missing KDC administrator credentials

Rising Star

Hello,

I am facing an issue while enabling Kerberos in a Hadoop cluster. It pops up an error at the test section, and I can't pass it even if I enter the correct credentials. Here is the error:

14128-kdc.png

Super Mentor

@Mustafa Kemal MAYUK

In that popup you will need to add the kadmin credentials. You should get them from the KDC admin if you have forgotten them.

If you remember the credential and do not want to see that popup from next time onwards, then you will need to store that credential in the Ambari store as mentioned in the article:

https://community.hortonworks.com/articles/42927/adding-kdc-administrator-credentials-to-the-ambari....

And if you are entering the correct credentials and are still not able to pass that popup, that can happen if your Ambari server is not able to contact the KDC server. In that case, try validating whether you are able to connect to the KDC host/port using telnet from the Ambari host:

# telnet   $kdcHostName   $kdcPort

Also check if you see the output of the following URL as "REACHABLE" or not?

http://${AMBARI_HOSTNAME}:8080/api/v1/kdc_check/${KDC_HOSTNAME}

Rising Star

Hi,

I remember admin principal's password, I am trying it but can't pass this popup. I could validate it's true by "kinit ..."

@Mustafa Kemal MAYUK

Take a look in your /var/log/ambari-server/ambari-server.log file to see if there are any interesting errors related to executing kadmin. This should shed some light on the issue. Without more information, it is tough to tell what the issue could be.

Rising Star

Hello,

when I check ambari-server log, there is an error like this;

29 Mar 2017 10:54:59,309 ERROR [ambari-client-thread-63] BaseManagementHandler:67 - Bad request received: Missing KDC administrator credentials. The KDC administrator credentials must be set as a persisted or temporary credential resource.This may be done by issuing a POST to the /api/v1/clusters/:clusterName/credentials/kdc.admin.credential API entry point with the following payload: { "Credential" : { "principal" : "(PRINCIPAL)", "key" : "(PASSWORD)", "type" : "(persisted|temporary)"} } }

I did the settings according to this url;

https://community.hortonworks.com/articles/42927/adding-kdc-administrator-credentials-to-the-ambari....

Firstly run ambari-server setup-security and select option 2.

Then run these without any error:

curl -H "X-Requested-By:ambari" -u admin:admin -X POST -d '{ "Credential" : { "principal" : "hadoopadmin@REALM", "key" : "xxxxx", "type" : "persisted" } }' http://AMBARI_IP:8080/api/v1/clusters/testcls/credentials/kdc.admin.credential

curl -H "X-Requested-By:ambari" -u admin:admin -X PUT -d '{ "Credential" : { "principal" : "hadoopadmin@REALM", "key" : "xxxxx", "type" : "persisted" } }' http://AMBARI_IP:8080/api/v1/clusters/testcls/credentials/kdc.admin.credential

But I am still getting above error about credential resource. When I type a wrong password ambari log says password is wrong. So I am sure that password is correct.

Super Mentor

@Mustafa Kemal MAYUK

You might have already checked the following ... Still just wanted to confirm:

What do you see when you make a GET call to the following URL? Do you see the data that you entered?

# curl -H "X-Requested-By:ambari" -u admin:admin -X GET http://AMBARI_IP:8080/api/v1/clusters/testcls/credentials/kdc.admin.credential

- Can you try the same from a browser with "Incognito Mode" (Private mode so that we can isolate a possibility of NO cached/stored password used).

FireFox => "File" => "New Private Window"

Chrome => "File" => "New Incognito Window"

@Jay Kumar SenSharma

I have tried clearing browser cookies (Chrome/Firefox), and checked by storing the KDC credentials through keytool and the REST API as well, but no luck.

I have done the setup on one environment and it was successful, but I am now facing the issue on another environment.

PFA,

missing-kdc-credentials.png

@Ankita Ghate

You might want to open a new issue if the solution in this issue didn't help you. In the new issue, maybe post any errors you see in your ambari-server.log file.

In the image you posted, the error reads that the session expired. So if the admin credentials are not persisted in the Ambari credential store, they will be cached in memory for about 90 minutes. I assume you hit the 90-minute timeout and you simply have to re-enter your admin credential. If you wish to save the entered credential to Ambari's credential store, check the box next to "save admin credentials". This is active since the Ambari credential store has been set up.

Did you mean that the credentials are stored in the Ambari server's memory and, as I got this exception, I should wait for the next 90 minutes to try again?

Sorry for the confusion. Nope. You need to set the credentials again and if they are stored in the temporary credential store, they will be usable by Ambari for the next 90 minutes (or until Ambari is restarted). However if you opt to save the credential in Ambari's credential store, then it will be usable by Ambari until you remove it from the credential store.
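
An added example, not part of any post above and not Ambari's own tooling: the curl calls in this thread put the Ambari login and the KDC admin password on the command line, where shell history and the process list can expose them. This Python code builds the same request to `/credentials/kdc.admin.credential` (either `persisted` or `temporary`) but reads the secrets with `getpass`; the function names `build_request` and `describe` are hypothetical, and `AMBARI_IP`, `testcls` and `hadoopadmin@REALM` are the thread's placeholders.

```python
import base64
import getpass
import json
import urllib.error
import urllib.parse
import urllib.request

def build_request(base_url, cluster, principal, key, cred_type,
                  ambari_user, ambari_password, method="POST"):
    """Build (not send) the credential-store request shown in the thread."""
    if cred_type not in ("persisted", "temporary"):
        raise ValueError("type must be 'persisted' or 'temporary'")
    if method not in ("POST", "PUT"):  # the thread issues both POST and PUT
        raise ValueError("method must be POST or PUT")
    url = "{}/api/v1/clusters/{}/credentials/kdc.admin.credential".format(
        base_url.rstrip("/"), urllib.parse.quote(cluster, safe=""))
    # json.dumps escapes quotes and backslashes in the password; hand-built
    # JSON inside a shell-quoted curl -d string does not.
    body = json.dumps({"Credential": {
        "principal": principal, "key": key, "type": cred_type}}).encode("utf-8")
    token = base64.b64encode(
        "{}:{}".format(ambari_user, ambari_password).encode("utf-8")).decode("ascii")
    req = urllib.request.Request(url, data=body, method=method)
    req.add_header("X-Requested-By", "ambari")
    req.add_header("Authorization", "Basic " + token)
    return req

def describe(req):
    """Loggable summary: KDC key masked, Authorization header left out."""
    cred = json.loads(req.data)["Credential"]
    cred["key"] = "***"
    return "{} {} {}".format(req.get_method(), req.full_url,
                             json.dumps({"Credential": cred}, sort_keys=True))

if __name__ == "__main__":
    # Placeholders from the thread; Basic auth over plain http is not encrypted.
    req = build_request(
        "http://AMBARI_IP:8080", "testcls", "hadoopadmin@REALM",
        getpass.getpass("KDC admin password: "), "persisted",
        input("Ambari user: "), getpass.getpass("Ambari password: "))
    print(describe(req))
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            print("HTTP", resp.status)
    except urllib.error.HTTPError as err:
        print("HTTP", err.code, err.reason)
```
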