KaveIO / AmbariKave

A small extension of Ambari to support KAVE services installed into a cluster
http://kave.io

The createkeytabs script of the KAVE FreeIPA implementation fails #1

Closed capdaha closed 7 years ago

capdaha commented 7 years ago

The createkeytabs.py script run according to "KAVE: Kerberizing an HDP 2.4.KAVE cluster with FreeIPA" guide (https://www.youtube.com/watch?v=hL1yiMlgg0E) on HDP 2.5.3.0.KAVE on Azure fails with an error "IOError: file to copy must exist /etc/security/keytabs/spnego.service.keytabHTTP_amb-001.{realm}".

Directory /etc/security/keytabs/ is empty.

Log attached. error.txt

Steps to reproduce (from the guide):

  1. Enable Kerberos in Ambari, download csv file and copy to ambari node.
  2. Copy createkeytabs.py script from ipa node to ambari node.
  3. Log in to the ambari node as root.
  4. kinit admin
  5. Run ./createkeytabs.py kerberos.csv.

rwlambert commented 7 years ago

Hi capdaha,

Great that you're using KAVE. If I had to guess at this stage, it looks to me like the realm was not defined correctly in the kerberos parameters you are using when you are obtaining the kerberos.csv.

Examples of what the kerberos.csv should look like appear here:

https://github.com/KaveIO/AmbariKave/blob/master/tests/integration/kerberostest.csv

https://github.com/KaveIO/AmbariKave/blob/master/tests/service/kerberostest.csv

Could you give us the equivalent of what appears in your kerberos.csv? It should be very similar, and crucially not have anything like "{realm}" appearing. Is it possible that what is entered in your realm in kerberos configuration does not agree with the realm in the FreeIPA settings, or perhaps that it is left unset?

Probably we should add some protection in the createkeytabs.py script to prevent and/or notify you when there are unexpected special characters in the realm. To give you some peace of mind, in our automated test for this version we check that csv files which look like these work with this HDP and FreeIPA combination.

Best,

Rob
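
One way to implement the pre-flight check suggested in the reply above, as an added example (not code from AmbariKave or createkeytabs.py): it scans a kerberos.csv for unresolved template placeholders such as "{realm}" and for principals whose realm is malformed or differs from the expected one. The function name, the column layout and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re
import sys

# An unresolved template token such as {realm} or ${realm}.
PLACEHOLDER = re.compile(r"\$?\{[^{}]*\}")
# Conservative realm syntax: letters, digits, dots and hyphens only.
REALM_OK = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")

# Constructed sample input; hosts, realms and column layout are illustrative.
SAMPLE = """\
host,description,principal name,principal type,local username,keytab file path
amb-001.example.test,SPNEGO,HTTP/amb-001.example.test@EXAMPLE.TEST,SERVICE,,/etc/security/keytabs/spnego.service.keytab
amb-001.example.test,SPNEGO,HTTP/amb-001.example.test@{realm},SERVICE,,/etc/security/keytabs/spnego.service.keytab
amb-001.example.test,NameNode,nn/amb-001.example.test@OTHER.TEST,SERVICE,hdfs,/etc/security/keytabs/nn.service.keytab
amb-001.example.test,HDFS user,hdfs@,USER,hdfs,/etc/security/keytabs/hdfs.headless.keytab
"""


def check_kerberos_csv(text, expected_realm=None):
    """Return (line, column, kind, value) for every suspicious field.

    Assumption: any field containing '@' is a Kerberos principal, so the
    check does not depend on column order or header names.
    """
    findings = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for col, field in enumerate(row):
            field = field.strip()
            hit = PLACEHOLDER.search(field)
            if hit:
                # Covers principals and keytab paths alike.
                findings.append((lineno, col, "placeholder", hit.group(0)))
            elif "@" in field:
                realm = field.rsplit("@", 1)[1]
                if not REALM_OK.match(realm):
                    findings.append((lineno, col, "bad-realm", realm))
                elif expected_realm and realm != expected_realm:
                    # Realms are case-sensitive, so compare exactly.
                    findings.append((lineno, col, "realm-mismatch", realm))
    return findings


if __name__ == "__main__":
    problems = check_kerberos_csv(SAMPLE, expected_realm="EXAMPLE.TEST")
    for lineno, col, kind, value in problems:
        print("line %d, column %d: %s %r" % (lineno, col, kind, value))
    sys.exit(1 if problems else 0)
```

Running a check like this before any keytab is requested turns the late "file to copy must exist" failure into an early report that names the offending line.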