CONFIGURE KDC CLIENT FAILING
Created ‎11-29-2016 09:01 PM
config-kerb.jpg kdc-error.txt ambari-error.jpg
I have installed the KDC server and created principals. The configure Kerberos part goes fine from the Ambari console and so does the install client Kerberos part, but the test client part is failing with some internal exception. Please see the uploaded Ambari log file and the screenshots for the configuration screen.
Created ‎11-30-2016 02:31 PM
Looking at the error:
29 Nov 2016 15:49:43,526 WARN [ambari-client-thread-1242] MITKerberosOperationHandler:459 - Failed to execute kadmin: Command: [/usr/bin/kadmin, -s, hadoop1.tolls.dot.state.fl.us, -p, K/M@TOLLS.DOT.STATE.FL.US, -r, TOLLS.DOT.STATE.FL.US, -q, get_principal K/M@TOLLS.DOT.STATE.FL.US] ExitCode: 1 STDOUT: Authenticating as principal K/M@TOLLS.DOT.STATE.FL.US with password. STDERR: kadmin: Clients credentials have been revoked while initializing kadmin interface
It appears that the admin account you are using has been locked out. See http://web.mit.edu/Kerberos/krb5-1.13/doc/admin/lockout.html for more information on this.
Created ‎11-30-2016 06:10 AM
While posting the stack trace you might want to hide (mask) the principal/realm name. Just for safety.
From your stack trace we see that it is failing while doing the "validateKDCCredentials", so please check if you are using correct "kadmin" credentials.
Unexpected error condition executing the kadmin command
org.apache.ambari.server.AmbariException: Unexpected error condition executing the kadmin command
    at org.apache.ambari.server.controller.KerberosHelperImpl.validateKDCCredentials(KerberosHelperImpl.java:1564)
    at org.apache.ambari.server.controller.KerberosHelperImpl.handleTestIdentity(KerberosHelperImpl.java:1859)
.
.
Caused by: org.apache.ambari.server.serveraction.kerberos.KerberosOperationException: Unexpected error condition executing the kadmin command
    at org.apache.ambari.server.serveraction.kerberos.MITKerberosOperationHandler.invokeKAdmin(MITKerberosOperationHandler.java:481)
    at org.apache.ambari.server.serveraction.kerberos.MITKerberosOperationHandler.principalExists(MITKerberosOperationHandler.java:149)
.
Created ‎11-30-2016 01:52 PM
hi jss
This is a test environment so I am not worried about the principal/realm name, but thanks for the advice.
I tried your method of ignoring the error and it does continue on the next screen, but fails on the "kerberize cluster" stage with the error shown below.
How can I check/reset the "kadmin" credentials? BTW, it doesn't take any other credential but K/M@TOLLS.DOT.STATE.FL.US in the installation menu, why? I tried kadmin@TOLLS.DOT.STATE.FL.US but it doesn't like it.
[root@hadoop1 ambari-server]# kadmin.local
Authenticating as principal root/admin@TOLLS.DOT.STATE.FL.US with password.
kadmin.local: listprincs
K/M@TOLLS.DOT.STATE.FL.US << this one is the admin ???
host/hadoop1.tolls.dot.state.fl.us@TOLLS.DOT.STATE.FL.US
kadmin/admin@TOLLS.DOT.STATE.FL.US
kadmin/changepw@TOLLS.DOT.STATE.FL.US
kadmin/hadoop1@TOLLS.DOT.STATE.FL.US
krbtgt/TOLLS.DOT.STATE.FL.US@TOLLS.DOT.STATE.FL.US
here is the error file from the ambari-server log
30 Nov 2016 08:31:09,518 INFO [ambari-client-thread-1512] AmbariManagementControllerImpl:3749 - Received action execution request, clusterName=FDOT_Hadoop, request=isCommand :true, action :null, command :KERBEROS_SERVICE_CHECK, inputs :{}, resourceFilters: [RequestResourceFilter{serviceName='KERBEROS', componentName='null', hostNames=[]}], exclusive: false, clusterName :FDOT_Hadoop
30 Nov 2016 08:31:09,536 WARN [ambari-client-thread-1512] MITKerberosOperationHandler:459 - Failed to execute kadmin: Command: [/usr/bin/kadmin, -s, hadoop1.tolls.dot.state.fl.us, -p, K/M@tolls.dot.state.fl.us, -r, TOLLS.DOT.STATE.FL.US, -q, get_principal K/M@tolls.dot.state.fl.us] ExitCode: 1 STDOUT: Authenticating as principal K/M@tolls.dot.state.fl.us with password. STDERR: kadmin: Cannot find KDC for requested realm while initializing kadmin interface
30 Nov 2016 08:31:09,537 ERROR [ambari-client-thread-1512] KerberosHelperImpl:1861 - Cannot validate credentials: org.apache.ambari.server.serveraction.kerberos.KerberosInvalidConfigurationException: Failed to find a KDC for the specified realm - kadmin: Cannot find KDC for requested realm while initializing kadmin interface
Created ‎11-30-2016 06:17 AM
Also try clicking on the "Ignore errors and continue to next steps" checkbox and then click on Next.
It is the "command :KERBEROS_SERVICE_CHECK" command that is failing, based on the "kdc-error.txt" file. It is good to first complete the Kerberos installation by clicking "Next" and then, once it is done, run the "Service check" again.
Created on ‎11-30-2016 02:08 PM - edited ‎08-19-2019 02:43 AM
Also, I keep getting this error. What's the solution? In this screen it's not accepting kadmin/admin but only K/M.
Created ‎03-03-2017 09:46 AM
Sami Ahmad, I am also facing the same error. I have successfully installed Kerberos, but during the Kerberos service check it is giving me the same error as mentioned below, and it is not resolved yet.
Created ‎11-30-2016 03:09 PM
Ah, this is frustrating. I didn't change anything and just after the installation I can't get into kadmin.
I even recreated the KDC database but no luck.
[root@hadoop1 krb5kdc]# kdb5_util create -r TOLLS.DOT.STATE.FL.US –s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'TOLLS.DOT.STATE.FL.US',
master key name 'K/M@TOLLS.DOT.STATE.FL.US'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
[root@hadoop1 krb5kdc]# pwd
/var/kerberos/krb5kdc
[root@hadoop1 krb5kdc]# ls
principal  principal.kadm5  principal.kadm5.lock  principal.ok
[root@hadoop1 krb5kdc]# ls -ltr
total 16
-rw------- 1 root root 8192 Nov 30 10:22 principal.kadm5
-rw------- 1 root root    0 Nov 30 10:22 principal.kadm5.lock
-rw------- 1 root root 8192 Nov 30 10:22 principal
-rw------- 1 root root    0 Nov 30 10:22 principal.ok
[root@hadoop1 krb5kdc]# kadmin.local
Authenticating as principal kadmin/admin@TOLLS.DOT.STATE.FL.US with password.
kadmin.local: Can not fetch master key (error: No such file or directory). while initializing kadmin.local interface
[root@hadoop1 krb5kdc]#
[root@hadoop1 krb5kdc]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: kadmin/admin@TOLLS.DOT.STATE.FL.US
Valid starting     Expires            Service principal
11/30/16 09:00:42  11/30/16 12:00:42  krbtgt/TOLLS.DOT.STATE.FL.US@TOLLS.DOT.STATE.FL.US
        renew until 11/30/16 09:00:42
[root@hadoop1 krb5kdc]#
Created ‎11-30-2016 03:38 PM
here is my krb5.conf file
[root@hadoop1 ~]# cat /etc/krb5.conf
[libdefaults]
  renew_lifetime = 7d
  forwardable = true
  default_realm = TOLLS.DOT.SATE.FL.US
  ticket_lifetime = 24h
  dns_lookup_realm = false
  dns_lookup_kdc = false
  default_ccache_name = /tmp/krb5cc_%{uid}
  #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
  #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
[logging]
  default = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  kdc = FILE:/var/log/krb5kdc.log
[realms]
  TOLLS.DOT.SATE.FL.US = {
    admin_server = hadoop1.tolls.dot.state.fl.us
    kdc = hadoop1
  }
[root@hadoop1 ~]#
Created ‎11-30-2016 04:26 PM
kdc = hadoop1
should probably be
kdc = hadoop1.tolls.dot.state.fl.us
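
An added example, not part of the thread and not Ambari or MIT Kerberos code: a small Python check that compares the realm passed to kadmin with `-r` in the log above against the `[libdefaults]` and `[realms]` sections of krb5.conf, and flags short KDC host names. The function names are hypothetical and the sample file is constructed by trimming the krb5.conf posted above to the relevant keys.

```python
import difflib

# Constructed sample: the krb5.conf posted in the thread, trimmed to relevant keys.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = TOLLS.DOT.SATE.FL.US
  dns_lookup_kdc = false
[realms]
  TOLLS.DOT.SATE.FL.US = {
    admin_server = hadoop1.tolls.dot.state.fl.us
    kdc = hadoop1
  }
"""

def parse_krb5(text):
    """Return (libdefaults dict, {realm: {key: [values]}}) from krb5.conf text."""
    libdefaults, realms, section, realm = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
        elif line == "}":
            realm = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "realms" and value == "{":
                realm = key
                realms[realm] = {}
            elif section == "realms" and realm:
                realms[realm].setdefault(key, []).append(value)
            elif section == "libdefaults":
                libdefaults[key] = value
    return libdefaults, realms

def check(text, requested_realm):
    """List (code, detail) findings for the realm a client asks for."""
    lib, realms = parse_krb5(text)
    findings = []
    if lib.get("default_realm") != requested_realm:
        findings.append(("default_realm_mismatch", lib.get("default_realm")))
    if requested_realm not in realms:
        # Report a near-miss realm name, which usually means a typo.
        near = difflib.get_close_matches(requested_realm, list(realms), n=1, cutoff=0.8)
        findings.append(("realm_undefined", near[0] if near else None))
    for name, keys in realms.items():
        for key in ("kdc", "admin_server"):
            for host in keys.get(key, []):
                if "." not in host.split(":")[0]:   # ignore an optional :port
                    findings.append(("short_hostname", f"{name}: {key} = {host}"))
    return findings
```

Calling `check(SAMPLE_KRB5_CONF, "TOLLS.DOT.STATE.FL.US")` reports that the requested realm has no `[realms]` entry, names the near-identical realm that is defined, and flags `kdc = hadoop1`.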
