAP server (-1) !

I tried to simulate the error using ipagetkeytab command . But getting a different error related to access rights even though it works when it retry with pre-4.0 key tab method. I am trying to recreate the SASL Bind error from command line and see what is causing the issue. root@hdp31ipa37bp-hdp-management:/var/log/ambari-server# kinit hadoopadmin Password for hadoopadmin(a)MIA.CLOUD.NET: root@hdp31ipa37bp-hdp-management:/var/log/ambari-server# ipa-getkeytab -s dev8-ipa-server.mia.cloud.net -p test(a)MIA.CLOUD.NET -k /tmp/ipa.keytab Failed to parse result: Insufficient access rights Retrying with pre-4.0 keytab retrieval method... Keytab successfully retrieved and stored in: /tmp/ipa.keytab I see it is creating ldap/dev8-ipa-server.mia.cloud.net@ . root@hdp31ipa37bp-hdp-management:/var/log/ambari-server# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: hadoopadmin(a)MIA.CLOUD.NET Valid starting Expires Service principal 07/15/2019 22:23:51 07/16/2019 22:23:46 krbtgt/MIA.CLOUD.NET(a)MIA.CLOUD.NET renew until 07/22/2019 22:23:46 07/15/2019 22:23:53 07/16/2019 22:23:46 ldap/dev8-ipa-server.mia.cloud.net@ renew until 07/22/2019 22:23:46 07/15/2019 22:23:53 07/16/2019 22:23:46 ldap/ dev8-ipa-server.mia.cloud.net(a)MIA.CLOUD.NET renew until 07/22/2019 22:23:46 On Mon, Jul 15, 2019 at 1:22 PM Rob Crittenden <rcritten(a)redhat.com&gt; wrote: > Deepak Subhramanian via FreeIPA-users wrote: > > I am getting this error when key tabs are generated for my Hadoop > > Cluster. I am getting an access error when I create key tabs with IPA > > commands - > > > > User has these permissions > > > > ipa role-add hadoopadminrole > > ipa role-add-privilege hadoopadminrole --privileges="User > Administrators" > > ipa role-add-privilege hadoopadminrole --privileges="Service > Administrators" > > > > root@hdp31ipa37bp-hdp-worker:/home/ubuntu# ipa-getkeytab -s > > dev8-ipa-server.mia.cloud.net <http://dev8-ipa-server.mia.cloud.net> -p > > test(a)MIA.CLOUD.NET <mailto:test@MIA.CLOUD.NET> -k /tmp/ipa.keytab > > > > Failed to parse result: Insufficient access rights > > > > > > > > 2019-07-15 04:39:33,221 - Failed to create keytab file for > > kafka/hdp31ipa37bp-hdp-masternode-03.mia.cloud.net(a)MIA.CLOUD.NET > > <mailto:hdp31ipa37bp-hdp-masternode-03.mia.cloud.net@MIA.CLOUD.NET> - > > Failed to export the keytab file for > > kafka/hdp31ipa37bp-hdp-masternode-03.mia.cloud.net(a)MIA.CLOUD.NET > > <mailto:hdp31ipa37bp-hdp-masternode-03.mia.cloud.net@MIA.CLOUD.NET>: > > ExitCode: 9 > > STDOUT: > > STDERR: SASL Bind failed Can't contact LDAP server (-1) ! > > Failed to bind to server! > > Retrying with pre-4.0 keytab retrieval method... > > SASL Bind failed Can't contact LDAP server (-1) ! > > Failed to bind to server! > > Failed to get keytab > > > > root@hdp31ipa37bp-hdp-worker:/home/ubuntu# ipa user-add test > > > > First name: Test > > > > Last name: Test > > > > ----------------- > > > > Added user "test" > > > > ----------------- > > > > User login: test > > > > First name: Test > > > > Last name: Test > > > > Full name: Test Test > > > > Display name: Test Test > > > > Initials: TT > > > > Home directory: /home/test > > > > GECOS: Test Test > > > > Login shell: /bin/sh > > > > Kerberos principal: test(a)MIA.CLOUD.NET <mailto:test@MIA.CLOUD.NET> > > > > Email address: test(a)mia.cloud.net <mailto:test@mia.cloud.net> > > > > UID: 1818200036 > > > > GID: 1818200036 > > > > Password: False > > > > Member of groups: ipausers > > > > Kerberos keys available: False > > > > root@hdp31ipa37bp-hdp-worker:/home/ubuntu# ipa-getkeytab -s > > dev8-ipa-server.mia.cloud.net <http://dev8-ipa-server.mia.cloud.net> -p > > test(a)MIA.CLOUD.NET <mailto:test@MIA.CLOUD.NET> -k /tmp/ipa.keytab > > > > Failed to parse result: Insufficient access rights > > > > > > Retrying with pre-4.0 keytab retrieval method... > > > > Keytab successfully retrieved and stored in: /tmp/ipa.keytab > > This output is very confusing. It begins with getting a keytab for a > user which doesn't exist? Then an error message for getting a service > keytab for the service kafka but no ipa-getkeytab is shown, then > creating the user and fetching the keytab succeeds. > > Can you clarify what you are doing? > > rob > -- Deepak Subhramanian

_______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...