Admin session expiration error Invalid KDC administrator credentials

Hi,

I'm trying to kerberize HDP3, installed on CentOS 7. In the "Enable Kerberos" wizard, I got a repetitive dialogue box asking me to re-enter the KDC admin credentials, with the following message:

"Invalid KDC administrator credentials. Please enter admin principal and password."

Appreciate your support

@GEOFFREY SHELTON OKOT


Super Mentor

@Mahmoud Sabri

Which version of Ambari Server are you using?

Can you please share the ambari-server.log when you noticed the error?

Also, please make sure that you have the following kind of principal created on the KDC side:

# kadmin.local -q "addprinc kadmin/<KADMIN_FQDN>@<REALM.COM>"

For more information on the above principal addition please refer to: https://community.hortonworks.com/content/supportkb/230921/error-bad-request-received-invalid-kdc-ad...

Hi @Jay Kumar SenSharma,

Thanks for your response. I have Ambari 2.7.0.0.

ambari-server.zip

I noticed this issue once I started kerberizing the cluster using the Ambari Kerberos wizard.

I've attached the "ambari-server.log" since the issue started.

I ran the principal create command that you mentioned as well.

Super Mentor
@Mahmoud Sabri

While running the command, have you replaced the "KADMIN_FQDN" and "REALM.COM" values according to your cluster?

Example:

# kadmin.local -q "addprinc kadmin/kadminhost.example.com@EXAMPLE.COM"

Also, can you please share the output of the "listprincs" command to verify whether you have the kadmin principal created properly?

# kadmin.local: listprincs

I've made slight changes to the names for privacy reasons.

The output of "listprincs" is:

kadmin.local: listprincs
K/M@myDN
admin/myFQDN@myDN
admin/admin@myDN
kadmin/myFQDN@myDN
kadmin/admin@myDN
kadmin/changepw@myDN
kadmin/myFQDN@myDN
kiprop/myFQDN@myDN
krbtgt/myDN@myDN
root/myFQDN@myDN
root/admin@myDN
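
As an added example (not part of the thread or of Ambari), a shell check of a `listprincs` listing for the `kadmin/<KADMIN_FQDN>@<REALM>` and `admin/admin` principals requested above. It also flags a principal that exists only with different letter case, since Kerberos principal names are case-sensitive; the host name, realm and listing are constructed.

```sh
#!/bin/sh
# Added example, not from the thread. Host, realm and listing are constructed.

# check_princs KADMIN_FQDN REALM [ADMIN_PRINC]   (listprincs output on stdin)
# Prints one finding per line; returns 0 only when every check passes.
check_princs() {
    fqdn=$1; realm=$2; admin=${3:-admin/admin}; rc=0
    # Principal lines contain '@'; this drops the prompt line and blanks.
    princs=$(grep '@' || true)

    # The replies ask for the realm in upper case.
    case $realm in
        *[a-z]*) echo "WARN realm $realm is not upper case"; rc=1 ;;
    esac

    for want in "kadmin/$fqdn@$realm" "$admin@$realm"; do
        if printf '%s\n' "$princs" | grep -qxF -- "$want"; then
            echo "OK $want"
        elif near=$(printf '%s\n' "$princs" | grep -ixF -- "$want"); then
            # Names are case-sensitive, so a near match does not count.
            echo "CASE-MISMATCH wanted $want found $near"; rc=1
        else
            echo "MISSING $want"; rc=1
        fi
    done
    return $rc
}

# Constructed listing in the shape shown above.
sample_listing() {
    cat <<'EOF'
kadmin.local:  listprincs
K/M@EXAMPLE.COM
admin/admin@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/KDC1.example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
EOF
}

sample_listing | check_princs kdc1.example.com EXAMPLE.COM ||
    echo "fix the findings above before re-running the wizard"
```

On a KDC host the listing would come from `kadmin.local -q "listprincs"` piped into `check_princs`.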

Super Mentor

@Mahmoud Sabri


From the Ambari Server host, can you please check whether you are able to run the kinit command, something like the following, with the "kadmin/FQDN/REALM" principal?

# kinit -S kadmin/KADMIN_FQDN admin/admin@EXAMPLE.COM

Please replace "KADMIN_FQDN" with your kadmin FQDN and "EXAMPLE.COM" with your realm name in upper case.

It went without errors:

# kinit -S admin/myFQDN admin/admin@myDN

Password for admin/admin@myDN:

Super Mentor

@Mahmoud Sabri

With the "-S" flag, please use the "kadmin" principal instead of the "admin/myFQDN" principal.

# kinit -S kadmin/myFQDN admin/admin@myDN

Went OK as well.


New Contributor

This problem seems to be unresolved, at least from what I could follow.

I am facing exactly the same issue. I am trying to Kerberise the HDP 3.0.1 sandbox using Ambari. I have set up my KDC server on Ubuntu, and I have also set up the admin/admin principal correctly. From the HDP sandbox I can successfully execute kinit for admin/admin.

In the ambari-server.log I see the following error:

2020-12-03 12:38:57,331 ERROR [ambari-client-thread-168] KerberosHelperImpl:2412 - Cannot validate credentials: org.apache.ambari.server.serveraction.kerberos.KerberosMissingAdminCredentialsException: Missing KDC administrator credentials.
The KDC administrator credentials must be set as a persisted or temporary credential resource.This may be done by issuing a POST to the /api/v1/clusters/:clusterName/credentials/kdc.admin.credential API entry point with the following payload:
{
  "Credential" : {
    "principal" : "(PRINCIPAL)", "key" : "(PASSWORD)", "type" : "(persisted|temporary)"}
  }
}
2020-12-03 12:38:57,336 ERROR [ambari-client-thread-168] CreateHandler:80 - Bad request received: Missing KDC administrator credentials.
The KDC administrator credentials must be set as a persisted or temporary credential resource.This may be done by issuing a POST to the /api/v1/clusters/:clusterName/credentials/kdc.admin.credential API entry point with the following payload:
{
  "Credential" : {
    "principal" : "(PRINCIPAL)", "key" : "(PASSWORD)", "type" : "(persisted|temporary)"}
  }
}
2020-12-03 12:38:57,565 ERROR [ambari-metrics-retrieval-service-thread-2] MetricsRetrievalService:496 - Unable to retrieve metrics from http://abc.xyz.com:8744/api/v1/cluster/summary. Subsequent failures will be suppressed from the log for 20 minutes.
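
The log message above names the endpoint and payload for storing the KDC administrator credential. As an added example (not from the thread or the Ambari project), one way to build that request in shell so that the KDC password is JSON-escaped and travels on curl's stdin rather than in its arguments; the base URL, cluster name, Ambari user and the `temporary` default are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. URL, cluster and user are placeholders.

# Escape backslash and double quote for use inside a JSON string.
# (Control characters are not handled; `read` cannot capture them anyway.)
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# kdc_payload PRINCIPAL PASSWORD TYPE -> JSON body in the logged shape.
kdc_payload() {
    case $3 in
        persisted|temporary) ;;   # the two values the log message lists
        *) echo "type must be persisted or temporary" >&2; return 2 ;;
    esac
    printf '{"Credential":{"principal":"%s","key":"%s","type":"%s"}}' \
        "$(json_escape "$1")" "$(json_escape "$2")" "$3"
}

# kdc_url BASE_URL CLUSTER_NAME -> endpoint from the log message.
kdc_url() {
    printf '%s/api/v1/clusters/%s/credentials/kdc.admin.credential' \
        "${1%/}" "$2"
}

# post_kdc_credential BASE_URL CLUSTER PRINCIPAL AMBARI_USER [TYPE]
post_kdc_credential() {
    printf 'KDC admin password: ' >&2
    stty -echo; IFS= read -r kdc_pw; stty echo; echo >&2
    # The body goes over stdin (--data @-), so the KDC password never shows
    # up in the process list; curl prompts for the Ambari user's password.
    # Ambari expects the X-Requested-By header on modifying requests.
    kdc_payload "$3" "$kdc_pw" "${5:-temporary}" |
        curl -sS -u "$4" -H 'X-Requested-By: ambari' \
             -X POST --data @- "$(kdc_url "$1" "$2")"
    unset kdc_pw
}

# Dry run with constructed values: print the target URL, send nothing.
kdc_url 'http://ambari.example.com:8080' 'mycluster'; echo
```

A real call would look like `post_kdc_credential http://ambari.example.com:8080 mycluster admin/admin@EXAMPLE.COM admin`, with each value replaced by the site's own.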

 

New Contributor

I would really appreciate it if someone could help me resolve what the issue could be in my case.

Community Manager

@jvlearn as this is an older post, you would have a better chance of receiving a resolution by starting a new thread. This will also be an opportunity to provide details specific to your environment that could aid others in assisting you with a more accurate answer to your question. You can link this thread as a reference in your new post.



Regards,

Vidya Sargur,
Community Manager

