Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Error while enabling the Kerberos with AD.

Error while enabling the Kerberos with AD.

New Contributor

Hello All,

I have been trying to enable kerberos with AD in Ambari. Imported AD CA certificate into ambari truststore and restarted the ambari server.

But it turned to be error which shows as follows.

Error1:

Failed to communicate with the Active Directory at ldaps://<IP_ADDR>:636: <IP_ADDR>:636

javax.naming.CommunicationException: <IP_ADDR>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching ip-172-31-43-242.us-west-2.compute.internal found.] at com.sun.jndi.ldap.Connection.<init>(Connection.java:238) at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137) at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1615) at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749) at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319) at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) at javax.naming.InitialContext.init(InitialContext.java:244) at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) at org.apache.ambari.server.serveraction.kerberos.ADKerberosOperationHandler.createInitialLdapContext(ADKerberosOperationHandler.java:514) at org.apache.ambari.server.serveraction.kerberos.ADKerberosOperationHandler.createLdapContext(ADKerberosOperationHandler.java:465) at org.apache.ambari.server.serveraction.kerberos.ADKerberosOperationHandler.open(ADKerberosOperationHandler.java:182) at org.apache.ambari.server.controller.KerberosHelperImpl.validateKDCCredentials(KerberosHelperImpl.java:1901) at org.apache.ambari.server.controller.KerberosHelperImpl.handleTestIdentity(KerberosHelperImpl.java:2230) at org.apache.ambari.server.controller.KerberosHelperImpl.createTestIdentity(KerberosHelperImpl.java:1029) at org.apache.ambari.server.controller.AmbariManagementControllerImpl.createAction(AmbariManagementControllerImpl.java:4249) at org.apache.ambari.server.controller.internal.RequestResourceProvider$1.invoke(RequestResourceProvider.java:264) at org.apache.ambari.server.controller.internal.RequestResourceProvider$1.invoke(RequestResourceProvider.java:193) at org.apache.ambari.server.controller.internal.AbstractResourceProvider.invokeWithRetry(AbstractResourceP.

.

Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching <IP_ADDR>found. at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) at sun.security.ssl.Handshaker.process_record(Handshaker.java:987) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397) at com.sun.jndi.ldap.Connection.createSocket(Connection.java:394) at com.sun.jndi.ldap.Connection.<init>(Connection.java:215) ... 116 more Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching ip-172-31-43-242.us-west-2.compute.internal found. at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:214) at sun.security.util.HostnameChecker.match(HostnameChecker.java:96) at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:459) at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)

ERROR [ambari-client-thread-42] KerberosHelperImpl:2232 - Cannot validate credentials: org.apache.ambari.server.serveraction.kerberos.KerberosInvalidConfigurationException: Failed to connect to KDC - Failed to communicate with the Active Directory at ldaps://<IP_ADDR>:636: <IP_ADDR>:636 Make sure the server's SSL certificate or CA certificates have been imported into Ambari's truststore. 25 Aug 2018 07:40:41,298 ERROR [ambari-client-thread-42] BaseManagementHandler:67 - Bad request received: Failed to connect to KDC - Failed to communicate with the Active Directory at ldaps://<IP_ADDR>:636: <IP_ADDR>:636

Even i tried to test the connection from ambari host to AD using following:

LDAPTLS_CACERT=ad1.cer ldapsearch -H ldaps://<IP_ADDR>:636 -D "hdfadmin@example.com" -b "OU=hdfedge,DC=Hadoop,DC=Internal" "(&(objectclass=person)(sAMAccountName=*))"

but it is giving the below error.

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

If anyone faced the same problem please correct me the right direction.

2 REPLIES 2

Re: Error while enabling the Kerberos with AD.

New Contributor

Looks like you need to add CA certificate into your java keystore.

Re: Error while enabling the Kerberos with AD.

New Contributor

Hi @Shivam Dwivedi,

After your suggestion, i above problem got resolved. Even i added the windows AD hostname (not the aws internal private DNS) to /etc/hosts in my cluster.

Thanks

Don't have an account?
Coming from Hortonworks? Activate your account here