Created on 03-28-2017 02:28 PM - edited 09-16-2022 04:21 AM
Hello,
I am facing an issue while enabling Kerberos in a Hadoop cluster. It pops up an error at the test section, and I can't pass it even when I enter correct credentials. Here is the error:
Created 03-28-2017 02:39 PM
In that popup you will need to add the kadmin credentials. You should get them from the KDC admin if you have forgotten them.
If you remember the credential and you do not want to see that popup from next time onwards, then you will need to store that credential in the Ambari store as mentioned in the article:
And if you are entering the correct credentials and are still not able to pass that popup, that can happen if your Ambari server is not able to contact the KDC server. In that case, try validating whether you are able to connect to the KDC host/port using telnet from the Ambari host:
# telnet $kdcHostName $kdcPort
Also check whether the output of the following URL is "REACHABLE" or not:
http://${AMBARI_HOSTNAME}:8080/api/v1/kdc_check/${KDC_HOSTNAME}
Created 03-28-2017 05:32 PM
Hi,
I remember admin principal's password, I am trying it but can't pass this popup. I could validate it's true by "kinit ..."
Created 03-28-2017 06:35 PM
Take a look in your /var/log/ambari-server/ambari-server.log file to see if there are any interesting errors related to executing kadmin. This should shed some light on the issue. Without more information, it is tough to tell what the issue could be.
Created 03-29-2017 08:27 AM
Hello,
when I check ambari-server log, there is an error like this;
29 Mar 2017 10:54:59,309 ERROR [ambari-client-thread-63] BaseManagementHandler:67 - Bad request received: Missing KDC administrator credentials. The KDC administrator credentials must be set as a persisted or temporary credential resource.This may be done by issuing a POST to the /api/v1/clusters/:clusterName/credentials/kdc.admin.credential API entry point with the following payload: { "Credential" : { "principal" : "(PRINCIPAL)", "key" : "(PASSWORD)", "type" : "(persisted|temporary)"} } }
I did the settings according to this url;
Firstly run ambari-server setup-security and select option 2.
Then run these without any error;
curl -H "X-Requested-By:ambari" -u admin:admin -X POST -d '{ "Credential" : { "principal" : "hadoopadmin@REALM", "key" : "xxxxx", "type" : "persisted" } }' http://AMBARI_IP:8080/api/v1/clusters/testcls/credentials/kdc.admin.credential
curl -H "X-Requested-By:ambari" -u admin:admin -X PUT -d '{ "Credential" : { "principal" : "hadoopadmin@REALM", "key" : "xxxxx", "type" : "persisted" } }' http://AMBARI_IP:8080/api/v1/clusters/testcls/credentials/kdc.admin.credential
But I am still getting above error about credential resource. When I type a wrong password ambari log says password is wrong. So I am sure that password is correct.
Created 03-29-2017 08:35 AM
You might have already checked the following ... Still just wanted to confirm:
What do you see when you make a GET call to the following URL? Do you see the data that you entered?
# curl -H "X-Requested-By:ambari" -u admin:admin -X GET http://AMBARI_IP:8080/api/v1/clusters/testcls/credentials/kdc.admin.credential
- Can you try the same from a browser with "Incognito Mode" (Private mode so that we can isolate a possibility of NO cached/stored password used).
FireFox => "File" => "New Private Window"
Chrome => "File" => "New Incognito Window"
Created 12-10-2018 12:03 PM
I have tried clearing browser cookies (Chrome/Firefox), and checked by storing the KDC credentials through keytool and the REST API as well, but no luck.
I have done the setup on one environment and it was successful, but I am now facing the issue on another environment.
PFA,
Created 12-10-2018 03:37 PM
You might want to open a new issue if the solution in this issue didn't help you. In the new issue, maybe post any errors you see in your ambari-server.log file.
In the image you posted, the error reads that the session expired. So if the admin credentials are not persisted in the Ambari credential store, they will be cached in memory for about 90 minutes. I assume you hit the 90 minutes timeout and you simply have to re-enter your admin credential. If you wish to save the entered credential to Ambari's credential store, check the box next to "save admin credentials". This is active since the Ambari credential store has been set up.
Created 12-11-2018 10:30 AM
Did you mean that credentials are stored in the Ambari server's memory and, as I got this exception, I should wait for the next 90 minutes to try again?
Created 12-11-2018 01:50 PM
Sorry for the confusion. Nope. You need to set the credentials again and if they are stored in the temporary credential store, they will be usable by Ambari for the next 90 minutes (or until Ambari is restarted). However if you opt to save the credential in Ambari's credential store, then it will be usable by Ambari until you remove it from the credential store.
Created 03-29-2017 11:49 AM
Result is;
{ "href" : "http://AMBARI_IP:8080/api/v1/clusters/testcls/credentials/kdc.admin.credential", "Credential" : { "alias" : "kdc.admin.credential", "cluster_name" : "testcls", "type" : "persisted" }}
Same in firefox.
Created 04-12-2017 08:47 AM
I've tested it with Internet Explorer. The result is the same - failed to configure, the same popup window shows...
Created 03-29-2017 02:12 PM
After issuing the REST API call(s) to set the KDC administrator credential, you then use the Ambari UI to enable Kerberos. In the Enable Kerberos Wizard, you are prompted for the KDC administrator credential. Maybe something is going wrong there. Make sure that when prompted, you enter the correct information and then choose to "Save Admin Credentials" to make sure the persisted credential store is updated. Maybe there is an issue if you have a previously stored credential but then add a temporary credential on top of it.
Created 04-12-2017 08:42 AM
Hello!
I've faced an error like the one described in this post.
Is there any news regarding this situation?
P.S. I'm trying to enable kerberos with ambari 2.5.0.3 bundle.
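The checks suggested across this thread (KDC port reachability from the Ambari host, the GET on kdc.admin.credential, and the ambari-server.log error), combined in one added example that is not part of any post above. The `triage` helper is hypothetical, and the sample inputs are constructed from the outputs quoted in the thread.

```python
import json
import socket

# Error text from the ambari-server.log line quoted in this thread.
MISSING = "Missing KDC administrator credentials"

def kdc_port_open(host, port, timeout=3.0):
    """TCP equivalent of `telnet $kdcHostName $kdcPort`; run it on the Ambari host."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def credential_type(get_body):
    """Read the GET .../credentials/kdc.admin.credential response.

    The response carries alias, cluster_name and type only, never the
    principal or key, so it shows that a credential exists and how it is
    stored, not that the stored password is right.
    """
    try:
        cred = json.loads(get_body).get("Credential", {})
    except (ValueError, AttributeError):
        return "missing"
    if cred.get("alias") != "kdc.admin.credential":
        return "missing"
    return cred.get("type", "unknown")

def triage(kdc_reachable, get_body, log_lines):
    """Order the checks from the thread into one next step (hypothetical helper)."""
    if not kdc_reachable:
        return "fix network path from Ambari host to KDC"
    ctype = credential_type(get_body)
    if ctype == "missing":
        return "POST the credential to kdc.admin.credential"
    if ctype == "temporary":
        return "re-enter when it expires (about 90 minutes or an Ambari restart)"
    if any(MISSING in line for line in log_lines):
        return "re-enter in the wizard and tick Save Admin Credentials"
    return "credential stored; validate the principal with kinit"

# Constructed sample inputs, modelled on the outputs posted in the thread.
SAMPLE_GET = ('{"Credential": {"alias": "kdc.admin.credential", '
              '"cluster_name": "testcls", "type": "persisted"}}')
SAMPLE_LOG = ["29 Mar 2017 10:54:59,309 ERROR [ambari-client-thread-63] "
              "BaseManagementHandler:67 - Bad request received: " + MISSING]

if __name__ == "__main__":
    print(triage(True, SAMPLE_GET, SAMPLE_LOG))
```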