Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

invalid KDC administrator credentials after upgrading ambari to 2.7.3

Solved Go to solution

invalid KDC administrator credentials after upgrading ambari to 2.7.3

New Contributor

I just upgraded ambari to 2.7.3 on my cluster. The cluster had previously been configured with kerberos, and running correctly. Now whenever I try to modify components I get an "admin session expired" dialog. I enter my admin credentials (kerberos) and get an invalid KDC admin error returned. I verified that the principal I entered has admin rights by logging into kadmin on the command line. The principal I am entering is the one I used when I initially configured the cluster to use kerberos. Why would this not work anymore, and how can I fix it?

1 ACCEPTED SOLUTION

Accepted Solutions

Re: invalid KDC administrator credentials after upgrading ambari to 2.7.3

@scott powers

As of Ambari 2.7, Ambari authenticates with an MIT KDC more securely - using Kerberos. To do this, it must call kinit and specify the kadmin service principal.

kinit -c <path> -S kadmin/<kadmin server FQDN>@<realm> <principal>

There may be one of two issue a play causing you an issue.

1) The KDC Administrator host is not set to the FQDN of the host there the kadmin server is running

2) The KDC does not have a principal like kadmin/<kadmin server FQDN>@<realm>

Fixing #1 may be done by editing the Kerberos service configurations via Ambari. After restarting the Kerberos service, you should be able to properly kinit.

Fixing #2 may be done by adding the missing principal (kadmin/<kadmin server FQDN>@<realm>) to the MIT KDC.

In future versions of Ambari, you will be able to configure what the kadmin service principal is. However for now, Ambari assumes it is kadmin/<kadmin server FQDN>@<realm>.

If one of these solutions does not help, you should take a look at your ambari-server.log file and see if there are any interesting error messages posted that you can share here.

1 REPLY 1

Re: invalid KDC administrator credentials after upgrading ambari to 2.7.3

@scott powers

As of Ambari 2.7, Ambari authenticates with an MIT KDC more securely - using Kerberos. To do this, it must call kinit and specify the kadmin service principal.

kinit -c <path> -S kadmin/<kadmin server FQDN>@<realm> <principal>

There may be one of two issue a play causing you an issue.

1) The KDC Administrator host is not set to the FQDN of the host there the kadmin server is running

2) The KDC does not have a principal like kadmin/<kadmin server FQDN>@<realm>

Fixing #1 may be done by editing the Kerberos service configurations via Ambari. After restarting the Kerberos service, you should be able to properly kinit.

Fixing #2 may be done by adding the missing principal (kadmin/<kadmin server FQDN>@<realm>) to the MIT KDC.

In future versions of Ambari, you will be able to configure what the kadmin service principal is. However for now, Ambari assumes it is kadmin/<kadmin server FQDN>@<realm>.

If one of these solutions does not help, you should take a look at your ambari-server.log file and see if there are any interesting error messages posted that you can share here.

Don't have an account?
Coming from Hortonworks? Activate your account here