invalid KDC administrator credentials after upgrading ambari to 2.7.3

I just upgraded Ambari to 2.7.3 on my cluster. The cluster had previously been configured with Kerberos and was running correctly. Now whenever I try to modify components I get an "admin session expired" dialog. I enter my admin credentials (Kerberos) and get an invalid KDC admin error returned. I verified that the principal I entered has admin rights by logging into kadmin on the command line. The principal I am entering is the one I used when I initially configured the cluster to use Kerberos. Why would this not work anymore, and how can I fix it?

1 ACCEPTED SOLUTION

@scott powers

As of Ambari 2.7, Ambari authenticates with an MIT KDC more securely - using Kerberos. To do this, it must call kinit and specify the kadmin service principal.

kinit -c <path> -S kadmin/<kadmin server FQDN>@<realm> <principal>

There may be one of two issues at play causing you an issue.

1) The KDC Administrator host is not set to the FQDN of the host where the kadmin server is running

2) The KDC does not have a principal like kadmin/<kadmin server FQDN>@<realm>

Fixing #1 may be done by editing the Kerberos service configurations via Ambari. After restarting the Kerberos service, you should be able to properly kinit.

Fixing #2 may be done by adding the missing principal (kadmin/<kadmin server FQDN>@<realm>) to the MIT KDC.

In future versions of Ambari, you will be able to configure what the kadmin service principal is. However, for now, Ambari assumes it is kadmin/<kadmin server FQDN>@<realm>.

If one of these solutions does not help, you should take a look at your ambari-server.log file and see if there are any interesting error messages posted that you can share here.
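
The following script is an added example, not part of the original answer and not Ambari's own code: it checks offline for the two causes listed above. The host names, the EXAMPLE.COM realm, the principal list and the function names are all constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: principal names as printed by `kadmin.local -q listprincs`.
SAMPLE_PRINCS='K/M@EXAMPLE.COM
admin/admin@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/kdc1.example.com@EXAMPLE.COM'

# Service principal passed to `kinit -S`, as given in the answer.
kadmin_service_principal() {   # $1 = KDC admin host, $2 = realm
    printf 'kadmin/%s@%s\n' "$1" "$2"
}

# Cause 1: the admin host must be an FQDN, not a short name or an IP address.
is_fqdn() {
    case "$1" in
        ''|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;  # empty label or bad char
        *[A-Za-z]*.*|*.*[A-Za-z]*) return 0 ;;       # has a dot and a letter
    esac
    return 1
}

# Prints cause1 / cause2 / ok for a host, realm and newline-separated list.
diagnose() {
    if ! is_fqdn "$1"; then
        echo "cause1: KDC admin host '$1' is not an FQDN"
        return 0
    fi
    want=$(kadmin_service_principal "$1" "$2")
    # Principal names are case-sensitive, so match the whole line exactly.
    if printf '%s\n' "$3" | grep -Fxq -- "$want"; then
        echo "ok: $want exists"
    else
        echo "cause2: $want is missing from the KDC"
    fi
}

diagnose kdc1             EXAMPLE.COM "$SAMPLE_PRINCS"
diagnose kdc1.example.com EXAMPLE.COM "$SAMPLE_PRINCS"
diagnose kdc2.example.com EXAMPLE.COM "$SAMPLE_PRINCS"
```

On a real KDC, pass the output of `kadmin.local -q listprincs` as the third argument and the configured KDC Administrator host as the first.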
