Looks like a great script. I can execute it by hand and see it should do the trick. However, I'm curious to know the versions of Cloudera where you've used this successfully.
The problem I have on CDH 5.10 is that I can't even get to the point where I could use this script. During the Kerberos wizard step "Import Kerberos Account Manager Credentials," I input the FreeIPA admin user and password that I created for creating services, generating/retrieving keytabs, etc. CDH then uses a script at /usr/share/cmf/bin/import_credentials.sh to create a keytab for that user using ktutil. However, I've never been able to create a keytab with ktutil that works with FreeIPA. I can use FreeIPA's ipa-getkeytab to get a perfectly usable keytab for the user, but not ktutil. So CDH's import_credentials.sh always fails when doing a kinit with the ktutil-generated keytab, like
I even rewrote the script at /usr/share/cmf/bin/import_credentials.sh to simply copy a keytab I've already retrieved via ipa-getkeytab from a location on disk to wherever CDH wants to put it (a generated file name like /var/log/cloudera-scm-server/cmf7298331290349355677.keytab). After that point, I guess CDH copies the keytab into its DB, because the keytab in /var/log/cloudera-scm-server disappears (or else it must copy the password into the db in order to generate another keytab next time). However, when I get to the "Generate Credentials" step where it should use your keytab retrieval script, it fails with messages like
My best guess is CDH pulls the keytab or password out of its db that it saved in the previous step, uses this to create a randomized name for the keytab in /var/run/cloudera-scm-server and then uses that keytab with the keytab retrieval script. I'm using the password-based kinit in your script, so we wouldn't even need a keytab, but of course, CDH doesn't know that, so it's dying at this point where it doesn't have a keytab.
I'm using FreeIPA 4.4.0 and CDH 5.10.0. Did you experience this problem? Ever tried CDH 5.10?