Support Questions
Find answers, ask questions, and share your expertise

Failed to create principal - hadoop@domain - can not check if principal exists

Failed to create principal - hadoop@domain - can not check if principal exists

Explorer

I am trying to ENABLE Kerberos. I entered KDC configs and then Kadmin_host, admin_principal and admin_password.

Then it is successfully installing Kerberos cliend but failing while testing Kerberos client with below error:

Failed to create principal - hadoop@domain - can not check if principal exists

-> I find this error in "ambari-audit.log"

I have a container in my Active Directory called KnoxUsers and I have "knxadmin" as user.

I have put 'knxadmin' as Admin_Principal while configuring Kerberos.

Can anyone points me where I need to check to correct this error?

Brief Description about my cluster:

I have single node cluster which I deployed using ambari on a VM on a host-machine. I have active directory setup on a domain controller. My domain controller and host-machine are on the same domain.

21 REPLIES 21

Re: Failed to create principal - hadoop@domain - can not check if principal exists

Expert Contributor

Check /etc/krb5.conf, whether you have correct setting for domain,kdc,admin_principal

Also check Kerberos acl at below location:

RHEL/CentOS/Oracle Linux

vi /var/kerberos/krb5kdc/kadm5.acl

SLES

vi /var/lib/kerberos/krb5kdc/kadm5.acl

Ubuntu/Debian

vi /etc/krb5kdc/kadm5.acl

If it's of the kind */admin@HADOOP.COM * , please change it to *admin@YOURDOMAIN * and restart the kadmin process.

Kerberos will consider only principals matching this acl as valid admins and will let you create user/service principals using them.

Or you can also change your admin_principal to knxadmin/admin@YOURDOMAIN.

Re: Failed to create principal - hadoop@domain - can not check if principal exists

Explorer

@tsharma

I didn't find /etc/krb5kdc

Do I need to create this acl file?

Note: [My host is ubuntu where single node hadoop is deployed using Ambari. ]

Re: Failed to create principal - hadoop@domain - can not check if principal exists

Expert Contributor

Can you search for this file?

find / -iname kadm5.acl

Usually this is created when you install krb5-kdc krb5-admin-server.

Re: Failed to create principal - hadoop@domain - can not check if principal exists

Explorer

I installed krb5-kdc krb5-admin-server but didn't find kadm5.acl in /etc/krb5kdc.

I can see /etc/krb5kdc/kdc.conf having acl_file = /etc/krb5kdc/kadm5.acl. But there is no .acl file present in this directory. Should I create one?

Re: Failed to create principal - hadoop@domain - can not check if principal exists

Expert Contributor

Yes try creating one in that case.

Refer this link http://manpages.ubuntu.com/manpages/trusty/man5/kadm5.acl.5.html

Do service krb5-admin-server restart after adding.

Re: Failed to create principal - hadoop@domain - can not check if principal exists

@Neha G,

Did you create the admin principal ? If not create the admin principal

kadmin.local -q "addprinc admin/admin"

Ensure that the KDC ACL file includes an entry so to allow the admin principal to administer the KDC for your specific realm. When using a realm that is different than EXAMPLE.COM, be sure there is an entry for the realm you are using. If not present, principal creation will fail. For example, for an admin/admin@HADOOP.COM principal, you should have an entry: */admin@HADOOP.COM *

Thanks,

Aditya

Re: Failed to create principal - hadoop@domain - can not check if principal exists

Explorer

@Aditya Sirna

I tried to create admin principal but it gave me error:

Authenticating as principat root/admin@mydomain with password.

kadmin.local: no such file or directory while initializing kadmin.local interface

Re: Failed to create principal - hadoop@domain - can not check if principal exists

@Neha G,

Can you try the same command using kadmin instead of kadmin.local. Also can you please attach your /etc/krb5.conf file.

Thanks,

Aditya

Re: Failed to create principal - hadoop@domain - can not check if principal exists

Explorer

@Aditya Sirna Thanks for helping me out in this case!

But I am little confused that Why I need to create admin principal. Please read below for what I am trying to do and how my current setup is.

Actually, my intent is to use existing Active Directory. I think, I need to create admin principal when I intent to use Existing MIT KDC, which is not the case. Please comment if I am wrong. (Also, do i need to be running kdc-admin-server and krb5kdc services if I am not using Existing MIT KDC?)

Brief desc about KDC and hadoop setup:

My existing Active Directory is already setup at Domain Controller (let's say, hostname=DC1) . And there I created new container "KnoxUsers" and a admin user "knxadmin" in that container. I want to use KDC as DC1 to connect to Active Directory from my hostmachine(where single node hadoop cluster is deployed using Ambari). To do that I started with enabling Kerberos through Ambari. After entering Configs (via Ambari) for KDC and Kadmin, it automatically started installing Kerberos client (which is succesfully complete, then it started Test Kerberos Client, where it is failed with the error "Failed to create principal - hadoop@domain - can not check if principal exists"