A summary of errors when integrating Ambari with Kerberos

                                       Author: Yin Zhengjie

Copyright notice: original work, reproduction prohibited! Violators will be held legally responsible.

1. How to find the configuration details behind an error

1>. Click Test Kerberos Client and read the log output

2>. Identify which host is failing

3>. Open the error log for node101.yinzhengjie.org.cn

4>. Read the corresponding error message

2. Error occured during stack advisor command invocation: Cannot create /var/run/ambari-server/stack-recommendations

  Error analysis:

    The message says the named file or directory cannot be created.

  Solution:

    If Ambari cannot create the directory itself, we create it by hand: log in to the failing server and create it there.

[root@node101 ~]# mkdir /var/run/ambari-server/stack-recommendations                #create the directory named in the error log
[root@node101 ~]#
[root@node101 ~]# chmod -R <mode> /var/run/ambari-server/stack-recommendations     #<mode> is a placeholder, the post does not show the mode; the directory must be writable by the user Ambari Server runs as (ambari, see section 9). Do not skip this permission step, or you hit a strange trap: Ambari keeps creating subdirectories under the directory we just made.
[root@node101 ~]#

3. STDERR: ipa: ERROR: The host 'node101.yinzhengjie.org.cn' does not exist to add a service to.

  Error analysis:

    The message says the host "node101.yinzhengjie.org.cn" does not exist. At first I assumed the KDC server was missing a local "/etc/hosts" entry for it. After adding the entry and retrying this installation step the problem was still there, so what was really going on? Thinking it over: since this is Kerberos configuration, the Kerberos server must surely hold a credential (a host principal) for that machine. I checked, and indeed there was none. The check is as follows (run on the Kerberos server):

[root@node100 ~]# klist
Ticket cache: KEYRING:persistent::
Default principal: admin@YINZHENGJIE.COM

Valid starting Expires Service principal
// :: // :: krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node100 ~]#
[root@node100 ~]# kadmin.local
Authenticating as principal admin/admin@YINZHENGJIE.COM with password.
kadmin.local: listprincs
admin@YINZHENGJIE.COM
K/M@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin/node100.yinzhengjie.com@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kiprop/node100.yinzhengjie.com@YINZHENGJIE.COM
ldap/node100.yinzhengjie.com@YINZHENGJIE.COM
host/node100.yinzhengjie.com@YINZHENGJIE.COM
WELLKNOWN/ANONYMOUS@YINZHENGJIE.COM
dogtag/node100.yinzhengjie.com@YINZHENGJIE.COM
HTTP/node100.yinzhengjie.com@YINZHENGJIE.COM
DNS/node100.yinzhengjie.com@YINZHENGJIE.COM
ipa-dnskeysyncd/node100.yinzhengjie.com@YINZHENGJIE.COM
yinzhengjie-kerberos@YINZHENGJIE.COM
host/node103.yinzhengjie.org.cn@YINZHENGJIE.COM
host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM
kadmin.local:

  Solution:

    Since the principal does not exist, we make it exist. Concretely:

[root@node102 ~]# ipa-client-install --domain=YINZHENGJIE.COM --server=node100.yinzhengjie.com --realm=YINZHENGJIE.COM --principal=admin@YINZHENGJIE.COM --enable-dns-updates    #enrol this host as an IPA client; the parameters are explained in detail below!
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes    #note: you must answer yes here!
Client hostname: node102.yinzhengjie.org.cn
Realm: YINZHENGJIE.COM
DNS Domain: yinzhengjie.com
IPA Server: node100.yinzhengjie.com
BaseDN: dc=yinzhengjie,dc=com
Continue to configure the system with these values? [no]: yes    #note: you must answer yes here!
Skipping synchronizing time with NTP server.
Password for admin@YINZHENGJIE.COM:   #everyone look here: this is where you enter the admin password, the one you set when installing IPA Server. Now you know why I stressed remembering it!
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=YINZHENGJIE.COM
Issuer: CN=Certificate Authority,O=YINZHENGJIE.COM
Valid From: -- ::
Valid Until: -- ::
Enrolled in IPA realm YINZHENGJIE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm YINZHENGJIE.COM
trying https://node100.yinzhengjie.com/ipa/json
[try ]: Forwarding 'schema' to json server 'https://node100.yinzhengjie.com/ipa/json'
trying https://node100.yinzhengjie.com/ipa/session/json
[try ]: Forwarding 'ping' to json server 'https://node100.yinzhengjie.com/ipa/session/json'
[try ]: Forwarding 'ca_is_enabled' to json server 'https://node100.yinzhengjie.com/ipa/session/json'
Systemwide CA database updated.
Hostname (node102.yinzhengjie.org.cn) does not have A/AAAA record.
Failed to update DNS records.
Missing A/AAAA record(s) for host node102.yinzhengjie.org.cn: 172.30.1.102.
Missing reverse record(s) for address(es): 172.30.1.102.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
[try ]: Forwarding 'host_mod' to json server 'https://node100.yinzhengjie.com/ipa/session/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring yinzhengjie.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
You have new mail in /var/spool/mail/root
[root@node102 ~]#


[root@node100 ~]# kadmin.local
Authenticating as principal admin/admin@YINZHENGJIE.COM with password.
kadmin.local: listprincs               #the full principal list before the operation above
admin@YINZHENGJIE.COM
K/M@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin/node100.yinzhengjie.com@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kiprop/node100.yinzhengjie.com@YINZHENGJIE.COM
ldap/node100.yinzhengjie.com@YINZHENGJIE.COM
host/node100.yinzhengjie.com@YINZHENGJIE.COM
WELLKNOWN/ANONYMOUS@YINZHENGJIE.COM
dogtag/node100.yinzhengjie.com@YINZHENGJIE.COM
HTTP/node100.yinzhengjie.com@YINZHENGJIE.COM
DNS/node100.yinzhengjie.com@YINZHENGJIE.COM
ipa-dnskeysyncd/node100.yinzhengjie.com@YINZHENGJIE.COM
yinzhengjie-kerberos@YINZHENGJIE.COM
host/node103.yinzhengjie.org.cn@YINZHENGJIE.COM
host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM
kadmin.local:
kadmin.local:
kadmin.local: listprincs             #after the operation above, the principal for node101.yinzhengjie.org.cn has appeared:
admin@YINZHENGJIE.COM
K/M@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin/node100.yinzhengjie.com@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kiprop/node100.yinzhengjie.com@YINZHENGJIE.COM
ldap/node100.yinzhengjie.com@YINZHENGJIE.COM
host/node100.yinzhengjie.com@YINZHENGJIE.COM
WELLKNOWN/ANONYMOUS@YINZHENGJIE.COM
dogtag/node100.yinzhengjie.com@YINZHENGJIE.COM
HTTP/node100.yinzhengjie.com@YINZHENGJIE.COM
DNS/node100.yinzhengjie.com@YINZHENGJIE.COM
ipa-dnskeysyncd/node100.yinzhengjie.com@YINZHENGJIE.COM
yinzhengjie-kerberos@YINZHENGJIE.COM
host/node103.yinzhengjie.org.cn@YINZHENGJIE.COM
host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM
host/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kadmin.local:

4. STDERR: ipa: ERROR: Host 'node101.yinzhengjie.org.cn' does not have corresponding DNS A/AAAA record

  Error analysis:

    The message says DNS holds no record for the host, so we have to create the corresponding zone on the DNS server by hand. IPA has already set up a DNS server for us; we only need to edit its configuration files. Note the mismatch visible in the client enrolment output above: the IPA-managed DNS domain is yinzhengjie.com, while the cluster hosts are named under yinzhengjie.org.cn, which is why the wizard finds no A/AAAA or reverse records for them and why a separate zone for yinzhengjie.org.cn is added below.

[root@node100 named]# cat /etc/named.conf
options {
    // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
    listen-on-v6 {any;};
    listen-on port 53 { any; };

    // Put files that named is allowed to write in the data/ directory:
    directory "/var/named"; // the default
    dump-file "data/cache_dump.db";
    statistics-file "data/named_stats.txt";
    memstatistics-file "data/named_mem_stats.txt";

    // Any host is permitted to issue recursive queries
    #allow-recursion { any; };
    allow-query { any; };

    tkey-gssapi-keytab "/etc/named.keytab";
    pid-file "/run/named/named.pid";

    dnssec-enable yes;
    dnssec-validation no;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";
};

/* If you want to enable debugging, eg. using the 'rndc trace' command,
 * By default, SELinux policy does not allow named to modify the /var/named directory,
 * so put the default debug log file in data/ :
 */
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
        print-time yes;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

/* WARNING: This part of the config file is IPA-managed.
 * Modifications may break IPA setup or upgrades.
 */
dyndb "ipa" "/usr/lib64/bind/ldap.so" {
    uri "ldapi://%2fvar%2frun%2fslapd-YINZHENGJIE-COM.socket";
    base "cn=dns, dc=yinzhengjie,dc=com";
    server_id "node100.yinzhengjie.com";
    auth_method "sasl";
    sasl_mech "GSSAPI";
    sasl_user "DNS/node100.yinzhengjie.com";
};
/* End of IPA-managed part. */
[root@node100 named]#


  Solution:

    Now that we know where the problem lies, the "/etc/named.conf" shown above makes it obvious that it includes a file called "/etc/named.rfc1912.zones". We edit that file to declare our zones and point them at their zone files.

[root@node100 named]# cat /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "localhost.localdomain" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};

zone "localhost" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};

zone "0.in-addr.arpa" IN {
    type master;
    file "named.empty";
    allow-update { none; };
};

zone "yinzhengjie.org.cn" IN {
    type master;
    file "yinzhengjie.org.cn.zone";
};

zone "1.30.172.in-addr.arpa" IN {
    type master;
    file "172.30.1.zone";
};
[root@node100 named]#


    After editing that configuration file, we still have to create the two zone files "yinzhengjie.org.cn.zone" and "172.30.1.zone" in "/var/named" (the default directory for DNS zone files). Their contents are as follows:

[root@node100 named]# cat 172.30.1.zone
$TTL 1D
@       IN SOA  @ node100.yinzhengjie.org.cn. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1       ; left over from the named.loopback template; harmless here
        AAAA    ::1             ; likewise
; reverse records: the owner is the last octet of the address in 1.30.172.in-addr.arpa
101     IN PTR  node101.yinzhengjie.org.cn.
102     IN PTR  node102.yinzhengjie.org.cn.
103     IN PTR  node103.yinzhengjie.org.cn.
[root@node100 named]#


[root@node100 named]# cat yinzhengjie.org.cn.zone
$TTL 1D
@       IN SOA  @ yinzhengjie.org.cn. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns.yinzhengjie.org.cn.
ns      IN A    172.30.1.100
node101 IN A    172.30.1.101
node102 IN A    172.30.1.102
node103 IN A    172.30.1.103
[root@node100 named]#


    Besides editing the files by hand, the reverse records can also be managed in the DNS section of the IPA Server web UI, as shown in the screenshot below:
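As an added example (not from the original post), the check below compares a forward zone with its reverse zone before the Kerberos wizard runs, so that the "does not have corresponding DNS A/AAAA record" and "Missing reverse record(s)" failures above are found up front. It assumes one record per line, relative owner names, no $ORIGIN or $INCLUDE directives, and a /24 reverse zone whose PTR owners are the last octet; the helper names zone_consistency and write_sample_zones are this example's own, and the two sample zone files are constructed copies of the ones shown above.

```shell
# Added example, not from the original post. Compares a BIND forward zone with
# its in-addr.arpa reverse zone: every A record needs a PTR that maps back to
# the same name, and every PTR needs a matching A record.
# Assumptions: one record per line, relative owner names, no $ORIGIN/$INCLUDE,
# a /24 reverse zone whose PTR owners are the last octet.

# zone_consistency FORWARD_FILE FORWARD_ORIGIN REVERSE_FILE IPV4_PREFIX
# Prints one line per problem; returns 0 when the two zones agree, else 1.
zone_consistency() {
    awk -v origin="$2" -v prefix="$4" '
        FNR == 1 { file++ }
        # forward zone: "<owner> IN A <ip>"  ->  a[ip] = fully qualified owner
        file == 1 && $2 == "IN" && $3 == "A" {
            name = $1
            if (name == "@") name = origin "."
            else if (name !~ /\.$/) name = name "." origin "."
            a[$4] = name
        }
        # reverse zone: "<last octet> IN PTR <fqdn.>"  ->  ptr[ip] = fqdn
        file == 2 && $2 == "IN" && $3 == "PTR" && $1 ~ /^[0-9]+$/ {
            ptr[prefix "." $1] = $4
        }
        END {
            bad = 0
            for (ip in a) {
                if (!(ip in ptr)) {
                    print "no PTR for " ip " (" a[ip] ")"; bad++
                } else if (ptr[ip] != a[ip]) {
                    print "PTR for " ip " is " ptr[ip] ", A record says " a[ip]; bad++
                }
            }
            for (ip in ptr) {
                if (!(ip in a)) { print "PTR " ip " -> " ptr[ip] " has no matching A record"; bad++ }
            }
            exit (bad > 0)
        }' "$1" "$3"
}

# write_sample_zones DIR: constructed copies of the two zone files above,
# written to DIR/forward.zone and DIR/reverse.zone (sample data, not live files).
write_sample_zones() {
    cat > "$1/forward.zone" <<'EOF'
$TTL 1D
@       IN SOA  @ yinzhengjie.org.cn. (
        0       ; serial
        1D      ; refresh
        1H      ; retry
        1W      ; expire
        3H )    ; minimum
        NS      ns.yinzhengjie.org.cn.
ns      IN A    172.30.1.100
node101 IN A    172.30.1.101
node102 IN A    172.30.1.102
node103 IN A    172.30.1.103
EOF
    cat > "$1/reverse.zone" <<'EOF'
$TTL 1D
@       IN SOA  @ node100.yinzhengjie.org.cn. (
        0       ; serial
        1D      ; refresh
        1H      ; retry
        1W      ; expire
        3H )    ; minimum
        NS      @
101     IN PTR  node101.yinzhengjie.org.cn.
102     IN PTR  node102.yinzhengjie.org.cn.
103     IN PTR  node103.yinzhengjie.org.cn.
EOF
}

# Demo: the sample reverse zone has no PTR for the name server's 172.30.1.100,
# so the check reports it and returns 1.
demo_dir=$(mktemp -d)
write_sample_zones "$demo_dir"
zone_consistency "$demo_dir/forward.zone" yinzhengjie.org.cn "$demo_dir/reverse.zone" 172.30.1 \
    || echo "zone files are inconsistent; fix them before re-running the Kerberos wizard"
rm -rf "$demo_dir"
```

Run it against /var/named/yinzhengjie.org.cn.zone and /var/named/172.30.1.zone after every edit, and follow it with named-checkzone (for example named-checkzone yinzhengjie.org.cn /var/named/yinzhengjie.org.cn.zone), which catches the syntax errors that stop a zone from loading and lead to the SERVFAIL answer discussed in the next section.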

5. STDERR: ipa: ERROR: All nameservers failed to answer the query node101.yinzhengjie.org.cn. IN A: Server 127.0.0.1 UDP port 53 answered SERVFAIL

   Error analysis:

    As the screenshot of the error shows, resolving "node101.yinzhengjie.org.cn" failed.

  Solution:

    Log in to the IPA Server web UI and check whether the DNS records have been updated; if they have not, trigger the update by hand. Once updated, the records that were failing in this fifth error are synchronised as well, as shown in the screenshot below:

6. ERROR: service with name "HTTP/node101.yinzhengjie.org.cn@YINZHENGJIE.COM" already exists

  Error analysis:

      The message says the principal already exists.

  Solution:

      There are two ways to fix this: either delete the corresponding principal on the KDC server, or re-enable Kerberos and restore the initial configuration.
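The two principal checks from sections 3 and 6, as an added example that is not part of the original post: it reads a saved listprincs listing (on the KDC, kadmin.local -q listprincs writes one principal per line) and reports, for a set of hosts, which host/ principals are missing and which service principals already exist. It assumes a single realm and one principal per line; the function names check_host_principals, existing_service_principals and write_sample_princs are this example's own, and the sample listing is constructed from the one shown above plus an HTTP/ principal for node101.

```shell
# Added example, not from the original post. Works on a saved "listprincs"
# listing (kadmin.local -q listprincs > princs.txt on the KDC) and reports
# hosts without a host/ principal (error 3) and service principals that already
# exist and would collide when the wizard re-creates them (error 6).
# Assumptions: one principal per line, a single realm for every host.

# check_host_principals PRINCS_FILE REALM HOST...
# Prints a line per host lacking host/HOST@REALM; returns 0 when none are missing.
check_host_principals() {
    princs="$1"; realm="$2"; shift 2
    missing=0
    for h in "$@"; do
        # -x: whole line, -F: literal match (principal names contain dots and slashes)
        if ! grep -qxF "host/$h@$realm" "$princs"; then
            echo "missing host principal host/$h@$realm: enrol $h with ipa-client-install"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# existing_service_principals PRINCS_FILE REALM SERVICE HOST...
# Prints every SERVICE/HOST@REALM already present; returns 0 when none exist.
existing_service_principals() {
    princs="$1"; realm="$2"; svc="$3"; shift 3
    found=0
    for h in "$@"; do
        if grep -qxF "$svc/$h@$realm" "$princs"; then
            echo "$svc/$h@$realm already exists: delete it on the KDC before re-running the wizard"
            found=$((found + 1))
        fi
    done
    [ "$found" -eq 0 ]
}

# write_sample_princs FILE: constructed listprincs output modelled on the listing
# above (node101 has no host/ principal but a stale HTTP/ principal).
write_sample_princs() {
    cat > "$1" <<'EOF'
admin@YINZHENGJIE.COM
K/M@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
host/node100.yinzhengjie.com@YINZHENGJIE.COM
host/node103.yinzhengjie.org.cn@YINZHENGJIE.COM
host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM
HTTP/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
EOF
}

# Demo over the constructed listing.
demo_file=$(mktemp)
write_sample_princs "$demo_file"
hosts="node101.yinzhengjie.org.cn node102.yinzhengjie.org.cn node103.yinzhengjie.org.cn"
check_host_principals "$demo_file" YINZHENGJIE.COM $hosts || echo "some hosts are not enrolled"
existing_service_principals "$demo_file" YINZHENGJIE.COM HTTP $hosts || echo "stale HTTP/ principals found"
rm -f "$demo_file"
```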

7. ipa: ERROR: invalid 'login': can be at most 32 characters

  Error analysis:

    While creating the principal, the server found that the user string exceeds 32 characters.

  Solution:

    Before reaching this step of the deployment, check whether the strings you configure would exceed this length. I ran into this problem before, so during configuration I deliberately changed the following parameters.

8. sudo: sorry, you must have a tty to run sudo

  Error analysis:

    Anyone doing ops will recognise this message at a glance: by default sudo requires a tty. Commenting out that setting lets sudo run in the background.

  Solution:

    Edit the "/etc/sudoers" file as follows:

[root@node101 ~]# grep "#Defaults" /etc/sudoers
#Defaults requiretty        #edit the file and comment out this line!
[root@node101 ~]#
[root@node101 ~]#
[root@node101 ~]# xrsync.sh /etc/sudoers
=========== node102.yinzhengjie.org.cn : /etc/sudoers ===========
命令执行成功
=========== node103.yinzhengjie.org.cn : /etc/sudoers ===========
命令执行成功
[root@node101 ~]#

9. sudo: no tty present and no askpass program specified

   Error analysis:

    This error means the account has not been granted password-less sudo. So you need to work out which user the deployment platform runs as; by default it is ambari. Confirming that is easy: remember that we reach Ambari on port 8080? Find the owner of the process listening on 8080 and you have the account:

[root@node101 ~]# netstat -untalp | grep 8080
tcp6 :::8080 :::* LISTEN 4343/java
tcp6 172.30.1.101: 172.30.1.2: ESTABLISHED /java
tcp6 172.30.1.101: 172.30.1.2: ESTABLISHED /java
[root@node101 ~]#
[root@node101 ~]#
[root@node101 ~]# ps -ef | grep 4343
ambari Dec17 ? :: /yinzhengjie/softwares/jdk/bin/java -server -XX:NewRatio= -XX:+UseConcMarkSweepGC -XX:-UseGCOverheadLimit -XX:CMSInitiatingOccupancyFraction= -XX:+CMSClassUnloadingEnabled -Dsun.zip.disableMemoryMapping=true -Xms512m -Xmx2048m -XX:MaxPermSize=128m -Djava.security.auth.login.config=/etc/ambari-server/conf/krb5JAASLogin.conf -Djava.security.krb5.conf=/etc/krb5.conf -Djavax.security.auth.useSubjectCredsOnly=false -cp /etc/ambari-server/conf:/usr/lib/ambari-server/*:/usr/share/java/mysql-connector-java.jar org.apache.ambari.server.controller.AmbariServer
root 21376 19024 0 13:40 pts/3 00:00:00 grep --color=auto 4343
[root@node101 ~]#

  Solution:

    Now that we know which user it is, we fix the problem: once again we edit the "/etc/sudoers" configuration file.

[root@node101 ~]# hostname
node101.yinzhengjie.org.cn
[root@node101 ~]#
[root@node101 ~]# grep "#Defaults" /etc/sudoers
#Defaults requiretty
[root@node101 ~]#
[root@node101 ~]#
[root@node101 ~]# grep ambari /etc/sudoers
ambari ALL=NOPASSWD:ALL
[root@node101 ~]#
[root@node101 ~]#
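Sections 8 and 9 come down to two conditions on the sudoers file, and the added example below (not from the original post) checks both on any file you point it at: requiretty must be off and the account Ambari runs as must have a NOPASSWD rule. It assumes the syntax shown above (a plain Defaults line and a per-user rule; %group rules and #include files are not followed), the function names sudoers_ready_for_ambari and write_sample_sudoers are this example's own, and the before/after sample files are constructed.

```shell
# Added example, not from the original post. Checks a sudoers file for the two
# conditions behind "you must have a tty to run sudo" and "no tty present and
# no askpass program specified": requiretty must be off and the Ambari account
# must have a NOPASSWD rule. Assumptions: plain "Defaults" lines and one
# per-user rule as shown above; %group rules and #include files are not followed.

# sudoers_ready_for_ambari FILE USER
# Prints one remediation line per failed condition; returns 0 only if both hold.
sudoers_ready_for_ambari() {
    f="$1"; u="$2"; problems=0
    # An active requiretty is an uncommented Defaults line where "requiretty" is
    # not negated: "Defaults !requiretty" and "#Defaults requiretty" do not match.
    if grep -Eq '^[[:space:]]*Defaults[^#]*[[:space:],]requiretty([[:space:],]|$)' "$f"; then
        echo "requiretty is active in $f: comment it out, or add 'Defaults:$u !requiretty'"
        problems=$((problems + 1))
    fi
    # A password-less rule for the user, e.g. "ambari ALL=NOPASSWD:ALL".
    if ! grep -Eq "^[[:space:]]*$u[[:space:]]+.*NOPASSWD:" "$f"; then
        echo "no NOPASSWD rule for $u in $f: add '$u ALL=NOPASSWD:ALL' (or a narrower command list)"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# write_sample_sudoers DIR: constructed before/after files mirroring the post.
write_sample_sudoers() {
    cat > "$1/before.sudoers" <<'EOF'
Defaults    env_reset
Defaults    requiretty
root    ALL=(ALL)       ALL
EOF
    cat > "$1/after.sudoers" <<'EOF'
Defaults    env_reset
#Defaults    requiretty
root    ALL=(ALL)       ALL
ambari ALL=NOPASSWD:ALL
EOF
}

# Demo: the "before" file fails both conditions, the "after" file passes.
demo_dir=$(mktemp -d)
write_sample_sudoers "$demo_dir"
for f in "$demo_dir/before.sudoers" "$demo_dir/after.sudoers"; do
    if sudoers_ready_for_ambari "$f" ambari; then
        echo "$f: ready for the Ambari agent"
    fi
done
rm -rf "$demo_dir"
```

Run it on every node the file was copied to (the xrsync.sh step above), and follow up with visudo -cf FILE, which checks the syntax of a sudoers file without installing it; a syntax error in /etc/sudoers locks everyone out of sudo on that node.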
