Summary of errors when integrating Ambari with Kerberos

                                       Author: Yin Zhengjie

Copyright notice: original work, reproduction is prohibited! Otherwise legal responsibility will be pursued.

1. Steps to locate the failing configuration

1>. Click "Test Kerberos Client" and open the corresponding log output

2>. Identify which machine reported the problem

3>. Open the error log for node101.yinzhengjie.org.cn

4>. Read the corresponding error message

2. Error occured during stack advisor command invocation: Cannot create /var/run/ambari-server/stack-recommendations

  Error analysis:

    According to the error message, the corresponding file or directory cannot be created.

  Solution:

     Since Ambari cannot create it, we create it by hand: log in to the server that reported the error and create it manually.

[root@node101 ~]# mkdir /var/run/ambari-server/stack-recommendations                #Create the directory named in the error log
[root@node101 ~]# 
[root@node101 ~]# chmod  777  /var/run/ambari-server/stack-recommendations -R           #Remember, this permission step is required! Otherwise you will run into strange problems: the server keeps creating subdirectories under the directory we just created.
[root@node101 ~]# 

3. STDERR: ipa: ERROR: The host 'node101.yinzhengjie.org.cn' does not exist to add a service to.

  Error analysis:

    The error message says the host "node101.yinzhengjie.org.cn" does not exist. At first I thought the KDC server was missing a local resolution entry for it in "/etc/hosts". After adding that entry and retrying this step, the problem was still not solved, so what was the cause? Thinking it over: since this is Kerberos configuration, doesn't that mean the Kerberos server must hold credentials for that host? I checked, and indeed it did not! The procedure is as follows (run on the Kerberos server):

[root@node100 ~]# klist 
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@YINZHENGJIE.COM

Valid starting       Expires              Service principal
12/12/2018 06:53:24  12/13/2018 06:53:22  krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node100 ~]# 
[root@node100 ~]# kadmin.local 
Authenticating as principal admin/admin@YINZHENGJIE.COM with password.
kadmin.local:  listprincs 
admin@YINZHENGJIE.COM
K/M@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin/node100.yinzhengjie.com@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kiprop/node100.yinzhengjie.com@YINZHENGJIE.COM
ldap/node100.yinzhengjie.com@YINZHENGJIE.COM
host/node100.yinzhengjie.com@YINZHENGJIE.COM
WELLKNOWN/ANONYMOUS@YINZHENGJIE.COM
dogtag/node100.yinzhengjie.com@YINZHENGJIE.COM
HTTP/node100.yinzhengjie.com@YINZHENGJIE.COM
DNS/node100.yinzhengjie.com@YINZHENGJIE.COM
ipa-dnskeysyncd/node100.yinzhengjie.com@YINZHENGJIE.COM
yinzhengjie-kerberos@YINZHENGJIE.COM
host/node103.yinzhengjie.org.cn@YINZHENGJIE.COM
host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM
kadmin.local:  

  Solution:

     Since the host is not there, we make it exist. The procedure:

[root@node102 ~]# ipa-client-install --domain=YINZHENGJIE.COM --server=node100.yinzhengjie.com --realm=YINZHENGJIE.COM --principal=admin@YINZHENGJIE.COM --enable-dns-updates    #Install the client program; the parameters are explained in detail below!
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes    #Note: enter yes here!
Client hostname: node102.yinzhengjie.org.cn
Realm: YINZHENGJIE.COM
DNS Domain: yinzhengjie.com
IPA Server: node100.yinzhengjie.com
BaseDN: dc=yinzhengjie,dc=com

Continue to configure the system with these values? [no]: yes    #Note: enter yes here!
Skipping synchronizing time with NTP server.
Password for admin@YINZHENGJIE.COM:   #Here you must enter the admin password, i.e. the one you set when installing IPA Server. Now you know why I stressed remembering it!
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=YINZHENGJIE.COM
    Issuer:      CN=Certificate Authority,O=YINZHENGJIE.COM
    Valid From:  2018-12-12 11:15:53
    Valid Until: 2038-12-12 11:15:53

Enrolled in IPA realm YINZHENGJIE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm YINZHENGJIE.COM
trying https://node100.yinzhengjie.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://node100.yinzhengjie.com/ipa/json'
trying https://node100.yinzhengjie.com/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://node100.yinzhengjie.com/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://node100.yinzhengjie.com/ipa/session/json'
Systemwide CA database updated.
Hostname (node102.yinzhengjie.org.cn) does not have A/AAAA record.
Failed to update DNS records.
Missing A/AAAA record(s) for host node102.yinzhengjie.org.cn: 172.30.1.102.
Missing reverse record(s) for address(es): 172.30.1.102.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://node100.yinzhengjie.com/ipa/session/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring yinzhengjie.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
You have new mail in /var/spool/mail/root
[root@node102 ~]#
[root@node100 ~]# kadmin.local 
Authenticating as principal admin/admin@YINZHENGJIE.COM with password.
kadmin.local:  listprincs               #All principals before the operation above, listed below
admin@YINZHENGJIE.COM
K/M@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin/node100.yinzhengjie.com@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kiprop/node100.yinzhengjie.com@YINZHENGJIE.COM
ldap/node100.yinzhengjie.com@YINZHENGJIE.COM
host/node100.yinzhengjie.com@YINZHENGJIE.COM
WELLKNOWN/ANONYMOUS@YINZHENGJIE.COM
dogtag/node100.yinzhengjie.com@YINZHENGJIE.COM
HTTP/node100.yinzhengjie.com@YINZHENGJIE.COM
DNS/node100.yinzhengjie.com@YINZHENGJIE.COM
ipa-dnskeysyncd/node100.yinzhengjie.com@YINZHENGJIE.COM
yinzhengjie-kerberos@YINZHENGJIE.COM
host/node103.yinzhengjie.org.cn@YINZHENGJIE.COM
host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM
kadmin.local:  
kadmin.local:  
kadmin.local:  listprincs             #After the operation above, the credential for node101.yinzhengjie.org.cn has appeared, as shown below:
admin@YINZHENGJIE.COM
K/M@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin/node100.yinzhengjie.com@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kiprop/node100.yinzhengjie.com@YINZHENGJIE.COM
ldap/node100.yinzhengjie.com@YINZHENGJIE.COM
host/node100.yinzhengjie.com@YINZHENGJIE.COM
WELLKNOWN/ANONYMOUS@YINZHENGJIE.COM
dogtag/node100.yinzhengjie.com@YINZHENGJIE.COM
HTTP/node100.yinzhengjie.com@YINZHENGJIE.COM
DNS/node100.yinzhengjie.com@YINZHENGJIE.COM
ipa-dnskeysyncd/node100.yinzhengjie.com@YINZHENGJIE.COM
yinzhengjie-kerberos@YINZHENGJIE.COM
host/node103.yinzhengjie.org.cn@YINZHENGJIE.COM
host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM
host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kadmin.local:  
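The check above is done by eye. As an added example (not the author's script, nor part of IPA or Ambari), here is a small Python pre-flight check that parses `listprincs` output and reports every cluster host with no `host/<fqdn>@REALM` principal. The sample output and realm are copied from the listing above (before node101 was enrolled); the three cluster hostnames are the nodes of this post.

```python
"""Pre-flight check: does the KDC hold a host principal for every node Ambari
will kerberize? Added example, not the post author's script."""
import re

# Constructed sample: the `listprincs` output from the post, taken before
# node101 was enrolled with ipa-client-install (prompt lines left in on purpose).
LISTPRINCS_OUTPUT = """\
kadmin.local:  listprincs
admin@YINZHENGJIE.COM
K/M@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin/node100.yinzhengjie.com@YINZHENGJIE.COM
host/node100.yinzhengjie.com@YINZHENGJIE.COM
HTTP/node100.yinzhengjie.com@YINZHENGJIE.COM
host/node103.yinzhengjie.org.cn@YINZHENGJIE.COM
host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM
kadmin.local:
"""

CLUSTER_HOSTS = ["node101.yinzhengjie.org.cn",
                 "node102.yinzhengjie.org.cn",
                 "node103.yinzhengjie.org.cn"]
REALM = "YINZHENGJIE.COM"

# primary[/instance]@REALM
_PRINCIPAL_RE = re.compile(
    r"^(?P<primary>[^/@\s]+)(?:/(?P<instance>[^@\s]+))?@(?P<realm>\S+)$")


def parse_principals(text):
    """Return (primary, instance, realm) tuples; prompt and blank lines are skipped."""
    result = []
    for line in text.splitlines():
        m = _PRINCIPAL_RE.match(line.strip())
        if m:
            result.append((m["primary"], m["instance"], m["realm"]))
    return result


def missing_host_principals(listprincs_text, hosts, realm):
    """Hosts (FQDNs) with no host/<fqdn>@<realm> principal. Hostnames are
    compared case-insensitively; the realm must match exactly."""
    present = {inst.lower()
               for prim, inst, rlm in parse_principals(listprincs_text)
               if prim == "host" and inst and rlm == realm}
    return [h for h in hosts if h.lower() not in present]


if __name__ == "__main__":
    for host in missing_host_principals(LISTPRINCS_OUTPUT, CLUSTER_HOSTS, REALM):
        print(f"{host}: no host principal in {REALM}; enroll it with ipa-client-install first")
```

Run against real output, feed it `kadmin.local -q listprincs` and the host list from Ambari; anything it reports will fail the "does not exist to add a service to" step until the host is enrolled.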

 

4. STDERR: ipa: ERROR: Host 'node101.yinzhengjie.org.cn' does not have corresponding DNS A/AAAA record

  Error analysis:

    As the message says, DNS has no matching record, so we need to create the corresponding zone files on the DNS server by hand. By default IPA has already set up a DNS server for us; we only need to edit the corresponding configuration files.

[root@node100 named]# cat /etc/named.conf
options {
        // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
        listen-on-v6 {any;};
        listen-on port 53 { any; };
        // Put files that named is allowed to write in the data/ directory:
        directory "/var/named"; // the default
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";

        // Any host is permitted to issue recursive queries
        #allow-recursion { any; };
        allow-query     { any; };

        tkey-gssapi-keytab "/etc/named.keytab";
        pid-file "/run/named/named.pid";

        dnssec-enable yes;
        dnssec-validation no;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

/* If you want to enable debugging, eg. using the 'rndc trace' command,
 * By default, SELinux policy does not allow named to modify the /var/named directory,
 * so put the default debug log file in data/ :
 */
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
                print-time yes;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

/* WARNING: This part of the config file is IPA-managed.
 * Modifications may break IPA setup or upgrades.
 */
dyndb "ipa" "/usr/lib64/bind/ldap.so" {
        uri "ldapi://%2fvar%2frun%2fslapd-YINZHENGJIE-COM.socket";
        base "cn=dns, dc=yinzhengjie,dc=com";
        server_id "node100.yinzhengjie.com";
        auth_method "sasl";
        sasl_mech "GSSAPI";
        sasl_user "DNS/node100.yinzhengjie.com";
};
/* End of IPA-managed part. */
[root@node100 named]# 

  Solution:

    Now that we know where the problem lies, the "/etc/named.conf" above clearly shows an included configuration file named "/etc/named.rfc1912.zones". We need to edit it to declare the zones and their zone files.

[root@node100 named]# cat /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package 
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
// 
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};


zone "yinzhengjie.org.cn" IN {
        type master;
        file "yinzhengjie.org.cn.zone";
};


zone "1.30.172.in-addr.arpa" IN {
        type master;
        file "172.30.1.zone";
};
[root@node100 named]#

    After editing the configuration above, we need to create the two zone files "yinzhengjie.org.cn.zone" and "172.30.1.zone" in "/var/named" (the default directory for DNS zone files). Their contents are as follows:

[root@node100 named]# cat 172.30.1.zone 
$TTL 1D
@       IN SOA  @ node100.yinzhengjie.org.cn (
                                        20181201; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
        AAAA    ::1
101     IN      PTR     node101.yinzhengjie.org.cn.
102     IN      PTR     node102.yinzhengjie.org.cn.
103     IN      PTR     node103.yinzhengjie.org.cn.
[root@node100 named]# 
[root@node100 named]# cat yinzhengjie.org.cn.zone 
$TTL 1D
@       IN SOA  @ yinzhengjie.org.cn. (
                                        20181201; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns.yinzhengjie.org.cn.
ns IN      A       172.30.1.100
node101 IN      A       172.30.1.101
node102 IN      A       172.30.1.102
node103 IN      A       172.30.1.103
[root@node100 named]# 

    Besides editing the files by hand, we can also edit the DNS reverse records in the IPA Server web UI, as shown in the figure below:
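The forward and reverse zones have to agree, and ipa-client-install complains about both a missing A record and a missing PTR record (see the "Missing A/AAAA record(s)" and "Missing reverse record(s)" lines in section 3). As an added example that is not part of the post or of the IPA tooling, the Python below parses the two zone files above and reports A records with no PTR, PTRs that point at a different name, and PTRs with no A record. Run on the post's own files it finds that `ns` (172.30.1.100) has no reverse entry, something the listings above do not call out. The parser assumes the one-record-per-line layout used in these files.

```python
"""Consistency check between a forward zone and its in-addr.arpa zone.
Added example; not part of the post or of the IPA tooling."""

FORWARD_ZONE = "yinzhengjie.org.cn"
REVERSE_ZONE = "1.30.172.in-addr.arpa"

# Constructed copies of the two zone files listed in the post.
FORWARD_ZONE_TEXT = """\
$TTL 1D
@       IN SOA  @ yinzhengjie.org.cn. (
                                        20181201; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns.yinzhengjie.org.cn.
ns IN      A       172.30.1.100
node101 IN      A       172.30.1.101
node102 IN      A       172.30.1.102
node103 IN      A       172.30.1.103
"""

REVERSE_ZONE_TEXT = """\
$TTL 1D
@       IN SOA  @ node100.yinzhengjie.org.cn (
                                        20181201; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
        AAAA    ::1
101     IN      PTR     node101.yinzhengjie.org.cn.
102     IN      PTR     node102.yinzhengjie.org.cn.
103     IN      PTR     node103.yinzhengjie.org.cn.
"""


def _records(zone_text, rtype):
    """Yield (owner, rdata) for each record of type `rtype`, one record per line
    as in the files above. A line starting with whitespace inherits the previous
    owner name; '$' directives and ';' comments are skipped."""
    owner = "@"
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line or line.startswith("$"):
            continue
        tokens = line.split()
        if not line[0].isspace():
            owner = tokens[0]
        if rtype in tokens:
            i = tokens.index(rtype)
            if i + 1 < len(tokens):
                yield owner, tokens[i + 1]


def fqdn(owner, zone):
    """Absolute name (with trailing dot) for an owner as written in a zone file."""
    if owner == "@":
        return zone + "."
    return owner if owner.endswith(".") else f"{owner}.{zone}."


def reverse_prefix(rev_zone):
    """'1.30.172.in-addr.arpa' -> '172.30.1.'"""
    labels = rev_zone[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(labels)) + "."


def check_forward_reverse(fwd_text, fwd_zone, rev_text, rev_zone):
    """Compare A records against PTR records and return three lists of findings.
    A records outside the reverse zone's prefix (e.g. 127.0.0.1) are ignored."""
    prefix = reverse_prefix(rev_zone)
    ptr_by_ip = {prefix + owner: target for owner, target in _records(rev_text, "PTR")}
    a_by_ip = {ip: fqdn(owner, fwd_zone)
               for owner, ip in _records(fwd_text, "A") if ip.startswith(prefix)}
    findings = {"missing_ptr": [], "ptr_mismatch": [], "orphan_ptr": []}
    for ip, name in a_by_ip.items():
        target = ptr_by_ip.get(ip)
        if target is None:
            findings["missing_ptr"].append((name, ip))
        elif target.lower() != name.lower():
            findings["ptr_mismatch"].append((name, ip, target))
    for ip, target in ptr_by_ip.items():
        if ip not in a_by_ip:
            findings["orphan_ptr"].append((target, ip))
    return findings


if __name__ == "__main__":
    result = check_forward_reverse(FORWARD_ZONE_TEXT, FORWARD_ZONE,
                                   REVERSE_ZONE_TEXT, REVERSE_ZONE)
    for kind, items in result.items():
        for item in items:
            print(kind, *item)
```

The check is deliberately strict about the trailing dot: a PTR target written without it would be relative to the in-addr.arpa zone and show up here as a mismatch, which is the same record BIND would serve wrongly.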

 

 

5. STDERR: ipa: ERROR: All nameservers failed to answer the query node101.yinzhengjie.org.cn. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL

   Error analysis:

    As the error in the screenshot says, resolving "node101.yinzhengjie.org.cn" failed.

  Solution:

    At this point we need to log in to the IPA Server web UI and check whether the DNS records have been updated; if not, click to refresh them manually. After the refresh, the records from that error in step five will all be synchronised, as shown below:

6. ERROR: service with name "HTTP/node101.yinzhengjie.org.cn@YINZHENGJIE.COM" already exists

  Error analysis:

       The error message says the credential already exists.

  Solution:

       There are two ways to fix this: delete the corresponding credential on the KDC server, or re-enable Kerberos to restore the initial configuration.

7. ipa: ERROR: invalid 'login': can be at most 32 characters

  Error analysis:

    This happens because, while creating the credential, the server found that the user name string exceeds 32 characters.

  Solution:

    During deployment, before reaching the step that raises this error, check whether the configured name length exceeds the limit. I hit this problem before, so I deliberately changed the following parameters during configuration.

8. sudo: sorry, you must have a tty to run sudo

  Error analysis:

     Anyone doing ops will recognise this error at a glance: sudo requires a tty terminal by default. Comment out that setting and commands can run in the background.

  Solution:

     Edit the "/etc/sudoers" file as shown below:

[root@node101 ~]# grep "#Defaults" /etc/sudoers
#Defaults    requiretty        #Edit the file above and comment out this line.
[root@node101 ~]# 
[root@node101 ~]# 
[root@node101 ~]# xrsync.sh /etc/sudoers       
=========== node102.yinzhengjie.org.cn : /etc/sudoers ===========
命令执行成功
=========== node103.yinzhengjie.org.cn : /etc/sudoers ===========
命令执行成功
[root@node101 ~]# 

 

9. sudo: no tty present and no askpass program specified

   Error analysis:

    This is because the account has not been granted passwordless sudo. So you need to work out which user the deployment platform runs as; by default it is ambari. Confirming it is easy: remember that we access Ambari on port 8080? Find the owner of the process bound to 8080 and you know the account, as shown below:

[root@node101 ~]# netstat -untalp | grep 8080 
tcp6       0      0 :::8080                 :::*                    LISTEN      4343/java           
tcp6       0      0 172.30.1.101:8080       172.30.1.2:54966        ESTABLISHED 4343/java           
tcp6       0      0 172.30.1.101:8080       172.30.1.2:54979        ESTABLISHED 4343/java           
[root@node101 ~]# 
[root@node101 ~]# 
[root@node101 ~]# ps -ef | grep 4343
ambari    4343     1  3 Dec17 ?        01:03:55 /yinzhengjie/softwares/jdk/bin/java -server -XX:NewRatio=3 -XX:+UseConcMarkSweepGC -XX:-UseGCOverheadLimit -XX:CMSInitiatingOccupancyFraction=60 -XX:+CMSClassUnloadingEnabled -Dsun.zip.disableMemoryMapping=true -Xms512m -Xmx2048m -XX:MaxPermSize=128m -Djava.security.auth.login.config=/etc/ambari-server/conf/krb5JAASLogin.conf -Djava.security.krb5.conf=/etc/krb5.conf -Djavax.security.auth.useSubjectCredsOnly=false -cp /etc/ambari-server/conf:/usr/lib/ambari-server/*:/usr/share/java/mysql-connector-java.jar org.apache.ambari.server.controller.AmbariServer
root     21376 19024  0 13:40 pts/3    00:00:00 grep --color=auto 4343
[root@node101 ~]# 

  Solution:

    Now that we know which user it is, let's fix it: we again need to edit the "/etc/sudoers" configuration file.

[root@node101 ~]# hostname
node101.yinzhengjie.org.cn
[root@node101 ~]# 
[root@node101 ~]# grep  "#Defaults" /etc/sudoers
#Defaults    requiretty
[root@node101 ~]# 
[root@node101 ~]# 
[root@node101 ~]# grep  ambari /etc/sudoers
ambari  ALL=NOPASSWD:ALL
[root@node101 ~]# 
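Sections 8 and 9 both come down to two lines in /etc/sudoers, so they share one added example (not the author's script). The Python below checks a sudoers file the way a pre-deployment audit would: whether `requiretty` is still in effect, and whether the given user holds `NOPASSWD:ALL` on all hosts. The two sample files are constructed from the lines shown above, once before and once after the fix; per-user `Defaults:user` entries, `#include` directives and alias expansion are deliberately out of scope.

```python
"""Audit /etc/sudoers for the two settings behind the sudo errors in sections 8 and 9.
Added example; not the post author's script."""
import re

# Constructed samples modelled on the lines the post shows before and after the fix.
SUDOERS_BROKEN = """\
## Allow root to run any commands anywhere
Defaults    requiretty
Defaults    !visiblepw
root    ALL=(ALL)       ALL
ambari  ALL=(ALL)       ALL
"""

SUDOERS_FIXED = """\
Defaults    !visiblepw
#Defaults    requiretty
root    ALL=(ALL)       ALL
ambari  ALL=NOPASSWD:ALL
"""

# Tags that may prefix a command in a Cmnd_Spec (sudoers(5)); they stay in effect
# across the comma-separated command list until another tag changes them.
_TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
         "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}
_DEFAULTS_RE = re.compile(r"^Defaults\s+(.+)$")          # global Defaults only
_USER_SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\([^)]*\)\s*)?(.+)$")


def _effective_lines(text):
    """Yield non-empty lines with '#' comments stripped. '#include' and
    '#includedir' directives are treated as comments here (out of scope)."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def requiretty_enabled(text):
    """True if a global 'Defaults requiretty' is in effect, the cause of
    'sorry, you must have a tty to run sudo'. A later '!requiretty' wins."""
    enabled = False
    for line in _effective_lines(text):
        m = _DEFAULTS_RE.match(line)
        if not m:
            continue
        for opt in (o.strip() for o in m.group(1).split(",")):
            if opt == "requiretty":
                enabled = True
            elif opt == "!requiretty":
                enabled = False
    return enabled


def user_has_nopasswd_all(text, user):
    """True if `user` may run ALL commands on ALL hosts without a password, which
    is what an agent without a tty needs to avoid 'no tty present and no askpass
    program specified'. User_Alias/Cmnd_Alias names are not expanded."""
    for line in _effective_lines(text):
        m = _USER_SPEC_RE.match(line)
        if not m or m.group(1) != user or m.group(2) != "ALL":
            continue
        nopasswd = False
        for cmd in m.group(3).split(","):
            cmd = cmd.strip()
            while ":" in cmd and cmd.split(":", 1)[0].strip() in _TAGS:
                tag, cmd = (s.strip() for s in cmd.split(":", 1))
                if tag == "NOPASSWD":
                    nopasswd = True
                elif tag == "PASSWD":
                    nopasswd = False
            if cmd == "ALL" and nopasswd:
                return True
    return False


def diagnose(text, user="ambari"):
    """Return the list of problems an Ambari agent running as `user` would hit."""
    problems = []
    if requiretty_enabled(text):
        problems.append("Defaults requiretty is active: comment it out")
    if not user_has_nopasswd_all(text, user):
        problems.append(f"{user} has no NOPASSWD:ALL entry")
    return problems


if __name__ == "__main__":
    for name, content in (("broken", SUDOERS_BROKEN), ("fixed", SUDOERS_FIXED)):
        print(name, diagnose(content) or ["ok"])
```

The check only reports whether the grant the post makes is present; whether `ALL` is wider than the agent actually needs is a separate review question, and the tag handling is there so a mixed list such as `NOPASSWD:/bin/ls, PASSWD:ALL` is not mistaken for a passwordless `ALL`.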
[root@node101 ~]# 