Issue "Insufficient access while creating "xxx""

Dean Duan(Contractor) chuanjie.duan at envisioncn.com
Sat Feb 4 02:57:05 EST 2017


Hi everyone,

Has anyone seen this issue? "Insufficient access while creating "xxx""


My Version
krb5-libs-1.10.3-57.el6.x86_64
krb5-server-ldap-1.10.3-57.el6.x86_64
krb5-server-1.10.3-57.el6.x86_64

My acl file
*/admin@HADOOP.COM *

Kdc file
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88

[realms]
HADOOP.COM = {
  master_key_type = aes256-cts-hmac-sha1-96
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  key_stash_file = /var/kerberos/krb5kdc/.k5.HADOOP.COM
  supported_enctypes = des3-cbc-sha1:normal des3-hmac-sha1:normal des3-cbc-sha1-kd:normal aes256-cts-hmac-sha1-96:normal aes256-cts:normal aes256-sha1:normal aes128-cts-hmac-sha1-96:normal aes128-cts:normal aes128-sha1:normal arcfour-hmac:normal rc4-hmac:normal arcfour-hmac-md5:normal
  iprop_enable = true
  kadmind_listen = ip-10-21-14-34
  kadmind_listen = 24h
  max_renewable_life = 7d
}

[logging]
  kdc = FILE:/data/krb5kdc/logs/kdc.log
  admin_server = FILE:/data/krb5kdc/logs/kadmin.log

Krb file

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = HADOOP.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = false

[realms]
HADOOP.COM = {
  kdc = hadoop-2.hadoop.com
  admin_server = hadoop-2.hadoop.com
  database_module = openldap_ldapconf
  default_domain = hadoop.com
  key_stash_file = /var/kerberos/krb5kdc/.k5.HADOOP.COM
  dict_file = /usr/share/dict/words
}

[domain_realm]
.hadoop.com = HADOOP.COM
hadoop.com = HADOOP.COM

[dbdefaults]
  ldap_kerberos_container_dn = cn=Kerberos,dc=hadoop,dc=com

[dbmodules]
openldap_ldapconf = {
  db_library = kldap
  ldap_conns_per_server = 5
  ldap_servers = ldapi://
  ldap_kdc_dn = cn=kdc-srv,ou=Control,dc=hadoop,dc=com
  ldap_kadmind_dn = cn=kdc-adm,ou=Control,dc=hadoop,dc=com
  ldap_service_password_file = /etc/krb5.ldap
}


Best wishes!
________________________________________
Chuanjie Duan
段川杰
Software Technology Department
Mobile: 18616563050
Email: chuanjie.duan at envisioncn.com



More information about the Kerberos mailing list