ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Levas (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (AMBARI-9295) Remove toLower() from userPrincipalName in default Kerberos principal create template
Date Fri, 23 Jan 2015 12:09:34 GMT

     [ https://issues.apache.org/jira/browse/AMBARI-9295?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Robert Levas updated AMBARI-9295:
---------------------------------
    Description: 
Remove toLower() from userPrincipalName in default Kerberos principal create template. This
is creating an issue with principals that have upper-cased characters and Active Directory
such that when kinit-ing, authenticating fails:

{code:title=kinit -V -k -t /etc/security/keytabs/spnego.service.keytab }
HTTP/c6501.ambari.apache.org
Using default cache: /tmp/krb5cc_0
Using principal: HTTP/c6501.ambari.apache.org@HDP01.LOCAL
Using keytab: /etc/security/keytabs/spnego.service.keytab
kinit: Preauthentication failed while getting initial credentials
{code}

An example of the offending template is as follows:
{code:title=from kerberos-env.xml}
{
  "objectClass": ["top", "person", "organizationalPerson", "user"],
  "cn": "$principal_name",
  #if( $is_service )
  "servicePrincipalName": "$principal_name",
  #end
  "userPrincipalName": "$normalized_principal.toLowerCase()",
  "unicodePwd": "$password",
  "accountExpires": "0",
  "userAccountControl": "66048"
}
{code}

  was:
Remove toLower() from userPrincipalName in default Kerberos principal create template. This
is creating an issue with principals that have upper-cased characters and Active Directory
such that when kinit-ing, authenticating fails:

{code:title=kinit -V -k -t /etc/security/keytabs/spnego.service.keytab }
HTTP/c6501.ambari.apache.org
Using default cache: /tmp/krb5cc_0
Using principal: HTTP/c6501.ambari.apache.org@HDP01.LOCAL
Using keytab: /etc/security/keytabs/spnego.service.keytab
kinit: Preauthentication failed while getting initial credentials
{code}


> Remove toLower() from userPrincipalName in default Kerberos principal create template
> -------------------------------------------------------------------------------------
>
>                 Key: AMBARI-9295
>                 URL: https://issues.apache.org/jira/browse/AMBARI-9295
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server, stacks
>    Affects Versions: 2.0.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>              Labels: active-directory, active_directory, kerberos
>             Fix For: 2.0.0
>
>
> Remove toLower() from userPrincipalName in default Kerberos principal create template.
This is creating an issue with principals that have upper-cased characters and Active Directory
such that when kinit-ing, authenticating fails:
> {code:title=kinit -V -k -t /etc/security/keytabs/spnego.service.keytab }
> HTTP/c6501.ambari.apache.org
> Using default cache: /tmp/krb5cc_0
> Using principal: HTTP/c6501.ambari.apache.org@HDP01.LOCAL
> Using keytab: /etc/security/keytabs/spnego.service.keytab
> kinit: Preauthentication failed while getting initial credentials
> {code}
> An example of the offending template is as follows:
> {code:title=from kerberos-env.xml}
> {
>   "objectClass": ["top", "person", "organizationalPerson", "user"],
>   "cn": "$principal_name",
>   #if( $is_service )
>   "servicePrincipalName": "$principal_name",
>   #end
>   "userPrincipalName": "$normalized_principal.toLowerCase()",
>   "unicodePwd": "$password",
>   "accountExpires": "0",
>   "userAccountControl": "66048"
> }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message