Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

KERBEROS : [ Invalid KDC administrator credentials. Please enter admin principal and password. ]

avatar
Explorer

Hello everyone,

 

Ambari : 2.7.4

HDP : 3.1.4.0

 

While kerberizing my cluster using MIT-KDC and Ambari Kerberos Wizard. I am facing the following window popup at the time of Testing client after client installation saying :

 

[ Invalid KDC administrator credentials. Please enter admin principal and password. ]
 
image.png

 

Error logs in /var/log/ambari-server/

vvvvv.png

 

We are using the right password and amin principal created while setting up MIT-KDC. Still, the window pops up with the same message again and again.

Please help in resolving the issue.

@jsensharma @Shelton @KuldeepK @nsabharwal Thanks in advance!

 
9 REPLIES 9

avatar
Master Mentor

@bvishal 

 

I am wondering what your input was in the initial pop up  but your admin principal should look like 

 

admin/admin@REALM
root/admin@REALM

The REAL should be already generated in your krb5.conf or your kadm.acl should give you a clue. 

Please let me know 

avatar
Explorer

@Shelton Thanks for the reply.

 

1) Yes, I have entered the 'admin principal' in the same format example/admin@EXAMPLE.AI. in the pop-up window.

2) Also, I checked the krb5.conf and found a section for my realm (EXAMPLE.COM) inside the [realms] part of the file.

 

Still the message remains the same and the error logs too as uploaded in the question above. Please help in resolving the issue.

  

avatar
Master Mentor

@bvishal 

I see some contradictions in your response "1)Yes, I have entered the 'admin principal' in the same format example/admin@EXAMPLE.AI. in the pop-up window" Yet in "2)Also, I checked the krb5.conf and found a section for my realm (EXAMPLE.COM) inside the [realms] part of the file."
You can't have "EXAMPLE.AI and EXAMPLE.COM" as REALMS they are indeed different,

Let me walk you through the setup lets assume your REALM is "EXAMPLE.AI" and the FQDN of your host "host1.example.ai"

 

Because the Kerberization has failed and no keytabs have been generated we'll start afresh by deleting the KDC database please use root or sudo in the below walkthrough I have used root.

Get the REALM name in your krb5.conf

 

 

# kdb5_util -r EXAMPLE.AI destroy

 

 

Desired output
Deleting KDC database stored in '/var/kerberos/krb5kdc/principal', are you sure?
(type 'yes' to confirm)? yes
OK, deleting database '/var/kerberos/krb5kdc/principal'...
** Database '/var/kerberos/krb5kdc/principal' destroyed.

 

By prepping the krb5.conf and kdc.conf will enable you to create the KDC database in silent mode [-s]

Edit the current krb5.conf modify /etc/krb5.conf File to look like below

 

 

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.AI
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
EXAMPLE.AI = {
kdc = <your_kdc_server _here>
admin_server = <your_kdc_server _here>
}
[domain_realm]
.example.ai = EXAMPLE.AI
example.ai = EXAMPLE.AI

 

 

 

At this stage you can now create the KDC database

 

 

# /usr/sbin/kdb5_util create -s

 

# Modify kdc.conf file to look like below

[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
EXAMPLE.AI = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}

Desired output
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.AI',
master key name 'K/M@EXAMPLE.AI'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: <welcome1>
Re-enter KDC database master key to verify:<welcome1>

 

# Assign Administrator Privilege a very important step 

 

# vi /var/kerberos/krb5kdc/kadm5.acl

 

Ensure that the KDC ACL file includes an entry so to allow the admin principal to administer the KDC for your realm. The entry should look like below

 

*/admin@EXAMPLE.AI *

 

# Create a Principal

This is the principal to use when kerberizing in the Ambari UI

 

# kadmin.local -q "addprinc admin/admin"

 

Authenticating as principal root/admin@EXAMPLE.AI with the password.
WARNING: no policy specified for admin/admin@EXAMPLE.AI; defaulting to no policy
Enter the password for principal "admin/admin@EXAMPLE.AI":
Re-enter password for principal "admin/admin@EXAMPLE.AI":
Principal "admin/admin@EXAMPLE.AI" created.

The above principal created is what you will use the Ambari Kerberos setup UI

 

PRINCIPAL = admin/admin@EXAMPLE.AI
PASSWORD = welcome1

 

# Start the Kerberos Service

Start the KDC server and the KDC admin server enable autoboot at startup by using chkconfig or systemctl

 

# service krb5kdc start

 

Starting Kerberos 5 KDC: [ OK ]

 

# service kadmin start

 

Starting Kerberos 5 Admin Server: [ OK ]

# Run Kerberos Ambari wizard it should run successfully using credentials hinted above

Done successfully

At this stage, your should have your key tags generated in /etc/security/keytabs/*

 

# ls /etc/security/keytabs

 

Hope this gives you light 

Happy hadooping

avatar
Explorer

Thanks @Shelton  for the detailed reply. 

 

The previous got resolved but now I am facing a new error :

 

latestkerberoserror.png

 

avatar
Master Mentor

@bvishal 

 

You should execute kadmin as root user or with sudo 

 

# kadmin 

 

Hope that helps

avatar
Explorer

@Shelton 
When I use root or sudo for kadmin then it enter as root/admin@EXAMPLE.AI  not what (credentials) I enter in Ambari Kerberos Web Wizard :

 

[ Entering as root ]

# kadmin
Authenticating as principal root/admin@EXAMPLE.AI with password.
Password for root/admin@EXAMPLE.AI:

 

error is still there as posted above. Please help!

 

 

 

 

avatar
Master Mentor

@bvishal 

You are surely doing something wrong. Kerberzing should take you that long. Follow my previous document and recreate the KDC database by destroying the actual. and share with me the krb5.conf,kadm5.acl, and kdc.conf 

You are not executing the correct command it's supposed to be 

# kadmin.local

And not

# kadmin

 

Happy hadooping

avatar
Master Mentor

@bvishal 
Sorry was away for a while 

1) Yes, I have entered the 'admin principal' in the same format example/admin@EXAMPLE.AI. in the pop-up window.
Somehow I feel your values are not correct   in the ambari wizard you should enter either

root/admin@EXAMPLE.AI
admin/admin@EXAMPLE.AI

depending on the  teh value you gave when adding the admin principal when you rûn initially the kadmin.local

2) Also, I checked the krb5.conf and found a section for my realm (EXAMPLE.COM) inside the [realms] part of the file.

The above part in the krb5.conf is wrong it should be EXAMPLE.AI

Sample of /etc/krb5.conf'

[libdefaults]
default_realm = EXAMPLE.AI
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 1000000
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1

[realms]
EXAMPLE.AI = {
kdc = kdc.EXAMPLE.AI
admin_server = kdc.EXAMPLE.AI
default_domain = EXAMPLE.AI
}

[domain_realm]
.example.ai = EXAMPLE.AI
example.ai = EXAMPLE.AI

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

Replace all occurences of EXAMPLE.COM with EXAMPLE.AI  in the kdc.conf and kadm5.acl


Please let me know if you still need help

avatar
Explorer

Thanks @Shelton I found that the issue was popping up because of wrong entries in my local DNS (/etc/hosts) file which I have now resolved.