Created on 11-05-2017 11:53 AM - edited 09-16-2022 05:29 AM
Hi folks,
the "Enable Kerberos Wizard" failed to create all needed principals. Some principals were created, but not all. This is the output from the log file:
05 Nov 2017 12:24:26,337 INFO [Server Action Executor Worker 270] KerberosServerAction:353 - Processing identities...
05 Nov 2017 12:24:26,419 INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, HTTP/hdp-master-02.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,471 INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, ambari-qa@VLAB.LOCAL
05 Nov 2017 12:24:26,516 INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, hdfs@VLAB.LOCAL
05 Nov 2017 12:24:26,566 INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, mapred/hdp-master-02.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,614 INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, yarn/hdp-master-02.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,664 INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, rm/hdp-master-02.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,712 INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, zookeeper/hdp-master-02.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,759 INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, HTTP/hdp-master-01.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,806 INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, amshbase/hdp-master-01.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,856 INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, amszk/hdp-master-01.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,902 INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, activity_analyzer/hdp-master-01.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,951 INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, activity_explorer/hdp-master-01.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:26,996 INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, zookeeper/hdp-master-01.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:27,043 INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, HTTP/lab1-hdfs.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:27,093 INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, hdfs/lab1-hdfs.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:27,096 ERROR [Server Action Executor Worker 270] CreatePrincipalsServerAction:297 - Failed to create principal, hdfs/lab1-hdfs.vlab.local@VLAB.LOCAL - Can not create principal : hdfs/lab1-hdfs.vlab.local@VLAB.LOCAL
org.apache.ambari.server.serveraction.kerberos.KerberosOperationException: Can not create principal : hdfs/lab1-hdfs.vlab.local@VLAB.LOCAL
    at org.apache.ambari.server.serveraction.kerberos.ADKerberosOperationHandler.createPrincipal(ADKerberosOperationHandler.java:338)
    at org.apache.ambari.server.serveraction.kerberos.CreatePrincipalsServerAction.createPrincipal(CreatePrincipalsServerAction.java:256)
    at org.apache.ambari.server.serveraction.kerberos.CreatePrincipalsServerAction.processIdentity(CreatePrincipalsServerAction.java:159)
    at org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.processRecord(KerberosServerAction.java:532)
    at org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.processIdentities(KerberosServerAction.java:414)
    at org.apache.ambari.server.serveraction.kerberos.CreatePrincipalsServerAction.execute(CreatePrincipalsServerAction.java:91)
    at org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.execute(ServerActionExecutor.java:517)
    at org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.run(ServerActionExecutor.java:454)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 000021C7: AtrErr: DSID-03200BDF, #1: 0: 000021C7: DSID-03200BDF, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName) ]; remaining name '"cn=hdfs/lab1-hdfs.vlab.local,OU=HDP"'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3149)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3082)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
    at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268)
    at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:202)
    at org.apache.ambari.server.serveraction.kerberos.ADKerberosOperationHandler.createPrincipal(ADKerberosOperationHandler.java:336)
    ... 8 more
05 Nov 2017 12:24:27,096 INFO [Server Action Executor Worker 270] KerberosServerAction:457 - Processing identities completed.
Any suggestion would be appreciated.
Many thanks in advance,
Jorge.
Created 11-05-2017 12:02 PM
Based on the following error:
Caused by: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 000021C7: AtrErr: DSID-03200BDF, #1: 0: 000021C7: DSID-03200BDF, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName)
Please check your Active Directory; it looks like the SPN (hdfs/lab1-hdfs.vlab.local@VLAB.LOCAL) already existed there. If yes, then it seems to be restricting Ambari from creating principals in the AD.
Please remove that principal from your AD first and then try again. It depends on the AD policy that is being applied with the constraint for creating the principals.
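A way to triage this kind of failure from the Ambari server log before touching AD, added here as an example and not part of the original posts: it pairs each "Failed to create principal" entry with the LDAP error that follows and builds the search filter for an existing servicePrincipalName. The sample log is constructed from the lines quoted in the question, and it is an assumption that the SPN stored in AD is the principal name with the realm stripped.

```python
import re

# Constructed sample, abridged from the log quoted in the question.
SAMPLE_LOG = """\
05 Nov 2017 12:24:27,043 INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, HTTP/lab1-hdfs.vlab.local@VLAB.LOCAL
05 Nov 2017 12:24:27,096 ERROR [Server Action Executor Worker 270] CreatePrincipalsServerAction:297 - Failed to create principal, hdfs/lab1-hdfs.vlab.local@VLAB.LOCAL - Can not create principal : hdfs/lab1-hdfs.vlab.local@VLAB.LOCAL
Caused by: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 000021C7: AtrErr: DSID-03200BDF, #1: 0: 000021C7: DSID-03200BDF, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName) ]
"""

FAILED = re.compile(r"ERROR .*Failed to create principal, (\S+) - ")
LDAP_ERR = re.compile(
    r"LDAP: error code (\d+) .*?problem \d+ \((\w+)\).*?Att \w+ \((\w+)\)")


def ldap_escape(value):
    """Escape a filter assertion value per RFC 4515 (\\, *, (, ), NUL)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def triage(log_text):
    """Return one finding per failed principal, with the LDAP error attached."""
    findings, current = [], None
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            current = {"principal": m.group(1), "ldap_code": None,
                       "problem": None, "attribute": None, "filter": None}
            findings.append(current)
        e = LDAP_ERR.search(line)  # may sit on the same line or a later one
        if e and current and current["ldap_code"] is None:
            current["ldap_code"] = int(e.group(1))
            current["problem"], current["attribute"] = e.group(2), e.group(3)
            # Code 19 is a constraint violation; when it names
            # servicePrincipalName, look for an object already holding the SPN.
            if current["ldap_code"] == 19 and e.group(3) == "servicePrincipalName":
                spn = current["principal"].split("@", 1)[0]  # assumption: realm stripped
                current["filter"] = "(servicePrincipalName=%s)" % ldap_escape(spn)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["principal"], f["ldap_code"], f["problem"], f["filter"])
```

The resulting filter can be run with any LDAP search tool against the domain; on a domain-joined Windows host, `setspn -Q hdfs/lab1-hdfs.vlab.local` performs the same lookup.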
Created 08-12-2022 06:58 PM
Hi,
I am facing a similar issue and I have already parsed the entire AD structure; this particular principal does not exist. So the issue seems to be something else. Can someone please throw out some ideas?
Checks we did:
1) Service Account has full access on Active Directory
2) No pre-existing SPN in AD
3) Manual connection to AD working using same Service account.
Thanks,
Sagar
Created 11-05-2017 04:44 PM
Perfect, I've already fixed it!
Thank you!
Created 08-12-2022 06:59 PM
Hi Jorge,
Was it the duplicate SPN in your case?
Thanks,
Sagar
Created 03-31-2023 12:25 AM
How did you solve it?
Created 01-16-2019 02:24 AM
How did you fix this?