[ https://issues.apache.org/jira/browse/AMBARI-23431?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
ASF GitHub Bot updated AMBARI-23431: ------------------------------------ Labels: kerberos pull-request-available security (was: kerberos security) > After enabling Kerberos, the Ambari JAAS file is not updated > ------------------------------------------------------------ > > Key: AMBARI-23431 > URL: https://issues.apache.org/jira/browse/AMBARI-23431 > Project: Ambari > Issue Type: Bug > Components: ambari-server > Affects Versions: 2.7.0 > Reporter: Sandor Molnar > Assignee: Sandor Molnar > Priority: Critical > Labels: kerberos, pull-request-available, security > Fix For: 2.7.0 > > > After enabling Kerberos, the Ambari JAAS file is not updated. This leads to > various errors like collecting JXM data from services: > {noformat} > 28 Mar 2018 15:40:29,041 WARN [ambari-metrics-retrieval-service-thread-4] > RequestTargetAuthentication:88 - NEGOTIATE authentication error: No valid > credentials provided (Mechanism level: No valid credentials provided > (Mechanism level: Attempt to obtain new INITIATE credentials fai > led! (null))) > 28 Mar 2018 15:40:29,042 ERROR [ambari-metrics-retrieval-service-thread-4] > AppCookieManager:122 - SPNego authentication failed, can not get hadoop.auth > cookie for URL: http://c7401.ambari.apache.org:50070/jmx > 28 Mar 2018 15:40:29,042 ERROR [ambari-metrics-retrieval-service-thread-5] > AppCookieManager:122 - SPNego authentication failed, can not get hadoop.auth > cookie for URL: > http://c7401.ambari.apache.org:50070/jmx?get=Hadoop:service=NameNode,name=FSNamesystem::tag.HAState > 2 > {noformat} > The JAAS file as {{/etc/ambari-server/conf/krb5JAASLogin.conf}} is expected > to be updated to match the created Kerberos identity for the Ambari server, > but is not: > The default values of > {noformat} > ... > keyTab="/etc/security/keytabs/ambari.keytab" > principal="amb...@example.com" > ... > {noformat} > Should have been changed to > {noformat} > ... > keyTab="/etc/security/keytabs/ambari.server.keytab" > principal="ambari-server...@example.com" > ... > {noformat} > After manually fixing this and restarting Ambari, the JMX requests > authenticated properly. -- This message was sent by Atlassian JIRA (v7.6.3#76005)