question Re: Failed to create kerberos principal in Archives of Support Questions (Read Only)

Failed to create kerberos principal

ankita_ghate — Thu, 22 Nov 2018 01:41:56 GMT

I have kerberos and Ambari setup and I was able to enable/disable kerberos through ambari and was able to regenerate principals but now I am getting below error on Ambari UI,

2018-11-21 04:01:14,662 - Failed to create principal, zookeeper/local4.domain.coma@DOMAIN.COM,zookeeper/ubuntu25.domain.com@DOMAIN.COM,zookeeper/ubuntu26.domain.com@DOMAIN.COM - Failed to create service principal for zookeeper/local4.domain.com@DOMAIN.COM,zookeeper/ubuntu25.domain.com@DOMAIN.COM,zookeeper/ubuntu26.domain.com@DOMAIN.COM
STDOUT: Authenticating as principal kadmin/admin@DOMAIN.COM with existing credentials.
STDERR: add_principal: Malformed representation of principal while parsing principal
usage: add_principal [options] principal
options are:
[-randkey|-nokey] [-x db_princ_args]* [-expire expdate] [-pwexpire pwexpdate] [-maxlife maxtixlife]
[-kvno kvno] [-policy policy] [-clearpolicy]
[-pw password] [-maxrenewlife maxrenewlife]
[-e keysaltlist]
[{+|-}attribute]
attributes are:
allow_postdated allow_forwardable allow_tgs_req allow_renewable
allow_proxiable allow_dup_skey allow_tix requires_preauth
requires_hwauth needchange allow_svr password_changing_service
ok_as_delegate ok_to_auth_as_delegate no_auth_data_required
where,
[-x db_princ_args]* - any number of database specific arguments.
Look at each database documentation for supported arguments
Administration credentials NOT DESTROYED.
2018-11-21 04:01:16,073 - Failed to create principal, hbase/local4.domain.com@DOMAIN.COM,hbase/ubuntu25.domain.com@DOMAIN.COM,hbase/ubuntu26.domain.com@DOMAIN.COM - Failed to create service principal for hbase/local4.domain.com@DOMAIN.COM,hbase/ubuntu25.domain.com@DOMAIN.COM,hbase/ubuntu26.domain.com@DOMAIN.COM
STDOUT: Authenticating as principal kadmin/admin@DOMAIN.COM with existing credentials.
STDERR: add_principal: Malformed representation of principal while parsing principal
usage: add_principal [options] principal
options are:
[-randkey|-nokey] [-x db_princ_args]* [-expire expdate] [-pwexpire pwexpdate] [-maxlife maxtixlife]
[-kvno kvno] [-policy policy] [-clearpolicy]
[-pw password] [-maxrenewlife maxrenewlife]
[-e keysaltlist]
[{+|-}attribute]
attributes are:
allow_postdated allow_forwardable allow_tgs_req allow_renewable
allow_proxiable allow_dup_skey allow_tix requires_preauth
requires_hwauth needchange allow_svr password_changing_service
ok_as_delegate ok_to_auth_as_delegate no_auth_data_required
where,
[-x db_princ_args]* - any number of database specific arguments.
Look at each database documentation for supported arguments
Administration credentials NOT DESTROYED.

Can anyone check?

Re: Failed to create kerberos principal

ankita_ghate — Thu, 22 Nov 2018 01:41:57 GMT

I have destroyed kerberos database and created new, still getting above error.

Re: Failed to create kerberos principal

rlevas — Thu, 22 Nov 2018 02:09:32 GMT

@Ankita Ghate

It seems like there is an issue with the principal name. According to the error

2018-11-21 04:01:14,662 - Failed to create principal, zookeeper/local4.domain.coma@DOMAIN.COM,zookeeper/ubuntu25.domain.com@DOMAIN.COM,zookeeper/ubuntu26.domain.com@DOMAIN.COM - Failed to create service principal for zookeeper/local4.domain.com@DOMAIN.COM,zookeeper/ubuntu25.domain.com@DOMAIN.COM,zookeeper/ubuntu26.domain.com@DOMAIN.COM

Ambari thinks the principal name is

zookeeper/local4.domain.coma@DOMAIN.COM,zookeeper/ubuntu25.domain.com@DOMAIN.COM,zookeeper/ubuntu26.domain.com@DOMAIN.COM

As one principal name, not 3 different principal names. Do you know this could be? Did you add any custom Kerberos identities to the Kerberos Descriptor or customize it at all?

Re: Failed to create kerberos principal

ankita_ghate — Thu, 22 Nov 2018 10:50:00 GMT

Yes I had customized zookeeper and hbase principals in Kerberos configuration through Ambari but later I changed it to default and trying to regenerate principals but it is giving above error. From where is it taking these principals though I have destroyed Kerberos database?

Any solution?

Re: Failed to create kerberos principal

ankita_ghate — Fri, 23 Nov 2018 13:07:41 GMT

While regenerating principals it was giving above error because it might be taking that principal name from Ambari database - Postgres

Re: Failed to create kerberos principal

ankita_ghate — Fri, 23 Nov 2018 17:06:49 GMT

While regenerating principals it was giving above error because it might be taking that principal name from Ambari database - Postgres

Re: Failed to create kerberos principal

rlevas — Sat, 24 Nov 2018 02:35:31 GMT

@Ankita Ghate

Can you post/attach the user-supplied Kerberos descriptor retrieved from

GET /api/v1/clusters/CLUSTER_NAME/kerberos_descriptors/USER

Replacing CLUSTER_NAME with the name or your cluster.

I suspect the issue is related to Kerberos descriptor information supplied to Ambari