I am trying to ENABLE Kerberos. I entered KDC configs and then Kadmin_host, admin_principal and admin_password.
Then it is successfully installing Kerberos cliend but failing while testing Kerberos client with below error:
Failed to create principal - hadoop@domain - can not check if principal exists
-> I find this error in "ambari-audit.log"
I have a container in my Active Directory called KnoxUsers and I have "knxadmin" as user.
I have put 'knxadmin' as Admin_Principal while configuring Kerberos.
Can anyone points me where I need to check to correct this error?
Brief Description about my cluster:
I have single node cluster which I deployed using ambari on a VM on a host-machine. I have active directory setup on a domain controller. My domain controller and host-machine are on the same domain.
Check /etc/krb5.conf, whether you have correct setting for domain,kdc,admin_principal
Also check Kerberos acl at below location:
If it's of the kind */admin@HADOOP.COM * , please change it to *admin@YOURDOMAIN * and restart the kadmin process.
Kerberos will consider only principals matching this acl as valid admins and will let you create user/service principals using them.
Or you can also change your admin_principal to knxadmin/admin@YOURDOMAIN.
Can you search for this file?
find / -iname kadm5.acl
Usually this is created when you install krb5-kdc krb5-admin-server.
I installed krb5-kdc krb5-admin-server but didn't find kadm5.acl in /etc/krb5kdc.
I can see /etc/krb5kdc/kdc.conf having acl_file = /etc/krb5kdc/kadm5.acl. But there is no .acl file present in this directory. Should I create one?
Did you create the admin principal ? If not create the admin principal
kadmin.local -q "addprinc admin/admin"
Ensure that the KDC ACL file includes an entry so to allow the admin principal to administer the KDC for your specific realm. When using a realm that is different than EXAMPLE.COM, be sure there is an entry for the realm you are using. If not present, principal creation will fail. For example, for an admin/admin@HADOOP.COM principal, you should have an entry: */admin@HADOOP.COM *
I tried to create admin principal but it gave me error:
Authenticating as principat root/admin@mydomain with password.
kadmin.local: no such file or directory while initializing kadmin.local interface
@Aditya Sirna Thanks for helping me out in this case!
But I am little confused that Why I need to create admin principal. Please read below for what I am trying to do and how my current setup is.
Actually, my intent is to use existing Active Directory. I think, I need to create admin principal when I intent to use Existing MIT KDC, which is not the case. Please comment if I am wrong. (Also, do i need to be running kdc-admin-server and krb5kdc services if I am not using Existing MIT KDC?)
Brief desc about KDC and hadoop setup:
My existing Active Directory is already setup at Domain Controller (let's say, hostname=DC1) . And there I created new container "KnoxUsers" and a admin user "knxadmin" in that container. I want to use KDC as DC1 to connect to Active Directory from my hostmachine(where single node hadoop cluster is deployed using Ambari). To do that I started with enabling Kerberos through Ambari. After entering Configs (via Ambari) for KDC and Kadmin, it automatically started installing Kerberos client (which is succesfully complete, then it started Test Kerberos Client, where it is failed with the error "Failed to create principal - hadoop@domain - can not check if principal exists"