[AMBARI-9359] Remove toLowerCase() from userPrincipalName in default Kerberos principal create template - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Task
Status: Resolved
Priority: Major
Resolution: Duplicate
Affects Version/s: 2.0.0
Fix Version/s: 2.0.0
Component/s: ambari-server, stacks
Labels:
- active_directory
- kerberos

Epic Link:
Ambari Automated Kerberization

Description

Remove toLowerCase() from userPrincipalName in default Kerberos principal create template. This is creating an issue with principals that have upper-cased characters and Active Directory such that when kinit-ing, authenticating fails:

kinit -V -k -t /etc/security/keytabs/spnego.service.keytab

HTTP/c6501.ambari.apache.org
Using default cache: /tmp/krb5cc_0
Using principal: HTTP/c6501.ambari.apache.org@HDP01.LOCAL
Using keytab: /etc/security/keytabs/spnego.service.keytab
kinit: Preauthentication failed while getting initial credentials

An example of the offending template is as follows:

from kerberos-env.xml

{
  "objectClass": ["top", "person", "organizationalPerson", "user"],
  "cn": "$principal_name",
  #if( $is_service )
  "servicePrincipalName": "$principal_name",
  #end
  "userPrincipalName": "$normalized_principal.toLowerCase()",
  "unicodePwd": "$password",
  "accountExpires": "0",
  "userAccountControl": "66048"
}

Attachments

Issue Links

is duplicated by

AMBARI-9295 Remove toLowerCase() from userPrincipalName in default Kerberos principal create template

Resolved

Activity

People

Assignee:: Robert Levas

Reporter:: Robert Levas

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 27/Jan/15 18:56

Updated:: 27/Jan/15 18:57

Resolved:: 27/Jan/15 18:57