
[KERBEROS]Invalid KDC administrator credentials

Contributor

Hi Everyone, 

While kerberizing my cluster using MIT KDC and the Ambari Kerberos Wizard, I am facing the following popup window when testing the client after client installation, saying:


rizalt_0-1717039188953.png

I'm using Ambari 2.7.8
HDFS 3.3.6

UBUNTU 22

rizalt_1-1717039382548.png

config of krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
EXAMPLE.COM = {
kdc = admin.com
admin_server = admin.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

config of /etc/hostname

rizalt_2-1717039569520.png

The principal list is:

root@admin:/# kadmin.local -q "listprincs"
Authenticating as principal admin/admin@EXAMPLE.COM with password.
K/M@EXAMPLE.COM
admin/admin@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM

 

ambari-server.log

:KERBEROS_SERVICE_CHECK, inputs :{HAS_RESOURCE_FILTERS=true}, resourceFilters: [RequestResourceFilter{serviceName='KERBEROS', componentName='null', hostNames=[]}], exclusive: false, clusterName :hadoop
2024-05-30 05:12:20,298  WARN [ambari-client-thread-108] KDCKerberosOperationHandler:329 - Failed to kinit as the KDC administrator user, admin/admin@EXAMPLE.COM:
	ExitCode: 1
	STDOUT: 
	STDERR: kinit: Server not found in Kerberos database while getting initial credentials

2024-05-30 05:12:20,299 ERROR [ambari-client-thread-108] KerberosHelperImpl:2507 - Cannot validate credentials: org.apache.ambari.server.serveraction.kerberos.KerberosAdminAuthenticationException: Invalid KDC administrator credentials.
The KDC administrator credentials must be set as a persisted or temporary credential resource.This may be done by issuing a POST (or PUT for updating) to the /api/v1/clusters/:clusterName/credentials/kdc.admin.credential API entry point with the following payload:
{
  "Credential" : {
    "principal" : "(PRINCIPAL)", "key" : "(PASSWORD)", "type" : "(persisted|temporary)"}
  }
}
2024-05-30 05:12:20,299 ERROR [ambari-client-thread-108] CreateHandler:80 - Bad request received: Invalid KDC administrator credentials.
The KDC administrator credentials must be set as a persisted or temporary credential resource.This may be done by issuing a POST (or PUT for updating) to the /api/v1/clusters/:clusterName/credentials/kdc.admin.credential API entry point with the following payload:
{
  "Credential" : {
    "principal" : "(PRINCIPAL)", "key" : "(PASSWORD)", "type" : "(persisted|temporary)"}
  }
}
2024-05-30 05:12:20,733  WARN [agent-report-processor-3] ActionManager:162 - The task 1304 is not in progress, ignoring update
2024-05-30 05:12:21,052  WARN [agent-report-processor-1] ActionManager:162 - The task 1302 is not in progress, ignoring update

2 REPLIES

Master Collaborator

Hi @rizalt, the error below indicates that the configured KDC server does not have the admin/admin principal.

kinit: Server not found in Kerberos database while getting initial credentials

I can see that the admin and kdc server hostnames are set to admin.com from krb5.conf.

Could you verify that the hostnames for the admin and kdc servers are correct? Also check that the hostname admin.com is resolving correctly from the client host.
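
The check this reply asks for, as an added example (not part of the thread, and not Ambari or MIT code): it reads the [realms] and [domain_realm] sections from the krb5.conf posted in the question, resolves each kdc/admin_server host, and reports which realm, if any, [domain_realm] maps that host to. The function names are made up for this sketch, and the lookup order in `realm_for_host` is assumed to match the order MIT krb5 uses for [domain_realm].

```python
import socket

# [realms] and [domain_realm] copied from the question's krb5.conf.
KRB5_CONF = """[realms]
EXAMPLE.COM = {
kdc = admin.com
admin_server = admin.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
"""

def parse_krb5(text):
    """Return ([(realm, key, host)], {pattern: realm}); flat realm blocks only."""
    servers, domain_realm, section, realm = [], {}, None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("["):
            section, realm = line.strip("[]"), None
        elif "=" in line and not line.startswith(("#", ";")):
            key, value = (p.strip() for p in line.split("=", 1))
            if section == "realms" and value == "{":
                realm = key  # opening line of a realm block
            elif section == "realms" and key in ("kdc", "admin_server"):
                servers.append((realm, key, value.split(":")[0]))  # drop :port
            elif section == "domain_realm":
                domain_realm[key.lower()] = value
    return servers, domain_realm

def realm_for_host(host, domain_realm):
    """Try the host, then each parent domain with and without its leading dot."""
    cp = host.lower()
    while cp:
        if cp in domain_realm:
            return domain_realm[cp]
        cp = cp[1:] if cp.startswith(".") else cp[cp.find("."):] if "." in cp else ""
    return None

def check(text, resolve=socket.gethostbyname):
    """Rows of (realm, key, host, address or None, mapped realm or None)."""
    servers, domain_realm = parse_krb5(text)
    rows = []
    for realm, key, host in servers:
        try:
            addr = resolve(host)
        except OSError:  # includes socket.gaierror for unresolvable names
            addr = None
        rows.append((realm, key, host, addr, realm_for_host(host, domain_realm)))
    return rows
```

Calling `check(KRB5_CONF)` on the client host returns one row per server entry; for the posted file, both rows show no [domain_realm] mapping for admin.com, because only example.com names are listed there.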

Contributor

@Scharan My hostname on my KDC server:

*** System restart required ***
Last login: Thu May 30 07:23:57 2024 from 192.168.7.211
root@admin:~# hostname
admin.com
root@admin:~#


On my client host:

root@slave2:~# ping admin.com
PING admin.com (192.168.7.4) 56(84) bytes of data.
64 bytes from admin.com (192.168.7.4): icmp_seq=1 ttl=64 time=0.608 ms
64 bytes from admin.com (192.168.7.4): icmp_seq=2 ttl=64 time=0.669 ms
64 bytes from admin.com (192.168.7.4): icmp_seq=3 ttl=64 time=0.561 ms
64 bytes from admin.com (192.168.7.4): icmp_seq=4 ttl=64 time=1.94 ms