https://community.cloudera.com/t5/Archives-of-Support-Questions/How-can-I-fix-this-Kerberos-with-AD-no-local-KDC-will-not/m-p/95428#M8785 <P>This appears to look correct.</P><P>Are we sure the realm name is correct and it is not something like "TCORP.COM"? Realm names are case-sensitive, so make sure the realm name in AD is all uppercase characters. I don't believe that the admin principal or password is trimmed, so make sure no (extra) spaces exist before or after them.</P><P>Also, does the admin user have delegated control over the specified LDAP container?</P><P>Can you take a look at the Ambari server log to see if any errors are posted there? </P> Wed, 14 Oct 2015 22:36:38 GMT rlevas 2015-10-14T22:36:38Z https://community.cloudera.com/t5/Archives-of-Support-Questions/How-can-I-fix-this-Kerberos-with-AD-no-local-KDC-will-not/m-p/95427#M8784 <P>Before a production installation, we are testing the Kerberos install from the Sandbox to the client's Test Active Directory as a dry run. The entries in the KDC portion of the UI allow the "Test KDC Connection" to be successful. But the Kerberos install fails after the "Next" button and a prompt appears asking for the correct Admin name/password combination.</P><P>The same connection info, when tried through Apache Directory Studio, gives a "Unable to obtain Principal Name for authentication" error.</P><P> The entries being used on the Kerberos setup page. </P><UL> <LI>KDC: <UL> <LI>KDC host: ad.client.com</LI><LI>Realm name:TCORP</LI><LI>LDAP url: ldaps://ad.client.com</LI><LI>Container DN: ou=hadoop,ou=hdp,dc=client,dc=com</LI></UL></LI><LI>Kadmin <UL> <LI>Kadmin host: ad.client.com</LI><LI>Admin principal: <A href="mailto:sandboxadmin@HORTONWORKS.COM" target="_blank">adminname@</A>TCORP</LI><LI>Admin password: AD password for adminname</LI></UL></LI></UL> Fri, 16 Sep 2022 09:44:11 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/How-can-I-fix-this-Kerberos-with-AD-no-local-KDC-will-not/m-p/95427#M8784 TerryP 2022-09-16T09:44:11Z https://community.cloudera.com/t5/Archives-of-Support-Questions/How-can-I-fix-this-Kerberos-with-AD-no-local-KDC-will-not/m-p/95428#M8785 <P>This appears to look correct.</P><P>Are we sure the realm name is correct and it is not something like "TCORP.COM"? Realm names are case-sensitive, so make sure the realm name in AD is all uppercase characters. I don't believe that the admin principal or password is trimmed, so make sure no (extra) spaces exist before or after them.</P><P>Also, does the admin user have delegated control over the specified LDAP container?</P><P>Can you take a look at the Ambari server log to see if any errors are posted there? </P> Wed, 14 Oct 2015 22:36:38 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/How-can-I-fix-this-Kerberos-with-AD-no-local-KDC-will-not/m-p/95428#M8785 rlevas 2015-10-14T22:36:38Z https://community.cloudera.com/t5/Archives-of-Support-Questions/How-can-I-fix-this-Kerberos-with-AD-no-local-KDC-will-not/m-p/95429#M8786 <P>We are able to authenticate with the settings from above. We dug further and see an error with creating the principals on the AD side. It looks like the full control over the OU is not in place.</P> Thu, 15 Oct 2015 22:27:44 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/How-can-I-fix-this-Kerberos-with-AD-no-local-KDC-will-not/m-p/95429#M8786 TerryP 2015-10-15T22:27:44Z