Ambari Kerberos Integration Error Roundup

Author: 尹正傑 (Yin Zhengjie)

Copyright notice: original work, reproduction prohibited; violators will be held legally responsible.

1. Steps to locate the failing configuration

1>. Click "Test Kerberos Client" and open the corresponding log output.

2>. Work out which host the failure is on.

3>. Open the error log for node101.yinzhengjie.org.cn.

4>. Read the specific error message. (The screenshots of these steps are not reproduced here; the sections below quote the messages themselves.)

2. Error occured during stack advisor command invocation: Cannot create /var/run/ambari-server/stack-recommendations

  Analysis:

    The message says Ambari Server could not create the file or directory it needs. The stack advisor writes its recommendation files under /var/run/ambari-server, and on a systemd host /var/run is a tmpfs that is emptied at boot, so the directory can be missing even though an earlier run worked.

  Fix:

    Since the server cannot create it, create it by hand: log in to the server that reported the error and run:

[root@node101 ~]# mkdir /var/run/ambari-server/stack-recommendations                # create the directory named in the error log
[root@node101 ~]# 
[root@node101 ~]# chmod  777  /var/run/ambari-server/stack-recommendations -R           # the author stresses that this permission step is required; without it the server keeps creating subdirectories under the directory you just created
[root@node101 ~]# 

    A caveat on that chmod: mode 777 makes the directory world-writable, so any local account can drop or replace files that Ambari Server later reads back as recommendations. The tighter fix is to hand the directory to the account Ambari Server runs as (ambari on this cluster, as section 9 shows) and keep the mode at 750: chown ambari:ambari /var/run/ambari-server/stack-recommendations; chmod 750 /var/run/ambari-server/stack-recommendations. The "keeps creating subdirectories" symptom is consistent with the server's user being unable to write to a root-owned directory; once the owner matches, no relaxation of the mode is needed. Because the directory lives on tmpfs it has to be recreated after every reboot, which is a job for a tmpfiles.d entry or the ambari-server start script rather than another manual mkdir.

 

 

 

 

3. STDERR: ipa: ERROR: The host 'node101.yinzhengjie.org.cn' does not exist to add a service to.

  Analysis:

    The message is about whether "node101.yinzhengjie.org.cn" exists at all. At first I assumed the KDC server was missing a local resolution entry for it in "/etc/hosts". After adding the entry and repeating the step, the problem was still there, so what was it? Thinking again: this is Kerberos configuration, so does the Kerberos server have to hold credentials for that host already? I checked, and sure enough it did not. What IPA is actually complaining about is its host inventory: a service principal such as HTTP/node101.yinzhengjie.org.cn can only be attached to a host entry that has been enrolled, and there is no host/node101.yinzhengjie.org.cn principal yet. The check is done on the Kerberos server:

[root@node100 ~]# klist 
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@YINZHENGJIE.COM

Valid starting       Expires              Service principal
12/12/2018 06:53:24  12/13/2018 06:53:22  krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node100 ~]# 
[root@node100 ~]# kadmin.local 
Authenticating as principal admin/admin@YINZHENGJIE.COM with password.
kadmin.local:  listprincs 
admin@YINZHENGJIE.COM
K/M@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin/node100.yinzhengjie.com@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kiprop/node100.yinzhengjie.com@YINZHENGJIE.COM
ldap/node100.yinzhengjie.com@YINZHENGJIE.COM
host/node100.yinzhengjie.com@YINZHENGJIE.COM
WELLKNOWN/ANONYMOUS@YINZHENGJIE.COM
dogtag/node100.yinzhengjie.com@YINZHENGJIE.COM
HTTP/node100.yinzhengjie.com@YINZHENGJIE.COM
DNS/node100.yinzhengjie.com@YINZHENGJIE.COM
ipa-dnskeysyncd/node100.yinzhengjie.com@YINZHENGJIE.COM
yinzhengjie-kerberos@YINZHENGJIE.COM
host/node103.yinzhengjie.org.cn@YINZHENGJIE.COM
host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM
kadmin.local:  

  Fix:

    Since the host is not there, enrol it so that it is. The transcript below was captured on node102 (the prompt and the "Client hostname" line show it); the same command has to be run on node101, the host IPA reported missing, which is what the principal listing after the fix confirms. The parameters: --domain and --realm name the IPA DNS domain and Kerberos realm, --server is the IPA server to enrol against, --principal is the admin account that authorises the enrolment (its password is prompted for), and --enable-dns-updates asks the client to register its own A and PTR records in IPA DNS. Two things worth knowing before running it: the NTP warning at the top is harmless here because chronyd is already keeping time (Kerberos rejects tickets when clocks differ by more than the default clock skew of five minutes, so some time source must run on every node), and the admin password does not have to be typed on every node: ipa host-add <fqdn> --random on the server yields a one-time password that ipa-client-install --password accepts in place of --principal, so the admin credential never reaches the cluster nodes.

[root@node102 ~]# ipa-client-install --domain=YINZHENGJIE.COM --server=node100.yinzhengjie.com --realm=YINZHENGJIE.COM --principal=admin@YINZHENGJIE.COM --enable-dns-updates    # enrol this host in IPA; the parameters are explained above
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes    # note: answer yes here
Client hostname: node102.yinzhengjie.org.cn
Realm: YINZHENGJIE.COM
DNS Domain: yinzhengjie.com
IPA Server: node100.yinzhengjie.com
BaseDN: dc=yinzhengjie,dc=com

Continue to configure the system with these values? [no]: yes    # note: answer yes here
Skipping synchronizing time with NTP server.
Password for admin@YINZHENGJIE.COM:   # this is where you enter the admin password, the one you set when installing IPA Server; now you know why I stressed remembering it!
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=YINZHENGJIE.COM
    Issuer:      CN=Certificate Authority,O=YINZHENGJIE.COM
    Valid From:  2018-12-12 11:15:53
    Valid Until: 2038-12-12 11:15:53

Enrolled in IPA realm YINZHENGJIE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm YINZHENGJIE.COM
trying https://node100.yinzhengjie.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://node100.yinzhengjie.com/ipa/json'
trying https://node100.yinzhengjie.com/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://node100.yinzhengjie.com/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://node100.yinzhengjie.com/ipa/session/json'
Systemwide CA database updated.
Hostname (node102.yinzhengjie.org.cn) does not have A/AAAA record.
Failed to update DNS records.
Missing A/AAAA record(s) for host node102.yinzhengjie.org.cn: 172.30.1.102.
Missing reverse record(s) for address(es): 172.30.1.102.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://node100.yinzhengjie.com/ipa/session/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring yinzhengjie.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
You have new mail in /var/spool/mail/root
[root@node102 ~]#
    Note the lines in the output beginning "Hostname (node102.yinzhengjie.org.cn) does not have A/AAAA record": enrolment succeeded, but the DNS self-registration that --enable-dns-updates asked for did not, because nothing serves the yinzhengjie.org.cn zone yet. That is the next error, in section 4. Running listprincs on the KDC again after enrolling node101 shows the new host principal:

[root@node100 ~]# kadmin.local 
Authenticating as principal admin/admin@YINZHENGJIE.COM with password.
kadmin.local:  listprincs             # after enrolment, a principal for node101.yinzhengjie.org.cn has appeared:
admin@YINZHENGJIE.COM
K/M@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin/node100.yinzhengjie.com@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kiprop/node100.yinzhengjie.com@YINZHENGJIE.COM
ldap/node100.yinzhengjie.com@YINZHENGJIE.COM
host/node100.yinzhengjie.com@YINZHENGJIE.COM
WELLKNOWN/ANONYMOUS@YINZHENGJIE.COM
dogtag/node100.yinzhengjie.com@YINZHENGJIE.COM
HTTP/node100.yinzhengjie.com@YINZHENGJIE.COM
DNS/node100.yinzhengjie.com@YINZHENGJIE.COM
ipa-dnskeysyncd/node100.yinzhengjie.com@YINZHENGJIE.COM
yinzhengjie-kerberos@YINZHENGJIE.COM
host/node103.yinzhengjie.org.cn@YINZHENGJIE.COM
host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM
host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kadmin.local:  
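The listing above is the check to run for every cluster host before launching the Kerberos wizard, not just for the one host that failed. The following Python script is an added example, not code from the original post or from Ambari or FreeIPA: it parses kadmin.local listprincs output (the transcript above, embedded here as constructed input) and reports which cluster hosts still lack a host/<fqdn>@REALM principal. The host list, the realm and the case-mismatch reporting are assumptions made for the example.

```python
import re

# Constructed input: the kadmin.local "listprincs" output shown above, transcribed
# verbatim. Added example, not code from the original post.
LISTPRINCS_OUTPUT = """\
kadmin.local:  listprincs
admin@YINZHENGJIE.COM
K/M@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin/node100.yinzhengjie.com@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kiprop/node100.yinzhengjie.com@YINZHENGJIE.COM
ldap/node100.yinzhengjie.com@YINZHENGJIE.COM
host/node100.yinzhengjie.com@YINZHENGJIE.COM
WELLKNOWN/ANONYMOUS@YINZHENGJIE.COM
dogtag/node100.yinzhengjie.com@YINZHENGJIE.COM
HTTP/node100.yinzhengjie.com@YINZHENGJIE.COM
DNS/node100.yinzhengjie.com@YINZHENGJIE.COM
ipa-dnskeysyncd/node100.yinzhengjie.com@YINZHENGJIE.COM
yinzhengjie-kerberos@YINZHENGJIE.COM
host/node103.yinzhengjie.org.cn@YINZHENGJIE.COM
host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM
kadmin.local:
"""

REALM = "YINZHENGJIE.COM"
# Assumed cluster membership, taken from the host names used in the post.
CLUSTER_HOSTS = [
    "node101.yinzhengjie.org.cn",
    "node102.yinzhengjie.org.cn",
    "node103.yinzhengjie.org.cn",
]

# primary[/instance]@REALM on a line of its own; prompts and the "Authenticating as"
# banner contain spaces or a colon and therefore never match.
PRINCIPAL_RE = re.compile(
    r"^(?P<primary>[^/@\s:]+)(?:/(?P<instance>[^@\s]+))?@(?P<realm>\S+)$"
)


def parse_principals(text):
    """Return the set of (primary, instance, realm) tuples found in listprincs output."""
    found = set()
    for line in text.splitlines():
        m = PRINCIPAL_RE.match(line.strip())
        if m:
            found.add((m.group("primary"), m.group("instance"), m.group("realm")))
    return found


def missing_host_principals(text, hosts, realm):
    """Split `hosts` into those with no host/<fqdn>@realm principal at all and those
    whose principal differs only in letter case. Kerberos compares principal names
    byte for byte, so host/NODE101... does not satisfy a request for host/node101...;
    such entries are reported separately because the fix (re-enrol with the canonical
    lower-case FQDN) is different from a plain missing enrolment."""
    enrolled = {inst for prim, inst, r in parse_principals(text)
                if prim == "host" and r == realm and inst}
    by_folded = {inst.lower(): inst for inst in enrolled}
    missing, case_mismatch = [], {}
    for fqdn in hosts:
        if fqdn in enrolled:
            continue
        if fqdn.lower() in by_folded:
            case_mismatch[fqdn] = by_folded[fqdn.lower()]
        else:
            missing.append(fqdn)
    return missing, case_mismatch


if __name__ == "__main__":
    missing, mismatched = missing_host_principals(LISTPRINCS_OUTPUT, CLUSTER_HOSTS, REALM)
    for fqdn in missing:
        print(f"{fqdn}: not enrolled, run ipa-client-install on it before the Kerberos wizard")
    for fqdn, actual in mismatched.items():
        print(f"{fqdn}: enrolled as {actual}, principal case does not match")
```

On a live KDC the input would come from kadmin.local -q listprincs piped into the script; run against the transcript above it names node101.yinzhengjie.org.cn as the one host still to enrol.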

 

4. STDERR: ipa: ERROR: Host 'node101.yinzhengjie.org.cn' does not have corresponding DNS A/AAAA record

  Analysis:

    The message says DNS has no A (or AAAA) record for the host. IPA refuses to create a service principal for a host it cannot resolve, because the forward record is what ties the principal name to a machine. In this setup the DNS server is the BIND instance that IPA installed on node100, so the records have to be added there; the approach taken here is to declare the zones by hand in the named configuration, starting from /etc/named.conf:

[root@node100 named]# cat /etc/named.conf
options {
        // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
        listen-on-v6 {any;};
        listen-on port 53 { any; };
        // Put files that named is allowed to write in the data/ directory:
        directory "/var/named"; // the default
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";

        // Any host is permitted to issue recursive queries
        #allow-recursion { any; };
        allow-query     { any; };

        tkey-gssapi-keytab "/etc/named.keytab";
        pid-file "/run/named/named.pid";

        dnssec-enable yes;
        dnssec-validation no;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

/* If you want to enable debugging, eg. using the 'rndc trace' command,
 * By default, SELinux policy does not allow named to modify the /var/named directory,
 * so put the default debug log file in data/ :
 */
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
                print-time yes;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

/* WARNING: This part of the config file is IPA-managed.
 * Modifications may break IPA setup or upgrades.
 */
dyndb "ipa" "/usr/lib64/bind/ldap.so" {
        uri "ldapi://%2fvar%2frun%2fslapd-YINZHENGJIE-COM.socket";
        base "cn=dns, dc=yinzhengjie,dc=com";
        server_id "node100.yinzhengjie.com";
        auth_method "sasl";
        sasl_mech "GSSAPI";
        sasl_user "DNS/node100.yinzhengjie.com";
};
/* End of IPA-managed part. */
[root@node100 named]# 

  Fix:

    Now that the direction is clear: "/etc/named.conf" above includes a file called "/etc/named.rfc1912.zones". Edit it and declare the forward zone for yinzhengjie.org.cn and the reverse zone for 172.30.1.0/24, each pointing at its zone file:

[root@node100 named]# cat /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package 
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
// 
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};


zone "yinzhengjie.org.cn" IN {
        type master;
        file "yinzhengjie.org.cn.zone";
};


zone "1.30.172.in-addr.arpa" IN {
        type master;
        file "172.30.1.zone";
};
[root@node100 named]#

    After editing that file, the two zone files "yinzhengjie.org.cn.zone" and "172.30.1.zone" have to be created under "/var/named" (the default zone-file directory). Their contents:

[root@node100 named]# cat 172.30.1.zone 
$TTL 1D
; the RNAME (second SOA field) must end in a dot; without it BIND appends the zone
; origin and the name becomes node100.yinzhengjie.org.cn.1.30.172.in-addr.arpa.
@       IN SOA  @ node100.yinzhengjie.org.cn. (
                                        20181201; serial (increase on every edit or BIND keeps serving the old data)
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
; the apex NS/A/AAAA records below are left over from the named.loopback template
        NS      @
        A       127.0.0.1
        AAAA    ::1
101     IN      PTR     node101.yinzhengjie.org.cn.
102     IN      PTR     node102.yinzhengjie.org.cn.
103     IN      PTR     node103.yinzhengjie.org.cn.
[root@node100 named]# 
[root@node100 named]# cat yinzhengjie.org.cn.zone 
$TTL 1D
@       IN SOA  @ yinzhengjie.org.cn. (
                                        20181201; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns.yinzhengjie.org.cn.
ns IN      A       172.30.1.100
node101 IN      A       172.30.1.101
node102 IN      A       172.30.1.102
node103 IN      A       172.30.1.103
[root@node100 named]# 

    Besides editing the files by hand, the reverse records can also be created in the IPA Server web UI, as shown in the screenshot (not reproduced here).

    Two checks whenever these files change: bump the serial (named only reloads a zone whose serial grew) and validate before reloading, for example named-checkzone yinzhengjie.org.cn /var/named/yinzhengjie.org.cn.zone followed by rndc reload. Note also that zones declared in named.rfc1912.zones are static files outside IPA's LDAP-backed DNS, so the IPA web UI, ipa dnsrecord-add and the --enable-dns-updates option from section 3 only see zones that live in IPA; pick one place for each zone and keep it there. Creating the cluster zones inside IPA (ipa dnszone-add yinzhengjie.org.cn, ipa dnszone-add 1.30.172.in-addr.arpa, then ipa dnsrecord-add for each host) avoids the split entirely.
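The A/AAAA check IPA performs here, and the PTR check that the same wizard step depends on, can both be run offline against the zone files before named is reloaded. The following Python script is an added example, not code from the original post or from BIND/IPA: it parses the two zone files above (embedded as constructed input), qualifies owner names the way BIND does, and reports every cluster host whose A record has no matching PTR, or whose PTR points somewhere else. The parser handles only the record shapes present in these files; the cluster host list and origins are assumptions made for the example.

```python
import re

# Zone files as created under /var/named above, transcribed as constructed input for
# this added example (not code from the original post).
FORWARD_ZONE = """\
$TTL 1D
@       IN SOA  @ yinzhengjie.org.cn. (
                                        20181201; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns.yinzhengjie.org.cn.
ns IN      A       172.30.1.100
node101 IN      A       172.30.1.101
node102 IN      A       172.30.1.102
node103 IN      A       172.30.1.103
"""

REVERSE_ZONE = """\
$TTL 1D
@       IN SOA  @ node100.yinzhengjie.org.cn. (
                                        20181201; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
        AAAA    ::1
101     IN      PTR     node101.yinzhengjie.org.cn.
102     IN      PTR     node102.yinzhengjie.org.cn.
103     IN      PTR     node103.yinzhengjie.org.cn.
"""

FORWARD_ORIGIN = "yinzhengjie.org.cn"
REVERSE_ORIGIN = "1.30.172.in-addr.arpa"
# Assumed cluster membership, from the host names used in the post.
CLUSTER_HOSTS = ["node101.yinzhengjie.org.cn", "node102.yinzhengjie.org.cn", "node103.yinzhengjie.org.cn"]

# owner [ttl] [IN] TYPE rdata; only A and PTR matter here. $TTL, SOA, NS, AAAA and the
# SOA continuation lines fail the TYPE alternation and are skipped.
RECORD_RE = re.compile(
    r"^(?P<owner>\S*)\s+(?:\d+[smhdw]?\s+)?(?:IN\s+)?(?P<type>A|PTR)\s+(?P<rdata>\S+)",
    re.IGNORECASE,
)


def qualify(name, origin):
    """Expand a zone-file name to an FQDN without trailing dot. '@' is the origin; an
    empty owner repeats the previous owner, which in these files is always the apex, so
    it is treated as '@' (a simplification of RFC 1035 for this example)."""
    if name in ("", "@"):
        return origin
    if name.endswith("."):
        return name[:-1]
    return f"{name}.{origin}"


def parse_forward(text, origin):
    """fqdn -> set of IPv4 addresses from the A records of a forward zone."""
    addrs = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m and m.group("type").upper() == "A":
            addrs.setdefault(qualify(m.group("owner"), origin), set()).add(m.group("rdata"))
    return addrs


def reverse_name_to_ip(name):
    """'101.1.30.172.in-addr.arpa' -> '172.30.1.101'"""
    labels = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(labels))


def parse_reverse(text, origin):
    """ip -> fqdn from the PTR records of an in-addr.arpa zone. A PTR target written
    without a trailing dot is qualified with the reverse origin, exactly as BIND does,
    which is how a forgotten dot turns into a bogus name that check_hosts reports."""
    ptrs = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m and m.group("type").upper() == "PTR":
            ip = reverse_name_to_ip(qualify(m.group("owner"), origin))
            ptrs[ip] = qualify(m.group("rdata"), origin)
    return ptrs


def check_hosts(forward, reverse, hosts):
    """Problem strings; empty means every host has an A record whose PTR points back
    to it, and every PTR target has an A record for that address."""
    problems = []
    for fqdn in hosts:
        ips = forward.get(fqdn)
        if not ips:
            problems.append(f"{fqdn}: no A record")
            continue
        for ip in sorted(ips):
            target = reverse.get(ip)
            if target is None:
                problems.append(f"{fqdn}: no PTR record for {ip}")
            elif target != fqdn:
                problems.append(f"{fqdn}: PTR for {ip} points to {target}")
    for ip, target in sorted(reverse.items()):
        if ip not in forward.get(target, set()):
            problems.append(f"PTR {ip} -> {target}: no matching A record")
    return problems


def preflight(forward_zone=FORWARD_ZONE, reverse_zone=REVERSE_ZONE, hosts=CLUSTER_HOSTS):
    forward = parse_forward(forward_zone, FORWARD_ORIGIN)
    reverse = parse_reverse(reverse_zone, REVERSE_ORIGIN)
    return check_hosts(forward, reverse, hosts)


if __name__ == "__main__":
    for problem in preflight() or ["forward and reverse zones are consistent"]:
        print(problem)
```

Run against the files above it reports nothing; add a PTR whose target lacks the trailing dot and it reports both the wrong PTR target and the orphaned reverse entry, which is the mistake named-checkzone does not catch because the file is still syntactically valid.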

 

 

5. STDERR: ipa: ERROR: All nameservers failed to answer the query node101.yinzhengjie.org.cn. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL

  Analysis:

    As the message says, resolving "node101.yinzhengjie.org.cn" failed. The resolver being asked is 127.0.0.1, i.e. the BIND instance on the IPA server itself, and SERVFAIL (rather than NXDOMAIN) means the server knows about the zone but could not serve it; a common cause right after the edits in section 4 is a zone that failed to load (syntax error, unreadable file, or a serial that did not change).

  Fix:

    Log in to the IPA Server web UI and check whether the DNS records have been updated; if not, trigger the update by hand. After the update, the records that were missing at the time of this error are synchronised, as shown in the screenshot (not reproduced here). If the zone still answers SERVFAIL, read named's log (journalctl -u named-pkcs11 on an IPA server) and run named-checkzone on the file; the serial and the file ownership are the usual culprits.

 

 

 

6. ERROR: service with name "HTTP/node101.yinzhengjie.org.cn@YINZHENGJIE.COM" already exists

  Analysis:

    The message says the service principal already exists, typically left over from an earlier, partly completed run of the Kerberos wizard.

  Fix:

    There are two ways out: delete the principal on the KDC server, or disable Kerberos in Ambari and enable it again, restoring the initial configuration so the wizard recreates everything. On an IPA-managed KDC delete it with ipa service-del HTTP/node101.yinzhengjie.org.cn rather than through kadmin, since IPA keeps its principals in LDAP. Either way, any keytab already distributed for that service stops working the moment the principal is deleted and recreated (the key is regenerated), so let Ambari redistribute keytabs afterwards.

 

7. ipa: ERROR: invalid 'login': can be at most 32 characters

  Analysis:

    When creating the principal, the server found that the user name exceeds 32 characters. That is IPA's default maximum user-name length (the maxusername value shown by ipa config-show); Ambari derives headless user principals such as hdfs-<cluster name> from the cluster name, so a long cluster name pushes some of them past the limit.

  Fix:

    Before reaching this step of the deployment, check whether the configured names will exceed that length. I ran into this problem earlier, so during configuration I deliberately changed the following parameters (screenshot not reproduced here). The alternative is to raise the limit on the IPA side with ipa config-mod --maxusername=<n>.

 

 

8. sudo: sorry, you must have a tty to run sudo

  Analysis:

    Anyone doing operations work recognises this one at a glance: sudo requires a tty by default (the requiretty option), and Ambari runs its commands in the background without one. Commenting the option out lets sudo run without a terminal.

  Fix:

    Edit "/etc/sudoers" (use visudo, which checks the syntax before saving; a broken sudoers locks every account out of sudo):

[root@node101 ~]# grep "#Defaults" /etc/sudoers
#Defaults    requiretty        # comment out this line in the file
[root@node101 ~]# 
[root@node101 ~]# 
[root@node101 ~]# xrsync.sh /etc/sudoers       # the author's own wrapper script that copies the file to the other nodes
=========== node102.yinzhengjie.org.cn : /etc/sudoers ===========
Command executed successfully
=========== node103.yinzhengjie.org.cn : /etc/sudoers ===========
Command executed successfully
[root@node101 ~]# 

    Disabling requiretty globally relaxes it for every account on the host. The narrower change is to keep the default and exempt only the Ambari account with a per-user line: Defaults:ambari !requiretty.

 

9. sudo: no tty present and no askpass program specified

  Analysis:

    This one means sudo wanted to prompt for a password and had neither a terminal nor an askpass helper to do it with, i.e. the account running the commands does not have passwordless sudo. So you need to work out which user the platform is deployed as; by default it is ambari. Confirming it is easy: remember that Ambari is reached on port 8080? Find the owner of the process listening on 8080 and you have the account:

[root@node101 ~]# netstat -untalp | grep 8080 
tcp6       0      0 :::8080                 :::*                    LISTEN      4343/java           
tcp6       0      0 172.30.1.101:8080       172.30.1.2:54966        ESTABLISHED 4343/java           
tcp6       0      0 172.30.1.101:8080       172.30.1.2:54979        ESTABLISHED 4343/java           
[root@node101 ~]# 
[root@node101 ~]# 
[root@node101 ~]# ps -ef | grep 4343
ambari    4343     1  3 Dec17 ?        01:03:55 /yinzhengjie/softwares/jdk/bin/java -server -XX:NewRatio=3 -XX:+UseConcMarkSweepGC -XX:-UseGCOverheadLimit -XX:CMSInitiatingOccupancyFraction=60 -XX:+CMSClassUnloadingEnabled -Dsun.zip.disableMemoryMapping=true -Xms512m -Xmx2048m -XX:MaxPermSize=128m -Djava.security.auth.login.config=/etc/ambari-server/conf/krb5JAASLogin.conf -Djava.security.krb5.conf=/etc/krb5.conf -Djavax.security.auth.useSubjectCredsOnly=false -cp /etc/ambari-server/conf:/usr/lib/ambari-server/*:/usr/share/java/mysql-connector-java.jar org.apache.ambari.server.controller.AmbariServer
root     21376 19024  0 13:40 pts/3    00:00:00 grep --color=auto 4343
[root@node101 ~]# 

  Fix:

    Now that the user is known, fix the problem by editing "/etc/sudoers" again (with visudo):

[root@node101 ~]# hostname
node101.yinzhengjie.org.cn
[root@node101 ~]# 
[root@node101 ~]# grep  "#Defaults" /etc/sudoers
#Defaults    requiretty
[root@node101 ~]# 
[root@node101 ~]# 
[root@node101 ~]# grep  ambari /etc/sudoers
ambari  ALL=NOPASSWD:ALL
[root@node101 ~]# 
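The two sudoers changes in sections 8 and 9 both widen what the ambari account can do: dropping requiretty applies to every account, and ambari ALL=NOPASSWD:ALL is unrestricted root without a password for whoever controls that account or the Ambari Server process. The Ambari documentation for running Ambari Server as a non-root user lists the specific commands it needs, so the NOPASSWD rule can be limited to that list, and requiretty can stay in force with a per-user exemption. The following Python audit is an added example, not code from the original post or from the sudo project: it reads a sudoers text and reports whether requiretty is in force, which users are exempted from it, and which users hold NOPASSWD:ALL, run over three constructed sudoers excerpts (the command list in the third one is illustrative, not Ambari's documented set).

```python
import re

# Constructed /etc/sudoers excerpts matching the lines grep'd above. Added example,
# not code from the original post.
SUDOERS_ORIGINAL = """\
Defaults    requiretty
Defaults    env_reset
root    ALL=(ALL)       ALL
"""

# what sections 8 and 9 end up with: requiretty commented out, ambari given NOPASSWD:ALL
SUDOERS_POST = """\
#Defaults    requiretty
Defaults    env_reset
root    ALL=(ALL)       ALL
ambari  ALL=NOPASSWD:ALL
"""

# narrower variant: keep requiretty for everyone else, exempt only ambari, and list
# commands instead of ALL (this command list is illustrative, not Ambari's documented set)
SUDOERS_SCOPED = """\
Defaults    requiretty
Defaults:ambari !requiretty
Defaults    env_reset
root    ALL=(ALL)       ALL
ambari  ALL=(ALL) NOPASSWD: /usr/bin/yum, /bin/mkdir, /bin/chown
"""

# Defaults[:user|@host|!cmnd|>runas] option[, option ...]
DEFAULTS_RE = re.compile(r"^Defaults(?P<scope>[:@!>]\S+)?\s+(?P<opts>.+)$")
# user host=(runas) [TAG:] commands, on a single line (backslash continuation not handled)
USERSPEC_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
ALIAS_KEYWORDS = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def audit_sudoers(text):
    """Evaluate a sudoers text top to bottom (later Defaults override earlier ones) and
    report whether requiretty is in force globally, who is exempted from it, and who
    holds a NOPASSWD: ALL rule. #include/@include directives are skipped, not followed."""
    global_requiretty = False
    exempt = set()
    nopasswd_all = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "@include")):
            continue
        m = DEFAULTS_RE.match(line)
        if m:
            opts = [o.strip() for o in m.group("opts").split(",")]
            scope = m.group("scope")
            if scope is None:
                if "requiretty" in opts:
                    global_requiretty = True
                if "!requiretty" in opts:
                    global_requiretty = False
            elif scope.startswith(":") and "!requiretty" in opts:
                exempt.add(scope[1:])
            continue
        if line.startswith(ALIAS_KEYWORDS):
            continue
        u = USERSPEC_RE.match(line)
        if u and re.search(r"\bNOPASSWD:\s*ALL\b", u.group("cmds")):
            nopasswd_all.append(u.group("user"))
    return {"requiretty": global_requiretty, "exempt": exempt, "nopasswd_all": nopasswd_all}


def can_run_without_tty(report, user):
    """True if `user` would get past the 'you must have a tty' check."""
    return not report["requiretty"] or user in report["exempt"]


if __name__ == "__main__":
    for name, text in (("original", SUDOERS_ORIGINAL), ("post", SUDOERS_POST), ("scoped", SUDOERS_SCOPED)):
        report = audit_sudoers(text)
        print(f"{name}: requiretty={report['requiretty']} exempt={sorted(report['exempt'])} "
              f"nopasswd_all={report['nopasswd_all']} ambari_no_tty_ok={can_run_without_tty(report, 'ambari')}")
```

The scoped variant passes both checks for ambari while leaving requiretty in place for root and everyone else; the post's final configuration passes the tty check only because the restriction was removed for all users, and it is the only one of the three that reports a NOPASSWD:ALL holder.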
[root@node101 ~]# 