@bvishal
I see some contradictions in your response "1)Yes, I have entered the 'admin principal' in the same format example/admin@EXAMPLE.AI. in the pop-up window" Yet in "2)Also, I checked the krb5.conf and found a section for my realm (EXAMPLE.COM) inside the [realms] part of the file."
You can't have "EXAMPLE.AI and EXAMPLE.COM" as REALMS they are indeed different,
Let me walk you through the setup lets assume your REALM is "EXAMPLE.AI" and the FQDN of your host "host1.example.ai"
Because the Kerberization has failed and no keytabs have been generated we'll start afresh by deleting the KDC database please use root or sudo in the below walkthrough I have used root.
Get the REALM name in your krb5.conf
# kdb5_util -r EXAMPLE.AI destroy
Desired output
Deleting KDC database stored in '/var/kerberos/krb5kdc/principal', are you sure?
(type 'yes' to confirm)? yes
OK, deleting database '/var/kerberos/krb5kdc/principal'...
** Database '/var/kerberos/krb5kdc/principal' destroyed.
By prepping the krb5.conf and kdc.conf will enable you to create the KDC database in silent mode [-s]
Edit the current krb5.conf modify /etc/krb5.conf File to look like below
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.AI
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
EXAMPLE.AI = {
kdc = <your_kdc_server _here>
admin_server = <your_kdc_server _here>
}
[domain_realm]
.example.ai = EXAMPLE.AI
example.ai = EXAMPLE.AI
At this stage you can now create the KDC database
# /usr/sbin/kdb5_util create -s
# Modify kdc.conf file to look like below
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
EXAMPLE.AI = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
Desired output
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.AI',
master key name 'K/M@EXAMPLE.AI'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: <welcome1>
Re-enter KDC database master key to verify:<welcome1>
# Assign Administrator Privilege a very important step
# vi /var/kerberos/krb5kdc/kadm5.acl
Ensure that the KDC ACL file includes an entry so to allow the admin principal to administer the KDC for your realm. The entry should look like below
*/admin@EXAMPLE.AI *
# Create a Principal
This is the principal to use when kerberizing in the Ambari UI
# kadmin.local -q "addprinc admin/admin"
Authenticating as principal root/admin@EXAMPLE.AI with the password.
WARNING: no policy specified for admin/admin@EXAMPLE.AI; defaulting to no policy
Enter the password for principal "admin/admin@EXAMPLE.AI":
Re-enter password for principal "admin/admin@EXAMPLE.AI":
Principal "admin/admin@EXAMPLE.AI" created.
The above principal created is what you will use the Ambari Kerberos setup UI
PRINCIPAL = admin/admin@EXAMPLE.AI
PASSWORD = welcome1
# Start the Kerberos Service
Start the KDC server and the KDC admin server enable autoboot at startup by using chkconfig or systemctl
# service krb5kdc start
Starting Kerberos 5 KDC: [ OK ]
# service kadmin start
Starting Kerberos 5 Admin Server: [ OK ]
# Run Kerberos Ambari wizard it should run successfully using credentials hinted above
Done successfully
At this stage, your should have your key tags generated in /etc/security/keytabs/*
# ls /etc/security/keytabs
Hope this gives you light
Happy hadooping
