You can use Blueprints to customize the krb5.conf file. It is a little messy
due to the JSON structure, but it is not that hard.
This is done by setting the “content” property of the “krb5-conf” configuration
type. The default value is:
[libdefaults]
renew_lifetime = 7d
forwardable = true
default_realm = {{realm}}
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
default_ccache_name = /tmp/krb5cc_%{uid}
#default_tgs_enctypes = {{encryption_types}}
#default_tkt_enctypes = {{encryption_types}}
{% if domains %}
[domain_realm]
{%- for domain in domains.split(',') %}
{{domain|trim()}} = {{realm}}
{%- endfor %}
{% endif %}
[logging]
default = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log
[realms]
{{realm}} = {
{%- if master_kdc %}
master_kdc = {{master_kdc|trim()}}
{%- endif -%}
{%- if kdc_hosts > 0 -%}
{%- set kdc_host_list = kdc_hosts.split(',') -%}
{%- if kdc_host_list and kdc_host_list|length > 0 %}
admin_server = {{admin_server_host|default(kdc_host_list[0]|trim(), True)}}
{%- if kdc_host_list -%}
{%- if master_kdc and (master_kdc not in kdc_host_list) %}
kdc = {{master_kdc|trim()}}
{%- endif -%}
{% for kdc_host in kdc_host_list %}
kdc = {{kdc_host|trim()}}
{%- endfor -%}
{% endif %}
{%- endif %}
{%- endif %}
}
{# Append additional realm declarations below #}
You can set the udp_preference_limit value by adding it to the [libdefaults] section,
like:
[libdefaults]
renew_lifetime = 7d
forwardable = true
default_realm = {{realm}}
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
default_ccache_name = /tmp/krb5cc_%{uid}
#default_tgs_enctypes = {{encryption_types}}
#default_tkt_enctypes = {{encryption_types}}
#### Added udp_preference_limit line here ####
udp_preference_limit = 1
{% if domains %}
[domain_realm]
{%- for domain in domains.split(',') %}
{{domain|trim()}} = {{realm}}
{%- endfor %}
{% endif %}
[logging]
default = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log
[realms]
{{realm}} = {
{%- if master_kdc %}
master_kdc = {{master_kdc|trim()}}
{%- endif -%}
{%- if kdc_hosts > 0 -%}
{%- set kdc_host_list = kdc_hosts.split(',') -%}
{%- if kdc_host_list and kdc_host_list|length > 0 %}
admin_server = {{admin_server_host|default(kdc_host_list[0]|trim(), True)}}
{%- if kdc_host_list -%}
{%- if master_kdc and (master_kdc not in kdc_host_list) %}
kdc = {{master_kdc|trim()}}
{%- endif -%}
{% for kdc_host in kdc_host_list %}
kdc = {{kdc_host|trim()}}
{%- endfor -%}
{% endif %}
{%- endif %}
{%- endif %}
}
{# Append additional realm declarations below #}
To get this into a Blueprint, you have to turn the value into a single line.
This is the messy part.
\n[libdefaults]\n renew_lifetime = 7d\n forwardable = true\n default_realm = {{realm}}\n ticket_lifetime = 24h\n dns_lookup_realm = false\n dns_lookup_kdc = false\n default_ccache_name = /tmp/krb5cc_%{uid}\n #default_tgs_enctypes = {{encryption_types}}\n #default_tkt_enctypes = {{encryption_types}}\n udp_preference_limit = 1\n{% if domains %}\n[domain_realm]\n{%- for domain in domains.split(',') %}\n {{domain|trim()}} = {{realm}}\n{%- endfor %}\n{% endif %}\n[logging]\n default = FILE:/var/log/krb5kdc.log\n admin_server = FILE:/var/log/kadmind.log\n kdc = FILE:/var/log/krb5kdc.log\n\n[realms]\n {{realm}} = {\n{%- if master_kdc %}\n master_kdc = {{master_kdc|trim()}}\n{%- endif -%}\n{%- if kdc_hosts > 0 -%}\n{%- set kdc_host_list = kdc_hosts.split(',') -%}\n{%- if kdc_host_list and kdc_host_list|length > 0 %}\n admin_server = {{admin_server_host|default(kdc_host_list[0]|trim(), True)}}\n{%- if kdc_host_list -%}\n{%- if master_kdc and (master_kdc not in kdc_host_list) %}\n kdc = {{master_kdc|trim()}}\n{%- endif -%}\n{% for kdc_host in kdc_host_list %}\n kdc = {{kdc_host|trim()}}\n{%- endfor -%}\n{% endif %}\n{%- endif %}\n{%- endif %}\n }\n{# Append additional realm declarations below #}
This value needs to be placed in the krb5-conf configuration block in the
Blueprint. For example:
"krb5-conf": {
"domains": "",
"manage_krb5_conf": "true",
"content": "\n[libdefaults]\n renew_lifetime = 7d\n forwardable = true\n default_realm = {{realm}}\n ticket_lifetime = 24h\n dns_lookup_realm = false\n dns_lookup_kdc = false\n default_ccache_name = /tmp/krb5cc_%{uid}\n #default_tgs_enctypes = {{encryption_types}}\n #default_tkt_enctypes = {{encryption_types}}\n udp_preference_limit = 1\n{% if domains %}\n[domain_realm]\n{%- for domain in domains.split(',') %}\n {{domain|trim()}} = {{realm}}\n{%- endfor %}\n{% endif %}\n[logging]\n default = FILE:/var/log/krb5kdc.log\n admin_server = FILE:/var/log/kadmind.log\n kdc = FILE:/var/log/krb5kdc.log\n\n[realms]\n {{realm}} = {\n{%- if master_kdc %}\n master_kdc = {{master_kdc|trim()}}\n{%- endif -%}\n{%- if kdc_hosts > 0 -%}\n{%- set kdc_host_list = kdc_hosts.split(',') -%}\n{%- if kdc_host_list and kdc_host_list|length > 0 %}\n admin_server = {{admin_server_host|default(kdc_host_list[0]|trim(), True)}}\n{%- if kdc_host_list -%}\n{%- if master_kdc and (master_kdc not in kdc_host_list) %}\n kdc = {{master_kdc|trim()}}\n{%- endif -%}\n{% for kdc_host in kdc_host_list %}\n kdc = {{kdc_host|trim()}}\n{%- endfor -%}\n{% endif %}\n{%- endif %}\n{%- endif %}\n }\n{# Append additional realm declarations below #}",
"conf_dir": "/etc"
},
I hope this helps.
Rob
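An added example, not part of the original message and not Ambari's own code: rather than hand-escaping the template, let `json.dumps` produce the single-line "content" value after patching [libdefaults]. The template below is a constructed, shortened stand-in for the default quoted above, and `set_libdefault` and `to_blueprint_json` are names invented for this example.

```python
import json

# Constructed, shortened stand-in for the default krb5-conf template quoted above.
TEMPLATE = """
[libdefaults]
  default_realm = {{realm}}
  default_ccache_name = /tmp/krb5cc_%{uid}
{% if domains %}
[domain_realm]
{%- for domain in domains.split(',') %}
  {{domain|trim()}} = {{realm}}
{%- endfor %}
{% endif %}
[realms]
  {{realm}} = {
  }
"""

def set_libdefault(template, key, value):
    """Set `key = value` in [libdefaults]: replace it if present, else append it."""
    lines = template.split("\n")
    in_libdefaults, last_setting = False, None
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):        # section header
            in_libdefaults = s == "[libdefaults]"
            if in_libdefaults:
                last_setting = i                         # fallback: right after header
            continue
        if not in_libdefaults or not s or s.startswith("{%"):
            continue                                     # other section, blank, Jinja tag
        if s.split("=", 1)[0].strip() == key:
            lines[i] = f"  {key} = {value}"
            return "\n".join(lines)
        last_setting = i
    if last_setting is None:
        raise ValueError("template has no [libdefaults] section")
    lines.insert(last_setting + 1, f"  {key} = {value}")
    return "\n".join(lines)

def to_blueprint_json(template, conf_dir="/etc"):
    """Return the krb5-conf block as JSON; json.dumps escapes every newline as \\n."""
    content = set_libdefault(template, "udp_preference_limit", "1")
    block = {"krb5-conf": {"domains": "", "manage_krb5_conf": "true",
                           "content": content, "conf_dir": conf_dir}}
    return json.dumps(block, indent=2)

if __name__ == "__main__":
    print(to_blueprint_json(TEMPLATE))
```

Loading the output back with `json.loads` and comparing the "content" value against the patched template is a quick check that no Jinja tag or `%{uid}` token was altered by the escaping.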
From: Lian Jiang <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Friday, May 4, 2018 at 6:34 PM
To: "[email protected]" <[email protected]>
Subject: Re: use krb-conf section to set udp_preference_limit = 1
Thanks. So the workaround for now is to use krb5.conf unmanaged by ambari?
On Fri, May 4, 2018 at 3:28 PM, Sandor Molnar <[email protected]> wrote:
Hi,
To allow end users to set ‘udp_preference_limit’ to 1, we implemented the
following change:
https://github.com/apache/ambari/pull/129
This will be available in 2.7.
Cheers,
Sandor
From: Lian Jiang <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Friday, May 4, 2018 at 11:57 PM
To: "[email protected]" <[email protected]>
Subject: use krb-conf section to set udp_preference_limit = 1
Hi,
According to
https://community.hortonworks.com/content/supportkb/149955/errorcould-not-configure-server-because-sasl-confi.html,
I need "udp_preference_limit = 1" for zookeeper to work with kerberos.
How can I set this property using krb5-conf section in ambari blueprint? Thanks
for any hint.