Hi Rob,
Thanks for the quick follow up.
I am getting this error in Ambari (the management tool for the Hadoop cluster) when
it tries to generate the keytabs for all the principals it creates for the
services on each node. This is actually invoked by some Java code in
Ambari. I tried to simulate the error using the ipa-getkeytab command. It is
basically running the ipa-getkeytab command:
https://github.com/apache/ambari/blob/c17ecd1b2d5e41e66533266c9f4d5880ef5...
String[] createKeytabFileCommand = (StringUtils.isEmpty(encryptionTypeSpec))
    ? new String[]{executableIpaGetKeytab, "-s", getAdminServerHost(true), "-p",
                   principal, "-k", keytabFileDestinationPath}
2019-07-15 04:27:00,428 INFO [pool-34-thread-1] CreatePrincipalsServerAction:224 - Processing principal, ambari-qa-hdp31ipa37bp(a)MIA.CLOUD.NET
2019-07-15 04:27:02,010 WARN [pool-34-thread-1] IPAKerberosOperationHandler:289 - Failed to export the keytab file for ambari-qa-hdp31ipa37bp(a)MIA.CLOUD.NET:
ExitCode: 9
STDOUT:
STDERR: SASL Bind failed Can't contact LDAP server (-1) !
Failed to bind to server!
Retrying with pre-4.0 keytab retrieval method...
SASL Bind failed Can't contact LDAP server (-1) !
Failed to bind to server!
Failed to get keytab
2019-07-15 04:27:02,010 ERROR [pool-34-thread-1] CreateKeytabFilesServerAction:373 - Failed to create keytab file for ambari-qa-hdp31ipa37bp(a)MIA.CLOUD.NET - Failed to export the keytab file for ambari-qa-hdp31ipa37bp(a)MIA.CLOUD.NET:
ExitCode: 9
STDOUT:
STDERR: SASL Bind failed Can't contact LDAP server (-1) !
Failed to bind to server!
Retrying with pre-4.0 keytab retrieval method...
SASL Bind failed Can't contact LDAP server (-1) !
Failed to bind to server!
Failed to get keytab
I tried to simulate the error using the ipa-getkeytab command, but I am getting a
different error related to access rights, even though it works when it retries
with the pre-4.0 keytab method. I am trying to recreate the SASL Bind error
from the command line and see what is causing the issue.
root@hdp31ipa37bp-hdp-management:/var/log/ambari-server# kinit hadoopadmin
Password for hadoopadmin(a)MIA.CLOUD.NET:
root@hdp31ipa37bp-hdp-management:/var/log/ambari-server# ipa-getkeytab -s dev8-ipa-server.mia.cloud.net -p test(a)MIA.CLOUD.NET -k /tmp/ipa.keytab
Failed to parse result: Insufficient access rights
Retrying with pre-4.0 keytab retrieval method...
Keytab successfully retrieved and stored in: /tmp/ipa.keytab
I see it is creating ldap/dev8-ipa-server.mia.cloud.net@ .
root@hdp31ipa37bp-hdp-management:/var/log/ambari-server# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hadoopadmin(a)MIA.CLOUD.NET
Valid starting       Expires              Service principal
07/15/2019 22:23:51  07/16/2019 22:23:46  krbtgt/MIA.CLOUD.NET(a)MIA.CLOUD.NET
        renew until 07/22/2019 22:23:46
07/15/2019 22:23:53  07/16/2019 22:23:46  ldap/dev8-ipa-server.mia.cloud.net@
        renew until 07/22/2019 22:23:46
07/15/2019 22:23:53  07/16/2019 22:23:46  ldap/dev8-ipa-server.mia.cloud.net(a)MIA.CLOUD.NET
        renew until 07/22/2019 22:23:46
On Mon, Jul 15, 2019 at 1:22 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
Deepak Subhramanian via FreeIPA-users wrote:
> I am getting this error when keytabs are generated for my Hadoop
> cluster. I am getting an access error when I create keytabs with IPA
> commands -
>
> User has these permissions
>
> ipa role-add hadoopadminrole
> ipa role-add-privilege hadoopadminrole --privileges="User Administrators"
> ipa role-add-privilege hadoopadminrole --privileges="Service Administrators"
>
> root@hdp31ipa37bp-hdp-worker:/home/ubuntu# ipa-getkeytab -s dev8-ipa-server.mia.cloud.net -p test(a)MIA.CLOUD.NET -k /tmp/ipa.keytab
>
> Failed to parse result: Insufficient access rights
>
> 2019-07-15 04:39:33,221 - Failed to create keytab file for
> kafka/hdp31ipa37bp-hdp-masternode-03.mia.cloud.net(a)MIA.CLOUD.NET -
> Failed to export the keytab file for
> kafka/hdp31ipa37bp-hdp-masternode-03.mia.cloud.net(a)MIA.CLOUD.NET:
> ExitCode: 9
> STDOUT:
> STDERR: SASL Bind failed Can't contact LDAP server (-1) !
> Failed to bind to server!
> Retrying with pre-4.0 keytab retrieval method...
> SASL Bind failed Can't contact LDAP server (-1) !
> Failed to bind to server!
> Failed to get keytab
>
> root@hdp31ipa37bp-hdp-worker:/home/ubuntu# ipa user-add test
> First name: Test
> Last name: Test
> -----------------
> Added user "test"
> -----------------
> User login: test
> First name: Test
> Last name: Test
> Full name: Test Test
> Display name: Test Test
> Initials: TT
> Home directory: /home/test
> GECOS: Test Test
> Login shell: /bin/sh
> Kerberos principal: test(a)MIA.CLOUD.NET
> Email address: test(a)mia.cloud.net
> UID: 1818200036
> GID: 1818200036
> Password: False
> Member of groups: ipausers
> Kerberos keys available: False
>
> root@hdp31ipa37bp-hdp-worker:/home/ubuntu# ipa-getkeytab -s dev8-ipa-server.mia.cloud.net -p test(a)MIA.CLOUD.NET -k /tmp/ipa.keytab
> Failed to parse result: Insufficient access rights
> Retrying with pre-4.0 keytab retrieval method...
> Keytab successfully retrieved and stored in: /tmp/ipa.keytab
This output is very confusing. It begins with getting a keytab for a
user which doesn't exist? Then an error message for getting a service
keytab for the service kafka but no ipa-getkeytab is shown, then
creating the user and fetching the keytab succeeds.
Can you clarify what you are doing?
rob
--
Deepak Subhramanian
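As an added example (not from this thread, Ambari or FreeIPA), a small Python triage script that separates the two ipa-getkeytab failure modes shown above, an LDAP bind that never happens ("Can't contact LDAP server (-1)") versus a bind that works but is refused the 4.0-style retrieval ("Insufficient access rights") before the legacy method succeeds, and runs it over the Ambari log record quoted in this message. SAMPLE_LOG is constructed from the quoted lines and the verdict names are my own.

```python
import re
# Messages ipa-getkeytab prints (quoted above) and the Ambari line introducing each run.
LDAP_DOWN = re.compile(r"Can't contact LDAP server \(-1\)")
NO_ACCESS = re.compile(r"Insufficient access rights")
SUCCESS = re.compile(r"Keytab successfully retrieved and stored in: (\S+)")
EXPORT_FAIL = re.compile(r"IPAKerberosOperationHandler:\d+ - Failed to export the keytab file for (\S+):")

def classify(output: str) -> dict:
    """Classify one ipa-getkeytab run from its captured stdout/stderr."""
    stored = SUCCESS.search(output)
    info = {"ldap_unreachable": bool(LDAP_DOWN.search(output)),
            "insufficient_access": bool(NO_ACCESS.search(output)),
            "keytab_path": stored.group(1) if stored else None}
    if info["ldap_unreachable"] and not info["keytab_path"]:
        # (-1) is LDAP_SERVER_DOWN: no bind ever happened, so check DNS, the
        # network path to the IPA LDAP port and the caller's TGT before ACLs.
        info["verdict"] = "ldap_connectivity"
    elif info["insufficient_access"] and info["keytab_path"]:
        # Bind worked; only the 4.0-style retrieval was refused and the legacy
        # method succeeded, so the bound identity's privileges are the issue.
        info["verdict"] = "legacy_fallback_ok"
    elif info["insufficient_access"]:
        info["verdict"] = "permission_denied"
    else:
        info["verdict"] = "ok" if info["keytab_path"] else "unknown"
    return info

def triage_ambari_log(text: str) -> dict:
    verdicts = {}
    # Every ambari-server.log record starts with a timestamp; split on those so the
    # handler's WARN record is classified and the ERROR repeat of it is ignored.
    for record in re.split(r"(?m)^(?=\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3} )", text):
        m = EXPORT_FAIL.search(record)
        if m:
            verdicts[m.group(1)] = classify(record)
    return verdicts

# Constructed sample: the Ambari record quoted in this thread, rejoined onto one
# line as ambari-server.log writes it, with "@" restored in the principal name.
SAMPLE_LOG = """\
2019-07-15 04:27:02,010 WARN [pool-34-thread-1] IPAKerberosOperationHandler:289 - Failed to export the keytab file for ambari-qa-hdp31ipa37bp@MIA.CLOUD.NET:
ExitCode: 9
STDOUT:
STDERR: SASL Bind failed Can't contact LDAP server (-1) !
Failed to bind to server!
Retrying with pre-4.0 keytab retrieval method...
SASL Bind failed Can't contact LDAP server (-1) !
Failed to bind to server!
Failed to get keytab
2019-07-15 04:27:02,010 ERROR [pool-34-thread-1] CreateKeytabFilesServerAction:373 - Failed to create keytab file for ambari-qa-hdp31ipa37bp@MIA.CLOUD.NET - (rest as above)
"""
```

Run it with `python3 -c 'import triage; print(triage.triage_ambari_log(open("/var/log/ambari-server/ambari-server.log").read()))'` (module name assumed) to get one verdict per principal the Kerberos wizard failed on.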