Invalid KDC administrator credentials

Contributor

Hi,

I am trying to set up Kerberos on an HA-enabled cluster using the Ambari GUI.

The GUI keeps on saying: "Invalid KDC administrator credentials. Please enter admin principal and password."

ambari-server.log shows the below error message:

Jul 2017 19:43:25,469 ERROR [ambari-client-thread-34] KerberosHelperImpl:1861 - Cannot validate credentials: org.apache.ambari.server.serveraction.kerberos.KerberosAdminAuthenticationException: Invalid KDC administrator credentials. The KDC administrator credentials must be set as a persisted or temporary credential resource.This may be done by issuing a POST (or PUT for updating) to the /api/v1/clusters/:clusterName/credentials/kdc.admin.credential API entry point with the following payload: { "Credential" : { "principal" : "(PRINCIPAL)", "key" : "(PASSWORD)", "type" : "(persisted|temporary)"} } }
13 Jul 2017 19:43:25,469 ERROR [ambari-client-thread-34] BaseManagementHandler:67 - Bad request received: Invalid KDC administrator credentials. The KDC administrator credentials must be set as a persisted or temporary credential resource.This may be done by issuing a POST (or PUT for updating) to the /api/v1/clusters/:clusterName/credentials/kdc.admin.credential API entry point with the following payload: { "Credential" : { "principal" : "(PRINCIPAL)", "key" : "(PASSWORD)", "type" : "(persisted|temporary)"} } }

As per https://community.hortonworks.com/articles/42927/adding-kdc-administrator-credentials-to-the-ambari.... , I successfully implemented the below steps.

1) ambari-server setup-security

2) curl -H "X-Requested-By:ambari" -u admin:admin -X POST -d '{ "Credential" : { "principal" : "kadmin", "key" : "kadmin", "type" : "persisted" } }' http://ambari01.dev.dataquest.com:8080/api/v1/clusters/dev_cluster/credentials/kdc.admin.credential

3) curl -H "X-Requested-By:ambari" -u admin:admin -X GET http://ambari01.dev.dataquest.com:8080/api/v1/clusters/dev_cluster/credentials/kdc.admin.credential

Still having the problem

Below are my inputs in the Ambari / Kerberos GUI setup:

KDC HOST : kdc.dev.dataquest.com

Realm Name : DEV.DATAQUEST.COM

LDAP URL : ldaps://dev.dataquest.com:636

Container DN : OU=service-accounts,OU=core,dc=dev,dc=dataquest,dc=com

Domains: dev.dataquest.com,.dev.dataquest.com

Kadmin Host : kdc.dev.dataquest.com

Admin principal: kadmin

Admin password : kadmin

***********

I also tried with the Admin principal as kadmin@DEV.DATAQUEST.COM. Still no luck.

The ldapsearch command works fine.

Can you please suggest the resolution?

Thanks

Naveen

Super Collaborator

Naveen,

Can you check Kerberos ACL?

RHEL/CentOS/Oracle Linux

vi /var/kerberos/krb5kdc/kadm5.acl

SLES

vi /var/lib/kerberos/krb5kdc/kadm5.acl

Ubuntu/Debian

vi /etc/krb5kdc/kadm5.acl

Default settings would be similar to:

*/admin@EXAMPLE.COM *

or in your case */admin@DEV.DATAQUEST.COM *

This means that only principals matching the above regex would be considered as admins.

So try changing your principal to kadmin/admin@DEV.DATAQUEST.COM instead.

Or add a line in the acl giving permission to kadmin.

Let me know if this works.
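
The ACL check suggested in the reply above, as an added example that is not part of the original post or of MIT Kerberos: a small evaluator for kadm5.acl principal patterns, showing why kadmin does not match */admin@DEV.DATAQUEST.COM while kadmin/admin does. It assumes the documented matching rules (a * stands for one whole name component or the realm, a bare * matches any principal, the first matching line wins); the function names and the sample ACL are constructed for illustration.

```python
# Added illustration: evaluate principals against kadm5.acl entries.
# Assumptions: '*' wildcards one whole name component or the realm, a bare
# '*' entry matches any principal, and the first matching line decides.

SAMPLE_ACL = """\
# constructed sample mirroring the default line quoted in the reply
*/admin@DEV.DATAQUEST.COM    *
"""

def split_principal(name, default_realm):
    """Return (components, realm) for a name such as 'kadmin/admin@REALM'."""
    body, sep, realm = name.partition("@")
    return body.split("/"), (realm if sep else default_realm)

def entry_matches(pattern, principal, default_realm):
    """True if an ACL principal pattern covers the given principal."""
    if pattern == "*":                    # bare wildcard: any principal
        return True
    p_comps, p_realm = split_principal(pattern, default_realm)
    comps, realm = split_principal(principal, default_realm)
    if len(p_comps) != len(comps):        # 'kadmin' has 1 part, '*/admin' has 2
        return False
    if p_realm != "*" and p_realm != realm:
        return False
    return all(p == "*" or p == c for p, c in zip(p_comps, comps))

def acl_permissions(acl_text, principal, default_realm):
    """Return the permission field of the first matching entry, or None."""
    for line in acl_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        fields = line.split()
        if len(fields) < 2:
            continue                      # empty or malformed: no permissions
        if entry_matches(fields[0], principal, default_realm):
            return fields[1]
    return None

if __name__ == "__main__":
    realm = "DEV.DATAQUEST.COM"
    for who in ("kadmin", "kadmin@DEV.DATAQUEST.COM",
                "kadmin/admin@DEV.DATAQUEST.COM", "root/admin"):
        print(f"{who:32} -> {acl_permissions(SAMPLE_ACL, who, realm)}")
```

A result of None means no ACL line grants that principal any kadmin privilege, which is the situation the reply describes for a plain kadmin principal.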

Master Mentor

@naveen sangam

After creating the KDC databases do the following.

While logged on to the KDC server kdc.dev.dataquest.com as root (this example is on CentOS 7):

## Check the principals; yours should look like this

# sudo kadmin.local
Authenticating as principal root/admin@DEV.DATAQUEST.COM with password.
kadmin.local:  listprincs
K/M@DEV.DATAQUEST.COM
kadmin/admin@DEV.DATAQUEST.COM
kadmin/changepw@DEV.DATAQUEST.COM
kadmin/ kdc.dev.dataquest.com@DEV.DATAQUEST.COM
kiprop/ kdc.dev.dataquest.com@DEV.DATAQUEST.COM
krbtgt/DEV.DATAQUEST.COM@DEV.DATAQUEST.COM
kadmin.local:

You MUST create a root principal for kerberization

kadmin.local:  addprinc root/admin
WARNING: no policy specified for root/admin@UPUTEST.CH; defaulting to no policy
Enter password for principal "root/admin@UPUTEST.CH":  {KDC_password}
Re-enter password for principal "root/admin@DEV.DATAQUEST.COM": {KDC_password}
Principal "root/admin@DEV.DATAQUEST.COM" created.

And this is the admin you will use in the Ambari UI Kerberization tool

root/admin@DEV.DATAQUEST.COM 
password {KDC_password}

Master Mentor

@naveen sangam

You got a couple of responses to the issue you raised but never gave any feedback. You should realize HCC members go a long way to help, and it would not be fair that you just keep quiet; that's not the open-source spirit.
Answers members strive to find will also help others who encounter the same issues so in that spirit your feedback is very important.
Please don't forget to vote a helpful answer and accept the best answer.

New Contributor

This worked for me. Thank you so much!

Master Mentor

@jepe_desu 

Good to know it worked out for you. Which solution was that? It would be good if you could elaborate so other members could use it as a quick win, and that will also give you points, or just mark the post you referenced as a solution so the Cloudera community members can use a filter to get a quick solution 🙂

Giving back to the community. Happy hadooping 🙂

Master Mentor

@naveensangam @jepe_desu
In reference to the Invalid KDC administrator credentials issue raised by @naveensangam, I wrote a walkthrough of the solution that resolved the issue for other users like @jepe_desu who had encountered exactly the same problem.
@naveensangam, can you update the thread if my solution resolved your issue, or if not, can you share what errors you have? Once you accept an answer it can be referenced by other members for similar issues rather than starting a new thread.

Happy hadooping


Hi Naveen

I am also facing the same issue while enabling Kerberos with an existing Active Directory KDC. Is that problem resolved?

Can you please help me?

Explorer

Facing same issue 😞

Master Mentor

@Mudit Kumar

Can you share the error you are encountering? You could be having something different!

Could you open a new thread? It will get more attention.