Deepak Subhramanian via FreeIPA-users wrote:
I am getting this error when key tabs are generated for my Hadoop
Cluster. I am getting an access error when I create key tabs with IPA
commands -
User has these permissions
ipa role-add hadoopadminrole
ipa role-add-privilege hadoopadminrole --privileges="User Administrators"
ipa role-add-privilege hadoopadminrole --privileges="Service Administrators"
root@hdp31ipa37bp-hdp-worker:/home/ubuntu# ipa-getkeytab -s dev8-ipa-server.mia.cloud.net -p test@MIA.CLOUD.NET -k /tmp/ipa.keytab
Failed to parse result: Insufficient access rights
2019-07-15 04:39:33,221 - Failed to create keytab file for kafka/hdp31ipa37bp-hdp-masternode-03.mia.cloud.net@MIA.CLOUD.NET - Failed to export the keytab file for kafka/hdp31ipa37bp-hdp-masternode-03.mia.cloud.net@MIA.CLOUD.NET:
ExitCode: 9
STDOUT:
STDERR: SASL Bind failed Can't contact LDAP server (-1) !
Failed to bind to server!
Retrying with pre-4.0 keytab retrieval method...
SASL Bind failed Can't contact LDAP server (-1) !
Failed to bind to server!
Failed to get keytab
root@hdp31ipa37bp-hdp-worker:/home/ubuntu# ipa user-add test
First name: Test
Last name: Test
-----------------
Added user "test"
-----------------
User login: test
First name: Test
Last name: Test
Full name: Test Test
Display name: Test Test
Initials: TT
Home directory: /home/test
GECOS: Test Test
Login shell: /bin/sh
Kerberos principal: test@MIA.CLOUD.NET
Email address: test@mia.cloud.net
UID: 1818200036
GID: 1818200036
Password: False
Member of groups: ipausers
Kerberos keys available: False
root@hdp31ipa37bp-hdp-worker:/home/ubuntu# ipa-getkeytab -s dev8-ipa-server.mia.cloud.net -p test@MIA.CLOUD.NET -k /tmp/ipa.keytab
Failed to parse result: Insufficient access rights
Retrying with pre-4.0 keytab retrieval method...
Keytab successfully retrieved and stored in: /tmp/ipa.keytab
This output is very confusing. It begins with getting a keytab for a
user which doesn't exist? Then an error message for getting a service
keytab for the service kafka but no ipa-getkeytab is shown, then
creating the user and fetching the keytab succeeds.
Can you clarify what you are doing?
rob