[Kerberos] Troubleshooting errors when enabling Kerberos in Ambari

Updated: 2024-10-11 19:24:07

Contents

  • I. Enabling Kerberos in Ambari reports: Invalid KDC administrator credentials. Please enter admin principal and password.
  • II. Can not fetch master key (error: No such file or directory). while initializing kadmin.local interface
  • III. Error message: An internal system exception occurred: Unexpected error condition executing the kadmin command. STDERR: kadmin: Communication failure with server while initializing kadmin interface

I. Enabling Kerberos in Ambari reports: Invalid KDC administrator credentials. Please enter admin principal and password.

  1. From the back end, logging in with kinit works, so the admin principal and admin password are definitely correct.

  2. Open the browser developer tools:

    {"status" : 400,"message" : "Invalid KDC administrator credentials.\nThe KDC administrator credentials must be set as a persisted or temporary credential resource.This may be done by issuing a POST (or PUT for updating) to the /api/v1/clusters/:clusterName/credentials/kdc.admin.credential API entry point with the following payload:\n{\n  \"Credential\" : {\n    \"principal\" : \"(PRINCIPAL)\", \"key\" : \"(PASSWORD)\", \"type\" : \"(persisted|temporary)\"}\n  }\n}"
    }
    

    So, following the hint:

    1. View kdc.admin.credential

      curl -H "X-Requested-By:ambari" -u "admin:admin" -X GET http://10.211.55.60:8080/api/v1/clusters/mycluster/credentials/kdc.admin.credential
      
    2. Delete kdc.admin.credential

      curl -H "X-Requested-By:ambari" -u "admin:admin" -X DELETE http://10.211.55.60:8080/api/v1/clusters/mycluster/credentials/kdc.admin.credential
      
    3. Add kdc.admin.credential again

      curl -H "X-Requested-By:ambari" -u "admin:admin" -X POST -d '{"Credential" : {"principal" : "admin/admin", "key" : "admin","type" : "temporary"}}' http://10.211.55.60:8080/api/v1/clusters/c1/credentials/kdc.admin.credential
      

    This still did not work.

  3. Check the log with vi /var/log/krb5kdc.log; it reports AS_REQ SERVER_NOT_FOUND:

    Mar 02 08:49:35 host-10-211-55-60 krb5kdc[22443](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.211.55.60: SERVER_NOT_FOUND: kadmin/host-10-211-55-60@HONEY.COM for kadmin/10.211.55.60@HONEY.COM, Server not found in Kerberos database
    

    Logging in with kadmin/admin@HONEY.COM works,
    but then a new error is reported:

    Error message: An internal system exception occurred: Unexpected error condition executing the kadmin command. STDERR: kadmin: Matching credential not found (filename: /tmp/ambari_krb_4716695361805456201cc) while initializing kadmin interface
    Running kinit -S kadmin/host-10-211-55-60@HONEY.COM admin/admin@HONEY.COM still fails.

    # klist shows that the ticket cache is /tmp/krb5cc_0
    [root@host-10-211-55-60 tmp]# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: admin/admin@HONEY.COM

    Valid starting       Expires              Service principal
    03/02/2020 16:00:47  03/02/2020 19:00:47  kadmin/host-10-211-55-60@HONEY.COM
    

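    I could not find any other cause.
    After redoing the whole setup it worked. It turned out that an IP address must not be entered for kadmin hosts.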
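
The SERVER_NOT_FOUND entry above names a service principal built from an IP address (kadmin/10.211.55.60@HONEY.COM), which matches the cause found at the end of this section. As an added example (not part of the original post), this shell function scans krb5kdc.log lines for rejected principals of that kind. The function names and every sample line except the first are constructed, and it assumes the "client for server" field order of MIT krb5kdc log entries.

```shell
# Added example, not from the original post.
# Reads krb5kdc.log lines on stdin and prints "<count> <principal>" for every
# service principal rejected with SERVER_NOT_FOUND whose host part is an IPv4 literal.
ip_literal_spns() {
  awk '
    /SERVER_NOT_FOUND: / {
      # After the status, the entry reads "<client> for <server>, <error text>" (assumed order).
      rest = $0
      sub(/^.*SERVER_NOT_FOUND: /, "", rest)
      n = index(rest, " for ")
      if (n == 0) next
      server = substr(rest, n + 5)
      sub(/,.*$/, "", server)
      # Isolate the instance between "/" and "@" (service/instance@REALM).
      p = index(server, "/")
      if (p == 0) next
      inst = substr(server, p + 1)
      q = index(inst, "@")
      if (q > 0) inst = substr(inst, 1, q - 1)
      if (inst ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) seen[server]++
    }
    END { for (s in seen) print seen[s], s }
  ' | sort -k2
}

# Sample input: the first line is the entry quoted above, the rest are constructed.
sample_log() {
  cat <<'EOF'
Mar 02 08:49:35 host-10-211-55-60 krb5kdc[22443](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.211.55.60: SERVER_NOT_FOUND: kadmin/host-10-211-55-60@HONEY.COM for kadmin/10.211.55.60@HONEY.COM, Server not found in Kerberos database
Mar 02 08:50:02 host-10-211-55-60 krb5kdc[22443](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.211.55.60: SERVER_NOT_FOUND: admin/admin@HONEY.COM for kadmin/10.211.55.60@HONEY.COM, Server not found in Kerberos database
Mar 02 08:51:10 host-10-211-55-60 krb5kdc[22443](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.211.55.60: SERVER_NOT_FOUND: admin/admin@HONEY.COM for kadmin/typo-host@HONEY.COM, Server not found in Kerberos database
Mar 02 08:52:41 host-10-211-55-60 krb5kdc[22443](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.211.55.60: ISSUE: authtime 1583139161, etypes {rep=18 tkt=18 ses=18}, admin/admin@HONEY.COM for kadmin/admin@HONEY.COM
EOF
}

sample_log | ip_literal_spns
```

On a real KDC, feed it the log directly: `ip_literal_spns < /var/log/krb5kdc.log`.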

II. Can not fetch master key (error: No such file or directory). while initializing kadmin.local interface

[root@host-10-211-55-60 ~]# kadmin.local 
Authenticating as principal admin/admin@JIAZZ.COM with password.
kadmin.local: Can not fetch master key (error: No such file or directory). while initializing kadmin.local interface

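This error generally means that the database was not created or was not initialized successfully:
kdb5_util create -r [default_realm_value] -s
But no matter how I ran it, it did not work. Later I found that domain_realm in /etc/krb5.conf was probably the problem; in any case, commenting it out fixed it.

The configuration in /etc/krb5.conf (vi /etc/krb5.conf) contains a domain_realm section:
[domain_realm]
# .example = EXAMPLE.COM
#.oxxx = oxx.COM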

III. Error message: An internal system exception occurred: Unexpected error condition executing the kadmin command. STDERR: kadmin: Communication failure with server while initializing kadmin interface


Solution:
I tried this and it did not help:
kinit -S kadmin/<FQDN kadmin server>@EXAMPLE.COM admin/admin@EXAMPLE.COM
Restart the Kerberos services:
systemctl start krb5kdc.service
systemctl start kadmin.service

PS: I will keep adding to this…

Published: 2024-03-15 00:07:18
Article link: https://www.elefans.com/category/jswz/34/1737665.html