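Summary of Errors When Integrating Kerberos with Ambari
Author: Yin Zhengjie
Copyright notice: original work, reproduction is not permitted! Violations will be pursued legally.
I. Steps for viewing the error details
1>. Click Test Kerberos Client and view the corresponding log output
2>. Check which machine has the problem
3>. View the error log for node101.yinzhengjie.org.cn
4>. View the corresponding error message
II. Error occured during stack advisor command invocation: Cannot create /var/run/ambari-server/stack-recommendations
Error analysis:
According to the error message, the corresponding file or directory cannot be created!
Solution:
Since it cannot create the directory itself, let's give it a hand! We log in to the server that reported the error and create it manually.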
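[root@node101 ~]# mkdir /var/run/ambari-server/stack-recommendations    # Create the directory named in the error log
[root@node101 ~]#
[root@node101 ~]# chmod 777 /var/run/ambari-server/stack-recommendations -R    # Be sure to remember that this permission change is required! Otherwise you will hit a strange pitfall: it keeps creating subdirectories, over and over, under the directory we just created.
[root@node101 ~]#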
三.STDERR: ipa: ERROR: The host 'node101.yinzhengjie.org.cn' does not exist to add a service to.
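Error analysis:
The error message is about whether the host "node101.yinzhengjie.org.cn" exists. At first I thought the KDC server was missing the local resolution entry for it in "/etc/hosts". After adding the entry and retrying this step, the problem was still not resolved, so what was the cause? Thinking it over: since this is a Kerberos configuration, doesn't that mean the Kerberos server must hold credentials for this server? I looked into it and found that indeed there were none! The specific steps are as follows (run while logged in to the Kerberos server):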
[root@node100 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@YINZHENGJIE.COM

Valid starting       Expires              Service principal
12/12/2018 06:53:24  12/13/2018 06:53:22  krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node100 ~]#
[root@node100 ~]# kadmin.local
Authenticating as principal admin/admin@YINZHENGJIE.COM with password.
kadmin.local:  listprincs
admin@YINZHENGJIE.COM
K/M@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin/node100.yinzhengjie.com@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kiprop/node100.yinzhengjie.com@YINZHENGJIE.COM
ldap/node100.yinzhengjie.com@YINZHENGJIE.COM
host/node100.yinzhengjie.com@YINZHENGJIE.COM
WELLKNOWN/ANONYMOUS@YINZHENGJIE.COM
dogtag/node100.yinzhengjie.com@YINZHENGJIE.COM
HTTP/node100.yinzhengjie.com@YINZHENGJIE.COM
DNS/node100.yinzhengjie.com@YINZHENGJIE.COM
ipa-dnskeysyncd/node100.yinzhengjie.com@YINZHENGJIE.COM
yinzhengjie-kerberos@YINZHENGJIE.COM
host/node103.yinzhengjie.org.cn@YINZHENGJIE.COM
host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM
kadmin.local:
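The check described above, as an added example that is not part of the original post: it reads a listprincs listing and reports which cluster hosts have no host/<fqdn>@REALM principal. The function names and the embedded sample (a constructed subset of the listing above) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list cluster hosts that have
# no host/<fqdn>@REALM principal in the KDC.

# Usage: missing_host_principals REALM HOST...   (principal list on stdin)
# The subshell body "( ... )" keeps the variables local to the function.
missing_host_principals() (
    realm=$1
    shift
    # Normalise CRs and trailing blanks so whole-line matching is reliable.
    princs=$(tr -d '\r' | sed 's/[[:space:]]*$//')
    for h in "$@"; do
        # -F: literal string, -x: whole line, so "host/node10..." cannot match
        # "host/node100..." and dots are not treated as regex wildcards.
        if ! printf '%s\n' "$princs" | grep -Fxq -- "host/${h}@${realm}"; then
            printf '%s\n' "$h"
        fi
    done
)

# Constructed sample: a subset of the listprincs output shown above.
SAMPLE_PRINCS='admin@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
host/node100.yinzhengjie.com@YINZHENGJIE.COM
HTTP/node100.yinzhengjie.com@YINZHENGJIE.COM
host/node103.yinzhengjie.org.cn@YINZHENGJIE.COM
host/node102.yinzhengjie.org.cn@YINZHENGJIE.COM'

# Check the three cluster nodes that appear on the page against the sample.
check_sample() {
    printf '%s\n' "$SAMPLE_PRINCS" | missing_host_principals YINZHENGJIE.COM \
        node101.yinzhengjie.org.cn \
        node102.yinzhengjie.org.cn \
        node103.yinzhengjie.org.cn
}

check_sample   # prints: node101.yinzhengjie.org.cn

# Against a live KDC (run on the Kerberos server):
#   kadmin.local -q listprincs | \
#       missing_host_principals YINZHENGJIE.COM node101.yinzhengjie.org.cn
```

Running it for every cluster node before starting the Ambari Kerberos wizard shows which hosts still need to be enrolled.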
Solution:
Since it isn't there, let's make it exist. The specific steps are as follows:
[root@node102 ~]# ipa-client-install --domain=YINZHENGJIE.COM --server=node100.yinzhengjie.com --realm=YINZHENGJIE.COM --principal=admin@YINZHENGJIE.COM --enable-dns-updates    # Start installing the client; the meaning of the parameters is explained in detail below!
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes    # Note: you need to enter yes here!
Client hostname: node102.yinzhengjie.org.cn
Realm: YINZHENGJIE.COM
DNS Domain: yinzhengjie.com
IPA Server: node100.yinzhengjie.com
BaseDN: dc=yinzhengjie,dc=com

Continue to configure the system with these values? [no]: yes    # Note: you need to enter yes here!
Skipping synchronizing time with NTP server.
Password for admin@YINZHENGJIE.COM:    # Pay attention here: you need to enter the administrator user's password, i.e. the password you configured when installing the IPA server! Now you know why I stressed remembering it at the time!
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=YINZHENGJIE.COM
    Issuer:      CN=Certificate Authority,O=YINZHENGJIE.COM
    Valid From:  2018-12-12 11:15:53
    Valid Until: 2038-12-12 11:15:53

Enrolled in IPA realm YINZHENGJIE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm YINZHENGJIE.COM
trying https://node100.yinzhengjie.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://node100.yinzhengjie.com/ipa/json'
trying https://node100.yinzhengjie.com/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://node100.yinzhengjie.com/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://node100.yinzhengjie.com/ipa/session/json'
Systemwide CA database updated.
Hostname (node102.yinzhengjie.org.cn) does not have A/AAAA record.
Failed to update DNS records.
Missing A/AAAA record(s) for host node102.yinzhengjie.org.cn: 172.30.1.102.
Missing reverse record(s) for address(es): 172.30.1.102.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://node100.yinzhengjie.com/ipa/session/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring yinzhengjie.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
You have new mail in /var/spool/mail/root
[root@node102 ~]#