ambari-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Robert Levas <rle...@hortonworks.com>
Subject Re: question on automating kerberization
Date Tue, 16 Feb 2016 14:15:57 GMT
Fay….

We can see if Ambari even attempted to distribute the keytabs to the hosts that do not have
them.  We can do this by grepping for SET_KEY in the command-*.json files in the ambari-agent
lib directory

grep SET_KEY /var/lib/ambari-agent/data/command-*.json

This should come up with a few files that contain this string.  If not, than no attempt was
made to distribute the keytabs or maybe the request never made it to the hosts – which I
have seen happen in at least one instance and have a task to investigate what could have gone
wrong.  However in that case, the keytab files were eventually distributed after what I assume
to be a retry of the request (from the Ambari server).

The than that, I am out of ideas.  You can try to regenerate the missing keytab files and
hope they are distributed this time.  This can be done via the API using the following

PUT /api/v1/clusters/CLUSTER_NAME?regenerate_keytabs=missing
{
  "Clusters" : {
    "security_type" : "KERBEROS"
  }
}

Rob


From: Fay Wang <faywang300@yahoo.com<mailto:faywang300@yahoo.com>>
Reply-To: "user@ambari.apache.org<mailto:user@ambari.apache.org>" <user@ambari.apache.org<mailto:user@ambari.apache.org>>,
Fay Wang <faywang300@yahoo.com<mailto:faywang300@yahoo.com>>
Date: Sunday, February 14, 2016 at 5:28 PM
To: Robert Levas <rlevas@hortonworks.com<mailto:rlevas@hortonworks.com>>, "user@ambari.apache.org<mailto:user@ambari.apache.org>"
<user@ambari.apache.org<mailto:user@ambari.apache.org>>
Subject: Re: question on automating kerberization

Hi Rob,

The principals are created, and I did not see any exception/error in the ambari-server.log.
Is there any other way for further investigation?


On Sunday, February 14, 2016 5:31 AM, Robert Levas <rlevas@hortonworks.com<mailto:rlevas@hortonworks.com>>
wrote:


Hi Fay…

This is the first that I have heard of this issue. Have you noticed a pattern as to which
keytab files are not being created?  Did you look in the ambari-server.log file to see if
any errors are logged?  Have you looked in the KDC (or Active Directory) to see if the principal
had been created?

Rob


From: Fay Wang <faywang300@yahoo.com<mailto:faywang300@yahoo.com>>
Reply-To: "user@ambari.apache.org<mailto:user@ambari.apache.org>" <user@ambari.apache.org<mailto:user@ambari.apache.org>>,
Fay Wang <faywang300@yahoo.com<mailto:faywang300@yahoo.com>>
Date: Friday, February 12, 2016 at 8:01 PM
To: "user@ambari.apache.org<mailto:user@ambari.apache.org>" <user@ambari.apache.org<mailto:user@ambari.apache.org>>
Subject: question on automating kerberization

Hi,
    I am able to call Ambari REST API to kerberize my cluster without going through Ambari
UI. It works most of the time. However, sometime, the keytabs in a particular node of the
cluster are not generated at all, causing the grief when starting the services. Although I
can always regenerate keytabs afterwards, but this is truly annoying. It is a known issue?
Please advise...

Thanks,
-fay


Mime
View raw message