Enable Kerberos Wizard failed to create principals in Active Directory

Hi folks,

The "Enable Kerberos Wizard" failed to create all needed principals. Some principals were created, but not all. This is the output from the log file:

05 Nov 2017 12:24:26,337  INFO [Server Action Executor Worker 270] KerberosServerAction:353 - Processing identities...
05 Nov 2017 12:24:26,419  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, HTTP/hdp-master-02.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,471  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, ambari-qa@VLAB.LOCAL
05 Nov 2017 12:24:26,516  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, hdfs@VLAB.LOCAL
05 Nov 2017 12:24:26,566  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, mapred/hdp-master-02.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,614  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, yarn/hdp-master-02.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,664  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, rm/hdp-master-02.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,712  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, zookeeper/hdp-master-02.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,759  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, HTTP/hdp-master-01.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,806  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, amshbase/hdp-master-01.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,856  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, amszk/hdp-master-01.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,902  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, activity_analyzer/hdp-master-01.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,951  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, activity_explorer/hdp-master-01.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,996  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, zookeeper/hdp-master-01.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:27,043  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, HTTP/lab1-hdfs.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:27,093  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, hdfs/lab1-hdfs.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:27,096 ERROR [Server Action Executor Worker 270] CreatePrincipalsServerAction:297 - Failed to create principal, hdfs/lab1-hdfs.vlab.local@VLAB.LOCAL - Can not create principal : hdfs/lab1-hdfs.vlab.local@VLAB.LOCAL
org.apache.ambari.server.serveraction.kerberos.KerberosOperationException: Can not create principal : hdfs/lab1-hdfs.vlab.local@VLAB.LOCAL
        at org.apache.ambari.server.serveraction.kerberos.ADKerberosOperationHandler.createPrincipal(ADKerberosOperationHandler.java:338)
        at org.apache.ambari.server.serveraction.kerberos.CreatePrincipalsServerAction.createPrincipal(CreatePrincipalsServerAction.java:256)
        at org.apache.ambari.server.serveraction.kerberos.CreatePrincipalsServerAction.processIdentity(CreatePrincipalsServerAction.java:159)
        at org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.processRecord(KerberosServerAction.java:532)
        at org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.processIdentities(KerberosServerAction.java:414)
        at org.apache.ambari.server.serveraction.kerberos.CreatePrincipalsServerAction.execute(CreatePrincipalsServerAction.java:91)
        at org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.execute(ServerActionExecutor.java:517)
        at org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.run(ServerActionExecutor.java:454)
        at java.lang.Thread.run(Thread.java:745)
Caused by: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 000021C7: AtrErr: DSID-03200BDF, #1:
        0: 000021C7: DSID-03200BDF, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName)
]; remaining name '"cn=hdfs/lab1-hdfs.vlab.local,OU=HDP"'
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3149)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3082)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
        at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268)
        at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:202)
        at org.apache.ambari.server.serveraction.kerberos.ADKerberosOperationHandler.createPrincipal(ADKerberosOperationHandler.java:336)
        ... 8 more
05 Nov 2017 12:24:27,096  INFO [Server Action Executor Worker 270] KerberosServerAction:457 - Processing identities completed.

Any suggestion would be appreciated.

Many thanks in advance,

Jorge.

1 ACCEPTED SOLUTION

Super Mentor

@Jorge Florencio

Based on the following error:

Caused by: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 000021C7: AtrErr: DSID-03200BDF, #1: 0: 000021C7: DSID-03200BDF, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName)


Please check your Active Directory; it looks like the SPN (hdfs/lab1-hdfs.vlab.local@VLAB.LOCAL) already existed there. If yes, then it seems to be restricting Ambari from creating principals in the AD.

Please remove that principal from your AD first and then try again. It depends on the AD policy that is being applied with the constraint for creating the principals.

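To check the diagnosis in the answer above against the log, the following sketch (an added example, not part of the original thread and not Ambari's code) pulls each failed principal out of an ambari-server log excerpt, decodes the AD extended error (0x21C7 is the Win32 code ERROR_DS_SPN_VALUE_NOT_UNIQUE_IN_FOREST), and builds the LDAP filter that locates the object already holding that SPN. The function names and the small error table are assumptions of this example; the sample lines are excerpted from the log posted in the question.

```python
import re

# AD extended errors (Win32 values) seen with LDAP result 19 (constraintViolation).
AD_ERRORS = {
    0x21C7: "ERROR_DS_SPN_VALUE_NOT_UNIQUE_IN_FOREST",
    0x21C8: "ERROR_DS_UPN_VALUE_NOT_UNIQUE_IN_FOREST",
}
FAILED = re.compile(r"ERROR .*Failed to create principal, (\S+) - ")
LDAP_ERR = re.compile(r"LDAP: error code (\d+) - ([0-9A-Fa-f]{8}):")
ATTR = re.compile(r"Att [0-9a-fA-F]+ \((\w+)\)")

# Sample input: lines excerpted from the log in the question.
SAMPLE_LOG = """\
05 Nov 2017 12:24:27,043  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, HTTP/lab1-hdfs.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:27,096 ERROR [Server Action Executor Worker 270] CreatePrincipalsServerAction:297 - Failed to create principal, hdfs/lab1-hdfs.vlab.local@VLAB.LOCAL - Can not create principal : hdfs/lab1-hdfs.vlab.local@VLAB.LOCAL
Caused by: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 000021C7: AtrErr: DSID-03200BDF, #1:
        0: 000021C7: DSID-03200BDF, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName)
"""

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def spn_filter(principal):
    """Kerberos principal -> filter matching any AD object that holds the SPN."""
    spn = principal.rsplit("@", 1)[0]  # the SPN attribute carries no realm
    return "(servicePrincipalName=%s)" % escape_filter_value(spn)

def diagnose(log_text):
    """Return one finding per failed principal in the log excerpt."""
    findings, current = [], None
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            current = {"principal": m.group(1), "filter": spn_filter(m.group(1))}
            findings.append(current)
            continue
        if current is None:
            continue
        m = LDAP_ERR.search(line)
        if m:
            code = int(m.group(2), 16)
            current["ldap_code"] = int(m.group(1))
            current["ad_error"] = AD_ERRORS.get(code, "0x%08X" % code)
        m = ATTR.search(line)
        if m:
            current["attribute"] = m.group(1)
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

Because the uniqueness check behind this error is forest-wide, the resulting filter is best run against a Global Catalog rather than a single OU or domain.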

5 REPLIES 5


New Contributor

Hi,

I am facing a similar issue and I have already parsed the entire AD structure; this particular principal does not exist. So the issue seems to be something else. Can someone please throw out some ideas?

Checks we did:

1) Service Account has full access on Active Directory
2) No pre-existing SPN in AD
3) Manual connection to AD working using same Service account.

Thanks,

Sagar

Perfect, I've already fixed it!

Thank you!

New Contributor

Hi Jorge,

Was it the duplicate SPN in your case?

Thanks,

Sagar

How did you fix this?
