Created 11-29-2016 09:01 PM
config-kerb.jpg kdc-error.txt ambari-error.jpg
I have installed the KDC server and created principals. The configure Kerberos part goes fine from the Ambari console and so does the install client Kerberos part, but the test client part is failing with some internal exception. Please see the uploaded Ambari log file and the screenshots for the configuration screen.
Created 11-30-2016 06:10 AM
While posting the stack trace you might want to hide (mask) the principal/realm name. Just for safety.
From your stack trace we see that it is failing while doing the "validateKDCCredentials", so please check if you are using the correct "kadmin" credentials.
Unexpected error condition executing the kadmin command
org.apache.ambari.server.AmbariException: Unexpected error condition executing the kadmin command
    at org.apache.ambari.server.controller.KerberosHelperImpl.validateKDCCredentials(KerberosHelperImpl.java:1564)
    at org.apache.ambari.server.controller.KerberosHelperImpl.handleTestIdentity(KerberosHelperImpl.java:1859)
    .
    .
Caused by: org.apache.ambari.server.serveraction.kerberos.KerberosOperationException: Unexpected error condition executing the kadmin command
    at org.apache.ambari.server.serveraction.kerberos.MITKerberosOperationHandler.invokeKAdmin(MITKerberosOperationHandler.java:481)
    at org.apache.ambari.server.serveraction.kerberos.MITKerberosOperationHandler.principalExists(MITKerberosOperationHandler.java:149)
Created 11-30-2016 01:52 PM
Hi jss,
This is a test environment so I am not worried about the principal/realm name, but thanks for the advice.
I tried your method of ignoring the error and it does continue on the next screen but fails on the "kerberize cluster" stage with the error shown below.
How can I check/reset the "kadmin" credentials? By the way, it doesn't take any other credential but K/M@TOLLS.DOT.STATE.FL.US in the installation menu, why? I tried kadmin@TOLLS.DOT.STATE.FL.US but it doesn't like it.
[root@hadoop1 ambari-server]# kadmin.local
Authenticating as principal root/admin@TOLLS.DOT.STATE.FL.US with password.
kadmin.local: listprincs
K/M@TOLLS.DOT.STATE.FL.US << this one is the admin ???
host/hadoop1.tolls.dot.state.fl.us@TOLLS.DOT.STATE.FL.US
kadmin/admin@TOLLS.DOT.STATE.FL.US
kadmin/changepw@TOLLS.DOT.STATE.FL.US
kadmin/hadoop1@TOLLS.DOT.STATE.FL.US
krbtgt/TOLLS.DOT.STATE.FL.US@TOLLS.DOT.STATE.FL.US

Here is the error file from the ambari-server log:

30 Nov 2016 08:31:09,518 INFO [ambari-client-thread-1512] AmbariManagementControllerImpl:3749 - Received action execution request, clusterName=FDOT_Hadoop, request=isCommand :true, action :null, command :KERBEROS_SERVICE_CHECK, inputs :{}, resourceFilters: [RequestResourceFilter{serviceName='KERBEROS', componentName='null', hostNames=[]}], exclusive: false, clusterName :FDOT_Hadoop
30 Nov 2016 08:31:09,536 WARN [ambari-client-thread-1512] MITKerberosOperationHandler:459 - Failed to execute kadmin: Command: [/usr/bin/kadmin, -s, hadoop1.tolls.dot.state.fl.us, -p, K/M@tolls.dot.state.fl.us, -r, TOLLS.DOT.STATE.FL.US, -q, get_principal K/M@tolls.dot.state.fl.us] ExitCode: 1 STDOUT: Authenticating as principal K/M@tolls.dot.state.fl.us with password. STDERR: kadmin: Cannot find KDC for requested realm while initializing kadmin interface
30 Nov 2016 08:31:09,537 ERROR [ambari-client-thread-1512] KerberosHelperImpl:1861 - Cannot validate credentials: org.apache.ambari.server.serveraction.kerberos.KerberosInvalidConfigurationException: Failed to find a KDC for the specified realm - kadmin: Cannot find KDC for requested realm while initializing kadmin interface
Created 11-30-2016 06:17 AM
Also try clicking on the "Ignore errors and continue to next steps" checkbox and then click on Next.
It is the "command :KERBEROS_SERVICE_CHECK" command that is failing based on the "kdc-error.txt" file. It is good to first complete the Kerberos installation by clicking "Next" and then, once it is done, run the "Service check" again.
Created on 11-30-2016 02:08 PM - edited 08-19-2019 02:43 AM
Also, I keep getting this error. What's the solution? In this screen it's not accepting kadmin/admin but only K/M.
Created 03-03-2017 09:46 AM
Sami Ahmad, I am also facing the same error. I have successfully installed Kerberos, but during the Kerberos service check it is giving me the same error as mentioned below, and it is not resolved yet.
Created 11-30-2016 02:31 PM
Looking at the error:
29 Nov 2016 15:49:43,526 WARN [ambari-client-thread-1242] MITKerberosOperationHandler:459 - Failed to execute kadmin: Command: [/usr/bin/kadmin, -s, hadoop1.tolls.dot.state.fl.us, -p, K/M@TOLLS.DOT.STATE.FL.US, -r, TOLLS.DOT.STATE.FL.US, -q, get_principal K/M@TOLLS.DOT.STATE.FL.US] ExitCode: 1 STDOUT: Authenticating as principal K/M@TOLLS.DOT.STATE.FL.US with password. STDERR: kadmin: Clients credentials have been revoked while initializing kadmin interface
It appears that the admin account you are using has been locked out. See http://web.mit.edu/Kerberos/krb5-1.13/doc/admin/lockout.html for more information on this.
Created 11-30-2016 03:09 PM
Ah, this is frustrating. I didn't change anything, and just after the installation I can't get into kadmin.
I even recreated the KDC database but no luck.
[root@hadoop1 krb5kdc]# kdb5_util create -r TOLLS.DOT.STATE.FL.US –s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'TOLLS.DOT.STATE.FL.US',
master key name 'K/M@TOLLS.DOT.STATE.FL.US'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
[root@hadoop1 krb5kdc]# pwd
/var/kerberos/krb5kdc
[root@hadoop1 krb5kdc]# ls
principal  principal.kadm5  principal.kadm5.lock  principal.ok
[root@hadoop1 krb5kdc]# ls -ltr
total 16
-rw------- 1 root root 8192 Nov 30 10:22 principal.kadm5
-rw------- 1 root root    0 Nov 30 10:22 principal.kadm5.lock
-rw------- 1 root root 8192 Nov 30 10:22 principal
-rw------- 1 root root    0 Nov 30 10:22 principal.ok
[root@hadoop1 krb5kdc]# kadmin.local
Authenticating as principal kadmin/admin@TOLLS.DOT.STATE.FL.US with password.
kadmin.local: Can not fetch master key (error: No such file or directory). while initializing kadmin.local interface
[root@hadoop1 krb5kdc]#

[root@hadoop1 krb5kdc]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: kadmin/admin@TOLLS.DOT.STATE.FL.US

Valid starting     Expires            Service principal
11/30/16 09:00:42  11/30/16 12:00:42  krbtgt/TOLLS.DOT.STATE.FL.US@TOLLS.DOT.STATE.FL.US
        renew until 11/30/16 09:00:42
[root@hadoop1 krb5kdc]#
Created 11-30-2016 03:38 PM
Here is my krb5.conf file:

[root@hadoop1 ~]# cat /etc/krb5.conf
[libdefaults]
  renew_lifetime = 7d
  forwardable = true
  default_realm = TOLLS.DOT.SATE.FL.US
  ticket_lifetime = 24h
  dns_lookup_realm = false
  dns_lookup_kdc = false
  default_ccache_name = /tmp/krb5cc_%{uid}
  #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
  #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5

[logging]
  default = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  kdc = FILE:/var/log/krb5kdc.log

[realms]
  TOLLS.DOT.SATE.FL.US = {
    admin_server = hadoop1.tolls.dot.state.fl.us
    kdc = hadoop1
  }
[root@hadoop1 ~]#
Created 11-30-2016 04:26 PM
kdc = hadoop1
should probably be
kdc = hadoop1.tolls.dot.state.fl.us
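
An added example, not part of the thread or of Ambari: a Python check that parses a krb5.conf like the one posted above and reports why `kadmin -r <realm>` may fail with "Cannot find KDC for requested realm". It checks that the requested realm has a [realms] entry, that default_realm matches it, and that kdc/admin_server hosts are fully qualified; the sample is constructed from the posted file and the helper names are illustrative.

```python
# Added example (helper names are illustrative). Constructed sample: the posted krb5.conf, trimmed.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = TOLLS.DOT.SATE.FL.US
  dns_lookup_kdc = false

[realms]
  TOLLS.DOT.SATE.FL.US = {
    admin_server = hadoop1.tolls.dot.state.fl.us
    kdc = hadoop1
  }
"""

def parse_krb5(text):
    """Return (default_realm, {realm: {key: [values]}}) for krb5.conf text."""
    section, realm, default_realm, realms = None, None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
        elif line == "}":
            realm = None
        elif "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "libdefaults" and key == "default_realm":
                default_realm = value
            elif section == "realms" and value == "{":
                realm = realms.setdefault(key, {})
            elif section == "realms" and realm is not None:
                realm.setdefault(key, []).append(value)
    return default_realm, realms

def check_realm(text, requested):
    """List reasons `kadmin -r requested` may fail to locate a KDC."""
    default_realm, realms = parse_krb5(text)
    problems = []
    if requested not in realms:  # realm names are case-sensitive
        problems.append(f"no [realms] entry for {requested}; defined: {sorted(realms)}")
    if default_realm != requested:
        problems.append(f"default_realm is {default_realm}, not {requested}")
    for name, settings in realms.items():
        for key in ("kdc", "admin_server"):
            for host in settings.get(key, []):
                if "." not in host.split(":")[0]:
                    problems.append(f"{name}: {key} = {host} is not fully qualified")
    return problems

for problem in check_realm(SAMPLE_KRB5_CONF, "TOLLS.DOT.STATE.FL.US"):
    print("WARN:", problem)
```

Run against the posted file, it reports three problems: the file spells the realm TOLLS.DOT.SATE.FL.US in both default_realm and [realms] while Ambari passes TOLLS.DOT.STATE.FL.US to kadmin, and kdc = hadoop1 is a short host name.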