ambari-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Robert Levas <>
Subject Re: question on Kerberos
Date Mon, 02 May 2016 19:15:09 GMT
Hi Fay…

It seems like if you were switching KDCs, your best bet would have been to disable Kerberos
and then enable Kerberos using the new KDC.  In any case, I assume you have Ambari set up
to integrate with a KDC using the “manual” option where you are responsible for creating
the principals and then exporting and distributing the keytab files.

In nay case, it looks like there are 2 places where the realm name needs to be changed.

  1.  In the kerberos-env config using the property name “realm” (aka, kerberos-env/realm)
  2.  In the kerberos descriptor, under the “properties” item for the property named “realm”.

Technically, the kerberos descriptor should refer to the kerberos-env property… but it seems
to not always be the case.

The UI does not seem to allow the realm to be changed, so this needs to be done via the API.

So it appears that you already may the changes to the kerberos-env…. For the Kerberos descriptor,
you can take a look at
on how to get the Kerberos Descriptor.  Then modify the property/realm value and replace it
using information from

Once you do that, you need to get Ambari to rebuild the configs. This can be done by telling
it to regenerate the keytab files. However, since you are in “manual” mode, there is no
button on the UI to do this.  So you need to issue the following REST API CALL:

PUT /api/v1/clusters/c1?regenerate_keytabs=all
{"Clusters": {"security_type" : "KERBEROS"}}

Using curl, it may look like:

curl -H "X-Requested-By:ambari" -u admin:admin -i -X PUT -d '{"Clusters": {"security_type"
: "KERBEROS"}}' http://AMBARI_SERVER:8080/api/v1/clusters/CLUSTER_NAME?regenerate_keytabs=all

Once this has been issues, you need to take a look at the UI and wait for the background operations
to complete.  The stop and start the services to push the configs to the hosts.

Ideally this should solve your issue.


From: Fay Wang <<>>
Reply-To: "<>" <<>>,
Fay Wang <<>>
Date: Monday, May 2, 2016 at 2:07 PM
To: "<>" <<>>
Subject: question on Kerberos


I need to switch to use FreeIPA kerberos server and made all necessary changes for keytabs
and principals, but services can not be started:

resource_management.core.exceptions.Fail: Execution of '/usr/bin/kinit -kt /etc/security/keytabs/hdfs.headless.keytab
hdfs@FOO.COM<mailto:hdfs@FOO.COM>' returned 1. kinit: Keytab contains no suitable keys
for hdfs@FOO.COM<mailto:hdfs@FOO.COM> while getting initial credentials

Note that my realm is changed to "BAR.COM", and I also updated Ambari Kerberos configuration
for Realm name and KDS host name, which is verified in Ambari UI kerberos configuration. Not
sure why Ambari still use FOO.COM when doing the kinit.

Please note that I did not disable or enable kerberos. I simply added principals to IPA kerberos
server and retrieved keystabs from it by following the instruction below:

Manual Keytab / Principal creation for IPA to support Ambari Kerberos Wizard - Hortonworks<>

Any help is highly appreciated!



Manual Keytab / Principal creation for IPA to support Ambari Kerberos Wizar...
Forums, Q&A, Knowledgebase articles, gallery of the best GitHub repos for Hadoop, HDF,
Spark, HDP, IOT, Stre...

View raw message