
It helps to see values in the wizard's input fields that actually worked! Ambari offers some tooltips at this point, but you may still be unsure about the expected syntax of the values to provide. Sometimes you learn the hard way that the values you provided are just not what Ambari expects them to be.

Note: this only applies to the Kerberos wizard with the "use an existing Active Directory" option.

1. (KDC host) The FQDN of your AD host

2. (Realm name) The realm name. Make sure you use UPPERCASE here, otherwise the install will fail! In my case the realm name is the same as the AD domain, but that is not required. If you already submitted a lowercase realm, here is help to fix this.

3. (LDAP uri) The use of secure LDAP (ldaps) is required here.

4. (Container DN) Distinguished Name of the container (or 'OU', Organisational Unit, in LDAP lingo) that will hold the Ambari/HDP service accounts. This OU has to exist already in your AD.

5. (Domains) Optional

-----

6. (Kadmin host) The hostname of the server that will carry out the Kerberos administrative tasks and through which all your HDP clients will connect to Kerberos. Ambari takes care of this for you. In my case it will run from the HDP sandbox, which happens to have the same hostname as the domain name of the KDC, by coincidence.

7. (Admin principal) Preconfigured LDAP administrative user (in this case named 'ldap') with delegated control over the Kerberos realm. This user should be created and granted those rights up front in AD.

With the correct values you will make it through the first steps of the wizard that follow. If you make a mistake you might get all kinds of rather vague errors (such as HTTP 500s from the Ambari API). Consult the Ambari server log (/var/log/ambari-server/ambari-server.log) for more details on errors.
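A pre-flight check for the rules above (FQDN for the KDC host, uppercase realm, ldaps URI, a full container DN), as an added example that is not part of the original article or of Ambari. The dictionary keys are hypothetical labels for the wizard fields, not Ambari property names, and all sample values are constructed.

```python
import re
from urllib.parse import urlsplit

# Key names are hypothetical labels for the wizard fields, not Ambari property names.
_FQDN = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")
# One RDN such as OU=HDP (simplified: escaped commas are not handled).
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+$")


def check_wizard_values(v):
    """Return a list of problems found in the wizard values in dict v."""
    problems = []
    if not _FQDN.match(v.get("kdc_host", "")):
        problems.append("kdc_host: not a fully qualified host name")
    realm = v.get("realm", "")
    if not realm or realm != realm.upper():
        problems.append("realm: must be UPPERCASE")
    uri = urlsplit(v.get("ldap_uri", ""))
    if uri.scheme != "ldaps" or not uri.hostname:
        problems.append("ldap_uri: must be an ldaps:// URI with a host")
    rdns = [p.strip() for p in v.get("container_dn", "").split(",")]
    if not all(_RDN.match(p) for p in rdns):
        problems.append("container_dn: not a well-formed distinguished name")
    elif not any(p.upper().startswith("DC=") for p in rdns):
        # Heuristic: an AD container DN normally ends in DC= components.
        problems.append("container_dn: no DC= components, probably not a full DN")
    for key in ("kadmin_host", "admin_principal"):
        if not v.get(key, "").strip():
            problems.append(f"{key}: empty")
    return problems


# Constructed sample values (example.com is a placeholder domain).
GOOD = {
    "kdc_host": "ad01.example.com",
    "realm": "EXAMPLE.COM",
    "ldap_uri": "ldaps://ad01.example.com:636",
    "container_dn": "OU=HDP,DC=example,DC=com",
    "kadmin_host": "ad01.example.com",
    "admin_principal": "ldap@EXAMPLE.COM",
}
BAD = dict(GOOD, kdc_host="ad01", realm="example.com",
           ldap_uri="ldap://ad01.example.com", container_dn="OU=HDP")

if __name__ == "__main__":
    for name, values in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_wizard_values(values) or "ok")
```

The check only validates syntax; it does not confirm that the OU exists in AD or that the admin user has delegated control.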

[Screenshot: 6947-ambari-kerberos-wiz.png]

Comments
3. (LDAP uri) The use of secure ldap (ldaps) is required here

Thanks for pointing this out. In a future version of Ambari, LDAPS will be a hard requirement by both the UI and the backend logic. For now (Ambari 2.4.0 and below) this is a documented requirement.