Sorry. It was a configuration issue. I had the ipaserver name in my Ansible configuration file and Ambari blueprint. My Ambari blueprint was pointing to an old IPA server. 

Thanks very much for your time. 

Thanks, Deepak 

On Tue, Jul 16, 2019 at 5:05 AM Alexander Bokovoy <abokovoy@redhat.com> wrote:
On Mon, 15 Jul 2019, Deepak Subhramanian via FreeIPA-users wrote:
>Hi Rob,
>
>Thanks for the quick follow up.
>
>I am getting this error in Ambari (the management tool for the Hadoop cluster) when
>it tries to generate the keytabs for all the principals it creates for the
>services on each node.  This is actually invoked by some Java code in
>Ambari. I tried to simulate the error using the ipa-getkeytab command. It is
>basically running the ipa-getkeytab command
>https://github.com/apache/ambari/blob/c17ecd1b2d5e41e66533266c9f4d5880ef5bd948/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/IPAKerberosOperationHandler.java
>String[] createKeytabFileCommand = (StringUtils.isEmpty(encryptionTypeSpec))
>
>? new String[]{executableIpaGetKeytab, "-s", getAdminServerHost(true), "-p",
>principal, "-k", keytabFileDestinationPath}
>
>2019-07-15 04:27:00,428  INFO [pool-34-thread-1]
>CreatePrincipalsServerAction:224 - Processing principal,
>ambari-qa-hdp31ipa37bp@MIA.CLOUD.NET
>
>2019-07-15 04:27:02,010  WARN [pool-34-thread-1]
>IPAKerberosOperationHandler:289 - Failed to export the keytab file for
>ambari-qa-hdp31ipa37bp@MIA.CLOUD.NET:
>
>        ExitCode: 9
>
>        STDOUT:
>
>        STDERR: SASL Bind failed Can't contact LDAP server (-1) !
>
>Failed to bind to server!
>
>Retrying with pre-4.0 keytab retrieval method...
>
>SASL Bind failed Can't contact LDAP server (-1) !
If it couldn't contact the LDAP server, you need to look at what is
happening there in the directory server logs.

SASL Bind Failed might also happen because there was no actual
credentials cache with an active ticket for the user whose identity is used
to retrieve the keys.

>I tried to simulate the error using the ipa-getkeytab command, but I am getting a
>different error related to access rights, even though it works when it retries
>with the pre-4.0 keytab method. I am trying to recreate the SASL Bind error
>from the command line and see what is causing the issue.
>
>
>root@hdp31ipa37bp-hdp-management:/var/log/ambari-server# kinit hadoopadmin
>
>Password for hadoopadmin@MIA.CLOUD.NET:
>
>root@hdp31ipa37bp-hdp-management:/var/log/ambari-server# ipa-getkeytab -s
>dev8-ipa-server.mia.cloud.net   -p test@MIA.CLOUD.NET   -k /tmp/ipa.keytab
>
>Failed to parse result: Insufficient access rights
>
>
>Retrying with pre-4.0 keytab retrieval method...
>
>Keytab successfully retrieved and stored in: /tmp/ipa.keytab
>
>I see it is creating ldap/dev8-ipa-server.mia.cloud.net@.
>
>root@hdp31ipa37bp-hdp-management:/var/log/ambari-server# klist
>
>Ticket cache: FILE:/tmp/krb5cc_0
>
>Default principal: hadoopadmin@MIA.CLOUD.NET
>
>
>Valid starting       Expires              Service principal
>
>07/15/2019 22:23:51  07/16/2019 22:23:46  krbtgt/MIA.CLOUD.NET@MIA.CLOUD.NET
>
>renew until 07/22/2019 22:23:46
>
>07/15/2019 22:23:53  07/16/2019 22:23:46  ldap/dev8-ipa-server.mia.cloud.net@
>
>renew until 07/22/2019 22:23:46
>
>07/15/2019 22:23:53  07/16/2019 22:23:46  ldap/dev8-ipa-server.mia.cloud.net@MIA.CLOUD.NET
>
>renew until 07/22/2019 22:23:46
>
>
>On Mon, Jul 15, 2019 at 1:22 PM Rob Crittenden <rcritten@redhat.com> wrote:
>
>> Deepak Subhramanian via FreeIPA-users wrote:
>> > I am getting this error when keytabs are generated for my Hadoop
>> > Cluster. I am getting an access error when I create keytabs with IPA
>> > commands -
>> >
>> > User has these permissions
>> >
>> > ipa role-add hadoopadminrole
>> > ipa role-add-privilege hadoopadminrole --privileges="User
>> Administrators"
>> > ipa role-add-privilege hadoopadminrole --privileges="Service
>> Administrators"
>> >
>> > root@hdp31ipa37bp-hdp-worker:/home/ubuntu# ipa-getkeytab -s dev8-ipa-server.mia.cloud.net -p test@MIA.CLOUD.NET -k /tmp/ipa.keytab
>> >
>> > Failed to parse result: Insufficient access rights
>> >
>> >
>> >
>> > 2019-07-15 04:39:33,221 - Failed to create keytab file for
>> > kafka/hdp31ipa37bp-hdp-masternode-03.mia.cloud.net@MIA.CLOUD.NET -
>> > Failed to export the keytab file for
>> > kafka/hdp31ipa37bp-hdp-masternode-03.mia.cloud.net@MIA.CLOUD.NET:
>> > ExitCode: 9
>> > STDOUT:
>> > STDERR: SASL Bind failed Can't contact LDAP server (-1) !
>> > Failed to bind to server!
>> > Retrying with pre-4.0 keytab retrieval method...
>> > SASL Bind failed Can't contact LDAP server (-1) !
>> > Failed to bind to server!
>> > Failed to get keytab
>> >
>> > root@hdp31ipa37bp-hdp-worker:/home/ubuntu# ipa user-add  test
>> >
>> > First name: Test
>> >
>> > Last name: Test
>> >
>> > -----------------
>> >
>> > Added user "test"
>> >
>> > -----------------
>> >
>> >   User login: test
>> >
>> >   First name: Test
>> >
>> >   Last name: Test
>> >
>> >   Full name: Test Test
>> >
>> >   Display name: Test Test
>> >
>> >   Initials: TT
>> >
>> >   Home directory: /home/test
>> >
>> >   GECOS: Test Test
>> >
>> >   Login shell: /bin/sh
>> >
>> >   Kerberos principal: test@MIA.CLOUD.NET
>> >
>> >   Email address: test@mia.cloud.net
>> >
>> >   UID: 1818200036
>> >
>> >   GID: 1818200036
>> >
>> >   Password: False
>> >
>> >   Member of groups: ipausers
>> >
>> >   Kerberos keys available: False
>> >
>> > root@hdp31ipa37bp-hdp-worker:/home/ubuntu# ipa-getkeytab -s dev8-ipa-server.mia.cloud.net -p test@MIA.CLOUD.NET -k /tmp/ipa.keytab
>> >
>> > Failed to parse result: Insufficient access rights
>> >
>> >
>> > Retrying with pre-4.0 keytab retrieval method...
>> >
>> > Keytab successfully retrieved and stored in: /tmp/ipa.keytab
>>
>> This output is very confusing. It begins with getting a keytab for a
>> user which doesn't exist? Then an error message for getting a service
>> keytab for the service kafka but no ipa-getkeytab is shown, then
>> creating the user and fetching the keytab succeeds.
>>
>> Can you clarify what you are doing?
>>
>> rob
>>
>
>
>--
>Deepak Subhramanian

>_______________________________________________
>FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
>Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


--
Deepak Subhramanian
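The thread ends with a stale IPA server name in one of two configuration sources, after Alexander's two pointers (no active ticket in the credential cache, or the LDAP server genuinely unreachable). The following Python triage helper is an added example written for this page; it is not code from FreeIPA, Ambari, or either poster. It parses a klist listing to confirm a TGT is valid at a given time, classifies ipa-getkeytab stderr into the layer that failed (connectivity before bind before authorization, since the "Can't contact LDAP server" line also carries the SASL prefix), and compares the IPA host named in an Ansible INI file against the hosts an Ambari blueprint points at. The klist text and error strings are constructed from the messages above; the `[ipa] ipaserver=` INI layout and the blueprint's `kerberos-env` keys (`admin_server_host`, `kdc_hosts`) are assumptions about how those files look, and `old-ipa-server.mia.cloud.net` is a placeholder.

```python
"""Triage helper for the ipa-getkeytab failures discussed in this thread.

Added illustration, not code from FreeIPA, Ambari or the thread authors.
Sample klist output and error text are constructed from the messages above;
the Ansible INI layout and the Ambari blueprint 'kerberos-env' keys
(admin_server_host, kdc_hosts) are assumptions about how the configs look.
"""
import configparser
import json
import re
from datetime import datetime

# Constructed sample: the credential cache quoted in the thread.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hadoopadmin@MIA.CLOUD.NET

Valid starting       Expires              Service principal
07/15/2019 22:23:51  07/16/2019 22:23:46  krbtgt/MIA.CLOUD.NET@MIA.CLOUD.NET
\trenew until 07/22/2019 22:23:46
07/15/2019 22:23:53  07/16/2019 22:23:46  ldap/dev8-ipa-server.mia.cloud.net@
\trenew until 07/22/2019 22:23:46
"""

# Constructed sample configs: the Ansible file names the live server, the
# blueprint still names a stale one (placeholder hostname).
SAMPLE_ANSIBLE_INI = "[ipa]\nipaserver = dev8-ipa-server.mia.cloud.net\n"
SAMPLE_BLUEPRINT = json.dumps({"configurations": [{"kerberos-env": {"properties": {
    "kdc_type": "ipa", "realm": "MIA.CLOUD.NET",
    "admin_server_host": "old-ipa-server.mia.cloud.net",
    "kdc_hosts": "old-ipa-server.mia.cloud.net"}}}]})

TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+(\S+)$")


def parse_klist(text):
    """Return (default principal, [(start, expiry, service principal), ...])."""
    principal, tickets = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            fmt = "%m/%d/%Y %H:%M:%S"
            tickets.append((datetime.strptime(m.group(1), fmt),
                            datetime.strptime(m.group(2), fmt), m.group(3)))
    return principal, tickets


def has_valid_tgt(klist_text, now_iso):
    """True if the cache holds a krbtgt ticket that is valid at `now_iso`.

    Without one, the GSSAPI/SASL bind that ipa-getkeytab performs cannot
    succeed, which is one cause of 'SASL Bind failed' named in the thread.
    """
    now = datetime.fromisoformat(now_iso)
    _, tickets = parse_klist(klist_text)
    return any(svc.startswith("krbtgt/") and start <= now < end
               for start, end, svc in tickets)


def classify_getkeytab_error(stderr):
    """Map ipa-getkeytab stderr to the layer that failed.

    Order matters: 'Can't contact LDAP server' also carries the SASL prefix,
    so connectivity is tested before the generic bind failure.
    """
    if "Can't contact LDAP server" in stderr:
        return "connectivity"   # wrong -s host, DNS, firewall, or dirsrv down
    if "SASL Bind failed" in stderr:
        return "credentials"    # no cache / expired TGT: run kinit first
    if "Insufficient access rights" in stderr:
        return "authorization"  # caller may not retrieve keys for that principal
    if "Keytab successfully retrieved" in stderr:
        return "ok"
    return "unknown"


def blueprint_ipa_hosts(blueprint_text):
    """Collect the KDC/admin hosts an Ambari blueprint points at (assumed layout)."""
    hosts = set()
    for section in json.loads(blueprint_text).get("configurations", []):
        props = section.get("kerberos-env", {}).get("properties", {})
        for key in ("admin_server_host", "kdc_hosts"):
            hosts.update(h.strip().lower() for h in props.get(key, "").split(",")
                         if h.strip())
    return hosts


def ipa_server_mismatch(ansible_ini_text, blueprint_text):
    """Return blueprint hosts that differ from the Ansible ipaserver (empty = consistent)."""
    cp = configparser.ConfigParser()
    cp.read_string(ansible_ini_text)
    expected = cp.get("ipa", "ipaserver").strip().lower()
    return sorted(h for h in blueprint_ipa_hosts(blueprint_text) if h != expected)


if __name__ == "__main__":
    print("TGT valid at 2019-07-16 00:00:", has_valid_tgt(SAMPLE_KLIST, "2019-07-16T00:00:00"))
    print(classify_getkeytab_error("SASL Bind failed Can't contact LDAP server (-1) !"))
    print("stale IPA hosts in blueprint:", ipa_server_mismatch(SAMPLE_ANSIBLE_INI, SAMPLE_BLUEPRINT))
```

Run it as-is to see the three checks against the constructed samples; in practice you would feed it the real `klist` output, the stderr captured from `ipa-getkeytab`, and the two config files. A non-empty result from `ipa_server_mismatch` is exactly the situation this thread ended on, and is worth checking before reading directory server logs.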