How to reset admin password for kerberos enabled cluster

Contributor

How to reset the admin password set while enabling Kerberos.

Previously Kerberos was enabled, but we disabled it. When trying to enable Kerberos again, an admin username and password are required.

How to reset the password for this? Or is there any way to enable Kerberos without knowing the password?

HDP 2.4

2 REPLIES

Master Mentor

@tauqeer khan

Try this solution

1. Create an .ldif file, add the following lines to the file, then save and exit:

dn: cn=global_policy,cn=DOMAINL,cn=EXAMPLE,dc=EXAMPLE,dc=COM
changetype: modify
replace: krbMinPwdLife
krbMinPwdLife: 0

2. Note: you need to know the directory manager password. Run:

ldapmodify -h localhost -x -W -D "cn=directory manager" -f /root/test/krb_test.ldif

3. Now reset the password through kadmin.local:

kadmin.local
Authenticating as principal admin/admin@EXAMPLE.COM with password.
kadmin.local: change_password -pw secret123 admin@EXAMPLE.COM
Password for "admin@EXAMPLE.COM" changed.
kadmin.local: q

4. Run this command to clear the cache:

kdestroy

5. Run "kinit admin" to log in to the KDC using the new password:

[root@bddec1v1-0019 ~]# kinit admin
Password for admin@EXAMPLE.COM:
[root@bddec1v1-0019 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM

Valid starting Expires Service principal
.......
....

Or

[root@bddec1v1-0019 ~]# kadmin
Authenticating as principal self/admin@DOMAIN.TLD with password.
Password for self/admin@DOMAIN.TLD:
kadmin: getprivs
current privileges: GET ADD MODIFY DELETE
kadmin: cpw someuser
Enter password for principal "someuser@DOMAIN.TLD":
Re-enter password for principal "someuser@DOMAIN.TLD":
Password for "someuser@DOMAIN.TLD" changed.
kadmin: quit
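
The steps in the reply above leave krbMinPwdLife at 0 and put the new password on the kadmin.local command line with -pw. The following is an added example, not part of the original reply: it reads the current krbMinPwdLife, sets it to 0, lets kadmin.local prompt for the new password, and then writes the original value back. The function names and the BIND_DN and LDAP_URI variables are assumptions, and the OpenLDAP client tools and kadmin.local are assumed to be installed on the KDC host.

```shell
#!/usr/bin/env bash
# Added example (not from the original reply). Function names, BIND_DN and
# LDAP_URI are assumptions; the defaults mirror the bind DN and host above.
BIND_DN="${BIND_DN:-cn=directory manager}"
LDAP_URI="${LDAP_URI:-ldap://localhost}"

# Emit an LDIF record that sets krbMinPwdLife on policy entry $1 to value $2.
policy_ldif() {
  printf 'dn: %s\nchangetype: modify\nreplace: krbMinPwdLife\nkrbMinPwdLife: %s\n' \
    "$1" "$2"
}

# Read `ldapsearch -LLL` output on stdin and print the krbMinPwdLife value.
# Exits non-zero when the attribute is absent, so no guessed value is restored.
parse_min_life() {
  awk -F': ' 'tolower($1) == "krbminpwdlife" { print $2; found = 1 }
              END { exit !found }'
}

# Usage: reset_with_restore <policy-dn> <principal>
reset_with_restore() {
  local dn="$1" principal="$2" old pwfile bindpw rc
  pwfile="$(mktemp)" || return 1   # mktemp creates the file with mode 0600
  IFS= read -r -s -p "Password for $BIND_DN: " bindpw; echo
  printf '%s' "$bindpw" > "$pwfile"   # -y uses the complete file contents
  old="$(ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_DN" -y "$pwfile" \
           -b "$dn" -s base krbMinPwdLife | parse_min_life)" || {
    rm -f "$pwfile"; echo "krbMinPwdLife not readable on $dn" >&2; return 1; }
  policy_ldif "$dn" 0 | ldapmodify -x -H "$LDAP_URI" -D "$BIND_DN" -y "$pwfile"
  rc=$?
  if [ "$rc" -eq 0 ]; then
    # No -pw: kadmin.local prompts, so the password stays out of argv/history.
    kadmin.local -q "change_password $principal"; rc=$?
    policy_ldif "$dn" "$old" |
      ldapmodify -x -H "$LDAP_URI" -D "$BIND_DN" -y "$pwfile" || rc=1
  fi
  rm -f "$pwfile"
  return "$rc"
}
```

Run it as root on the KDC host, for example `reset_with_restore "<policy DN from step 1>" admin@EXAMPLE.COM`.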

avatar

Your question seems to be unclear. Where are you looking to reset the admin password... from within the credentials stored in Ambari (if you enabled that) or within the KDC (or Active Directory, etc...)?

You cannot enable Kerberos without the credentials for some privileged user in the KDC unless you select the "manual" option, in which you will be responsible for the principal and keytab file creation and distribution.