
After Ambari 2.5.2 upgrade not able to authenticate

After upgrading Ambari from 2.2.2.0 to 2.5.2.0 and the JDK to 1.8, I am not able to authenticate to the KDC server. Kindly help me to resolve this issue.

Error logs

Failed to connect to KDC - Failed to communicate with the Active Directory at ldaps://node1:636: simple bind failed: node1:636 Make sure the server's SSL certificate or CA certificates have been imported into Ambari's truststore. Please enter admin principal and password.

Screenshot attached

42460-pp-ambari.png


Re: After Ambari 2.5.2 upgrade not able to authenticate

Super Mentor

@Kalyan Das

Based on the error it looks like the KDC certificate is not present inside the ambari-server's truststore. There can be a few reasons behind this, like:

1. The certificate is actually not present inside the Ambari truststore.

2. The KDC certificate has changed/expired, in which case you will need to import the KDC certificate again into the ambari-server truststore, using the ambari-server "setup-security" option and choosing

[5] Import certificate to truststore.

https://docs.hortonworks.com/HDPDocuments/Ambari-2.5.2.0/bk_ambari-security/content/set_up_truststor...

Re: After Ambari 2.5.2 upgrade not able to authenticate

@Jay Kumar SenSharma

Hi Jay,

Ambari-server is unable to authenticate either.

1) I have imported a fresh certificate via "ambari-server setup-security".

2) The KDC certificate did not expire; it has validity up to 2019.

Can you please suggest some other options?

Re: After Ambari 2.5.2 upgrade not able to authenticate

Super Mentor

@Kalyan Das

Can you please double-check the Ambari truststore by listing the certs as follows, to see if the certificate of the KDC is actually present there?

# $JAVA_HOME/bin/keytool -list -keystore /etc/ambari-server/ambari-server-truststore

If it is not there, then you can import the KDC certificate into it using the following command:

# $JAVA_HOME/bin/keytool -import -file /tmp/kdc-server.crt -keystore /etc/ambari-server/ambari-server-truststore -alias kdc-server

Then restart Ambari Server.

Re: After Ambari 2.5.2 upgrade not able to authenticate

@Jay Kumar SenSharma

Hi Jay,

Here is the Ambari truststore listing:

[root@node1] # $JAVA_HOME/bin/keytool -list -keystore /etc/ambari-server/ambari-server-truststore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

ambari-server, Nov 6, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 35:E6:CC:35:1E:5B:82:68:83:4B:0C:EB:C2:A7:B1:58:FE:F9:29:8D

Kindly let me know if I need to check anything.

Re: After Ambari 2.5.2 upgrade not able to authenticate

Super Mentor

@Kalyan Das

One keystore entry is the default. Your keytool -list command says it has only one entry:

 Your keystore contains 1 entry 

which indicates that your Ambari server truststore does not have the LDAP (KDC) entry in it.

You can run the "-list" command with the "-v" (verbose) option to confirm whether your KDC entry is there or not:

[root@node1] # $JAVA_HOME/bin/keytool -list -v -keystore /etc/ambari-server/ambari-server-truststore

Re: After Ambari 2.5.2 upgrade not able to authenticate

@Jay Kumar SenSharma

Hi Jay,

Now I have two entries. But no luck, the issue persists.

Is this related to permission being revoked from the writable container in AD?

[root@node1] # keytool -list -keystore ambari-server-truststore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

ambari-server, Nov 6, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 35:E6:CC:35:1E:5B:82:68:83:4B:0C:EB:C2:A7:B1:58:FE:F9:29:8D
kdc-server, Nov 6, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 12:58:59:3C:1C:68:14:61:CE:9A:CA:32:54:A6:B8:02:D0:A4:0F:25

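The keytool commands in the replies above only establish that the truststore contains an entry named kdc-server; the thread ends with two entries present and the bind still failing. The check a practitioner wants next is whether that entry actually matches the certificate node1:636 presents right now, and, if what was imported is an issuing CA rather than the leaf, whether the presented chain validates against the truststore. The following POSIX shell script is an added example, not code from the thread or from Ambari. It uses the truststore path from the thread; the TRUSTSTORE_PASS variable and its changeit default are assumptions (the truststore location and password that setup-security records are the ssl.trustStore.* properties in /etc/ambari-server/conf/ambari.properties); it assumes openssl and the keytool of the JDK Ambari runs with are on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: compare the certificate the LDAPS/AD
# endpoint presents with what sits in Ambari's truststore, instead of only
# counting keytool entries.
#
# Assumptions (hypothetical defaults, override via environment):
#   - openssl and keytool (from the JDK Ambari runs with) are on PATH,
#   - the truststore path is the one used in the thread,
#   - TRUSTSTORE_PASS holds the truststore password setup-security stored
#     as ssl.trustStore.password in /etc/ambari-server/conf/ambari.properties.
TRUSTSTORE=${TRUSTSTORE:-/etc/ambari-server/ambari-server-truststore}
TRUSTSTORE_PASS=${TRUSTSTORE_PASS:-changeit}

# SHA1 fingerprint of the leaf certificate a TLS server presents, printed in
# keytool's colon-separated upper-case form (e.g. 12:58:59:...).
server_fingerprint() {
    openssl s_client -connect "$1:${2:-636}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha1 | sed 's/^.*Fingerprint=//'
}

# Subject, issuer and validity window of the presented leaf; compare these
# with the cert you imported (a renewed or re-issued AD cert is the classic
# cause of "import worked, bind still fails").
server_cert_summary() {
    openssl s_client -connect "$1:${2:-636}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -dates
}

# Parse "keytool -list" output (plain or -v) from stdin into "alias fingerprint"
# lines. Handles Java 8 keytool's plain two-line layout, the flattened one-line
# form seen in the thread, and the -v layout (Alias name: / SHA1: lines).
truststore_fingerprints() {
    awk '/^Alias name:/ { alias = $3 }
         /trustedCertEntry/ && !/Entry type:/ { alias = $1; sub(/,$/, "", alias) }
         /Certificate fingerprint \(SHA1\):/ || /^[ \t]*SHA1:/ { print alias, $NF }'
}

# Print the alias whose fingerprint equals $1 (case-insensitive) and exit 0;
# exit 1 if no entry matches. Truststore listing is read from stdin.
fingerprint_trusted() {
    truststore_fingerprints |
        awk -v want="$(printf '%s' "$1" | tr 'a-f' 'A-F')" \
            'toupper($2) == want { print $1; found = 1 } END { exit !found }'
}

# Dump every trustedCertEntry as PEM so openssl can treat the truststore as a
# CA bundle: Java accepts a leaf whose issuing CA is trusted, not only the
# exact leaf, so a fingerprint mismatch alone does not prove a trust problem.
truststore_to_pem() {
    keytool -list -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS" |
        truststore_fingerprints |
        while read -r alias fp; do
            keytool -exportcert -rfc -alias "$alias" \
                -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS"
        done
}

# Full diagnosis for one host: is the presented leaf itself in the truststore,
# and if not, does the presented chain validate against the truststore's CAs?
check_kdc_trust() {
    host=$1; port=${2:-636}
    fp=$(server_fingerprint "$host" "$port")
    [ -n "$fp" ] || { echo "could not fetch a certificate from $host:$port"; return 2; }
    echo "server presents: $fp"
    server_cert_summary "$host" "$port"
    if alias=$(keytool -list -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS" |
               fingerprint_trusted "$fp"); then
        echo "OK: presented leaf is in $TRUSTSTORE as alias '$alias'"
        return 0
    fi
    tmp=$(mktemp -d) || return 2
    truststore_to_pem >"$tmp/trust.pem"
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >"$tmp/chain.pem"
    openssl x509 -in "$tmp/chain.pem" -out "$tmp/leaf.pem" 2>/dev/null   # first cert = leaf
    if openssl verify -CAfile "$tmp/trust.pem" -untrusted "$tmp/chain.pem" "$tmp/leaf.pem" >/dev/null 2>&1; then
        echo "OK: leaf not stored directly, but its chain validates against $TRUSTSTORE"
        rm -rf "$tmp"; return 0
    fi
    echo "FAIL: neither the presented leaf nor a CA that issued it is in $TRUSTSTORE"
    echo "      import the certificate printed above, then restart ambari-server"
    rm -rf "$tmp"; return 1
}

# Usage on the Ambari server host (network call, so not run here):
#   TRUSTSTORE_PASS=... check_kdc_trust node1 636
```

Run it on the Ambari server host, where the truststore lives and where the bind originates, so that any firewall or DNS difference between your workstation and the server does not mask the result. A FAIL with two entries already in the truststore means the stored kdc-server entry is not the certificate node1 is serving today; re-export the certificate from the AD server (or capture it with the openssl s_client call above), import it under a fresh alias, and restart ambari-server, which reads the truststore only at startup.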