eubnara / dockerize-ambari

Let's run Ambari using docker compose. (feat. FreeIPA)

Failed to obtain a service ticket with krbtgt (SPNEGO access with curl fails) #16

Closed eubnara closed 5 months ago

eubnara commented 5 months ago
[hdfs@ambari-agent-2 keytabs]$ klist
Ticket cache: FILE:/tmp/krb5cc_1002
Default principal: hdfs-eub@EXAMPLE.COM

Valid starting       Expires              Service principal
04/13/2024 14:08:01  04/14/2024 14:08:01  krbtgt/EXAMPLE.COM@EXAMPLE.COM
[hdfs@ambari-agent-2 keytabs]$ KRB5_TRACE=/dev/stdout curl -iv -u : --negotiate 'http://ambari-agent-1.example.com:50070/webhdfs/v1/app-logs?op=GETFILESTATUS'
* About to connect() to ambari-agent-1.example.com port 50070 (#0)
*   Trying 172.27.0.5...
* Connected to ambari-agent-1.example.com (172.27.0.5) port 50070 (#0)
> GET /webhdfs/v1/app-logs?op=GETFILESTATUS HTTP/1.1
> User-Agent: curl/7.29.0
> Host: ambari-agent-1.example.com:50070
> Accept: */*
> 
< HTTP/1.1 401 Authentication required
HTTP/1.1 401 Authentication required
< Pragma: no-cache
Pragma: no-cache
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< X-FRAME-OPTIONS: SAMEORIGIN
X-FRAME-OPTIONS: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; mode=block
* gss_init_sec_context() failed: : Message stream modified
< WWW-Authenticate: Negotiate
WWW-Authenticate: Negotiate
< Set-Cookie: hadoop.auth=; Path=/; HttpOnly
Set-Cookie: hadoop.auth=; Path=/; HttpOnly
< Cache-Control: must-revalidate,no-cache,no-store
Cache-Control: must-revalidate,no-cache,no-store
< Content-Type: text/html;charset=iso-8859-1
Content-Type: text/html;charset=iso-8859-1
< Content-Length: 474
Content-Length: 474

< 
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 401 Authentication required</title>
</head>
<body><h2>HTTP ERROR 401 Authentication required</h2>
<table>
<tr><th>URI:</th><td>/webhdfs/v1/app-logs</td></tr>
<tr><th>STATUS:</th><td>401</td></tr>
<tr><th>MESSAGE:</th><td>Authentication required</td></tr>
<tr><th>SERVLET:</th><td>com.sun.jersey.spi.container.servlet.ServletContainer-34129c78</td></tr>
</table>

</body>
</html>
* Connection #0 to host ambari-agent-1.example.com left intact
* 
[hdfs@ambari-agent-2 keytabs]$ KRB5_TRACE=/dev/stdout kinit -R
kinit: Message stream modified while renewing credentials

eubnara commented 5 months ago

This seems to have happened because the procedure at https://github.com/eubnara/dockerize-ambari?tab=readme-ov-file#enable-kerberos was not followed properly.

eubnara commented 5 months ago

The apacheds container also needs the /etc/hosts setup.

eubnara commented 5 months ago

kinit -R failed because renew_lifetime had not been uncommented.

[libdefaults]
  renew_lifetime = 7d
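
A check for the renewal problem described in the last comment, added here as an example and not part of the original issue or the project. It reads a krb5.conf for an active `renew_lifetime` in `[libdefaults]` and looks for the `renew until` line that MIT `klist` prints for a renewable TGT. The function names and the sample krb5.conf contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original issue): check whether a TGT can be renewed.

# Print the active value of KEY in [libdefaults] of a krb5.conf read from stdin.
# Prints nothing when the key is missing or only present as a comment.
libdefaults_value() {
  awk -v key="$1" '
    /^[ \t]*[#;]/ { next }                       # skip comment lines
    /^[ \t]*\[/   { in_sec = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
    in_sec && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
      v = substr($0, index($0, "=") + 1);    gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) { print v; exit }
    }'
}

# Succeed if the klist output on stdin shows a "renew until" line for the TGT.
tgt_renewable() {
  awk '
    /krbtgt\// { after_tgt = 1; next }
    after_tgt && /renew until/ { ok = 1 }
    { after_tgt = 0 }
    END { exit (ok ? 0 : 1) }'
}

# Constructed samples: krb5.conf with the setting commented out, then enabled.
conf_commented() { printf '%s\n' '[libdefaults]' '  default_realm = EXAMPLE.COM' '#  renew_lifetime = 7d' '[realms]'; }
conf_enabled()   { printf '%s\n' '[libdefaults]' '  default_realm = EXAMPLE.COM' '  renew_lifetime = 7d' '[realms]'; }
# klist ticket lines as posted in the issue (no "renew until" line).
klist_issue() { printf '%s\n' 'Valid starting       Expires              Service principal' '04/13/2024 14:08:01  04/14/2024 14:08:01  krbtgt/EXAMPLE.COM@EXAMPLE.COM'; }
# Constructed klist output for a renewable TGT.
klist_renewable() { klist_issue; printf '\trenew until 04/20/2024 14:08:01\n'; }

for conf in conf_commented conf_enabled; do
  echo "$conf: renew_lifetime='$($conf | libdefaults_value renew_lifetime)'"
done
if klist_issue | tgt_renewable; then echo "TGT renewable"; else echo "TGT not renewable"; fi
```

On a real host the same functions take `libdefaults_value renew_lifetime < /etc/krb5.conf` and `klist | tgt_renewable`. A ticket issued before the setting was enabled stays non-renewable, so a fresh `kinit` is needed before `kinit -R` can work.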