ambari-dev mailing list archives

From "Emil Anca"
Subject Re: Review Request 34803: Kerberos: using realm name with mixed case, /etc/krb5.conf's default realm was forced to uppercase
Date Fri, 29 May 2015 13:37:22 GMT

This is an automatically generated e-mail. To reply, visit:

(Updated May 29, 2015, 1:37 p.m.)

Review request for Ambari, Robert Levas and Yusaku Sako.

Bugs: AMBARI-11524

Repository: ambari

Description (updated)

I've set up a KDC with the default realm and realm as in /etc/krb5.conf, created
the kdc database, created admin principal admin/, made sure I can run kadmin
(and not just kadmin.local) and create new principals using the admin principal by editing
/var/kerberos/krb5kdc/kadm5.acl and restarting the kdc/kadmin services.
Also, with this setup, I verified that I can run "kinit" without the explicit realm name
of, as it is the default realm (e.g., "kinit testuser" kinits as

I ran the Kerberos Wizard and faced some issues, because
the default krb5 template forces uppercase for the default_realm in /etc/krb5.conf.  Also,
it looks like it forces uppercasing on domain entries in case these are specified, though
I did not test the latter:

  renew_lifetime = 7d
  forwardable = true
  default_realm = {{realm|upper()}}  <-- FORCES UPPERCASE
  ticket_lifetime = 24h
  dns_lookup_realm = false
  dns_lookup_kdc = false
  #default_tgs_enctypes = {{encryption_types}}
  #default_tkt_enctypes = {{encryption_types}}

{% if domains %}
{% for domain in domains.split(',') %}
  {{domain}} = {{realm|upper()}}   <-- FORCES UPPERCASE
{% endfor %}
{% endif %}

  default = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  kdc = FILE:/var/log/krb5kdc.log

  {{realm}} = {  <-- UPPERCASE NOT FORCED (AS DESIRED)
    admin_server = {{admin_server_host|default(kdc_host, True)}}
    kdc = {{kdc_host}}

{# Append additional realm declarations below #}

I observed two issues.
1. My /etc/krb5.conf entry *default_realm =* was overwritten by Ambari as  *default_realm
= CUSTOM.COM*.  So after the wizard ran, the default realm is set to a non-existent realm.
 So kerberos commands now require an explicit for kinit, etc.  This is an undesired
and unexpected side effect.
My /etc/krb5.conf looked like the following after being modified via Ambari:

  renew_lifetime = 7d
  forwardable = true
  ticket_lifetime = 24h
  dns_lookup_realm = false
  dns_lookup_kdc = false
  #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
  #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5

  default = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  kdc = FILE:/var/log/krb5kdc.log

    admin_server = y2-1.c.pramod-thangali.internal
    kdc = y2-1.c.pramod-thangali.internal

2. Because of the above, for the admin principal name in the UI, you have to type "admin/"
whereas if you had an all-uppercase realm, like CUSTOM.COM, then you can just type "admin/admin".

It seems like we should not be forcing uppercase on the default realm in the template.  If
upper() is removed from the template, this problem does not occur, and it works the same way
as in the case where the realm name was all uppercase.

3. I just used the admin/ for the admin principal (note the explicit realm
name) and was able to pass Test Kerberos step with realm.  However, in the Start
and Test Services part of the Wizard, it failed at Check ZooKeeper.  
I'm not sure if this is because of the mixed case or the default realm being wrong.  I was
running a kerberization test in parallel with the same Ambari/HDP build, and I did not hit
any issues (I just used the default EXAMPLE.COM for the one that succeeded).

Succeeded cluster with EXAMPLE.COM:
y1-1.c.pramod-thangali.internal   4h <- Ambari server
y1-2.c.pramod-thangali.internal   4h
y1-3.c.pramod-thangali.internal   4h

Failed cluster with
y2-1.c.pramod-thangali.internal   4h  <- Ambari server
y2-2.c.pramod-thangali.internal   4h
y2-3.c.pramod-thangali.internal   4h

## Problem: The krb5conf template was forcing upper case on realm name
## Solution: Remove realm name upper forcing from the template





mvn clean test -pl ambari-server

* Kerberized/Unkerberized cluster using mixed case/all caps/all lower realm name


Emil Anca
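
Added example, not part of the original message or of Ambari's code: Kerberos realm names are case-sensitive, so a rendered krb5.conf can be checked for the condition reported above, where default_realm or a [domain_realm] value matches a realm declared in [realms] only when case is ignored. The function names parse_krb5 and realm_case_mismatches are hypothetical, and the realm Mixed.Example and the sample file contents are constructed.

```python
import re

# Constructed sample: realm declared in mixed case, references forced to uppercase.
SAMPLE_BAD = """\
[libdefaults]
  default_realm = MIXED.EXAMPLE
[domain_realm]
  .mixed.example = MIXED.EXAMPLE
[realms]
  Mixed.Example = {
    kdc = kdc.mixed.example
  }
"""
SAMPLE_GOOD = SAMPLE_BAD.replace("MIXED.EXAMPLE", "Mixed.Example")

def parse_krb5(text):
    """Return (default_realm, realm names declared in [realms], [domain_realm] map)."""
    section, depth = None, 0
    default_realm, realms, mappings = None, [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, depth = header.group(1), 0
        elif line == "}":                        # end of a nested block
            depth = max(depth - 1, 0)
        else:
            key, _, value = (part.strip() for part in line.partition("="))
            if value.startswith("{"):            # start of a nested block
                if section == "realms" and depth == 0:
                    realms.append(key)
                depth += 1
            elif section == "libdefaults" and key == "default_realm":
                default_realm = value
            elif section == "domain_realm":
                mappings[key] = value
    return default_realm, realms, mappings

def realm_case_mismatches(text):
    """List (location, realm used, realm declared) where the two differ only in case."""
    default_realm, realms, mappings = parse_krb5(text)
    refs = [("default_realm", default_realm)] if default_realm else []
    refs += [("domain_realm " + dom, realm) for dom, realm in mappings.items()]
    by_fold = {realm.casefold(): realm for realm in realms}
    return [(where, used, by_fold[used.casefold()]) for where, used in refs
            if by_fold.get(used.casefold(), used) != used]
```

An empty list means every realm reference matches a declared realm exactly or refers to a realm not declared in the file.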
