question Re: Kerberos setup Ambari 2.4 and HDP 2.5 fails (simple bind failure) but KDC test passes. in Support Questions

Kerberos setup Ambari 2.4 and HDP 2.5 fails (simple bind failure) but KDC test passes.

eurodeebs — Thu, 12 Jan 2017 01:39:20 GMT

Hello, I'm receiving this error:

Failed to connect to KDC - Failed to communicate with the Active Directory at LDAP://hq.domain.com/OU=Production,OU=domain,DC=hq,DC=domain,DC=com: simple bind failed: hq.domain.com:389
Update the KDC settings in krb5-conf and kerberos-env configurations to correct this issue.

I've been following this guide: https://www.ibm.com/support/knowledgecenter/SSPT3X_4.2.0/com.ibm.swg.im.infosphere.biginsights.admin.doc/doc/admin_kerb_activedir.html as well as the HDP documentation on this. I'm doing the automated kerberos wizard.

JCE has been distributed to all of the nodes, I'm using Oracle JDK 1.8.

Attached is the full stack trace: kerberos-stack.txt

The KDC Test Connection passes just fine, I can see expected network traffic between my domain controller and the Ambari server. The only main difference is that I'm not using SSL on AD. I figure this should be fine and Ambari can just use the plaintext 389 port. I realize this is a security concern but I have no way around this right now. I don't have control over this area of our domain setup. Could this be my issue?

Any help appreciated. Thanks. EDIT: I was able to successfully parse AD using the ldapsearch tool using the same DN and LDAP url that I'm specifying. Also with the same admin user.

Re: Kerberos setup Ambari 2.4 and HDP 2.5 fails (simple bind failure) but KDC test passes.

rguruvannagari — Thu, 12 Jan 2017 01:49:52 GMT

@Dezka Dex

Problem seems to be with the ldap URL or the DN. And the error in the log shows "Root exception is java.net.SocketException: Connection reset"

It could be that Active directory is set to accept connections over SSL. You may try using ldaps:// instead of ldap:// (this needs active directory cert to be imported to java cacerts)

Re: Kerberos setup Ambari 2.4 and HDP 2.5 fails (simple bind failure) but KDC test passes.

lraheja — Thu, 12 Jan 2017 02:01:14 GMT

@Dezka Dex

The error you are getting is :

Caused by: java.net.SocketException: Connection reset

Failed to connect to KDC - Failed to communicate with the Active Directory at LDAP://hq.domain.com/OU=Production,OU=domain,DC=hq,DC=domain,DC=com: simple bind failed: hq.domain.com:389

Above error indicates communication failure with AD, but you mentioned KDC test passes? Can you make sure you are using correct communication string? Can you run ldapsearch with it?

Also, Have you followed below doc:

https://docs.hortonworks.com/HDPDocuments/Ambari-2.1.0.0/bk_Ambari_Security_Guide/content/_configure_ambari_to_use_ldap_server.html

Can you upload your krb5.conf?

Re: Kerberos setup Ambari 2.4 and HDP 2.5 fails (simple bind failure) but KDC test passes.

eurodeebs — Thu, 12 Jan 2017 02:03:04 GMT

Hi @rguruvannagari thanks for the reply. I just confirmed with my AD guy that our AD is not set up for SSL at all. I was able to parse AD using the ldapsearch tool using the same DN and ldap url I'm specifying. I'll keep trying different DN's

Re: Kerberos setup Ambari 2.4 and HDP 2.5 fails (simple bind failure) but KDC test passes.

eurodeebs — Thu, 12 Jan 2017 02:26:40 GMT

@lraheja I did not go through the ambari-server setup-ldap steps, I must've gone past this some how. After configuring this and restarting Ambari the LDAP tests seem to be getting further but are now just timing out. My krb5.conf is not configured at all, it's the default conf file. I assumed Ambari was going to configure this through the wizard, is that not the case?

Re: Kerberos setup Ambari 2.4 and HDP 2.5 fails (simple bind failure) but KDC test passes.

lraheja — Thu, 12 Jan 2017 03:01:21 GMT

@Dezka Dex Can you upload new stack trace?

Re: Kerberos setup Ambari 2.4 and HDP 2.5 fails (simple bind failure) but KDC test passes.

eurodeebs — Thu, 12 Jan 2017 03:38:55 GMT

@lraheja Sure, it's no longer timing out, it's just back to what it was doing before. kerberos-stack-2.txt

Re: Kerberos setup Ambari 2.4 and HDP 2.5 fails (simple bind failure) but KDC test passes.

ollie1 — Tue, 17 Jan 2017 20:31:51 GMT

I suffered the exact same issue of:

Caused by: java.net.SocketException: Connection reset

Logs giving nothing away, just constant refusal to connect to ldap://ad.mydomain.com:389 despite confirming LDAP was working on the same host using ldapsearch.

Anyway, I decided to test with LDAPS (following https://community.hortonworks.com/articles/60186/hdf-20-use-ambari-to-enable-kerberos-for-hdf-clust-1.html), and using exactly the same values for my config it worked.

Re: Kerberos setup Ambari 2.4 and HDP 2.5 fails (simple bind failure) but KDC test passes.

rlevas — Tue, 17 Jan 2017 23:02:48 GMT

In addition to this, when enabling Kerberos against an Active Directory, LDAPS must be used rather than LDAP since Active Directory requires a secure connection to set or update account password - and Ambari needs to set or update the passwords for the Kerberos identity accounts it manages.

Re: Kerberos setup Ambari 2.4 and HDP 2.5 fails (simple bind failure) but KDC test passes.

eurodeebs — Thu, 19 Jan 2017 23:33:00 GMT

@Oliver Fletcher

Yup, this was the issue. I enabled LDAPS on our domain and it works now.

Re: Kerberos setup Ambari 2.4 and HDP 2.5 fails (simple bind failure) but KDC test passes.

rakeshbca — Wed, 11 Apr 2018 04:53:53 GMT

do you alternate material available since following https://community.hortonworks.com/articles/60186/hdf-20-use-ambari-to-enable-kerberos-for-hdf-clust-1.html),is unavailable?

Re: Kerberos setup Ambari 2.4 and HDP 2.5 fails (simple bind failure) but KDC test passes.

rakeshbca — Wed, 11 Apr 2018 04:58:13 GMT

I also facing the same issue as started in the above blog; can someone pls advise me urgently

thank you support:)

Re: Kerberos setup Ambari 2.4 and HDP 2.5 fails (simple bind failure) but KDC test passes.

Shelton — Thu, 12 Apr 2018 15:08:50 GMT

@Rakesh Kumar

The thread you are referring too was closed. I doubt whether members attend to old threads I advise you to open a new thread and possibly attach the logs at times errors differ.

Please do that !!