2pk03 / freeipa Goto Github PK

Looks like a great script. I can execute it by hand and see it should do the trick. However, I'm curious to know the versions of Cloudera where you've used this successfully.

The problem I have on CDH 5.10 is that I can't even get to the point where I could use this script. During the Kerberos wizard step "Import Kerberos Account Manager Credentials," I input the FreeIPA admin user and password that I created for creating services, generating/retrieving keytabs, etc. CDH then uses a script at /usr/share/cmf/bin/import_credentials.sh to create a keytab for that user using ktutil. However, I've never been able to create a keytab with ktutil that works with FreeIPA. I can use FreeIPA's ipa-getkeytab to get a perfectly usable keytab for the user, but not ktutil. So CDH's import_credentials.sh always fails when doing a kinit with the ktutil-generated keytab, like

+ kinit -k -t /var/run/cloudera-scm-server/cmf2084617222939901509.keytab [email protected]
kinit: Password incorrect while getting initial credentials

I even rewrote the script at /usr/share/cmf/bin/import_credentials.sh to simply copy a keytab I've already retrieved via ipa-getkeytab from a location on disk to wherever CDH wants to put it (a generated file name like /var/log/cloudera-scm-server/cmf7298331290349355677.keytab). After that point, I guess CDH copes the keytab into its DB, because the keytab in /var/log/cloudera-scm-server disappears (or else it must copy the password into the db in order to generate another keytab next time). However, when I get to the "Generate Credentials" step where it should use your keytab retrieval script, it fails with messages like

2017-08-11 17:27:51,069 ERROR CommandPusher:com.cloudera.cmf.command.CommandHelpers: GenerateCredentials - Execution error:
java.io.IOException: Encountered error with /opt/cloudera/kerberos/script.sh: Cannot access generated keytab file /var/run/cloudera-scm-server/cmf8688016314221592986.keytab

My best guess is CDH pulls the keytab or password out of its db that it saved in the previous step, uses this to create a randomized name for the keytab in /var/run/cloudera-scm-server and then uses that keytab with the keytab retrieval script. I'm using the password-based kinit in your script, so we wouldn't even need a keytab, but of course, CDH doesn't know that, so it's dying at this point where it doesn't have a keytab.

I'm using FreeIPA 4.4.0 and CDH 5.10.0. Did you experience this problem? Ever tried CDH 5.10?