[ https://issues.apache.org/jira/browse/AMBARI-23431?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16432728#comment-16432728 ]
Hudson commented on AMBARI-23431: --------------------------------- FAILURE: Integrated in Jenkins build Ambari-trunk-Commit #9028 (See [https://builds.apache.org/job/Ambari-trunk-Commit/9028/]) [AMBARI-23431] Removing hostId condition in order to process AMBARI (rlevas: [https://gitbox.apache.org/repos/asf?p=ambari.git&a=commit&h=9b084bd1c14b9560b8db5bc6263021a974934361]) * (edit) ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ConfigureAmbariIdentitiesServerAction.java > After enabling Kerberos, the Ambari JAAS file is not updated > ------------------------------------------------------------ > > Key: AMBARI-23431 > URL: https://issues.apache.org/jira/browse/AMBARI-23431 > Project: Ambari > Issue Type: Bug > Components: ambari-server > Affects Versions: 2.7.0 > Reporter: Sandor Molnar > Assignee: Sandor Molnar > Priority: Critical > Labels: kerberos, pull-request-available, security > Fix For: 2.7.0 > > Time Spent: 1.5h > Remaining Estimate: 0h > > After enabling Kerberos, the Ambari JAAS file is not updated. This leads to > various errors like collecting JXM data from services: > {noformat} > 28 Mar 2018 15:40:29,041 WARN [ambari-metrics-retrieval-service-thread-4] > RequestTargetAuthentication:88 - NEGOTIATE authentication error: No valid > credentials provided (Mechanism level: No valid credentials provided > (Mechanism level: Attempt to obtain new INITIATE credentials fai > led! (null))) > 28 Mar 2018 15:40:29,042 ERROR [ambari-metrics-retrieval-service-thread-4] > AppCookieManager:122 - SPNego authentication failed, can not get hadoop.auth > cookie for URL: http://c7401.ambari.apache.org:50070/jmx > 28 Mar 2018 15:40:29,042 ERROR [ambari-metrics-retrieval-service-thread-5] > AppCookieManager:122 - SPNego authentication failed, can not get hadoop.auth > cookie for URL: > http://c7401.ambari.apache.org:50070/jmx?get=Hadoop:service=NameNode,name=FSNamesystem::tag.HAState > 2 > {noformat} > The JAAS file as {{/etc/ambari-server/conf/krb5JAASLogin.conf}} is expected > to be updated to match the created Kerberos identity for the Ambari server, > but is not: > The default values of > {noformat} > ... > keyTab="/etc/security/keytabs/ambari.keytab" > principal="amb...@example.com" > ... > {noformat} > Should have been changed to > {noformat} > ... > keyTab="/etc/security/keytabs/ambari.server.keytab" > principal="ambari-server...@example.com" > ... > {noformat} > After manually fixing this and restarting Ambari, the JMX requests > authenticated properly. -- This message was sent by Atlassian JIRA (v7.6.3#76005)