From: "Emil Anca (JIRA)"
To: dev@ambari.apache.org
Date: Fri, 29 May 2015 09:57:18 +0000 (UTC)
Subject: [jira] [Updated] (AMBARI-11524) Kerberos: using realm name with mixed case, /etc/krb5.conf's default realm was forced to uppercase

[ https://issues.apache.org/jira/browse/AMBARI-11524?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emil Anca updated AMBARI-11524:
-------------------------------
    Attachment: AMBARI-11524_01.patch

> Kerberos: using realm name with mixed case, /etc/krb5.conf's default realm was forced to uppercase
> --------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-11524
>                 URL: https://issues.apache.org/jira/browse/AMBARI-11524
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.0.0
>            Reporter: Emil Anca
>            Assignee: Emil Anca
>            Priority: Critical
>             Fix For: 2.1.0
>
>         Attachments: AMBARI-11524_01.patch
>
>
> I've set up a KDC with the default realm and realm as CUSTOM.com in /etc/krb5.conf, created the kdc database, created admin principal admin/admin@CUSTOM.com, made sure I can run kadmin (and not just kadmin.local) and create new principals using the admin principal by editing /var/kerberos/krb5kdc/kadm5.acl and restarting the kdc/kadmin services.
> Also, with this setup, I verified that I can run "kinit" without the explicit realm name of CUSTOM.com, as it is the default realm (e.g., "kinit testuser" kinits as testuser@CUSTOM.com).
> I ran the Kerberos Wizard and faced some issues, because the default krb5 template forces uppercase for the default_realm in /etc/krb5.conf. Also, it looks like it forces uppercasing on domain entries in case these are specified, though I did not test the latter:
> {code}
> [libdefaults]
>   renew_lifetime = 7d
>   forwardable = true
>   default_realm = {{realm|upper()}}   <-- FORCES UPPERCASE
>   ticket_lifetime = 24h
>   dns_lookup_realm = false
>   dns_lookup_kdc = false
>   #default_tgs_enctypes = {{encryption_types}}
>   #default_tkt_enctypes = {{encryption_types}}
> {% if domains %}
> [domain_realm]
> {% for domain in domains.split(',') %}
>   {{domain}} = {{realm|upper()}}   <-- FORCES UPPERCASE
> {% endfor %}
> {% endif %}
> [logging]
>   default = FILE:/var/log/krb5kdc.log
>   admin_server = FILE:/var/log/kadmind.log
>   kdc = FILE:/var/log/krb5kdc.log
> [realms]
>   {{realm}} = {   <-- UPPERCASE NOT FORCED (AS DESIRED)
>     admin_server = {{admin_server_host|default(kdc_host, True)}}
>     kdc = {{kdc_host}}
>   }
> {# Append additional realm declarations below #}
> {code}
> I observed two issues.
> 1. My /etc/krb5.conf entry *default_realm = CUSTOM.com* was overwritten by Ambari as *default_realm = CUSTOM.COM*. So after the wizard ran, the default realm is set to a non-existent realm. So kerberos commands now require an explicit @CUSTOM.com for kinit, etc. This is an undesired and unexpected side effect.
> My /etc/krb5.conf looked like the following after being modified via Ambari:
> {code}
> [libdefaults]
>   renew_lifetime = 7d
>   forwardable = true
>   default_realm = CUSTOM.COM   <-- FORCED TO UPPERCASE. CUSTOM.COM DOES NOT EXIST
>   ticket_lifetime = 24h
>   dns_lookup_realm = false
>   dns_lookup_kdc = false
>   #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
>   #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
> [logging]
>   default = FILE:/var/log/krb5kdc.log
>   admin_server = FILE:/var/log/kadmind.log
>   kdc = FILE:/var/log/krb5kdc.log
> [realms]
>   CUSTOM.com = {   <-- WAS NOT FORCED TO UPPERCASE (GOOD)
>     admin_server = y2-1.c.pramod-thangali.internal
>     kdc = y2-1.c.pramod-thangali.internal
>   }
> {code}
> 2. Because of the above, for the admin principal name in the UI, you have to type "admin/admin@CUSTOM.com", whereas if you had an all-uppercase realm, like CUSTOM.COM, then you can just type "admin/admin".
> It seems like we should not be forcing uppercase on the default realm in the template. If upper() is removed from the template, this problem does not occur, and it works the same way as in the case where the realm name was all uppercase.
> 3. I just used the admin/admin@CUSTOM.com for the admin principal (note the explicit realm name) and was able to pass the Test Kerberos step with the CUSTOM.com realm. However, in the Start and Test Services part of the Wizard, it failed at Check ZooKeeper.
> I'm not sure if this is because of the mixed case or the default realm being wrong. I was running a kerberization test in parallel with the same Ambari/HDP build, and I did not hit any issues (I just used the default EXAMPLE.COM for the one that succeeded).
> Succeeded cluster with EXAMPLE.COM:
> y1-1.c.pramod-thangali.internal 104.196.80.112 10.240.164.253 4h   <- Ambari server
> y1-2.c.pramod-thangali.internal 104.196.89.113 10.240.143.145 4h
> y1-3.c.pramod-thangali.internal 104.196.83.169 10.240.232.100 4h
>
> Failed cluster with CUSTOM.com:
> y2-1.c.pramod-thangali.internal 104.196.91.17 10.240.33.220 4h   <- Ambari server
> y2-2.c.pramod-thangali.internal 104.196.90.52 10.240.67.205 4h
> y2-3.c.pramod-thangali.internal 104.196.82.69 10.240.90.190 4h

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
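The failure mode in the report is a krb5.conf whose default_realm (and any [domain_realm] mappings) names a realm that is not declared in [realms] because only one side was uppercased; Kerberos realm names are case-sensitive, so the comparison must be exact. The following lint, added here as an illustration and not part of the Ambari patch, parses a rendered krb5.conf and lists every referenced realm with no byte-for-byte match in [realms]. The sample config is constructed from the values in the report, with placeholder hostnames.

```python
# Constructed sample: the shape of /etc/krb5.conf after the template forced
# default_realm (and a domain mapping) to uppercase while [realms] kept CUSTOM.com.
BROKEN_KRB5_CONF = """\
[libdefaults]
  default_realm = CUSTOM.COM
  dns_lookup_realm = false
[domain_realm]
  .example.internal = CUSTOM.COM
[realms]
  CUSTOM.com = {
    admin_server = kdc.example.internal
    kdc = kdc.example.internal
  }
"""

def parse_krb5_conf(text):
    """Return {section: [(key, value), ...]}. Inside [realms] a realm name is
    stored as (name, None); the nested { ... } block it opens is skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        if depth == 0 and line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif '=' in line and depth == 0 and current is not None:
            key, value = (p.strip() for p in line.split('=', 1))
            if value == '{':                        # start of a realm block
                sections[current].append((key, None))
                depth += 1
            else:
                sections[current].append((key, value))
        elif line == '}':
            depth -= 1
        elif line.endswith('{'):                    # nested block inside a realm
            depth += 1
    return sections

def realm_case_mismatches(text):
    """Realms referenced by default_realm or [domain_realm] that have no
    exact-case entry in [realms]; a non-empty list means kinit will fail."""
    conf = parse_krb5_conf(text)
    declared = {k for k, v in conf.get('realms', []) if v is None}
    referenced = [v for k, v in conf.get('libdefaults', []) if k == 'default_realm']
    referenced += [v for _, v in conf.get('domain_realm', [])]
    return sorted({r for r in referenced if r not in declared})
```

Running it against the broken sample reports CUSTOM.COM; after restoring default_realm and the domain mapping to CUSTOM.com the list is empty.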