Failed to create kerberos principal

I have Kerberos and Ambari set up, and I was able to enable/disable Kerberos through Ambari and regenerate principals, but now I am getting the error below in the Ambari UI:

2018-11-21 04:01:14,662 - Failed to create principal, zookeeper/local4.domain.coma@DOMAIN.COM,zookeeper/ubuntu25.domain.com@DOMAIN.COM,zookeeper/ubuntu26.domain.com@DOMAIN.COM - Failed to create service principal for zookeeper/local4.domain.com@DOMAIN.COM,zookeeper/ubuntu25.domain.com@DOMAIN.COM,zookeeper/ubuntu26.domain.com@DOMAIN.COM
STDOUT: Authenticating as principal kadmin/admin@DOMAIN.COM with existing credentials.
STDERR: add_principal: Malformed representation of principal while parsing principal
usage: add_principal [options] principal
options are:
[-randkey|-nokey] [-x db_princ_args]* [-expire expdate] [-pwexpire pwexpdate] [-maxlife maxtixlife]
[-kvno kvno] [-policy policy] [-clearpolicy]
[-pw password] [-maxrenewlife maxrenewlife]
[-e keysaltlist]
[{+|-}attribute]
attributes are:
allow_postdated allow_forwardable allow_tgs_req allow_renewable
allow_proxiable allow_dup_skey allow_tix requires_preauth
requires_hwauth needchange allow_svr password_changing_service
ok_as_delegate ok_to_auth_as_delegate no_auth_data_required
where,
[-x db_princ_args]* - any number of database specific arguments.
Look at each database documentation for supported arguments
Administration credentials NOT DESTROYED.
2018-11-21 04:01:16,073 - Failed to create principal, hbase/local4.domain.com@DOMAIN.COM,hbase/ubuntu25.domain.com@DOMAIN.COM,hbase/ubuntu26.domain.com@DOMAIN.COM - Failed to create service principal for hbase/local4.domain.com@DOMAIN.COM,hbase/ubuntu25.domain.com@DOMAIN.COM,hbase/ubuntu26.domain.com@DOMAIN.COM
STDOUT: Authenticating as principal kadmin/admin@DOMAIN.COM with existing credentials.
STDERR: add_principal: Malformed representation of principal while parsing principal
usage: add_principal [options] principal
options are:
[-randkey|-nokey] [-x db_princ_args]* [-expire expdate] [-pwexpire pwexpdate] [-maxlife maxtixlife]
[-kvno kvno] [-policy policy] [-clearpolicy]
[-pw password] [-maxrenewlife maxrenewlife]
[-e keysaltlist]
[{+|-}attribute]
attributes are:
allow_postdated allow_forwardable allow_tgs_req allow_renewable
allow_proxiable allow_dup_skey allow_tix requires_preauth
requires_hwauth needchange allow_svr password_changing_service
ok_as_delegate ok_to_auth_as_delegate no_auth_data_required
where,
[-x db_princ_args]* - any number of database specific arguments.
Look at each database documentation for supported arguments
Administration credentials NOT DESTROYED.

Can anyone check?

1 ACCEPTED SOLUTION

While regenerating principals, it was giving the above error because it might be taking that principal name from the Ambari database (Postgres).

6 REPLIES 6

I have destroyed the Kerberos database and created a new one; still getting the above error.

@Ankita Ghate

It seems like there is an issue with the principal name. According to the error

2018-11-21 04:01:14,662 - Failed to create principal, zookeeper/local4.domain.coma@DOMAIN.COM,zookeeper/ubuntu25.domain.com@DOMAIN.COM,zookeeper/ubuntu26.domain.com@DOMAIN.COM - Failed to create service principal for zookeeper/local4.domain.com@DOMAIN.COM,zookeeper/ubuntu25.domain.com@DOMAIN.COM,zookeeper/ubuntu26.domain.com@DOMAIN.COM

Ambari thinks the principal name is

zookeeper/local4.domain.coma@DOMAIN.COM,zookeeper/ubuntu25.domain.com@DOMAIN.COM,zookeeper/ubuntu26.domain.com@DOMAIN.COM

as one principal name, not 3 different principal names. Do you know why this could be? Did you add any custom Kerberos identities to the Kerberos Descriptor or customize it at all?

Yes, I had customized the zookeeper and hbase principals in the Kerberos configuration through Ambari, but later I changed them back to the defaults and tried to regenerate principals, and it is giving the above error. Where is it taking these principals from, even though I have destroyed the Kerberos database?

Any solution?

While regenerating principals, it was giving the above error because it might be taking that principal name from the Ambari database (Postgres).

@Ankita Ghate

Can you post/attach the user-supplied Kerberos descriptor retrieved from

GET /api/v1/clusters/CLUSTER_NAME/kerberos_descriptors/USER

Replacing CLUSTER_NAME with the name of your cluster.

I suspect the issue is related to Kerberos descriptor information supplied to Ambari.
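
Added example, not part of the original thread and not Ambari's own code: a check that walks the JSON returned by the descriptor request above and reports any principal value that cannot be a single principal name, such as the comma-joined value in the error. The sample descriptor is constructed, and the walker assumes only that principals appear as `"principal": {"value": ...}` objects somewhere in the document.

```python
# Constructed sample shaped like a user-supplied Kerberos descriptor; the real
# one comes from GET /api/v1/clusters/CLUSTER_NAME/kerberos_descriptors/USER.
SAMPLE_DESCRIPTOR = {"services": [
    {"name": "ZOOKEEPER", "components": [{"name": "ZOOKEEPER_SERVER", "identities": [
        {"name": "zookeeper_zk", "principal": {
            "value": "zookeeper/a.example.com@EXAMPLE.COM,zookeeper/b.example.com@EXAMPLE.COM"}},
    ]}]},
    {"name": "HBASE", "components": [{"name": "HBASE_MASTER", "identities": [
        {"name": "hbase_master_hbase", "principal": {"value": "hbase/_HOST@${realm}"}},
    ]}]},
]}


def principal_problems(value):
    """Return the reasons why `value` cannot be a single principal name."""
    problems = []
    if "," in value:
        problems.append("contains a comma (looks like a list of principals)")
    if value.count("@") > 1:
        problems.append("contains more than one '@'")
    if any(ch.isspace() for ch in value):
        problems.append("contains whitespace")
    return problems


def find_bad_principals(node, path="$"):
    """Walk any JSON structure and yield (path, value, problems) for every
    "principal": {"value": ...} entry that fails the single-name checks."""
    if isinstance(node, dict):
        principal = node.get("principal")
        if isinstance(principal, dict) and isinstance(principal.get("value"), str):
            problems = principal_problems(principal["value"])
            if problems:
                yield (path + ".principal.value", principal["value"], problems)
        for key, child in node.items():
            yield from find_bad_principals(child, f"{path}.{key}")
    elif isinstance(node, list):
        for index, child in enumerate(node):
            yield from find_bad_principals(child, f"{path}[{index}]")


if __name__ == "__main__":
    for path, value, problems in find_bad_principals(SAMPLE_DESCRIPTOR):
        print(f"{path}: {value!r}: {'; '.join(problems)}")
```

To check a real cluster, load the saved API response with `json.load` and pass it to `find_bad_principals` in place of the sample.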