
Kerberos Issue (Failed to create principal- Complex password requirements)


Hi,

We tried to enable Kerberos on our HDF Cluster (Ambari 2.7.1.0) (HDF -3.2.0.0) and we got the following error:

2019-02-28 03:51:10,771 ERROR [Server Action Executor Worker 1460] CreatePrincipalsServerAction:318 - Failed to create principal, hdf_sys-022819@tst.com - Can not create principal : hdf_sys-022819@tst.com
org.apache.ambari.server.serveraction.kerberos.KerberosOperationException: Can not create principal : hdf_sys-022819@tst.com
    at org.apache.ambari.server.serveraction.kerberos.ADKerberosOperationHandler.createPrincipal(ADKerberosOperationHandler.java:337)
    at org.apache.ambari.server.serveraction.kerberos.CreatePrincipalsServerAction.createPrincipal(CreatePrincipalsServerAction.java:277)
    at org.apache.ambari.server.serveraction.kerberos.CreatePrincipalsServerAction.processIdentity(CreatePrincipalsServerAction.java:166)
    at org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.processIdentities(KerberosServerAction.java:458)
    at org.apache.ambari.server.serveraction.kerberos.CreatePrincipalsServerAction.execute(CreatePrincipalsServerAction.java:92)
    at org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.execute(ServerActionExecutor.java:550)
    at org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.run(ServerActionExecutor.java:466)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 000003E6: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0 ^@]; remaining name 'cn=hdf_sys-022819,OU=HDF,OU=Servers,OU=Environments,OU=testing,DC=tst,DC=com'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3227)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
    at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268)
    at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:202)
    at org.apache.ambari.server.serveraction.kerberos.ADKerberosOperationHandler.createPrincipal(ADKerberosOperationHandler.java:335)

1. We have a complex password policy with specific elements on our AD (e.g. the password can't start with numbers, can't end/start with a special character, should start with a capital letter, etc.).

2. The AD organizational unit for principals has been created, as well as a user with admin privileges for this OU (I have managed to create a user manually with OpenLDAP).

3. I tried to customize the password properties in the Kerberos wizard - Advanced kerberos-env (Password Length, Minimum Lowercase Letters, Digits, etc.).

The only solution we currently have is to create the principals and keytabs manually. (We prefer to avoid this option for now.)

Do you have any idea or workaround for this issue?

Thanks.
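
For triaging failures like the one quoted in the post, here is an added example (not part of the original post, and not Ambari's code) that pulls the principal, the LDAP result code, the AD extended error fields and the target DN out of ambari-server log text. The sample lines are constructed from the entry in the post, shortened to the two relevant lines; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the two relevant lines of the log entry quoted in the post.
SAMPLE_LOG = """\
2019-02-28 03:51:10,771 ERROR [Server Action Executor Worker 1460] CreatePrincipalsServerAction:318 - Failed to create principal, hdf_sys-022819@tst.com - Can not create principal : hdf_sys-022819@tst.com
Caused by: javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 000003E6: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0 ^@]; remaining name 'cn=hdf_sys-022819,OU=HDF,OU=Servers,OU=Environments,OU=testing,DC=tst,DC=com'
"""

FAILED = re.compile(r"Failed to create principal, (?P<principal>\S+) - ")
# AD extended error text: <hex error>: <kind>: DSID-<id>, problem <n> (<NAME>), data <x>
LDAP_ERR = re.compile(
    r"\[LDAP: error code (?P<ldap_code>\d+) - (?P<win32_hex>[0-9A-Fa-f]{8}): "
    r"(?P<kind>\w+): (?P<dsid>DSID-[0-9A-Fa-f]+), problem (?P<problem>\d+) "
    r"\((?P<problem_name>\w+)\), data (?P<data>-?\w+)"
)
REMAINING = re.compile(r"remaining name '(?P<dn>[^']+)'")

def parse_failures(text):
    """Return one dict per failed principal with the AD error fields attached."""
    failures, current = [], None
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            current = {"principal": m.group("principal")}
            failures.append(current)
        # The LDAP cause may share the line with the failure or follow it.
        e = LDAP_ERR.search(line)
        if e and current is not None and "ldap_code" not in current:
            current.update(e.groupdict())
            current["ldap_code"] = int(current["ldap_code"])  # 53 = unwillingToPerform
            current["win32_code"] = int(current["win32_hex"], 16)
        d = REMAINING.search(line)
        if d and current is not None and "dn" not in current:
            current["dn"] = d.group("dn")
    return failures

def summarize(failures):
    """Count failures per (LDAP result code, AD problem name) pair."""
    return Counter((f.get("ldap_code"), f.get("problem_name")) for f in failures)

if __name__ == "__main__":
    found = parse_failures(SAMPLE_LOG)
    for f in found:
        print(f)
    print(summarize(found))
```

Grouping by the (LDAP code, problem name) pair shows whether every principal fails the same way or only some do, which is the first thing to establish before changing the kerberos-env password settings.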