
Failed to create kerberos principal


I have Kerberos and Ambari set up, and I was able to enable/disable Kerberos through Ambari and regenerate principals, but now I am getting the error below in the Ambari UI:

2018-11-21 04:01:14,662 - Failed to create principal, zookeeper/local4.domain.coma@DOMAIN.COM,zookeeper/,zookeeper/ - Failed to create service principal for zookeeper/,zookeeper/,zookeeper/
STDOUT: Authenticating as principal kadmin/admin@DOMAIN.COM with existing credentials.
STDERR: add_principal: Malformed representation of principal while parsing principal
usage: add_principal [options] principal
options are:
[-randkey|-nokey] [-x db_princ_args]* [-expire expdate] [-pwexpire pwexpdate] [-maxlife maxtixlife]
[-kvno kvno] [-policy policy] [-clearpolicy]
[-pw password] [-maxrenewlife maxrenewlife]
[-e keysaltlist]
attributes are:
allow_postdated allow_forwardable allow_tgs_req allow_renewable
allow_proxiable allow_dup_skey allow_tix requires_preauth
requires_hwauth needchange allow_svr password_changing_service
ok_as_delegate ok_to_auth_as_delegate no_auth_data_required
[-x db_princ_args]* - any number of database specific arguments.
Look at each database documentation for supported arguments
Administration credentials NOT DESTROYED.
2018-11-21 04:01:16,073 - Failed to create principal, hbase/,hbase/,hbase/ - Failed to create service principal for hbase/,hbase/,hbase/
STDOUT: Authenticating as principal kadmin/admin@DOMAIN.COM with existing credentials.
STDERR: add_principal: Malformed representation of principal while parsing principal
usage: add_principal [options] principal
options are:
[-randkey|-nokey] [-x db_princ_args]* [-expire expdate] [-pwexpire pwexpdate] [-maxlife maxtixlife]
[-kvno kvno] [-policy policy] [-clearpolicy]
[-pw password] [-maxrenewlife maxrenewlife]
[-e keysaltlist]
attributes are:
allow_postdated allow_forwardable allow_tgs_req allow_renewable
allow_proxiable allow_dup_skey allow_tix requires_preauth
requires_hwauth needchange allow_svr password_changing_service
ok_as_delegate ok_to_auth_as_delegate no_auth_data_required
[-x db_princ_args]* - any number of database specific arguments.
Look at each database documentation for supported arguments
Administration credentials NOT DESTROYED.

Can anyone check?






I have destroyed the Kerberos database and created a new one, but I am still getting the above error.

@Ankita Ghate

It seems like there is an issue with the principal name. According to the error

2018-11-21 04:01:14,662 - Failed to create principal, zookeeper/local4.domain.coma@DOMAIN.COM,zookeeper/,zookeeper/ - Failed to create service principal for zookeeper/,zookeeper/,zookeeper/

Ambari thinks the principal name is


As one principal name, not 3 different principal names. Do you know why this could be? Did you add any custom Kerberos identities to the Kerberos Descriptor or customize it at all?


Yes, I had customized the zookeeper and hbase principals in the Kerberos configuration through Ambari, but later I changed it to default and am trying to regenerate principals, but it is giving the above error. From where is it taking these principals, though I have destroyed the Kerberos database?

Any solution?


While regenerating principals it was giving the above error because it might be taking that principal name from the Ambari database - Postgres





@Ankita Ghate

Can you post/attach the user-supplied Kerberos descriptor retrieved from

GET /api/v1/clusters/CLUSTER_NAME/kerberos_descriptors/USER

Replacing CLUSTER_NAME with the name of your cluster.

I suspect the issue is related to Kerberos descriptor information supplied to Ambari.
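One way to check a retrieved descriptor for the problem seen in the log, as an added example that is not part of the thread or of Ambari's own code: it walks the JSON and flags any principal value that holds several comma-separated names or a name with an empty instance such as `zookeeper/`. It assumes each identity stores its name under `principal` → `value`; the function names and the sample descriptor are constructed for illustration.

```python
import json
import re

# One principal: primary[/instance][@REALM], with no commas or whitespace.
PRINCIPAL_RE = re.compile(r"^[^/@,\s]+(/[^/@,\s]+)?(@[^/@,\s]+)?$")
VARIABLE_RE = re.compile(r"\$\{[^}]*\}")  # Ambari variables such as ${realm}

def check_principal(value):
    """Return the problems found in one descriptor principal value."""
    problems = []
    if "," in value:
        problems.append("contains ',' (several names stored as one principal)")
    for part in value.split(","):
        name = VARIABLE_RE.sub("VAR", part.strip())
        if not PRINCIPAL_RE.match(name):
            problems.append(f"malformed name {part.strip()!r}")
    return problems

def audit_descriptor(node, path="$"):
    """Walk descriptor JSON, yielding (path, value, problems) for bad principals."""
    if isinstance(node, dict):
        principal = node.get("principal")
        if isinstance(principal, dict) and isinstance(principal.get("value"), str):
            problems = check_principal(principal["value"])
            if problems:
                yield f"{path}.principal.value", principal["value"], problems
        for key, child in node.items():
            yield from audit_descriptor(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from audit_descriptor(child, f"{path}[{i}]")

# Constructed sample; the bad value is copied from the error log in this thread.
SAMPLE = json.loads("""
{"services": [
  {"name": "ZOOKEEPER", "components": [{"name": "ZOOKEEPER_SERVER", "identities": [
    {"name": "zookeeper_zk", "principal":
      {"value": "zookeeper/local4.domain.coma@DOMAIN.COM,zookeeper/,zookeeper/"}}]}]},
  {"name": "HBASE", "identities": [
    {"name": "hbase", "principal": {"value": "hbase/_HOST@${realm}"}}]}
]}
""")

if __name__ == "__main__":
    # For a real check, json.load() the saved API response instead of SAMPLE.
    for where, value, problems in audit_descriptor(SAMPLE):
        print(where, value, *problems, sep="\n  ")
```

Because the walk is recursive, it works whether the saved JSON is the bare descriptor or the full API response that wraps it.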