AMBARI-11647

Non-root Agent: Kerberos Wizard - Check Kerberos fails during Test Kerberos Client

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Duplicate
    • None
    • 2.1.0
    • None
    • None

    Description

      When enabling Kerberos on a non-root Ambari 2.0.0-151 setup, the Check
      Kerberos step fails during the Test Kerberos Client task.

      The problem in the task's stderr is:

      Fail: Execution of '/usr/bin/kinit -c /var/lib/ambari-agent/data/tmp/kerberos_service_check_cc_30399f1839f2d5ac0ada0c280b95657e -kt /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab ambari-qa_rghrcfxx@EXAMPLE.COM' returned 1. kinit: Permission denied while getting initial credentials

      When capturing that keytab with 'cp -a' and trying to use it, I fail to
      authenticate:

      [root@revo4 ~]# ls -l /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab
      rw-r----. 1 ambari-qa hadoop 358 Jun 1 15:22 /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab
      [root@revo4 ~]# klist -ket /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab
      Keytab name: FILE:/etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab
      KVNO Timestamp Principal
      ---- ----------------- --------------------------------------------------------
      1 06/01/15 15:22:01 ambari-qa_pfrlxjlh@EXAMPLE.COM (arcfour-hmac)
      1 06/01/15 15:22:01 ambari-qa_pfrlxjlh@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
      1 06/01/15 15:22:01 ambari-qa_pfrlxjlh@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
      1 06/01/15 15:22:01 ambari-qa_pfrlxjlh@EXAMPLE.COM (des-cbc-md5)
      1 06/01/15 15:22:01 ambari-qa_pfrlxjlh@EXAMPLE.COM (des3-cbc-sha1)
      [root@revo4 ~]# kinit -kt /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab ambari-qa_pfrlxjlh@EXAMPLE.COM
      kinit: Client not found in Kerberos database while getting initial credentials

      I validated that this kinit call is not run through sudo as there are no
      entries in /var/log/secure denying the action, and there are no instances in
      which ambari-sudo.sh is being called in regards to this command that I could
      find.

      So, I need help in identifying why this is happening during the Check Kerberos
      step, and why the captured keytab isn't usable.
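
A pre-flight check on the keytab listing shown in the report, as an added example (not part of the original report or of Ambari's code): it parses `klist -ket` output, confirms that the principal passed to `kinit` is present in the keytab, and flags enctypes deprecated by RFC 6649 and RFC 8429. The function names are assumptions; the sample text is copied from the report.

```python
import re

# `klist -ket` output copied from the report above.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
1 06/01/15 15:22:01 ambari-qa_pfrlxjlh@EXAMPLE.COM (arcfour-hmac)
1 06/01/15 15:22:01 ambari-qa_pfrlxjlh@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
1 06/01/15 15:22:01 ambari-qa_pfrlxjlh@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
1 06/01/15 15:22:01 ambari-qa_pfrlxjlh@EXAMPLE.COM (des-cbc-md5)
1 06/01/15 15:22:01 ambari-qa_pfrlxjlh@EXAMPLE.COM (des3-cbc-sha1)
"""

# DES is deprecated by RFC 6649; 3DES and RC4 by RFC 8429.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "arcfour-hmac"}

# One keytab entry: KVNO, date, time, principal, (enctype).
ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+@\S+)\s+\(([^)]+)\)\s*$")


def parse_klist(text):
    """Return (kvno, principal, enctype) tuples from `klist -ket` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            # Newer MIT klist builds may print "DEPRECATED:<enctype>".
            enctype = m.group(3).split(":")[-1]
            entries.append((int(m.group(1)), m.group(2), enctype))
    return entries


def preflight(klist_text, requested_principal):
    """Compare the principal given to kinit with what the keytab holds."""
    entries = parse_klist(klist_text)
    principals = sorted({p for _, p, _ in entries})
    return {
        "principal_in_keytab": requested_principal in principals,
        "keytab_principals": principals,
        "weak_enctypes": sorted({e for _, _, e in entries if e in WEAK_ENCTYPES}),
    }


if __name__ == "__main__":
    # Principal taken from the failing kinit command in the task's stderr.
    print(preflight(KLIST_OUTPUT, "ambari-qa_rghrcfxx@EXAMPLE.COM"))
```
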

          People

            aonishuk Andrew Onischuk