Created 01-23-2019 03:54 PM
I just upgraded Ambari to 2.7.3 on my cluster. The cluster had previously been configured with Kerberos and was running correctly. Now whenever I try to modify components I get an "admin session expired" dialog. I enter my admin credentials (Kerberos) and get an invalid KDC admin error returned. I verified that the principal I entered has admin rights by logging into kadmin on the command line. The principal I am entering is the one I used when I initially configured the cluster to use Kerberos. Why would this not work anymore, and how can I fix it?
Created 01-23-2019 04:19 PM
As of Ambari 2.7, Ambari authenticates with an MIT KDC more securely - using Kerberos. To do this, it must call kinit and specify the kadmin service principal.
kinit -c <path> -S kadmin/<kadmin server FQDN>@<realm> <principal>
There may be one of two issues at play causing you an issue.
1) The KDC Administrator host is not set to the FQDN of the host where the kadmin server is running.
2) The KDC does not have a principal like kadmin/<kadmin server FQDN>@<realm>.
Fixing #1 may be done by editing the Kerberos service configurations via Ambari. After restarting the Kerberos service, you should be able to properly kinit.
Fixing #2 may be done by adding the missing principal (kadmin/<kadmin server FQDN>@<realm>) to the MIT KDC.
In future versions of Ambari, you will be able to configure what the kadmin service principal is. However for now, Ambari assumes it is kadmin/<kadmin server FQDN>@<realm>.
If one of these solutions does not help, you should take a look at your ambari-server.log file and see if there are any interesting error messages posted that you can share here.
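A way to check both causes from the answer above before retrying in Ambari, as an added example that is not part of the original thread and not Ambari's own code; the function names are hypothetical. `diagnose` expects a principal listing from the KDC on stdin (for example the output of `kadmin.local -q 'listprincs kadmin/*'` run on the KDC host).

```shell
#!/bin/sh
# Added example, not Ambari code. Function names are hypothetical.

# The service principal Ambari 2.7 assumes: kadmin/<kadmin server FQDN>@<realm>
kadmin_service_principal() {            # $1 = KDC admin host, $2 = realm
    printf 'kadmin/%s@%s\n' "$1" "$2"
}

# Cause 1 check: the configured admin host must be an FQDN (not a short name or IP).
looks_like_fqdn() {
    case "$1" in
        ''|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;   # empty, stray dots, bad chars
        *.*) ;;                                        # has at least one dot
        *) return 1 ;;                                 # short hostname
    esac
    case "$1" in *[!0-9.]*) return 0 ;; *) return 1 ;; esac   # only digits/dots = IP
}

# Reads a principal list (e.g. listprincs output) on stdin.
# Returns 0 = looks fine, 1 = cause 1 (host not an FQDN), 2 = cause 2 (principal missing).
diagnose() {                            # $1 = KDC admin host, $2 = realm
    looks_like_fqdn "$1" || { echo "cause 1: '$1' is not an FQDN"; return 1; }
    svc=$(kadmin_service_principal "$1" "$2")
    princs=$(cat)
    if printf '%s\n' "$princs" | grep -Fxq -- "$svc"; then
        echo "ok: $svc exists"; return 0
    fi
    # Principal names are case-sensitive; a case-only mismatch still fails.
    if printf '%s\n' "$princs" | grep -Fxiq -- "$svc"; then
        echo "cause 2: $svc exists only with different letter case"
    else
        echo "cause 2: $svc is missing from the KDC"
    fi
    return 2
}

# Live check, only with 3 arguments: <KDC admin host> <realm> <admin principal>.
# Repeats the kinit from the answer against a throwaway credential cache.
if [ "$#" -eq 3 ]; then
    cache=$(mktemp)
    kinit -c "$cache" -S "$(kadmin_service_principal "$1" "$2")" "$3"
    rc=$?
    kdestroy -q -c "$cache" 2>/dev/null
    rm -f "$cache"
    exit "$rc"
fi
```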