missing KDC administrator credentials

Master Collaborator

I am getting this error while installing Ranger KMS. I have also followed the steps in this link to set up KDC credentials, but no luck.

https://community.hortonworks.com/articles/42927/adding-kdc-administrator-credentials-to-the-ambari....

23 Dec 2016 23:04:56,087  INFO [ambari-client-thread-25] AmbariManagementControllerImpl:2329 - AmbariManagementControllerImpl.createHostAction: created ExecutionCommand for host hadoop1.tolls.dot.state.fl.us, role RANGER_KMS_SERVER, roleCommand INSTALL, and command ID 2532--1, with cluster-env tags version1480534831774
23 Dec 2016 23:04:56,101  INFO [ambari-client-thread-25] AbstractResourceProvider:810 - Caught an exception while updating host components, retrying : java.lang.IllegalArgumentException: Missing KDC administrator credentials.
The KDC administrator credentials must be set as a persisted or temporary credential resource.This may be done by issuing a POST to the /api/v1/clusters/:clusterName/credentials/kdc.admin.credential API entry point with the following payload:
{
  "Credential" : {
    "principal" : "(PRINCIPAL)", "key" : "(PASSWORD)", "type" : "(persisted|temporary)"}
  }
}

Some of the relevant information is below.

ambari=> select * from clusterconfigmapping where type_name='krb5-conf';
 cluster_id | type_name |     version_tag      | create_timestamp | selected | user_name
------------+-----------+----------------------+------------------+----------+-----------
          2 | krb5-conf | version1480451713980 |    1480451714516 |        0 | admin
          2 | krb5-conf | version1480457371499 |    1480457371908 |        0 | admin
          2 | krb5-conf | version1480512641006 |    1480512641350 |        0 | admin
          2 | krb5-conf | version1480514713561 |    1480514713480 |        0 | admin
          2 | krb5-conf | version1480534242770 |    1480534242886 |        0 | admin
          2 | krb5-conf | version1480534438613 |    1480534438721 |        0 | admin
          2 | krb5-conf | version1480534635088 |    1480534635219 |        0 | admin
          2 | krb5-conf | version1482547881896 |    1482547876961 |        1 | admin
(8 rows)
ambari=> select * from clusterconfigmapping where type_name like '%kerberos%';
 cluster_id |  type_name   |     version_tag      | create_timestamp | selected | user_name
------------+--------------+----------------------+------------------+----------+-----------
          2 | kerberos-env | version1480451713980 |    1480451714512 |        0 | admin
          2 | kerberos-env | version1480457371499 |    1480457371906 |        0 | admin
          2 | kerberos-env | version1480512641006 |    1480512641352 |        0 | admin
          2 | kerberos-env | version1480514713561 |    1480514713478 |        0 | admin
          2 | kerberos-env | version1480534242770 |    1480534242888 |        0 | admin
          2 | kerberos-env | version1480534438613 |    1480534438719 |        0 | admin
          2 | kerberos-env | version1480534635088 |    1480534635217 |        0 | admin
          2 | kerberos-env | version1482547881896 |    1482547876957 |        1 | admin
(8 rows)

[root@hadoop1 ambari-server]# more /etc/krb5.conf
[libdefaults]
  renew_lifetime = 7d
  forwardable = true
  default_realm = abc.com
  ticket_lifetime = 24h
  dns_lookup_realm = false
  dns_lookup_kdc = false
  default_ccache_name = /tmp/krb5cc_%{uid}
  #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
  #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
[logging]
  default = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  kdc = FILE:/var/log/krb5kdc.log
[realms]
  abc.com = {
    admin_server = hadoop1.tolls.dot.state.fl.us
    kdc = hadoop1.tolls.dot.state.fl.us
  }


Re: missing KDC administrator credentials

Super Mentor

@Sami Ahmad

The output that you posted here does not contain any error; rather, it is an INFO message which is suggesting that you should store the KDC admin credential, which can be simply achieved using the following curl command:

curl -i -u ambariAdmin:ambariAdminPwd -H "X-Requested-By: ambari" -X POST -d '{"Credential" : {"principal" : "kdcadmin/kdcadmin", "key" : "master","type" : "temporary"}}' http://AMBARI_HOST:8080/api/v1/clusters/$CLUSTERNAME/credentials/kdc.admin.credential

You can choose the type persisted or temporary. Here you will need to alter the kdcadmin credential in the above command.

However, if you have executed the above steps and you are still getting the same info message, then it will require further investigation. Next time, can you try running the above curl command together with "tail -f /var/log/ambari-server/ambari-server.log" to see if any new events are logged?

- And if, even after running the above kind of curl command, you are getting the same message again, then it is better to try to reinstall Ranger KMS.

Re: missing KDC administrator credentials

Master Collaborator

The curl command is not working.

[root@hadoop1 ~]# curl -i -u ambariAdmin:ambariAdminPwd -H "X-Requested-By: ambari" -X POST -d '{"Credential" : {"principal" : "admin/admin", "key" : "master","type" : "temporary"}}' http://hadoop1:8080/api/v1/clusters/$CLUSTERNAME/credentials/kdc.admin.credential
HTTP/1.1 307 Temporary Redirect
Location: http://10.100.30.16/UserCheck/PortalMain?IID=84BFBF35-6C5D-C4A6-C3A7-EC6EDE300682&origUrl=aHR0cDovL2...
Connection: close



Re: missing KDC administrator credentials

Super Mentor

@Sami Ahmad

The article link that you shared looks pretty straightforward. Are you getting any error/warning while implementing the steps mentioned in the article?

Re: missing KDC administrator credentials

Master Collaborator

Yes, I am. I tried curl and POST. Curl fails, POST hangs. What is the "admin:admin" part in the curl command?

[root@hadoop1 ~]# curl -H "X-Requested-By:ambari" -u admin:admin -X  POST -d '{ "Credential" : { "principal" : "admin/admin@ABC.COM", "key" : "wXXXX", "type" : "persisted" } }' http://hadoop1.tolls.dot.state.fl.us:8080/api/v1/clusters/c1/credentials/kdc.admin.credential
<!DOCTYPE html>
<html><head>
<title>504 Gateway Timeout</title>
</head><body style='font-family:Verdana'>
<h2><b>Gateway Timeout</b></h2>
<p>The requested URL couldn't be resolved</p>
</body></html>

[root@hadoop1 ~]# curl -H "X-Requested-By:ambari" -u admin:admin -X GET http://hadoop1:8080/api/v1/clusters/c1/credentials/kdc.admin.credential
<!DOCTYPE html>
<html><head>
<title>504 Gateway Timeout</title>
</head><body style='font-family:Verdana'>
<h2><b>Gateway Timeout</b></h2>
<p>The requested URL couldn't be resolved</p>
</body></html>
[root@h

[root@hadoop1 ~]# POST /api/v1/clusters/FDOT_hadoop/credentials/kdc.admin.credential
Please enter content (application/x-www-form-urlencoded) to be POSTed:
{
  "Credential" :
  {
    "principal" : "admin/admin@ABC.COM",
    "key" : "wXXXX",
    "type" : "persisted"
  }
}
^C


Re: missing KDC administrator credentials

Super Mentor

@Sami Ahmad

Here the "admin:admin" is the Ambari Admin "username:password".

Also, you are getting "504 Gateway timeout", which usually indicates that the Ambari server is not directly reachable or there may be some DNS server issue. Are you able to telnet to your Ambari host from the machine where you are running the curl command?

telnet  hadoop1.tolls.dot.state.fl.us  8080

Can you please check at the network level that you do not have any proxy setting which might be causing the 504 gateway timeout error?
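
The proxy check suggested above can be scripted; this is an added example, not part of any poster's reply or of Ambari itself. It posts the credential with curl's proxy handling disabled and tells an answer from Ambari apart from one produced by an intermediary, such as the 307 to another host and the HTML 504 page shown in this thread. Assumptions: the function names are illustrative, the host, cluster and user arguments are placeholders, and the Ambari API is assumed never to redirect to another host or return an HTML page for this endpoint.

```shell
#!/bin/sh
# Added example (not from the thread); all function names are illustrative.

# Escape backslashes and double quotes so a password cannot break the JSON.
json_escape() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# Build the payload shape quoted in the Ambari log message.
kdc_payload() {  # args: principal key type(persisted|temporary)
  printf '{"Credential":{"principal":"%s","key":"%s","type":"%s"}}' \
    "$(json_escape "$1")" "$(json_escape "$2")" "$3"
}

# Host part of a URL: http://host:8080/path -> host
url_host() { h=${1#*://}; h=${h%%/*}; printf '%s' "${h%%:*}"; }

# Decide who answered the request.
# Assumption: Ambari does not redirect to another host or reply with HTML here.
classify_response() {  # args: expected_host location_header body
  if [ -n "$2" ] && [ "$(url_host "$2")" != "$1" ]; then
    echo intermediary-redirect
  else
    case $3 in
      *'<html'*|*'<!DOCTYPE'*) echo intermediary-html ;;
      *) echo ambari ;;
    esac
  fi
}

# Send the credential straight to Ambari, ignoring http_proxy/HTTP_PROXY.
# curl prompts for the Ambari password because -u carries no ":password";
# the KDC password is read without echo and piped to curl on stdin, so
# neither secret appears in the process list or the shell history.
post_kdc_credential() {  # args: ambari_url cluster ambari_user principal type
  printf 'KDC admin password: ' >&2
  stty -echo; IFS= read -r key; stty echo; echo >&2
  kdc_payload "$4" "$key" "$5" |
    curl -sS --noproxy '*' -D - -H 'X-Requested-By: ambari' -u "$3" \
      -X POST --data @- \
      "$1/api/v1/clusters/$2/credentials/kdc.admin.credential"
}
```

Run `env | grep -i proxy` first: if `http_proxy` is set in root's environment, the original curl commands were sent to the proxy rather than to port 8080 on the Ambari host, which a successful telnet to that port does not rule out.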

Re: missing KDC administrator credentials

Master Collaborator

This is a misleading error, I think, since my Ambari server is up and running and I am logged into it.

I can also telnet to port 8080

[root@hadoop1 ~]# uname -a
Linux hadoop1 2.6.32-642.6.2.el6.x86_64 #1 SMP Wed Oct 26 06:52:09 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@hadoop1 ~]# telnet  hadoop1.tolls.dot.state.fl.us  8080
Trying 10.100.44.17...
Connected to hadoop1.tolls.dot.state.fl.us.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
[root@hadoop1 ~]#