Support Questions

Find answers, ask questions, and share your expertise
Celebrating as our community reaches 100,000 members! Thank you!

Missing KDC administrator credentials. Please enter admin principal and password


I have setup kerberos and enabled in Ambari successfully on one environment but while trying the same on another environment I am facing issue while enabling kerberos. I have tried to store credentials using keytool, Rest API, checked kerberos descriptors but no luck. what else is left to check?





This problem has been solved!

Want to get a detailed solution you have to login/registered on the community


Expert Contributor

Hi @Ankita Ghate

Check the principals in kdc server

Authenticating as principal root/admin@<realm> with password.
kadmin.local:  listprincsK/M@<realm>

Must create a admin principal for enabling kerberos from ambari

$kadmin.local:  addprinc admin/admin@<realm>
WARNING: no policy specified for root/admin@<realm>; defaulting to no policy
Enter password for principal "admin/admin@<realm>":<password>
Re-enter password for principal "admin/admin@<realm>":<password>
Principal "admin/admin@<realm>" created.

While enabling the kerberos from ambari, use the below principal and corresponding password

Admin principal : admin/admin@<realm> 
admin password : <password>

Try manual kinit of the same principal on ambari-server machine like,

kinit admin/admin@REALM
Password: *******

Check if above is working fine.

Also, you can refer the below thread which talk about adding the credential using API call as temporary or Permanent

Hope this helps!


@Sampath Kumar

I have already tried above steps and again tried the same as you said from reinstalltion of kerberos but facing the same issue.

@Ankita Ghate

Can you post any relevant information from your ambari-server.log?

One thing to check is to make sure that you are using the FQDN of the KDC when specifying the host in the KDC administrator host field. You should use the FQDN in the KDC hosts field as well, but that is not as important due to the way Ambari authenticates with the target KDC.


@Robert Levas

I have checked ambari-server.log file at that time and made password store persistent by executing below command and from Ambari UI, I was able to check on save password box,

curl -H "X-Requested-By:ambari" -u admin:admin -X PUT -d '{ "Credential" : { "principal" : "kadmin/admin@EXAMPLE.COM", "key" : "123456", "type" : "persisted" } }' http://ambari-server-host-ip:8080/api/v1/clusters/Ambari_PreDev/credentials/kdc.admin.credential

But still Ambari UI is giving exception as missing credentials and not able to kerberize cluster.

Also my last admin principal created is admin/admin@EXAMPLE.COM and changed password is password.




So Ambari really cannot find the KDC administrator credentials. Can you execute the following to see if the alias exists in the Ambari credential store?

<JAVA_HOME>/bin/keytool -list -keystore /var/lib/ambari-server/keys/credentials.jceks -store-type JCEKS

For Example:

[root@c7401 ~]# /usr/jdk64/jdk1.8.0_112/bin/keytool -list -keystore /var/lib/ambari-server/keys/credentials.jceks -store-type JCEKS
Enter keystore password:
Keystore type: JCEKS
Keystore provider: SunJCE
Your keystore contains 2 entries
cluster.ambari_predev.kdc.admin.credential, Dec 12, 2018, SecretKeyEntry,
ambari.db.password, Dec 12, 2018, SecretKeyEntry,

Here you see that my persisted KDC admin credential is listed as cluster.ambari_predev.kdc.admin.credential.

If you do not see this, then something is wrong.


@Robert Levas

It is showing output as expected PFA,



I am at a loss as far as what the issue is. All tests I have proposed yielded results that make it seem like all should be working. Maybe

  1. Manually remove the credential from the credential store
  2. Restart Ambari
  3. Add it again, through Ambari when it asks for it

To remove the credential using keytool -

<JAVA_HOME>/bin/keytool -remove -alias  -keystore /var/lib/ambari-server/keys/credentials.jceks -store-type JCEKS

Master Mentor

@Ankita Ghate

Your situation is bizarre! Can you share the screenshot of the kerberization steps?

Apart from the above can you share a tokenized version of your the below files

  • krb5.conf
  • kdc.conf
  • kadm5.acl
  • /etc/hosts

share the output of $ hostname -f on the kdc server
Then if the above files are correct

Reset the password through kadmin

# kadmin.local 
Authenticating as principal admin/admin@EXAMPLE.COM with password. 
kadmin.local: change_password -pw secret123 admin@EXAMPLE.COM 
Password for "admin@EXAMPLE.COM" changed. 
kadmin.local: q

In the above sequence, I have invoked kadmin as root user and change the previous password to secret123. To ensure all is okay restart the kdc and kadmin

# /etc/rc.d/init.d/krb5kdc start 
Starting Kerberos 5 KDC: 		[ OK ] 
# /etc/rc.d/init.d/kadmin start 
Starting Kerberos 5 Admin Server: 	[ OK ]

Now you can run the Kerberos tool again to regenerate the keytabs and all the services should restart successfully


@Geoffrey Shelton Okot

Apart from the above can you share a tokenized version of your the below files- Sorry I did not get what you have asked.

klist -V Kerberos 5 version 1.13.2

And KDC server's hostname -f output is -->

Check attached files of KDC server,