
I. Enabling Kerberos in Ambari fails with "Invalid KDC administrator credentials. Please enter admin principal and password."

  1. kinit from the shell succeeds, so the admin principal and admin password are known to be correct.

  2. Open the browser developer tools; the failing API call returns:

    {
      "status" : 400,
      "message" : "Invalid KDC administrator credentials.\nThe KDC administrator credentials must be set as a persisted or temporary credential resource.This may be done by issuing a POST (or PUT for updating) to the /api/v1/clusters/:clusterName/credentials/kdc.admin.credential API entry point with the following payload:\n{\n  \"Credential\" : {\n    \"principal\" : \"(PRINCIPAL)\", \"key\" : \"(PASSWORD)\", \"type\" : \"(persisted|temporary)\"}\n  }\n}"
    

    So, following the hint in the message:

    1. Inspect kdc.admin.credential

      curl -H "X-Requested-By:ambari" -u "admin:admin" -X GET http://10.211.55.60:8080/api/v1/clusters/mycluster/credentials/kdc.admin.credential
      
    2. Delete kdc.admin.credential

      curl -H "X-Requested-By:ambari" -u "admin:admin" -X DELETE http://10.211.55.60:8080/api/v1/clusters/mycluster/credentials/kdc.admin.credential
      
    3. Re-add kdc.admin.credential

      curl -H "X-Requested-By:ambari" -u "admin:admin" -X POST -d '{"Credential" : {"principal" : "admin/admin", "key" : "admin","type" : "temporary"}}' http://10.211.55.60:8080/api/v1/clusters/c1/credentials/kdc.admin.credential
      

    This still did not work.

  3. Check the KDC log (vi /var/log/krb5kdc.log); it reports AS_REQ ... SERVER_NOT_FOUND:

    Mar 02 08:49:35 host-10-211-55-60 krb5kdc[22443](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.211.55.60: SERVER_NOT_FOUND: kadmin/host-10-211-55-60@HONEY.COM for kadmin/10.211.55.60@HONEY.COM, Server not found in Kerberos database
    

    Logging in as kadmin/admin@HONEY.COM works,
    but then a new error appears:
    Error message: An internal system exception occurred: Unexpected error condition executing the kadmin command. STDERR: kadmin: Matching credential not found (filename: /tmp/ambari_krb_4716695361805456201cc) while initializing kadmin interface
    Running kinit -S kadmin/host-10-211-55-60@HONEY.COM admin/admin@HONEY.COM still fails. Related thread:
    https://community.cloudera.com/t5/Support-Questions/Unexpected-error-condition-executing-the-kadmin-command/td-p/242295

    # klist shows the ticket cache is /tmp/krb5cc_0
    [root@host-10-211-55-60 tmp]# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: admin/admin@HONEY.COM
    Valid starting       Expires              Service principal
    03/02/2020 16:00:47  03/02/2020 19:00:47  kadmin/host-10-211-55-60@HONEY.COM
    

    At that point I could not find the cause any further, so I redid the whole setup and it worked.
    The actual mistake was that the kadmin host must not be entered as an IP address.
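The krb5kdc.log line above already shows the cause the post eventually reaches: the KDC was asked for kadmin/10.211.55.60, and the database holds kadmin/<hostname>, not a principal with an IP literal as its instance. As an added example (not from the post), this parser scans krb5kdc.log lines for SERVER_NOT_FOUND entries whose kadmin instance is an IP address; the sample log is constructed from the entry quoted above.

```python
import ipaddress
import re

# Constructed sample log, modelled on the krb5kdc.log line quoted in the post:
# one SERVER_NOT_FOUND for a kadmin principal whose instance is an IP literal,
# followed by a successful ISSUE once the request used the host name.
SAMPLE_LOG = """\
Mar 02 08:49:35 host-10-211-55-60 krb5kdc[22443](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.211.55.60: SERVER_NOT_FOUND: kadmin/host-10-211-55-60@HONEY.COM for kadmin/10.211.55.60@HONEY.COM, Server not found in Kerberos database
Mar 02 08:50:01 host-10-211-55-60 krb5kdc[22443](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.211.55.60: ISSUE: authtime 1583135401, etypes {rep=18 tkt=18 ses=18}, admin/admin@HONEY.COM for kadmin/host-10-211-55-60@HONEY.COM
"""

# "<client> for <server>" ends every AS_REQ/TGS_REQ line; ISSUE lines carry
# extra comma-separated fields before it, hence the optional lazy prefix.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) .*?: (?P<status>[A-Z_]+): (?:.*?, )?"
    r"(?P<client>\S+) for (?P<server>[^,\s]+)"
)


def host_of(principal):
    """Instance (second) component of a two-part principal, e.g. kadmin/<host>@REALM."""
    parts = principal.split("@", 1)[0].split("/")
    return parts[1] if len(parts) == 2 else None


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_ip_kadmin_lookups(log_text):
    """SERVER_NOT_FOUND requests whose kadmin instance is an IP address.
    kdb5_util create registers kadmin/<fqdn>, so kadmin/<ip> can never resolve."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("status") != "SERVER_NOT_FOUND":
            continue
        server = m.group("server")
        host = host_of(server)
        if server.startswith("kadmin/") and host and is_ip_literal(host):
            findings.append({"time": m.group("ts"), "client": m.group("client"),
                             "requested": server, "ip": host})
    return findings
```

Each finding names the principal that was requested and the IP that should have been the KDC host name, which is exactly the field Ambari's Kerberos wizard asks for as the kadmin host.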

II. "Can not fetch master key (error: No such file or directory). while initializing kadmin.local interface"

[root@host-10-211-55-60 ~]# kadmin.local 
Authenticating as principal admin/admin@JIAZZ.COM with password.
kadmin.local: Can not fetch master key (error: No such file or directory). while initializing kadmin.local interface

This error usually means the Kerberos database was never created or initialised successfully, which is fixed by creating it with a stash file:
kdb5_util create -r [default_realm_value] -s
But no matter how I ran it, it did not help. I later found the problem was probably the domain_realm section in /etc/krb5.conf; commenting it out made kadmin.local work.

The domain_realm section in /etc/krb5.conf looked like this:
[domain_realm]
# .example.com = EXAMPLE.COM
 #.oxxx.com = oxx.COM
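The post attributes the failure to the [domain_realm] section without saying which entry was wrong. As an added check (not from the post), this reads a constructed krb5.conf modelled on the fragment above and reports domain_realm mappings, or a default_realm, that name a realm with no [realms] definition, including the case-only mismatches that are easy to miss because Kerberos realm names are case-sensitive.

```python
# Constructed krb5.conf modelled on the fragment above: the two commented-out
# domain_realm lines are kept, plus one live mapping whose realm case is wrong.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = HONEY.COM
[realms]
 HONEY.COM = {
  kdc = host-10-211-55-60
  admin_server = host-10-211-55-60
 }
[domain_realm]
# .example.com = EXAMPLE.COM
 #.oxxx.com = oxx.COM
 .honey.com = honey.com
"""


def parse_krb5_conf(text):
    """Minimal reader: {section: [(key, value)]}; '#'/';' lines are comments,
    a 'NAME = {' subsection is stored as (NAME, '{') and its body is skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif line == "}":
            depth -= 1
        else:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if value.endswith("{"):
                value = "{"
            if depth == 0 and current is not None:
                sections[current].append((key, value))
            if value == "{":
                depth += 1
    return sections


def lint_realms(sections):
    """Flag default_realm or domain_realm targets with no [realms] definition."""
    defined = {k for k, v in sections.get("realms", []) if v == "{"}
    problems = []
    default_realm = dict(sections.get("libdefaults", [])).get("default_realm")
    if default_realm and default_realm not in defined:
        problems.append(f"default_realm {default_realm} has no [realms] entry")
    for domain, realm in sections.get("domain_realm", []):
        if realm not in defined:
            hint = " (case differs from a defined realm)" if realm.upper() in {d.upper() for d in defined} else ""
            problems.append(f"domain_realm {domain} -> {realm} is not a defined realm{hint}")
    return problems
```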

III. Error message: An internal system exception occurred: Unexpected error condition executing the kadmin command. STDERR: kadmin: Communication failure with server while initializing kadmin interface

Solution:
I tried this first, and it did not help:
kinit -S kadmin/<FQDN kadmin server>@EXAMPLE.COM admin/admin@EXAMPLE.COM
What did help was restarting the Kerberos services:
systemctl start krb5kdc.service
systemctl start kadmin.service

PS: to be extended as new problems come up…
