
CLDB doesn't start after kerberization

Question asked by dmarszal on May 13, 2016
Latest reply on Aug 25, 2016 by mufeed

I have a 3-node MapR cluster and configured a single service principal "mapr/mapr-node1.cluster.net@CLUSTER.NET":

/opt/mapr/server/configure.sh -K -P "mapr/mapr-node1.cluster.net@CLUSTER.NET" -C mapr-node1.cluster.net -Z mapr-node1.cluster.net, mapr-node2.cluster.net, mapr-node13.cluster.net -N mapr-cluster.cluster.net -secure -genkeys

 

Copied the files below to /opt/mapr/conf/:

/opt/mapr/conf/maprserverticket
/opt/mapr/conf/cldb.key
/opt/mapr/conf/ssl_keystore
/opt/mapr/conf/ssl_truststore

After that, I configured all remaining machines:

/opt/mapr/server/configure.sh -K -P "mapr/mapr-node1.cluster.net@CLUSTER.NET" -C mapr-node1.cluster.net -Z mapr-node1.cluster.net, mapr-node2.cluster.net, mapr-node3.cluster.net -N mapr-cluster.cluster.net -secure

 

mapr-clusters.conf:

mapr-cluster.cluster.net secure=true kerberosEnable=true cldbPrincipal=mapr/mapr-node1.cluster.net@CLUSTER.NET mapr-node1.cluster.net:7222

 

 

mapr.login.conf has the right entries, i.e.:

MAPR_SERVER_KERBEROS {
    com.sun.security.auth.module.Krb5LoginModule required
    refreshKrb5Config=true
    doNotPrompt=true
    useKeyTab=true
    storeKey=true
    keyTab="/opt/mapr/conf/mapr.keytab"
    isInitiator=false
    principal="mapr/mapr-node1.cluster.net@CLUSTER.NET";
};

MAPR_WEBSERVER_KERBEROS {
    com.sun.security.auth.module.Krb5LoginModule required
    refreshKrb5Config=true
    doNotPrompt=true
    useKeyTab=true
    storeKey=true
    keyTab="/opt/mapr/conf/mapr.keytab"
    isInitiator=false
    principal="mapr/mapr-node1.cluster.net@CLUSTER.NET";
};

Running java version "1.8.0_92" with JCE extensions.

 

After warder restart cldb starts, I get errors in cldb.log:

2016-05-13 18:12:57,4754 Unable to decrypt the ticket of type 1
2016-05-13 18:12:57,4754 Unable to decrypt server ticket from 144 using server key, ipAddress = 192.168.110.104 Err = 22
2016-05-13 18:12:57,6425 Unable to decrypt the ticket of type 0
2016-05-13 18:12:57,6425 Unable to decrypt server ticket from 144 using server key, ipAddress = 192.168.110.104 Err = 22

Anyone?
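
Added example, not part of the original post and not MapR code: a small Python check that the principal in a mapr.login.conf stanza agrees with cldbPrincipal in mapr-clusters.conf, the two places the post shows the same -P value ending up. The function names are hypothetical, the embedded text is copied from the post (one stanza, abridged), and the check says nothing about the contents of the keytab or the copied key files.

```python
import re

# Text copied from the post (one stanza, abridged to the options checked here).
JAAS = '''
MAPR_SERVER_KERBEROS {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/opt/mapr/conf/mapr.keytab"
    principal="mapr/mapr-node1.cluster.net@CLUSTER.NET";
};
'''
CLUSTERS = ('mapr-cluster.cluster.net secure=true kerberosEnable=true '
            'cldbPrincipal=mapr/mapr-node1.cluster.net@CLUSTER.NET '
            'mapr-node1.cluster.net:7222')

def parse_jaas(text):
    """Return {stanza: {option: value}} for every 'NAME { ... };' block."""
    stanzas = {}
    for name, body in re.findall(r'(\w+)\s*\{(.*?)\}\s*;', text, re.S):
        stanzas[name] = dict(re.findall(r'(\w+)\s*=\s*"?([^"\s;]+)"?', body))
    return stanzas

def parse_clusters(line):
    """Split a mapr-clusters.conf line into (name, options, cldb_hosts)."""
    name, *rest = line.split()
    opts = dict(t.split('=', 1) for t in rest if '=' in t)
    hosts = [t for t in rest if '=' not in t]
    return name, opts, hosts

def check(jaas_text, clusters_line):
    """Return a list of human-readable inconsistencies (empty if none)."""
    findings = []
    name, opts, hosts = parse_clusters(clusters_line)
    cldb_principal = opts.get('cldbPrincipal')
    if opts.get('kerberosEnable') == 'true' and not cldb_principal:
        findings.append(f'{name}: kerberosEnable=true but no cldbPrincipal')
    if not hosts:
        findings.append(f'{name}: no CLDB host:port entries')
    for stanza, o in parse_jaas(jaas_text).items():
        if o.get('useKeyTab') == 'true' and 'keyTab' not in o:
            findings.append(f'{stanza}: useKeyTab=true but no keyTab path')
        if 'principal' in o and o['principal'] != cldb_principal:
            findings.append(f"{stanza}: principal {o['principal']} != "
                            f"cldbPrincipal {cldb_principal}")
    return findings

if __name__ == '__main__':
    print(check(JAAS, CLUSTERS) or 'consistent')
```
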
