Unexpected error condition executing the kadmin command. STDERR: kadmin: Matching credential not found
Created ‎01-15-2019 11:16 AM
Hello all,
I'm trying to kerberize the Ambari 2.7.3 cluster. However, during the setup, I get the following error:
Caused by: org.apache.ambari.server.serveraction.kerberos.KerberosOperationException: Unexpected error condition executing the kadmin command. STDERR: kadmin: Matching credential not found (filename: /tmp/ambari_krb_142308985016794830cc) while initializing kadmin interface
    at org.apache.ambari.server.serveraction.kerberos.MITKerberosOperationHandler.invokeKAdmin(MITKerberosOperationHandler.java:323)
    at org.apache.ambari.server.serveraction.kerberos.MITKerberosOperationHandler.principalExists(MITKerberosOperationHandler.java:123)
    at org.apache.ambari.server.serveraction.kerberos.KerberosOperationHandler.testAdministratorCredentials(KerberosOperationHandler.java:314)
    at org.apache.ambari.server.controller.KerberosHelperImpl.validateKDCCredentials(KerberosHelperImpl.java:2133)
All of the authentication settings are okay, because I am able to kinit and use the kadmin interface from shell.
It seems that the problem is that Ambari tries to do the following:
    kinit -p admin/admin@EXAMPLE.COM
    kadmin -c /tmp/ambari_krb_...
While it should be doing the following:
    kinit -S kadmin/admin@EXAMPLE.COM admin/admin@EXAMPLE.COM
    kadmin -c /tmp/ambari_krb...
I've tried replicating the two settings and confirmed my guess. The second code works from the shell. Further, if I intercept the temporarily generated credentials by Ambari with my own, the code works.
How can I fix this behaviour? This seems like a bug in Ambari code -- which part should I edit to fix this?
Created ‎01-15-2019 01:59 PM
@Javert Kirilov In Ambari 2.7.x, the MIT KDC connector logic uses the following kinit format:
kinit -S kadmin/<FQDN kadmin server>@EXAMPLE.COM admin/admin@EXAMPLE.COM
See https://github.com/apache/ambari/blob/branch-2.7/ambari-server/src/main/java/org/apache/ambari/serve... for the code.
This is different than what you suggest since the server principal is basically hardcoded to kadmin/<FQDN kadmin server>@<REALM>. Since not all installations of the MIT KDC have this principal set up, this can cause issues like what you are seeing. In the newer release of Ambari, we have this fixed and the user can override the kadmin server principal. So until that version is released, it is suggested that you manually create that missing principal.
Hopefully you are willing to try this and see if it works for you.
Created ‎08-07-2019 01:41 PM
Hello!
Ran into the same problem, but in my case the kadmin/<FQDN kadmin server>@<REALM> existed and if I run
    kinit -S kadmin/@<REALM> admin/admin@<REALM>
then it will authorize
    # klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: admin/admin@<REALM>

    Valid starting       Expires              Service principal
    08/07/2019 11:30:25  08/07/2019 14:30:25  kadmin/cluster@<REALM>
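
Added example, not part of any post in this thread and not Ambari's code: `kadmin -c <cache>` expects the cache to already hold a service ticket for the kadmin service, so this sketch reads `klist` output and reports whether the cache holds the expected `kadmin/...` principal, a kadmin ticket for a different instance, or none at all. The function names, the sample caches and the host `kdc01.example.com` are constructed for illustration, and the parser assumes MIT klist's default date layout.

```shell
#!/usr/bin/env bash
# Added example: classify a credential cache from `klist` text.
# Assumes MIT klist's default layout: ticket rows begin with an
# MM/DD/YY or MM/DD/YYYY date and end with the service principal.

# Print the service principal of every ticket row read from stdin.
cache_services() {
    awk '$1 ~ /^[0-9][0-9]\/[0-9][0-9]\/[0-9]+$/ { print $NF }'
}

# usage: klist -c CACHE | diagnose_cache 'kadmin/<FQDN>@<REALM>'
# Prints: match | mismatch | no-kadmin-ticket
diagnose_cache() {
    local expected="$1" services
    services=$(cache_services)
    if printf '%s\n' "$services" | grep -Fxq -- "$expected"; then
        echo match              # cache holds a ticket for the expected principal
    elif printf '%s\n' "$services" | grep -q '^kadmin/'; then
        echo mismatch           # kadmin ticket, but for a different instance
    else
        echo no-kadmin-ticket   # e.g. only a krbtgt from a plain kinit
    fi
}

# Constructed sample: cache after a plain `kinit admin/admin@EXAMPLE.COM`.
sample_tgt_only() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/example_cc
Default principal: admin/admin@EXAMPLE.COM

Valid starting       Expires              Service principal
01/15/2019 11:00:00  01/16/2019 11:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 01/22/2019 11:00:00
EOF
}

# Constructed sample: cache after `kinit -S kadmin/admin@EXAMPLE.COM ...`.
sample_kadmin_admin() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/example_cc
Default principal: admin/admin@EXAMPLE.COM

Valid starting       Expires              Service principal
01/15/2019 11:00:00  01/15/2019 14:00:00  kadmin/admin@EXAMPLE.COM
EOF
}
```

A `mismatch` result means the cache has a kadmin ticket under a different instance name than the one passed in, which is worth comparing against the principals that actually exist in the KDC.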