Kerberos add_principal: Insufficient access to lock database while creating

Contributor

I'd like to enable Kerberos for HDP 2.6.1 on Ubuntu 16.04 and I followed the guidelines below:

https://docs.hortonworks.com/HDPDocuments/Ambari-2.5.1.0/bk_ambari-security/content/optional_install...

https://docs.hortonworks.com/HDPDocuments/Ambari-2.5.1.0/bk_ambari-security/content/enabling_kerbero...

After installing the Kerberos client on all hosts, it failed in the Test Kerberos step with:

add_principal: Insufficient access to lock database while creating "dakelake-090617@dev.com"

I have tried to disable SELinux (ref http://manpages.ubuntu.com/manpages/xenial/man8/kerberos_selinux.8.html) but no luck.

I also tried to log in to the KDC with kadmin -p admin/admin@dev.com and then ran "addprinc test3@dev.com"; it prompted with the same error.

Has anyone encountered this and have any solution or hints?

Thanks a ton.

Forest

1 ACCEPTED SOLUTION

Master Mentor

@forest lin

There are a couple of things that might have gone wrong.

How many nodes in your cluster? 
Have you successfully enabled it through the Ambari wizard? 
Did you copy the krb5.conf from the KDC to all hosts? 
Make sure your KDC is up and running, and ensure autostart on OS reboot is enabled. 


I noticed you used REALM in lowercase 🙂

kadmin -p admin/admin@dev.com should be kadmin -p admin/admin@DEV.COM

Can you copy and paste the contents of the following config files? Remember to mask sensitive info ONLY.

krb5.conf 
kadm5.acl 
kdc.conf 

Can you log on to the KDC using the commands below, with the sudo option where applicable?

# kadmin.local 
# sudo kadmin.local 
Authenticating as principal admin/admin@DEV.COM with password. 
kadmin.local: addprinc test3@DEV.COM 
WARNING: no policy specified for test3@DEV.COM; defaulting to no policy 
Enter password for principal "test3@DEV.COM": 
Re-enter password for principal "test3@DEV.COM": {Master_KDC_password} 
Principal "test3@DEV.COM" created 

Type q to quit kadmin.

Create a keytab in the current directory for the test3 user (use appropriate command)

# sudo ktutil 
ktutil: addent -password -p test3@DEV.COM -k 1 -e RC4-HMAC 
Password for test3@DEV.COM: 
ktutil: wkt test3.keytab 
ktutil: q 

Copy the keytab to test3 user home directory and change the permissions

# chown test3:test3 test3.keytab 

Test the validity of the keytab against the principal created earlier on

# klist -kt /etc/security/keytabs/test3.keytab 
Keytab name: FILE:/etc/security/keytabs/test3.keytab 
KVNO                       Timestamp                      Principal 
----------------------------------------------------------------------------- 
1                       07/18/2017 10:46:27               test3@DEV.COM 

Grab a Kerberos ticket; note the concatenation of keytab/principal

# kinit -kt /etc/security/keytabs/test3.keytab test3@DEV.COM 

Check if the above command gives a valid Kerberos ticket

# klist 
Ticket cache: FILE:/tmp/krb5cc_0 
Default principal: test3@DEV.COM 
Valid starting 	              Expires                        Service principal 
07/18/2017 10:53:48           07/19/2017 10:53:48            krbtgt/DEV.COM@DEV.COM 

All is set; if need be, repeat the above for all users you intend to create.

Please revert

Contributor

Thanks for the advice.

The issue was resolved after changing the realm name from dev.com to DEV.COM
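
Since the fix in this thread was a realm-case correction, the same mistake can be caught by linting the Kerberos config files before running the Ambari wizard. The script below is an added example, not part of the original thread: the function name lowercase_realms, the sample file contents and the host name kdc.dev.com are constructed, and it assumes the site follows the upper-case realm convention.

```shell
#!/bin/sh
# Added example (not from the thread): report realm names that are not
# all upper case in krb5.conf and kadm5.acl. Realm names are case-sensitive.
lowercase_realms() {
    awk '
    function report(realm, what) {
        if (realm != "" && realm != toupper(realm))
            printf "%s:%d: %s %s\n", FILENAME, FNR, what, realm
    }
    /^[ \t]*$/ || /^[ \t]*[#;]/ { next }     # blank lines and comments
    FILENAME ~ /\.acl$/ {                    # ACL file: principal is field 1
        if (split($1, p, "@") == 2) report(p[2], "acl")
        next
    }
    /^[ \t]*\[/ {                            # krb5.conf [section] header
        section = $0; gsub(/[ \t]/, "", section)
        sub(/^\[/, "", section); sub(/\].*$/, "", section)
        depth = 0; next
    }
    {
        eq = index($0, "=")
        if (eq == 0) { if (index($0, "}")) depth--; next }
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
        if (section == "libdefaults" && key == "default_realm")
            report(val, "default_realm")
        else if (section == "realms" && depth == 0 && substr(val, 1, 1) == "{")
            report(key, "realm block")
        else if (section == "domain_realm")
            report(val, "domain_realm target")
        if (substr(val, 1, 1) == "{") depth++
    }' "$@"
}

# Constructed sample files reproducing the thread's lower-case realm.
demo=$(mktemp -d)
cat > "$demo/krb5.conf" <<'EOF'
[libdefaults]
  default_realm = dev.com
[realms]
  dev.com = {
    kdc = kdc.dev.com
    admin_server = kdc.dev.com
  }
[domain_realm]
  .dev.com = DEV.COM
EOF
printf '*/admin@dev.com *\n' > "$demo/kadm5.acl"
lowercase_realms "$demo/krb5.conf" "$demo/kadm5.acl"
```

On a real KDC, pass the actual krb5.conf and kadm5.acl paths; each reported line names the file and line number where a lower-case realm appears.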