3

I am enabling security mode on Cloudera 5 beta with Cloudera Manager. After performing the 8th step of the security enabling document from here, Cloudera Manager should fire the Generate Credential command, but it is not.

So what I am doing is running the Generate Credential command manually, but it is giving me an error in the logs, i.e.:

KADMIN='kadmin -k -t /etc/cloudera-scm-server/cmf.keytab -p cloudera-scm/admin@IMP.CO.IN -r IMP.CO.IN'
+ kadmin -k -t /etc/cloudera-scm-server/cmf.keytab -p cloudera-scm/admin@IMP.CO.IN -r IMP.CO.IN -q 'addprinc -randkey hue/cdh4hdm@IMP.CO.IN'
WARNING: no policy specified for hue/cdh4hdm@IMP.CO.IN; defaulting to no policy
add_principal: Operation requires ``add'' privilege while creating "hue/cdh4hdm@IMP.CO.IN".
+ kadmin -k -t /etc/cloudera-scm-server/cmf.keytab -p cloudera-scm/admin@IMP.CO.IN -r IMP.CO.IN -q 'xst -k /tmp/cmf4198733808580266866.keytab hue/cdh4hdm@IMP.CO.IN'
kadmin: Operation requires ``change-password'' privilege while changing hue/cdh4hdm@IMP.CO.IN's key
+ chmod 600 /tmp/cmf4198733808580266866.keytab
chmod: cannot access `/tmp/cmf4198733808580266866.keytab': No such file or directory

It seems that kadmin cannot create the principal.

My question is: how can I give kadmin the add-principal privilege, or how can I run this command using kadmin.local?

Is there any way I can get out of this problem?

Vikas Hardia

2 Answers

5

Some configuration is needed to allow a user principal to create any principal using kadmin.

One has to edit the kadm5.acl file and add the entry below to it:

*/admin@EXAMPLE.COM *

Here * represents the wildcard, so a user principal that matches the string provided in kadm5.acl will be able to create any principal, for example:

root/admin@EXAMPLE.COM

After changing the configuration, one needs to restart Kerberos for the changes to take effect. For more details refer to this.

Vikas Hardia
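The ACL matching that the answer above relies on, as an added example that is not part of the original answer and not MIT Kerberos code: a simplified Python evaluator for kadm5.acl lines that reports which privileges a client principal is still missing. The principals come from the question's log; the narrow entry and the ACL strings are constructed for illustration.

```python
# Added example (simplified): target back-references (*1) and restrictions are not modelled.
ALL = set("acdilmps")  # privileges that "*" or "x" expand to

def parse_princ(name):
    comps, _, realm = name.partition("@")
    return comps.split("/"), realm

def princ_matches(pattern, name):
    """A component or realm that is exactly '*' matches anything."""
    pc, pr = parse_princ(pattern)
    nc, nr = parse_princ(name)
    if len(pc) != len(nc):
        return False
    return all(p in ("*", n) for p, n in zip(pc + [pr], nc + [nr]))

def parse_perms(field):
    """Lowercase grants, uppercase revokes, '*' or 'x' grants everything in ALL."""
    granted = set()
    for ch in field:
        if ch in "*x":
            granted |= ALL
        elif ch.lower() in ALL:
            (granted.add if ch.islower() else granted.discard)(ch.lower())
    return granted

def granted_privs(acl_text, client, target):
    """Privileges from the first line matching client (and target, if present)."""
    for line in acl_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue  # comment, blank, or no permissions field: skipped in this sketch
        if princ_matches(fields[0], client) and (
                len(fields) < 3 or princ_matches(fields[2], target)):
            return parse_perms(fields[1])
    return set()

def missing_privs(acl_text, client, target, required):
    return set(required) - granted_privs(acl_text, client, target)

CLIENT = "cloudera-scm/admin@IMP.CO.IN"  # principals taken from the question's log
TARGET = "hue/cdh4hdm@IMP.CO.IN"
REQUIRED = "ac"  # add and change-password, the two privileges the errors name
BROAD = "*/admin@IMP.CO.IN *\n"  # the answer's wildcard form, in this realm
NARROW = "cloudera-scm/admin@IMP.CO.IN ac\n"  # constructed narrower entry
WRONG_REALM = "*/admin@EXAMPLE.COM *\n"  # documentation realm copied verbatim

if __name__ == "__main__":
    for acl in ("", BROAD, NARROW, WRONG_REALM):
        print(repr(acl), "-> missing:", sorted(missing_privs(acl, CLIENT, TARGET, REQUIRED)))
```

The kadmin documentation lists ktadd (xst) as also requiring the inquire privilege, so a narrow entry used in practice may need `i` in addition to the two privileges the log names.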
0

I had the same problem and solved it by starting the kadmind service.

Shumin Guo