question URGENT: Enabling AD KDC on CDP 7.1.7 in Support Questions

URGENT: Enabling AD KDC on CDP 7.1.7

snm1523 — Tue, 17 Jan 2023 22:58:08 GMT

Hello,

I am in process of setting up a CDP 7.1.7 cluster.

At the moment, CM 7.6.1 is installed and integrated to AD on LDAPS protocol (Had to select authentication type as LDAP for the integration to work even though we have AD being used).

Next step is I have added few basic services i.e. HDFS, YARN and Zookeeper and now I am enabling Kerberos.

At the step of Generating credentials it fails with attached screenshot.

However, in the same window I noticed that CM is trying to connect to AD on LDAP protocol on port 389. Ideally it should be connecting via LDAPS on 636 as we have TLS also configured and enabled. Not sure if this is even relevant.

From where does CM gets the LDAP URL? I tried to understand gen_credentials_ad.sh script at /opt/cloudera/cm/bin, however, did not completely interpret.

Please help as this is bit urgent.

Thanks

snm1523

Re: URGENT: Enabling AD KDC on CDP 7.1.7

tj2007 — Thu, 19 Jan 2023 04:14:23 GMT

Hello @snm1523,

The exit code 50 refers to the LDAP error code, which translates to 'insufficientAccessRights'. Cloudera Manager Server must have the correct Kerberos principal configured. Specifically, Cloudera Manager Server must have a Kerberos principal that has privileges to create other accounts in Active Directory.

Make sure that the Cloudera Manager Server account does have the ability to create/delete accounts in Active Directory and that it does belong to a Global group.

Ref: https://docs.cloudera.com/cdp-private-cloud-base/7.1.6/security-kerberos-authentication/topics/cm-security-kerberos-enabling-step3-cm-principal.html

Hope this helps,

Tarun

Was your question answered? Make sure to mark the answer as the accepted solution.

If you find a reply useful, say thanks by clicking on the thumbs-up button.

Re: URGENT: Enabling AD KDC on CDP 7.1.7

snm1523 — Thu, 19 Jan 2023 07:15:33 GMT

Thank you for the response @tj2007. We have ensured that the required permissions are assigned to the account that is provided to Cloudera to create principals.

we further tweaked some settings and also after a quick modification to gen_credentials_ad.sh script (post discussion with Cloudera support) got through with error. However, now getting below error:

We have scheduled a call later today with Cloudera once again to discuss this. However, if you may be able to suggest something would be helpful.

Thanks

snm1523

Re: URGENT: Enabling AD KDC on CDP 7.1.7

snm1523 — Wed, 08 Feb 2023 11:22:58 GMT

Was able to get this fixed. We ultimately identified there were some permissions for child objects not given yet. We got on a call with AD team and asked for a screen share to validate the permissions and then found it is not assigned yet.

Thanks