Return-Path: X-Original-To: apmail-ambari-dev-archive@www.apache.org Delivered-To: apmail-ambari-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 3487017C6F for ; Wed, 3 Jun 2015 12:24:04 +0000 (UTC) Received: (qmail 44963 invoked by uid 500); 3 Jun 2015 12:24:03 -0000 Delivered-To: apmail-ambari-dev-archive@ambari.apache.org Received: (qmail 44935 invoked by uid 500); 3 Jun 2015 12:24:03 -0000 Mailing-List: contact dev-help@ambari.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@ambari.apache.org Delivered-To: mailing list dev@ambari.apache.org Received: (qmail 44922 invoked by uid 99); 3 Jun 2015 12:24:03 -0000 Received: from reviews-vm.apache.org (HELO reviews.apache.org) (140.211.11.40) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 03 Jun 2015 12:24:03 +0000 Received: from reviews.apache.org (localhost [127.0.0.1]) by reviews.apache.org (Postfix) with ESMTP id 223901DF03B; Wed, 3 Jun 2015 12:24:03 +0000 (UTC) Content-Type: multipart/alternative; boundary="===============1178009965194583021==" MIME-Version: 1.0 Subject: Review Request 34998: Non-root Agent: Kerberos Wizard - Check Kerberos fails during Test Kerberos Client From: "Andrew Onischuk" To: "Robert Levas" Cc: "Andrew Onischuk" , "Ambari" Date: Wed, 03 Jun 2015 12:24:03 -0000 Message-ID: <20150603122403.7997.99367@reviews.apache.org> X-ReviewBoard-URL: https://reviews.apache.org/ Auto-Submitted: auto-generated Sender: "Andrew Onischuk" X-ReviewGroup: Ambari X-ReviewRequest-URL: https://reviews.apache.org/r/34998/ X-Sender: "Andrew Onischuk" Reply-To: "Andrew Onischuk" X-ReviewRequest-Repository: ambari --===============1178009965194583021== MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/34998/ ----------------------------------------------------------- Review request for Ambari and Robert Levas. Repository: ambari Description ------- When enabling Kerberos on a non-root Ambari 2.0.0-151 setup, the Check Kerberos step fails during the Test Kerberos Client task. The problem in the tasks stderr is: Fail: Execution of '/usr/bin/kinit -c /var/lib/ambari-agent/data/tmp/kerberos_service_check_cc_30399f1839f2d5ac0ada0c280b95657e -kt /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab ambari-qa_rghrcfxx@EXAMPLE.COM' returned 1. kinit: Permission denied while getting initial credentials When capturing that keytab with 'cp -a' and trying to use it, I fail to authenticate: [root@revo4 ~]# ls -l /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab -rw-r-----. 1 ambari-qa hadoop 358 Jun 1 15:22 /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab [root@revo4 ~]# klist -ket /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab Keytab name: FILE:/etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab KVNO Timestamp Principal ---- ----------------- -------------------------------------------------------- 1 06/01/15 15:22:01 ambari-qa_pfrlxjlh@EXAMPLE.COM (arcfour-hmac) 1 06/01/15 15:22:01 ambari-qa_pfrlxjlh@EXAMPLE.COM (aes256-cts-hmac-sha1-96) 1 06/01/15 15:22:01 ambari-qa_pfrlxjlh@EXAMPLE.COM (aes128-cts-hmac-sha1-96) 1 06/01/15 15:22:01 ambari-qa_pfrlxjlh@EXAMPLE.COM (des-cbc-md5) 1 06/01/15 15:22:01 ambari-qa_pfrlxjlh@EXAMPLE.COM (des3-cbc-sha1) [root@revo4 ~]# kinit -kt /etc/security/keytabs/kerberos.service_check.pfrlxjlh.keytab ambari-qa_pfrlxjlh@EXAMPLE.COM kinit: Client not found in Kerberos database while getting initial credentials I validated that this kinit call is not run through sudo as there are no entries in /var/log/secure denying the action, and there are no instances in which ambari-sudo.sh is being called in regards to this command that I could find. So, I need help in identifying why this is happening during the Check Kerberos step, and why the captured keytab isn't usable. Diffs ----- ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/package/scripts/service_check.py 412d12d Diff: https://reviews.apache.org/r/34998/diff/ Testing ------- 1. Install cluster with ambari-agent 2. Kerberize it also mvn clean test Thanks, Andrew Onischuk --===============1178009965194583021==--