CONFIGURE KDC CLIENT FAILING

Super Collaborator

config-kerb.jpg kdc-error.txt ambari-error.jpg

I have installed the KDC server and created principals. The configure Kerberos part goes fine from the Ambari console and so does the install client Kerberos part, but the test client part is failing with some internal exception. Please see the uploaded Ambari log file and the screenshots for the configuration screen.

1 ACCEPTED SOLUTION

@Sami Ahmad

Looking at the error:

29 Nov 2016 15:49:43,526  WARN [ambari-client-thread-1242] MITKerberosOperationHandler:459 - Failed to execute kadmin:
        Command: [/usr/bin/kadmin, -s, hadoop1.tolls.dot.state.fl.us, -p, K/M@TOLLS.DOT.STATE.FL.US, -r, TOLLS.DOT.STATE.FL.US, -q, get_principal K/M@TOLLS.DOT.STATE.FL.US]
        ExitCode: 1
        STDOUT: Authenticating as principal K/M@TOLLS.DOT.STATE.FL.US with password.
        STDERR: kadmin: Clients credentials have been revoked while initializing kadmin interface

It appears that the admin account you are using has been locked out. See http://web.mit.edu/Kerberos/krb5-1.13/doc/admin/lockout.html for more information on this.

@Sami Ahmad

While posting the stack trace you might want to hide (mask) the principal/realm name. Just for safety.

From your stack trace we see that it is failing while doing the "validateKDCCredentials", so please check if you are using the correct "kadmin" credentials.

Unexpected error condition executing the kadmin command
org.apache.ambari.server.AmbariException: Unexpected error condition executing the kadmin command         
at org.apache.ambari.server.controller.KerberosHelperImpl.validateKDCCredentials(KerberosHelperImpl.java:1564)         
at org.apache.ambari.server.controller.KerberosHelperImpl.handleTestIdentity(KerberosHelperImpl.java:1859) 
.
.
Caused by: org.apache.ambari.server.serveraction.kerberos.KerberosOperationException: Unexpected error condition executing the kadmin command         
at org.apache.ambari.server.serveraction.kerberos.MITKerberosOperationHandler.invokeKAdmin(MITKerberosOperationHandler.java:481)
at org.apache.ambari.server.serveraction.kerberos.MITKerberosOperationHandler.principalExists(MITKerberosOperationHandler.java:149)

.

Super Collaborator

Hi jss,

This is a test environment so I am not worried about the principal/realm name, but thanks for the advice.

I tried your method of ignoring the error and it does continue on to the next screen, but it fails on the "kerberize cluster" stage with the error shown below.

How can I check/reset the "kadmin" credentials? By the way, it doesn't take any other credential but K/M@TOLLS.DOT.STATE.FL.US in the installation menu. Why? I tried kadmin@TOLLS.DOT.STATE.FL.US but it doesn't like it.

[root@hadoop1 ambari-server]# kadmin.local
Authenticating as principal root/admin@TOLLS.DOT.STATE.FL.US with password.
kadmin.local:  listprincs
K/M@TOLLS.DOT.STATE.FL.US     << this one is the admin  ??? 
host/hadoop1.tolls.dot.state.fl.us@TOLLS.DOT.STATE.FL.US
kadmin/admin@TOLLS.DOT.STATE.FL.US
kadmin/changepw@TOLLS.DOT.STATE.FL.US
kadmin/hadoop1@TOLLS.DOT.STATE.FL.US
krbtgt/TOLLS.DOT.STATE.FL.US@TOLLS.DOT.STATE.FL.US

Here is the error file from the ambari-server log:

30 Nov 2016 08:31:09,518  INFO [ambari-client-thread-1512] AmbariManagementControllerImpl:3749 - Received action execution request, clusterName=FDOT_Hadoop, request=isCommand :true, action :null, command :KERBEROS_SERVICE_CHECK, inputs :{}, resourceFilters: [RequestResourceFilter{serviceName='KERBEROS', componentName='null', hostNames=[]}], exclusive: false, clusterName :FDOT_Hadoop
30 Nov 2016 08:31:09,536  WARN [ambari-client-thread-1512] MITKerberosOperationHandler:459 - Failed to execute kadmin:
        Command: [/usr/bin/kadmin, -s, hadoop1.tolls.dot.state.fl.us, -p, K/M@tolls.dot.state.fl.us, -r, TOLLS.DOT.STATE.FL.US, -q, get_principal K/M@tolls.dot.state.fl.us]
        ExitCode: 1
        STDOUT: Authenticating as principal K/M@tolls.dot.state.fl.us with password.
        STDERR: kadmin: Cannot find KDC for requested realm while initializing kadmin interface
30 Nov 2016 08:31:09,537 ERROR [ambari-client-thread-1512] KerberosHelperImpl:1861 - Cannot validate credentials: org.apache.ambari.server.serveraction.kerberos.KerberosInvalidConfigurationException: Failed to find a KDC for the specified realm - kadmin: Cannot find KDC for requested realm while initializing kadmin interface


@Sami Ahmad

Also try clicking on the "Ignore errors and continue to next steps" checkbox and then click on Next.

It is the "command :KERBEROS_SERVICE_CHECK" command that is failing based on the "kdc-error.txt" file. It is good to first complete the Kerberos installation by clicking "Next" and then, once it is done, run the "Service check" again.

Super Collaborator

Also, I keep getting this error. What's the solution? In this screen it's not accepting kadmin/admin but only K/M.

9917-capture.jpg

Expert Contributor

Sami Ahmad, I am also facing the same error. I have successfully installed Kerberos, but during the Kerberos service check it is giving me the same error as mentioned below, and it is not resolved yet.

Super Collaborator

Ah, this is frustrating. I didn't change anything, and just after the installation I can't get into kadmin.

I even recreated the KDC database but no luck.

[root@hadoop1 krb5kdc]# kdb5_util create -r TOLLS.DOT.STATE.FL.US –s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'TOLLS.DOT.STATE.FL.US',
master key name 'K/M@TOLLS.DOT.STATE.FL.US'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
[root@hadoop1 krb5kdc]# pwd
/var/kerberos/krb5kdc

[root@hadoop1 krb5kdc]# ls
principal  principal.kadm5  principal.kadm5.lock  principal.ok
[root@hadoop1 krb5kdc]# ls -ltr
total 16
-rw------- 1 root root 8192 Nov 30 10:22 principal.kadm5
-rw------- 1 root root    0 Nov 30 10:22 principal.kadm5.lock
-rw------- 1 root root 8192 Nov 30 10:22 principal
-rw------- 1 root root    0 Nov 30 10:22 principal.ok
[root@hadoop1 krb5kdc]# kadmin.local
Authenticating as principal kadmin/admin@TOLLS.DOT.STATE.FL.US with password.
kadmin.local: Can not fetch master key (error: No such file or directory). while initializing kadmin.local interface
[root@hadoop1 krb5kdc]#
[root@hadoop1 krb5kdc]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: kadmin/admin@TOLLS.DOT.STATE.FL.US
Valid starting     Expires            Service principal
11/30/16 09:00:42  11/30/16 12:00:42  krbtgt/TOLLS.DOT.STATE.FL.US@TOLLS.DOT.STATE.FL.US
        renew until 11/30/16 09:00:42
[root@hadoop1 krb5kdc]#

Super Collaborator

Here is my krb5.conf file:

[root@hadoop1 ~]# cat /etc/krb5.conf
[libdefaults]
  renew_lifetime = 7d
  forwardable = true
  default_realm = TOLLS.DOT.SATE.FL.US
  ticket_lifetime = 24h
  dns_lookup_realm = false
  dns_lookup_kdc = false
  default_ccache_name = /tmp/krb5cc_%{uid}
  #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
  #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
[logging]
  default = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  kdc = FILE:/var/log/krb5kdc.log
[realms]
  TOLLS.DOT.SATE.FL.US = {
    admin_server = hadoop1.tolls.dot.state.fl.us
    kdc = hadoop1
  }
[root@hadoop1 ~]#


kdc = hadoop1

should probably be

kdc = hadoop1.tolls.dot.state.fl.us
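
Added example, not part of any reply in this thread and not Ambari or MIT Kerberos code: a small krb5.conf consistency check that covers the short `kdc` host name from the last reply and also reports when the realm of the principal passed to kadmin has no `[realms]` entry, which is the condition behind "Cannot find KDC for requested realm" when DNS lookup is off. The function names and the not-fully-qualified rule (no dot in the host name) are assumptions made for illustration; the sample input is the posted file with `[logging]` and comment lines trimmed.

```python
# krb5.conf as posted in the thread above ([logging] and comment lines trimmed).
POSTED_CONF = """\
[libdefaults]
  default_realm = TOLLS.DOT.SATE.FL.US
  dns_lookup_kdc = false
[realms]
  TOLLS.DOT.SATE.FL.US = {
    admin_server = hadoop1.tolls.dot.state.fl.us
    kdc = hadoop1
  }
"""

def parse_krb5_conf(text):
    """Return (libdefaults dict, {realm: {option: [values]}})."""
    libdefaults, realms = {}, {}
    section, current = None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, current = line[1:-1], None
        elif line == "}":
            current = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "realms" and value == "{":
                current = realms.setdefault(key, {})
            elif section == "realms" and current is not None:
                current.setdefault(key, []).append(value)
            elif section == "libdefaults":
                libdefaults[key] = value
    return libdefaults, realms

def check_conf(text, principal_realm):
    """List problems that stop kadmin from locating a KDC for principal_realm."""
    libdefaults, realms = parse_krb5_conf(text)
    # Assumption: an unset dns_lookup_kdc is treated as enabled.
    dns = libdefaults.get("dns_lookup_kdc", "true").lower() in ("true", "yes", "on", "1")
    problems = []
    for name in sorted({libdefaults.get("default_realm"), principal_realm} - {None}):
        if name not in realms and not dns:
            problems.append(f"no [realms] entry for {name}")
    for name, opts in realms.items():
        for key in ("kdc", "admin_server"):
            for host in opts.get(key, []):
                if "." not in host.split(":")[0]:
                    problems.append(f"{name}: {key} = {host} is not fully qualified")
    return problems

if __name__ == "__main__":
    for problem in check_conf(POSTED_CONF, "TOLLS.DOT.STATE.FL.US"):
        print(problem)
```

Run against the posted file with the realm from the `listprincs` output, it reports two findings: the file defines TOLLS.DOT.SATE.FL.US while the principals live in TOLLS.DOT.STATE.FL.US, and `kdc = hadoop1` is a short host name.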