Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

HDP Sandbox 2.6 Automated Kerberos Installation and Configuration

HDP Sandbox 2.6 Automated Kerberos Installation and Configuration

New Contributor

Hello everyone there is my problem :

In order to automated kerberos installation i follow this tutorial for HDP sandbox 2.4 : https://community.hortonworks.com/articles/29203/automated-kerberos-installation-and-configuration.h...

I already try to set up it manually but without success because of a connection problem with the kdc when i try to configure it on ambari web interface.

So i try the tutorial but now i have this problem when i launch it :

017-07-27,13:50:41 Enabling Kerberos

% Total % Received % Xferd Average Speed Time Time Time Current

Dload Upload Total Spent Left Speed

137 513 102 513 0 172 12 4 0:00:42 0:00:40 0:00:02 78

HTTP/1.1 400 Bad Request

X-Frame-Options: DENY

X-XSS-Protection: 1; mode=block

X-Content-Type-Options: nosniff

Cache-Control: no-store

Pragma: no-cache

Set-Cookie: AMBARISESSIONID=ka633m5h9um01jqyy6uamrb18;Path=/;HttpOnly

Expires: Thu, 01 Jan 1970 00:00:00 GMT

User: raj_ops

Content-Type: text/plain

Content-Length: 513

Server: Jetty(8.1.19.v20160209)

{

"status" : 400,

"message" : "java.lang.IllegalArgumentException: Invalid KDC administrator credentials.\nThe KDC administrator credentials must be set as a persisted or temporary credential resource.This may be done by issuing a POST (or PUT for updating) to the /api/v1/clusters/:clusterName/credentials/kdc.admin.credential API entry point with the following payload:\n{\n \"Credential\" : {\n \"principal\" : \"(PRINCIPAL)\", \"key\" : \"(PASSWORD)\", \"type\" : \"(persisted|temporary)\"}\n }\n}"

I try to solve the problem by fixing manually the credential but the script seems to modify (it changes my persisted credential by a temporary credential) it and i can't find where it do it (and also i don't know how to see the principal of the credential to understand maybe why it's not working).

I also want to specify that in 2.6 ambari's log are : user : raj_ops password : raj_ops I think i configure my ambari.props correctly :

CLUSTER_NAME=Sandbox AMBARI_ADMIN_USER=raj_ops AMBARI_ADMIN_PASSWORD=raj_ops AMBARI_HOST=localhost KDC_HOST=localhost REALM=EXAMPLE.COM KERBEROS_CLIENTS=localhost

I have no more ideas on how to solve the problem please help me ^^

1 REPLY 1

Re: HDP Sandbox 2.6 Automated Kerberos Installation and Configuration

Expert Contributor

@Sofian Benabdelhak

Ambari requires a Kerberos admin principal which enables it to create principals/keytabs for all other components.

There are couple of things which may go wrong here.

1. Is raj_ops your admin principal name? It may not work because in default kerberos acl:

cat /var/kerberos/krb5kdc/kadm5.acl

*/admin@EXAMPLE.COM*

Only principal names matching the above regex are considered admins. (You can skip creation below if you modify this acl to grant access to your principal and restart kadmin)

2. The script may be creating and using default admin principal - admin/admin@EXAMPLE.COM and you may be specifying your credentials. You're running this from kdc host only right? In the procedure that you're following it says it'll create an admin principal for you (but that may be default again)

In your KDC, see available principles:

kadmin.local -q 'listprincs'

If you did not modify your acl and your principal is not there or it is mentioned as raj_ops@EXAMPLE.COM (delete that first) and create a new admin principal-

kadmin.local -q 'addprinc raj_ops/admin@EXAMPLE.COM'

Give password when prompted.

Also check whether admin/admin@EXAMPLE.COM is listed. (script may have created that, you can proceed with installation if you don't need custom principal name/password)

Store kdc.admin.credentials to the ambari server if they aren't. First check the current credentials . Follow the link below:

https://community.hortonworks.com/articles/42927/adding-kdc-administrator-credentials-to-the-ambari....

Then retry your installation.

Don't have an account?
Coming from Hortonworks? Activate your account here