Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Check out our newest addition to the community, the Cloudera Data Analytics (CDA) group hub.

Kerberos installation failing

bkandalkar
Contributor

Created ‎11-28-2018 06:46 AM

Hello Team,

We are using HDP-2.6.5.0 and Ambari-2.6.2.2. While enabling kerberos we are getting following error in ambari UI

Admin session expiration error. 
Missing KDC administrator admin credentials. Please enter admin principal and password".

Attached the screenshot for same kerb-admin-cred.png.

At the same time in ambari server log we get following error message:

28 Nov 2018 01:35:46,078  INFO [ambari-client-thread-39] AmbariManagementControllerImpl:4173 - Received action execution request, clusterName=hdpmedacist, request=isCommand :true, action :null, command :KERBEROS_SERVICE_CHECK, inputs :{HAS_RESOURCE_FILTERS=true}, resourceFilters: [RequestResourceFilter{serviceName='KERBEROS', componentName='null', hostNames=[]}], exclusive: false, clusterName :hdpmedacist
28 Nov 2018 01:35:47,516 ERROR [ambari-client-thread-39] KerberosHelperImpl:2232 - Cannot validate credentials: org.apache.ambari.server.serveraction.kerberos.KerberosMissingAdminCredentialsException: Missing KDC administrator credentials.
The KDC administrator credentials must be set as a persisted or temporary credential resource.This may be done by issuing a POST to the /api/v1/clusters/:clusterName/credentials/kdc.admin.credential API entry point with the following payload:
{
  "Credential" : {
    "principal" : "(PRINCIPAL)", "key" : "(PASSWORD)", "type" : "(persisted|temporary)"}
  }
}
28 Nov 2018 01:35:47,516 ERROR [ambari-client-thread-39] BaseManagementHandler:67 - Bad request received: Missing KDC administrator credentials.
The KDC administrator credentials must be set as a persisted or temporary credential resource.This may be done by issuing a POST to the /api/v1/clusters/:clusterName/credentials/kdc.admin.credential API entry point with the following payload:
{
  "Credential" : {
    "principal" : "(PRINCIPAL)", "key" : "(PASSWORD)", "type" : "(persisted|temporary)"}
  }
}

How to resolve this? Our Kerberos installation stuck due to this.

Please suggest. Thanks in advance.

Thanks,

Bhushan

2,052 Views
0 Kudos
6 REPLIES 6

sampathkumar_ma
Expert Contributor

Created ‎11-28-2018 07:25 AM

@Bhushan Kandalkar,

1. Check the Principals

$kadmin.local
Authenticating as principal root/admin@<realm> with password.
kadmin.local:  listprincs
K/M@<realm>
kadmin/admin@<realm>
kadmin/changepw@<realm>
kadmin/KDC_SERVER_FQDN@<realm>
kiprop/KDC_SERVER_FQDN@<realm>
krbtgt/TEST.COM@TEST.COM

2. Must create a admin principal for enabling kerberos from ambari

$kadmin.local
$kadmin.local:  addprinc admin/admin@<realm>
WARNING: no policy specified for root/admin@<realm>; defaulting to no policy
Enter password for principal "admin/admin@<realm>":<password>
Re-enter password for principal "admin/admin@<realm>":<password>
Principal "admin/admin@<realm>" created.

3. Install kerberos Client package

On all the hosts in the cluster, install the client
$yum install -y krb5-libs krb5-workstation
copy the krb5.conf to all the hosts from kdc server.

4. While enabling the kerberos from ambari, use the below principal and corresponding password

Admin principal : admin/admin@<realm> 
admin password : <password>

Hope this helps!!!

1,770 Views
0 Kudos

bkandalkar
Contributor

Created ‎11-28-2018 07:27 AM

@Sampath Kumar, I do not have kadmin.local access. Is there any other way I can check for this?

1,770 Views
0 Kudos

nshelke
Guru

Created ‎11-29-2018 11:48 AM

@Bhushan Kandalkar

- Did you tried manual kinit of the same principal on ambari-server machine like,

# kinit admin/admin@REALM
Password: *******

- Check if above is working fine. If this is working fine, try adding the Credential using API call as temporary or Permanent,

https://community.hortonworks.com/articles/42927/adding-kdc-administrator-credentials-to-the-ambari....

- If it is still failing, you would need to share the ambari-server.log for the same time of failure

Hope this helps!!!

1,770 Views
0 Kudos

bkandalkar
Contributor

Created ‎11-29-2018 12:46 PM

Hi @Nitin Shelke,

I have followed steps mentioned at : https://community.hortonworks.com/articles/42927/adding-kdc-administrator-credentials-to-the-ambari....

But still getting same error in ambari server log.

Please suggest.

1,770 Views
0 Kudos

bkandalkar
Contributor

Created ‎11-29-2018 12:59 PM

@Jay Kumar SenSharma @Sandeep Nemuri @Arti Wadhwani...please suggest.

1,770 Views
0 Kudos

liuyong
New Contributor

Created ‎08-03-2020 01:24 AM

I have the same problem, have you solved it

1,339 Views
0 Kudos
Take a Tour of the Community
Don't have an account?
Register
Your experience may be limited. Sign in to explore more.
Announcements
What's New @ Cloudera
Cloudera Operational Database (COD) UI supports creating a smaller cluster using a predefined Data Lake template
What's New @ Cloudera
Cloudera Operational Database (COD) supports scaling up the clusters vertically
Product Announcements
CDP Public Cloud: April 2023 Release Summary
What's New @ Cloudera
Cloudera Machine Learning launches "Add Data" feature to simplify data ingestion
What's New @ Cloudera
Simplify Data Access with Custom Connection Support in CML
View More Announcements