Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Enable Kerberos Wizard failed to create principals in Active Directory

avatar
author-rank jorge_florencio
Contributor

Created on ‎11-05-2017 11:53 AM - edited ‎09-16-2022 05:29 AM

Hi folks,

the "Enable Kerberos Wizard" failed to create all needed principals. Some principals were created, but not all. This is the output from the log file:

05 Nov 2017 12:24:26,337  INFO [Server Action Executor Worker 270] KerberosServerAction:353 - Processing identities...
05 Nov 2017 12:24:26,419  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, HTTP/hdp-master-02.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,471  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, ambari-qa@VLAB.LOCAL
05 Nov 2017 12:24:26,516  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, hdfs@VLAB.LOCAL
05 Nov 2017 12:24:26,566  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, mapred/hdp-master-02.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,614  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, yarn/hdp-master-02.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,664  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, rm/hdp-master-02.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,712  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, zookeeper/hdp-master-02.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,759  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, HTTP/hdp-master-01.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,806  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, amshbase/hdp-master-01.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,856  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, amszk/hdp-master-01.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,902  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, activity_analyzer/hdp-master-01.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,951  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, activity_explorer/hdp-master-01.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,996  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, zookeeper/hdp-master-01.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:27,043  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, HTTP/lab1-hdfs.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:27,093  INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, hdfs/lab1-hdfs.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:27,096 ERROR [Server Action Executor Worker 270] CreatePrincipalsServerAction:297 - Failed to create principal, hdfs/lab1-hdfs.vlab.local@VLAB.LOCAL - Can not create principal : hdfs/lab1-hdfs.vlab.local@VLAB.LOCAL
org.apache.ambari.server.serveraction.kerberos.KerberosOperationException: Can not create principal : hdfs/lab1-hdfs.vlab.local@VLAB.LOCAL
        at org.apache.ambari.server.serveraction.kerberos.ADKerberosOperationHandler.createPrincipal(ADKerberosOperationHandler.java:338)
        at org.apache.ambari.server.serveraction.kerberos.CreatePrincipalsServerAction.createPrincipal(CreatePrincipalsServerAction.java:256)
        at org.apache.ambari.server.serveraction.kerberos.CreatePrincipalsServerAction.processIdentity(CreatePrincipalsServerAction.java:159)
        at org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.processRecord(KerberosServerAction.java:532)
        at org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.processIdentities(KerberosServerAction.java:414)
        at org.apache.ambari.server.serveraction.kerberos.CreatePrincipalsServerAction.execute(CreatePrincipalsServerAction.java:91)
        at org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.execute(ServerActionExecutor.java:517)
        at org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.run(ServerActionExecutor.java:454)
        at java.lang.Thread.run(Thread.java:745)
Caused by: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 000021C7: AtrErr: DSID-03200BDF, #1:
        0: 000021C7: DSID-03200BDF, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName)
]; remaining name '"cn=hdfs/lab1-hdfs.vlab.local,OU=HDP"'
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3149)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3082)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
        at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268)
        at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:202)
        at org.apache.ambari.server.serveraction.kerberos.ADKerberosOperationHandler.createPrincipal(ADKerberosOperationHandler.java:336)
        ... 8 more
05 Nov 2017 12:24:27,096  INFO [Server Action Executor Worker 270] KerberosServerAction:457 - Processing identities completed.

Any suggestion would be appreciated.

Many thanks in advance,

Jorge.

9,202 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank jsensharma author-rank
Master Mentor

Created ‎11-05-2017 12:02 PM

@Jorge Florencio

Based on the following error:

Caused by: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 000021C7: AtrErr: DSID-03200BDF, #1: 0: 000021C7: DSID-03200BDF, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName)

.

Please check your Active Directory it looks like the SPN (hdfs/lab1-hdfs.vlab.local@VLAB.LOCAL) already exited there. If yes then it seems to be restricting ambari from creating principals in the AD.


Please remove that principla from your AD first and then try again. It depends on the AD policy that is being applied with the constraint for creating the principals.

.

View solution in original post

8,463 Views
6 REPLIES 6

avatar
author-rank jsensharma author-rank
Master Mentor

Created ‎11-05-2017 12:02 PM

@Jorge Florencio

Based on the following error:

Caused by: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 000021C7: AtrErr: DSID-03200BDF, #1: 0: 000021C7: DSID-03200BDF, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName)

.

Please check your Active Directory it looks like the SPN (hdfs/lab1-hdfs.vlab.local@VLAB.LOCAL) already exited there. If yes then it seems to be restricting ambari from creating principals in the AD.


Please remove that principla from your AD first and then try again. It depends on the AD policy that is being applied with the constraint for creating the principals.

.

8,464 Views

avatar
author-rank sagarspathak
Explorer

Created ‎08-12-2022 06:58 PM

Hi ,

I am facing similar issue and I have already parsed entire AD structure, this particular principal is not existing. So the issue seems to be something else can someone please throw some idea ?

Checks we did :

1) Service Account has full access on Active Directory
2)  No pre-existing SPN in AD

3)  Manual connection to AD working using same Service account.

 

Thanks,

Sagar

4,293 Views
0 Kudos

avatar
author-rank jorge_florencio
Contributor

Created ‎11-05-2017 04:44 PM

Perfect, I've already fixed it !

Thanks you!

8,462 Views
0 Kudos

avatar
author-rank sagarspathak
Explorer

Created ‎08-12-2022 06:59 PM

Hi Jorge,

Was it the duplicate SPN in your case ?

 

Thanks,

Sagar

4,293 Views
0 Kudos

avatar
author-rank JobBranwl
Explorer

Created ‎03-31-2023 12:25 AM

How did you solve it

2,901 Views
0 Kudos

avatar
author-rank sameer_dalai
Explorer

Created ‎01-16-2019 02:24 AM

how did you fixed this

8,462 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements