Enable Kerberos Wizard failed to create principals in Active Directory

jorge_florencio — Fri, 16 Sep 2022 12:29:20 GMT

Hi folks,

the "Enable Kerberos Wizard" failed to create all needed principals. Some principals were created, but not all. This is the output from the log file:

05 Nov 2017 12:24:26,337  INFO [Server Action Executor Worker 270] KerberosServerAction:353 - Processing identities...
05 Nov 2017 12:24:26,419  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, HTTP/hdp-master-02.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,471  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, ambari-qa@VLAB.LOCAL
05 Nov 2017 12:24:26,516  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, hdfs@VLAB.LOCAL
05 Nov 2017 12:24:26,566  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, mapred/hdp-master-02.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,614  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, yarn/hdp-master-02.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,664  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, rm/hdp-master-02.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,712  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, zookeeper/hdp-master-02.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,759  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, HTTP/hdp-master-01.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,806  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, amshbase/hdp-master-01.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,856  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, amszk/hdp-master-01.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,902  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, activity_analyzer/hdp-master-01.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,951  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, activity_explorer/hdp-master-01.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,996  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, zookeeper/hdp-master-01.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:27,043  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, HTTP/lab1-hdfs.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:27,093  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, hdfs/lab1-hdfs.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:27,096 ERROR [Server Action Executor Worker 270] CreatePrincipalsServerAction:297 - Failed to create principal, hdfs/lab1-hdfs.vlab.local@VLAB.LOCAL - Can not create principal : hdfs/lab1-hdfs.vlab.local@VLAB.LOCAL
org.apache.ambari.server.serveraction.kerberos.KerberosOperationException: Can not create principal : hdfs/lab1-hdfs.vlab.local@VLAB.LOCAL
        at org.apache.ambari.server.serveraction.kerberos.ADKerberosOperationHandler.createPrincipal(ADKerberosOperationHandler.java:338)
        at org.apache.ambari.server.serveraction.kerberos.CreatePrincipalsServerAction.createPrincipal(CreatePrincipalsServerAction.java:256)
        at org.apache.ambari.server.serveraction.kerberos.CreatePrincipalsServerAction.processIdentity(CreatePrincipalsServerAction.java:159)
        at org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.processRecord(KerberosServerAction.java:532)
        at org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.processIdentities(KerberosServerAction.java:414)
        at org.apache.ambari.server.serveraction.kerberos.CreatePrincipalsServerAction.execute(CreatePrincipalsServerAction.java:91)
        at org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.execute(ServerActionExecutor.java:517)
        at org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.run(ServerActionExecutor.java:454)
        at java.lang.Thread.run(Thread.java:745)
Caused by: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 000021C7: AtrErr: DSID-03200BDF, #1:
        0: 000021C7: DSID-03200BDF, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName)
]; remaining name '"cn=hdfs/lab1-hdfs.vlab.local,OU=HDP"'
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3149)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3082)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
        at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268)
        at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:202)
        at org.apache.ambari.server.serveraction.kerberos.ADKerberosOperationHandler.createPrincipal(ADKerberosOperationHandler.java:336)
        ... 8 more
05 Nov 2017 12:24:27,096  INFO [Server Action Executor Worker 270] KerberosServerAction:457 - Processing identities completed.

Any suggestion would be appreciated.

Many thanks in advance,

Jorge.

Re: Enable Kerberos Wizard failed to create principals in Active Directory

jsensharma — Sun, 05 Nov 2017 20:02:55 GMT

@Jorge Florencio

Based on the following error:

Caused by: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 000021C7: AtrErr: DSID-03200BDF, #1: 0: 000021C7: DSID-03200BDF, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName)

Please check your Active Directory it looks like the SPN (hdfs/lab1-hdfs.vlab.local@VLAB.LOCAL) already exited there. If yes then it seems to be restricting ambari from creating principals in the AD.

Please remove that principla from your AD first and then try again. It depends on the AD policy that is being applied with the constraint for creating the principals.

Re: Enable Kerberos Wizard failed to create principals in Active Directory

jorge_florencio — Mon, 06 Nov 2017 00:44:59 GMT

Perfect, I've already fixed it !

Thanks you!

Re: Enable Kerberos Wizard failed to create principals in Active Directory

sameer_dalai — Wed, 16 Jan 2019 10:24:19 GMT

how did you fixed this

Re: Enable Kerberos Wizard failed to create principals in Active Directory

sagarspathak — Sat, 13 Aug 2022 01:58:23 GMT

Hi ,

I am facing similar issue and I have already parsed entire AD structure, this particular principal is not existing. So the issue seems to be something else can someone please throw some idea ?

Checks we did :

1) Service Account has full access on Active Directory
2) No pre-existing SPN in AD

3) Manual connection to AD working using same Service account.

Thanks,

Sagar

Re: Enable Kerberos Wizard failed to create principals in Active Directory

sagarspathak — Sat, 13 Aug 2022 01:59:10 GMT

Hi Jorge,

Was it the duplicate SPN in your case ?

Thanks,

Sagar

Re: Enable Kerberos Wizard failed to create principals in Active Directory

JobBranwl — Fri, 31 Mar 2023 07:25:56 GMT

How did you solve it

question Re: Enable Kerberos Wizard failed to create principals in Active Directory in Archives of Support Questions (Read Only)

Enable Kerberos Wizard failed to create principals in Active Directory

Re: Enable Kerberos Wizard failed to create principals in Active Directory

Re: Enable Kerberos Wizard failed to create principals in Active Directory

Re: Enable Kerberos Wizard failed to create principals in Active Directory

Re: Enable Kerberos Wizard failed to create principals in Active Directory

Re: Enable Kerberos Wizard failed to create principals in Active Directory

Re: Enable Kerberos Wizard failed to create principals in Active Directory