> On Mar 1, 2016, 1:51 a.m., Robert Levas wrote:
> > ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/IPAKerberosOperationHandler.java, line 865
> > <https://reviews.apache.org/r/44148/diff/4/?file=1274675#file1274675line865>
> >
> >     Why not use the default implementation of this?  It appears you are 
> > using the Ambari-generated password when creating the account, so the 
> > default impl should work fine.

A couple of reasons why not to use the default implementation

1) BLOCKING: In case not using the ambari-generated password, which can happen 
if using the "krbPasswordExpiry" attribute setting, this won't work per comments
2) I think it is better to use the supplied mechanisms for creating a keytab 
instead of rolling your own (see also point 1) and yes I have seen faulty 
keytabs being generated by Ambari due to assumptions not being correct.


> On Mar 1, 2016, 1:51 a.m., Robert Levas wrote:
> > ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/IPAKerberosOperationHandler.java, line 500
> > <https://reviews.apache.org/r/44148/diff/4/?file=1274675#file1274675line500>
> >
> >     When executing kinit for this purpose, is the credential cache being 
> > stored in an alternate location, else will it overwrite the credential 
> > cache for Ambari itself?

Good point. I will fix this.


- Bolke


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/44148/#review121368
-----------------------------------------------------------
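
The credential cache concern raised in the second comment above, as an added example that is not part of this thread or of the Ambari patch: a wrapper that gives `kinit` and whatever follows it a private, throwaway cache through `KRB5CCNAME`, so the caller's own cache is never overwritten. The helper name `with_private_ccache`, the temporary directory prefix and the principal in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Ambari code): run a command with an isolated Kerberos
# credential cache. with_private_ccache is a hypothetical helper name.
#
# The function body is a subshell "( ... )", so the KRB5CCNAME export below
# is confined to it and never changes the calling process's environment.
with_private_ccache() (
    # mktemp -d creates the directory with mode 0700, so tickets written
    # into it are not readable by other local users.
    dir=$(mktemp -d "${TMPDIR:-/tmp}/krb5cc_private.XXXXXX") || exit 1

    # FILE: is the file-based cache type; kinit and every Kerberos client
    # started from here will use this path instead of the default cache.
    KRB5CCNAME="FILE:${dir}/ccache"
    export KRB5CCNAME

    # Run the wrapped command; capture its status without aborting under
    # "set -e" so the cleanup below always runs.
    rc=0
    "$@" || rc=$?

    # Remove the temporary tickets whether or not the command succeeded.
    rm -rf -- "$dir"
    exit "$rc"
)

# Typical use (principal and user are constructed placeholders):
#   with_private_ccache sh -c 'kinit admin@EXAMPLE.COM && ipa user-show someuser'
```
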


On Feb 29, 2016, 9:49 p.m., Bolke de Bruin wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/44148/
> -----------------------------------------------------------
> 
> (Updated Feb 29, 2016, 9:49 p.m.)
> 
> 
> Review request for Ambari and Robert Levas.
> 
> 
> Bugs: AMBARI-6432
>     https://issues.apache.org/jira/browse/AMBARI-6432
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> FreeIPA is the Active Directory equivalent for Linux. This patch adds support 
> for FreeIPA. It requires ipa-admintools to be installed on the ambari host. 
> In addition it either requires write access to the krbPasswordPassword 
> attribute or a suitable password policy needs to be in place (ipa pwpolicy).
> 
> It has been requested to have this implemented in several tickets.
> 
> To test.
> 
> * Have a working IPA server available
> * Create a group "ambari-managed-principals" (configurable)
> * Create a password policy for this group or make the krb5PasswordExpiry 
> attribute writable (not per se required for testing)
> * Enroll all hosts into ipa
> * make sure the ipa-admintools are available on the ambari host
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java be6edc9
>   ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/IPAKerberosOperationHandler.java PRE-CREATION
>   ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KDCType.java 5b1372a
>   ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandler.java 4cd050e
>   ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/KerberosOperationHandlerFactory.java bfd45b7
>   ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml a03dea6
>   ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/IPAKerberosOperationHandlerTest.java PRE-CREATION
>   ambari-web/app/controllers/main/admin/kerberos.js c021c89 
>   ambari-web/app/controllers/main/admin/kerberos/step1_controller.js b9056ed 
>   ambari-web/app/controllers/main/admin/kerberos/step2_controller.js 9b411c6 
>   ambari-web/app/controllers/main/admin/kerberos/step5_controller.js 5aa4b8c 
>   ambari-web/app/controllers/main/service/info/configs.js a22bb48 
>   ambari-web/app/data/HDP2/site_properties.js 3ea6c68 
>   ambari-web/app/messages.js 1cefce2 
>   ambari-web/app/views/common/controls_view.js d355ffe 
> 
> Diff: https://reviews.apache.org/r/44148/diff/
> 
> 
> Testing
> -------
> 
> FreeIPA 4.2 on CentOS 7. Multiple times kerberization and de-kerberization.
> 
> 
> Thanks,
> 
> Bolke de Bruin
> 
>
