2pk03 / freeipa
FreeIPA scripts
Looks like a great script. I can execute it by hand and see it should do the trick. However, I'm curious to know the versions of Cloudera where you've used this successfully.
The problem I have on CDH 5.10 is that I can't even get to the point where I could use this script. During the Kerberos wizard step "Import Kerberos Account Manager Credentials," I input the FreeIPA admin user and password that I created for creating services, generating/retrieving keytabs, etc. CDH then uses a script at /usr/share/cmf/bin/import_credentials.sh to create a keytab for that user using ktutil. However, I've never been able to create a keytab with ktutil that works with FreeIPA. I can use FreeIPA's ipa-getkeytab to get a perfectly usable keytab for the user, but not ktutil. So CDH's import_credentials.sh always fails when doing a kinit with the ktutil-generated keytab, like
+ kinit -k -t /var/run/cloudera-scm-server/cmf2084617222939901509.keytab [email protected]
kinit: Password incorrect while getting initial credentials
I even rewrote the script at /usr/share/cmf/bin/import_credentials.sh to simply copy a keytab I've already retrieved via ipa-getkeytab from a location on disk to wherever CDH wants to put it (a generated file name like /var/log/cloudera-scm-server/cmf7298331290349355677.keytab). After that point, I guess CDH copies the keytab into its DB, because the keytab in /var/log/cloudera-scm-server disappears (or else it must copy the password into the db in order to generate another keytab next time). However, when I get to the "Generate Credentials" step where it should use your keytab retrieval script, it fails with messages like
2017-08-11 17:27:51,069 ERROR CommandPusher:com.cloudera.cmf.command.CommandHelpers: GenerateCredentials - Execution error:
java.io.IOException: Encountered error with /opt/cloudera/kerberos/script.sh: Cannot access generated keytab file /var/run/cloudera-scm-server/cmf8688016314221592986.keytab
My best guess is CDH pulls the keytab or password out of its db that it saved in the previous step, uses this to create a randomized name for the keytab in /var/run/cloudera-scm-server and then uses that keytab with the keytab retrieval script. I'm using the password-based kinit in your script, so we wouldn't even need a keytab, but of course, CDH doesn't know that, so it's dying at this point where it doesn't have a keytab.
I'm using FreeIPA 4.4.0 and CDH 5.10.0. Did you experience this problem? Ever tried CDH 5.10?