Created 12-11-2018 12:14 PM
I have set up Kerberos and enabled it in Ambari successfully on one environment, but while trying the same on another environment I am facing an issue while enabling Kerberos. I have tried to store the credentials using keytool and the REST API, and checked the Kerberos descriptors, but no luck. What else is left to check?
PFA,
Created 12-21-2018 02:30 PM
All,
Thanks for your response. I found the root cause of the issue. Ambari was using its master key in the KDC admin credentials; that is why it was giving "Missing KDC administrator credentials. Please enter admin principal and password". So I have removed that credential file (PFA for this) and the issue has been solved.
For others, you may need to keep the Ambari master key and the KDC admin credentials the same, because that file is required at the time of ambari-server restart (if you have configured jceks).
PFA,
Created 12-11-2018 12:35 PM
Check the principals on the KDC server:
$ kadmin.local
Authenticating as principal root/admin@<realm> with password.
kadmin.local: listprincs
K/M@<realm>
kadmin/admin@<realm>
kadmin/changepw@<realm>
kadmin/KDC_SERVER_FQDN@<realm>
kiprop/KDC_SERVER_FQDN@<realm>
krbtgt/TEST.COM@TEST.COM
You must create an admin principal to enable Kerberos from Ambari:
$ kadmin.local
kadmin.local: addprinc admin/admin@<realm>
WARNING: no policy specified for admin/admin@<realm>; defaulting to no policy
Enter password for principal "admin/admin@<realm>": <password>
Re-enter password for principal "admin/admin@<realm>": <password>
Principal "admin/admin@<realm>" created.
While enabling Kerberos from Ambari, use the below principal and the corresponding password:
Admin principal: admin/admin@<realm>
Admin password: <password>
Try a manual kinit of the same principal on the ambari-server machine, like:
$ kinit admin/admin@REALM
Password: *******
Check if the above is working fine.
Also, you can refer to the thread below, which talks about adding the credential using an API call as temporary or persisted.
Hope this helps!
Created 12-11-2018 01:00 PM
I have already tried the above steps and tried the same again as you said, from a reinstallation of Kerberos, but I am facing the same issue.
Created 12-11-2018 02:09 PM
Can you post any relevant information from your ambari-server.log?
One thing to check is to make sure that you are using the FQDN of the KDC when specifying the host in the KDC administrator host field. You should use the FQDN in the KDC hosts field as well, but that is not as important due to the way Ambari authenticates with the target KDC.
Created 12-12-2018 01:14 PM
I have checked the ambari-server.log file at that time and made the password store persistent by executing the below command, and from the Ambari UI I was able to check the "save password" box:
curl -H "X-Requested-By: ambari" -u admin:admin -X PUT \
  -d '{ "Credential" : { "principal" : "kadmin/admin@EXAMPLE.COM", "key" : "123456", "type" : "persisted" } }' \
  http://ambari-server-host-ip:8080/api/v1/clusters/Ambari_PreDev/credentials/kdc.admin.credential
But still the Ambari UI is giving an exception about missing credentials and I am not able to kerberize the cluster.
Also, my last admin principal created is admin/admin@EXAMPLE.COM and the changed password is "password".
PFA,
Created 12-12-2018 04:28 PM
So Ambari really cannot find the KDC administrator credentials. Can you execute the following to see if the alias exists in the Ambari credential store?
<JAVA_HOME>/bin/keytool -list -keystore /var/lib/ambari-server/keys/credentials.jceks -storetype JCEKS
For example:
[root@c7401 ~]# /usr/jdk64/jdk1.8.0_112/bin/keytool -list -keystore /var/lib/ambari-server/keys/credentials.jceks -storetype JCEKS
Enter keystore password:
Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 2 entries

cluster.ambari_predev.kdc.admin.credential, Dec 12, 2018, SecretKeyEntry,
ambari.db.password, Dec 12, 2018, SecretKeyEntry,
Here you see that my persisted KDC admin credential is listed as cluster.ambari_predev.kdc.admin.credential.
If you do not see this, then something is wrong.
Created 12-13-2018 04:09 AM
Created 12-17-2018 04:19 PM
I am at a loss as to what the issue is. All the tests I have proposed yielded results that make it seem like all should be working. Maybe
To remove the credential using keytool:
<JAVA_HOME>/bin/keytool -delete -alias <alias> -keystore /var/lib/ambari-server/keys/credentials.jceks -storetype JCEKS
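The checks that the replies in this thread run by hand (keytool -list against the Ambari credential store, kinit as the KDC admin principal, and the REST PUT that persists the credential), collected into one script as an added example. This is not Ambari's own tooling and not code posted by anyone in the thread. The keystore path and the alias pattern cluster.<cluster name, lowercased>.kdc.admin.credential are taken from the keytool output quoted above (Ambari_PreDev became cluster.ambari_predev.kdc.admin.credential); the environment variables JAVA_HOME, AMBARI_URL, AMBARI_USER and RUN_CHECKS, the function names, and the sample keytool listing embedded in the script are assumptions of this example.

```shell
#!/bin/sh
# Added example for the "Missing KDC administrator credentials" error discussed
# in this thread. Not Ambari's tooling: it wraps the manual checks from the
# replies (keytool -list on credentials.jceks, kinit, the REST PUT).
# Assumed: JAVA_HOME, AMBARI_URL, AMBARI_USER, RUN_CHECKS are operator-set
# environment variables; nothing touches a real server unless RUN_CHECKS=1.

KEYSTORE="${KEYSTORE:-/var/lib/ambari-server/keys/credentials.jceks}"

# Constructed sample of `keytool -list` output, modelled on the listing quoted
# in the thread, so the parsing helpers can be exercised offline.
SAMPLE_LISTING='Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 2 entries

cluster.ambari_predev.kdc.admin.credential, Dec 12, 2018, SecretKeyEntry,
ambari.db.password, Dec 12, 2018, SecretKeyEntry,'

# Ambari persists the KDC admin credential under
# cluster.<cluster name, lowercased>.kdc.admin.credential (pattern taken from
# the thread: Ambari_PreDev -> cluster.ambari_predev.kdc.admin.credential).
kdc_alias_for() {
    printf 'cluster.%s.kdc.admin.credential\n' \
        "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Read `keytool -list` output on stdin; succeed only if a SecretKeyEntry whose
# alias is exactly $1 is present. Entries print as "<alias>, <date>, <type>,"
# so split on commas and compare the first field (no regex on the dotted alias).
alias_in_keystore_listing() {
    awk -F, -v want="$1" '
        $1 == want && $0 ~ /SecretKeyEntry/ { found = 1 }
        END { exit !found }'
}

# The reply above asks for the KDC administrator host as an FQDN; reject bare
# short names (no dot at all).
is_fqdn() {
    case "$1" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# JSON body for the REST call quoted in the thread
# (PUT /api/v1/clusters/<cluster>/credentials/kdc.admin.credential).
# $3 is "temporary" (in memory only) or "persisted" (stored in credentials.jceks).
# No JSON escaping is done, so keep quotes and backslashes out of the password.
credential_payload() {
    printf '{"Credential":{"principal":"%s","key":"%s","type":"%s"}}' "$1" "$2" "$3"
}

# Re-persist the KDC admin credential. curl is given only the user name so it
# prompts for the Ambari password instead of taking it on the command line.
persist_kdc_credential() {
    cluster=$1 principal=$2 kdc_password=$3
    curl -s -H 'X-Requested-By: ambari' -u "${AMBARI_USER:-admin}" -X PUT \
        -d "$(credential_payload "$principal" "$kdc_password" persisted)" \
        "${AMBARI_URL:?set AMBARI_URL}/api/v1/clusters/$cluster/credentials/kdc.admin.credential"
}

# Live checks: RUN_CHECKS=1 ./kdc_cred_check.sh <cluster> <kdc_host> <admin_principal>
run_checks() {
    cluster=$1 kdc_host=$2 principal=$3
    alias=$(kdc_alias_for "$cluster")

    if is_fqdn "$kdc_host"; then
        echo "ok: KDC host '$kdc_host' looks like an FQDN"
    else
        echo "warn: KDC host '$kdc_host' is not an FQDN; the thread advises using one"
    fi

    # keytool prompts for the keystore password, which is the Ambari master key.
    # A master key that no longer matches the store is the mismatch the accepted
    # answer describes; the store then cannot be read and the alias looks missing.
    if "${JAVA_HOME:?set JAVA_HOME}/bin/keytool" -list -keystore "$KEYSTORE" -storetype JCEKS \
            | alias_in_keystore_listing "$alias"; then
        echo "ok: $alias is present in $KEYSTORE"
    else
        echo "missing: $alias not found in $KEYSTORE (or the master key was rejected)"
        echo "  a stale entry can be dropped with: keytool -delete -alias $alias -keystore $KEYSTORE -storetype JCEKS"
    fi

    # Prove the principal and password work against the KDC before blaming Ambari.
    if kinit "$principal"; then
        echo "ok: kinit $principal succeeded"
        kdestroy
    else
        echo "fail: kinit $principal failed; fix the principal or password in kadmin first"
    fi
}

if [ "${RUN_CHECKS:-0}" = 1 ]; then
    run_checks "$@"
else
    # Offline self-check on the constructed sample listing.
    printf '%s\n' "$SAMPLE_LISTING" | alias_in_keystore_listing "$(kdc_alias_for Ambari_PreDev)" \
        && echo "sample listing contains the Ambari_PreDev KDC admin alias"
fi
```

Without RUN_CHECKS=1 the script only exercises the helpers on the embedded sample, so it can be read and run safely on any host; with RUN_CHECKS=1 it runs keytool and kinit interactively, exactly as the replies above do by hand, and persist_kdc_credential can be called afterwards to re-add the entry once the master key and KDC password are known to be correct.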
Created 12-11-2018 09:28 PM
Apart from the above, can you share a tokenized version of the below files?
Share the output of $ hostname -f on the KDC server.
Then, if the above files are correct,
reset the password through kadmin:
# kadmin.local
Authenticating as principal admin/admin@EXAMPLE.COM with password.
kadmin.local: change_password -pw secret123 admin@EXAMPLE.COM
Password for "admin@EXAMPLE.COM" changed.
kadmin.local: q
In the above sequence, I have invoked kadmin as the root user and changed the previous password to secret123. To ensure all is okay, restart the KDC and kadmin:
# /etc/rc.d/init.d/krb5kdc start
Starting Kerberos 5 KDC: [ OK ]
# /etc/rc.d/init.d/kadmin start
Starting Kerberos 5 Admin Server: [ OK ]
Now you can run the Kerberos tool again to regenerate the keytabs, and all the services should restart successfully.
Created 12-13-2018 11:13 AM
@Geoffrey Shelton Okot
"Apart from the above can you share a tokenized version of the below files" - sorry, I did not get what you have asked.
$ klist -V
Kerberos 5 version 1.13.2
And the KDC server's hostname -f output is: ubuntu19.example.com
Check the attached files of the KDC server.