
Kerberos issue

Hi, I have installed HDP 2.5 and Ambari 2.4. I configured the KDC server and then tried to enable Kerberos, but my /etc/krb5.conf file gets changed, and it fails with this error:

Command: [/usr/bin/kadmin, -s, abc.example.com, -p, root/admin@example.COM, -r, example.COM, -q, get_principal root/admin@example.COM]

ExitCode: 1

STDOUT: Authenticating as principal root/admin@example.COM with password.

Password for root/admin@example.COM:

STDERR: kadmin: Cannot read password while initializing kadmin interface

21 Sep 2017 12:21:16,295 ERROR [ambari-client-thread-32897] KerberosHelperImpl:1861 - Cannot validate credentials: org.apache.ambari.server.AmbariException: Unexpected error condition executing the kadmin command

21 Sep 2017 12:21:16,296 ERROR [ambari-client-thread-32897] AbstractResourceProvider:285 - Caught AmbariException when creating a resource

1 ACCEPTED SOLUTION

Master Mentor

@Ashnee Sharma

Notice krb5-auth-dialog is optional

Assuming you installed the KDC server

yum -y install krb5-server krb5-libs krb5-auth-dialog

Assuming you installed the KDC clients

yum -y install  krb5-auth-dialog krb5-workstation 

Your /etc/krb5.conf looks like the one below and is copied to all the hosts in the cluster

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
[realms]
 EXAMPLE.COM = {
  kdc = kdc.example.com
  admin_server = kdc.example.com
 }
[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

Your kdc.conf should resemble this

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
[realms]
 EXAMPLE.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }


Your kadm5.acl in /var/kerberos/krb5kdc is as below

*/admin@EXAMPLE.COM      *

Can you create an admin principal as suit

# kadmin.local -q "addprinc admin/admin" 
Authenticating as principal admin/admin@EXAMPLE.COM with password. 
WARNING: no policy specified for admin/admin@EXAMPLE.COM; defaulting to no policy 
Enter password for principal "admin/admin@EXAMPLE.COM": 
Re-enter password for principal "admin/admin@EXAMPLE.COM": 
Principal "admin/admin@EXAMPLE.COM" created.

This is the principal you should use for the Ambari Kerberos; make sure you started the appropriate daemons below

Centos7/RHEL7

# systemctl start krb5kdc 
# systemctl start kadmin

Centos6/RHEL6

# service krb5kdc start
# service kadmin start

All should be fine; please let me know.
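
A pre-flight check for the files discussed in this answer, added here as an example (it is not part of the original post or of Ambari). Kerberos realm names are case-sensitive, so it compares the realm in kadm5.acl and in [realms] against default_realm exactly, and it lists supported_enctypes entries that are deprecated. The function names and the temporary sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: lint KDC config files for realm and enctype problems.
# The file contents written below are constructed samples, not real hosts.

default_realm() {   # print default_realm from a krb5.conf
  awk -F= '/^[ \t]*default_realm[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2; exit }' "$1"
}

defined_realms() {  # print each REALM that has a "REALM = {" stanza under [realms]
  awk '/^\[/ { in_realms = ($0 ~ /^\[realms\]/); next }
       in_realms && /=[ \t]*[{]/ { sub(/[ \t]*=.*/, ""); gsub(/[ \t]/, ""); print }' "$1"
}

acl_realm_mismatches() {  # print kadm5.acl principals whose realm is not exactly $2
  awk -v realm="$2" '!/^[ \t]*(#|$)/ {
    n = split($1, p, "@"); if (n == 2 && p[2] != "*" && p[2] != realm) print $1 }' "$1"
}

deprecated_enctypes() {   # print single-DES, 3DES and RC4 entries (RFC 6649, RFC 8429)
  awk -F= '/^[ \t]*supported_enctypes[ \t]*=/ { n = split($2, e, /[ \t]+/)
    for (i = 1; i <= n; i++) { sub(/:.*/, "", e[i]); if (e[i] ~ /^(des|arcfour|rc4)/) print e[i] } }' "$1"
}

lint_kdc() {  # usage: lint_kdc krb5.conf kdc.conf kadm5.acl; returns 1 on any finding
  realm=$(default_realm "$1"); rc=0
  defined_realms "$1" | grep -qxF "$realm" || { echo "no [realms] stanza for '$realm'"; rc=1; }
  bad=$(acl_realm_mismatches "$3" "$realm" | tr '\n' ' ')
  [ -z "$bad" ] || { echo "kadm5.acl entries outside $realm: $bad"; rc=1; }
  old=$(deprecated_enctypes "$2" | tr '\n' ' ')
  [ -z "$old" ] || { echo "kdc.conf deprecated enctypes: $old"; rc=1; }
  return $rc
}

# Constructed sample files in a temporary directory (hypothetical paths).
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
printf '[libdefaults]\n default_realm = EXAMPLE.COM\n[realms]\n EXAMPLE.COM = {\n  kdc = kdc.example.com\n }\n[domain_realm]\n .example.com = EXAMPLE.COM\n' > "$d/krb5.conf"
printf '[realms]\n EXAMPLE.COM = {\n  supported_enctypes = aes256-cts:normal aes128-cts:normal arcfour-hmac:normal des-cbc-crc:normal\n }\n' > "$d/kdc.conf"
printf '*/admin@EAMPLE.COM      *\n' > "$d/kadm5.acl"        # constructed: misspelled realm
printf '*/admin@EXAMPLE.COM     *\n' > "$d/kadm5.acl.fixed"  # constructed: correct realm

lint_kdc "$d/krb5.conf" "$d/kdc.conf" "$d/kadm5.acl" || echo "=> fix the findings above before enabling Kerberos"
```

On a real KDC host, point lint_kdc at /etc/krb5.conf, /var/kerberos/krb5kdc/kdc.conf and /var/kerberos/krb5kdc/kadm5.acl.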


3 REPLIES 3

@Geoffrey Shelton Okot

I have done the same steps and got the same error.

@Geoffrey Shelton Okot

My issue is resolved. I have configured the KDC server on a different machine. Thanks for the help!