
Invalid KDC administrator credentials

New Contributor

Hi ,

I am trying to set up Kerberos on an HA-enabled cluster using the Ambari GUI.

The GUI keeps on saying: "Invalid KDC administrator credentials. Please enter admin principal and password."

ambari-server.log shows the below error message:

Jul 2017 19:43:25,469 ERROR [ambari-client-thread-34] KerberosHelperImpl:1861 - Cannot validate credentials: org.apache.ambari.server.serveraction.kerberos.KerberosAdminAuthenticationException: Invalid KDC administrator credentials. The KDC administrator credentials must be set as a persisted or temporary credential resource.This may be done by issuing a POST (or PUT for updating) to the /api/v1/clusters/:clusterName/credentials/kdc.admin.credential API entry point with the following payload: { "Credential" : { "principal" : "(PRINCIPAL)", "key" : "(PASSWORD)", "type" : "(persisted|temporary)"} } }

13 Jul 2017 19:43:25,469 ERROR [ambari-client-thread-34] BaseManagementHandler:67 - Bad request received: Invalid KDC administrator credentials. The KDC administrator credentials must be set as a persisted or temporary credential resource.This may be done by issuing a POST (or PUT for updating) to the /api/v1/clusters/:clusterName/credentials/kdc.admin.credential API entry point with the following payload: { "Credential" : { "principal" : "(PRINCIPAL)", "key" : "(PASSWORD)", "type" : "(persisted|temporary)"} } }

As per https://community.hortonworks.com/articles/42927/adding-kdc-administrator-credentials-to-the-ambari.... , I successfully implemented the below steps.

1) ambari-server setup-security

2) curl -H "X-Requested-By:ambari" -u admin:admin -X POST -d '{ "Credential" : { "principal" : "kadmin", "key" : "kadmin", "type" : "persisted" } }' http://ambari01.dev.dataquest.com:8080/api/v1/clusters/dev_cluster/credentials/kdc.admin.credential

3) curl -H "X-Requested-By:ambari" -u admin:admin -X GET http://ambari01.dev.dataquest.com:8080/api/v1/clusters/dev_cluster/credentials/kdc.admin.credential

Still having the problem.

Below are my inputs in the Ambari / Kerberos GUI setup:

KDC HOST : kdc.dev.dataquest.com

Realm Name : DEV.DATAQUEST.COM

LDAP URL : ldaps://dev.dataquest.com:636

Container DN : OU=service-accounts,OU=core,dc=dev,dc=dataquest,dc=com

Domains: dev.dataquest.com,.dev.dataquest.com

Kadmin Host : kdc.dev.dataquest.com

Admin principal: kadmin

Admin password : kadmin

***********

I also tried with Admin principal as kadmin@DEV.DATAQUEST.COM. Still no luck.

The ldapsearch command works fine.

Can you please suggest the resolution?

Thanks

Naveen

7 REPLIES 7

Re: Invalid KDC administrator credentials

Expert Contributor

Naveen,

Can you check Kerberos ACL?

RHEL/CentOS/Oracle Linux

vi /var/kerberos/krb5kdc/kadm5.acl

SLES

vi /var/lib/kerberos/krb5kdc/kadm5.acl

Ubuntu/Debian

vi /etc/krb5kdc/kadm5.acl

Default settings would be similar to:

*/admin@EXAMPLE.COM *

or in your case */admin@DEV.DATAQUEST.COM *

This means that only principals matching the above regex would be considered as admins.

So try changing your principal to kadmin/admin@DEV.DATAQUEST.COM instead.

Or add a line in the acl giving permission to kadmin.

Let me know if this works.
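
The ACL check suggested in this reply can be reasoned about offline. The following is an added example, not part of the original reply or of MIT Kerberos itself: a simplified Python model of kadm5.acl matching, run against a constructed ACL file, showing why `kadmin` gets no admin rights under the default entry while `kadmin/admin` does. The function names are hypothetical, and only the principal and permissions fields of each ACL line are modelled.

```python
# Added example: simplified model of how kadmind matches a principal against
# kadm5.acl. Only the first two fields (principal pattern, permissions) are
# modelled; target-principal and restriction fields are ignored.

def split_principal(name, default_realm):
    """Return (components, realm), applying default_realm when none is given."""
    realm = default_realm
    if "@" in name:
        name, realm = name.rsplit("@", 1)
    return name.split("/"), realm

def entry_matches(pattern, principal, default_realm):
    """'*' stands for exactly one component (or the realm); no partial globs."""
    p_comps, p_realm = split_principal(pattern, default_realm)
    comps, realm = split_principal(principal, default_realm)
    if len(p_comps) != len(comps) or p_realm not in ("*", realm):
        return False
    return all(p in ("*", c) for p, c in zip(p_comps, comps))

def acl_permissions(acl_text, principal, default_realm):
    """Permissions from the first matching line, or None if no line matches."""
    for line in acl_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue  # blank, comment or malformed line
        if entry_matches(fields[0], principal, default_realm):
            return fields[1]
    return None

REALM = "DEV.DATAQUEST.COM"  # realm from the thread
# Constructed sample files: the default entry, then with an explicit line added.
DEFAULT_ACL = "# constructed sample kadm5.acl\n*/admin@DEV.DATAQUEST.COM *\n"
PATCHED_ACL = DEFAULT_ACL + "kadmin@DEV.DATAQUEST.COM *\n"

def check(acl_text):
    """Evaluate the principals mentioned in the thread against acl_text."""
    names = ["kadmin", "kadmin@DEV.DATAQUEST.COM",
             "kadmin/admin@DEV.DATAQUEST.COM", "root/admin"]
    return {n: acl_permissions(acl_text, n, REALM) for n in names}

if __name__ == "__main__":
    for label, acl in (("default", DEFAULT_ACL), ("patched", PATCHED_ACL)):
        for name, perms in check(acl).items():
            print(f"{label:8} {name:32} -> {perms or 'no admin rights'}")
```

To run it against a real file, pass the contents of the kadm5.acl path for your distribution to `check()` in place of the constructed sample.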

Re: Invalid KDC administrator credentials

Mentor

@naveen sangam

After creating the KDC databases do the following.

While logged on to the KDC server kdc.dev.dataquest.com as root (this example is on CentOS 7):

## Check the principals; yours should look like this

# sudo kadmin.local
Authenticating as principal root/admin@DEV.DATAQUEST.COM with password.
kadmin.local:  listprincs
K/M@DEV.DATAQUEST.COM
kadmin/admin@DEV.DATAQUEST.COM
kadmin/changepw@DEV.DATAQUEST.COM
kadmin/kdc.dev.dataquest.com@DEV.DATAQUEST.COM
kiprop/kdc.dev.dataquest.com@DEV.DATAQUEST.COM
krbtgt/DEV.DATAQUEST.COM@DEV.DATAQUEST.COM
kadmin.local:

You MUST create a root principal for kerberization

kadmin.local:  addprinc root/admin
WARNING: no policy specified for root/admin@UPUTEST.CH; defaulting to no policy
Enter password for principal "root/admin@UPUTEST.CH":  {KDC_password}
Re-enter password for principal "root/admin@DEV.DATAQUEST.COM": {KDC_password}
Principal "root/admin@DEV.DATAQUEST.COM" created.

And this is the admin you will use in the Ambari UI kerberization tool

root/admin@DEV.DATAQUEST.COM 
password {KDC_password}

Re: Invalid KDC administrator credentials

Mentor

@naveen sangam

You got a couple of responses to the issue you raised but never gave any feedback. You should realize HCC members go a long way to help, and it would not be fair that you just keep quiet; that's not the open-source spirit.
Answers members strive to find will also help others who encounter the same issues, so in that spirit your feedback is very important.
Please don't forget to vote a helpful answer and accept the best answer.

Re: Invalid KDC administrator credentials

New Contributor

Hi Naveen

I am also facing the same issue while enabling Kerberos with an existing Active Directory KDC. Is that problem resolved?

Can you please help me?

Re: Invalid KDC administrator credentials

New Contributor

facing same issue :(

Re: Invalid KDC administrator credentials

Mentor

@Mudit Kumar

Can you share the error you are encountering? You could be having something different!

Could you open a new thread? It will get more attention.

Re: Invalid KDC administrator credentials

Contributor

@naveen sangam, I am also facing the same issue. Have you resolved it?

Please suggest.