
Failed to connect to KDC - Failed to communicate the Active Directory at ldaps://[KDChost]: simple bind failed: [KDChost]:636 Make sure the server's SSL certificate or CA certificates have been imported into Ambari's truststore.

Contributor

I am trying to enable Kerberos via Ambari. I entered the KDC configuration and tested the KDC connection, which confirmed OK. Then I entered the kadmin creds. I installed the Kerberos client, but while testing the Kerberos client it gives this error:

Failed to connect to KDC - Failed to communicate the Active Directory at ldaps://[KDChost]: simple bind failed: [KDChost]:636 Make sure the server's SSL certificate or CA certificates have been imported into Ambari's truststore.

While configuring Active Directory on the KDC server, I created a CA certificate, updated the CA trust on my host machine where ambari-server is running, and imported the certificate into Java. I also set up the Ambari truststore and imported the CA certificate for Active Directory, following this link -> https://www.ibm.com/support/knowledgecenter/en/SSPT3X_4.2.0/com.ibm.swg.im.infosphere.biginsights.ad...

Can you help me with this error or direct me to the location of detailed logs for this error?

EDIT: I am able to do this successfully 'telnet KDC_host 636'


Master Mentor

@Neha G

Please do not import the certificate into the Java truststore. Rather, you should configure the Ambari truststore as described in the doc [1] and then import the KDC certificate into the Ambari truststore.

Example:

# ambari-server setup-security
Choose one of the following options: 
  [1] Enable HTTPS for Ambari server.
  [2] Encrypt passwords stored in ambari.properties file.
  [3] Setup Ambari kerberos JAAS configuration.
  [4] Setup truststore.
  [5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): *4*
Do you want to configure a truststore [y/n] (y)? *y*
TrustStore type [jks/jceks/pkcs12] (jks): *jks*
Path to TrustStore file : *<path to the ambari-server-truststore keystore>*
Password for TrustStore:
Re-enter password: 
Ambari Server 'setup-security' completed successfully.

[1] https://docs.hortonworks.com/HDPDocuments/Ambari-2.5.2.0/bk_ambari-security/content/set_up_truststor...

Contributor

What is "path_to_the_Ambari_Server's_SSL_Certificate"?

Contributor

Is the "path_to_the_Ambari_Server's_SSL_Certificate" the source path of the CA certificate?

Master Mentor

@Neha G

First you need to create

Example: (On ambari server host) Please change the hostname in the following command.

# export AMBARI_SERVER_HOSTNAME=erie1.example.com

# cd /etc/ambari-server/conf/

# keytool -genkeypair -alias ambari -keyalg RSA -validity 365 -keystore /etc/ambari-server/conf/$AMBARI_SERVER_HOSTNAME.jks -dname "CN=$AMBARI_SERVER_HOSTNAME, OU=hwx, O=test, L=Bangalore, S=Karnataka, C=IN" -keypass ambari -storepass ambari

- Now you will need to set up the truststore by choosing Option 4 in ambari-server setup-security; in order to create the truststore for Ambari you can use the same command as mentioned in the doc that I shared earlier.

[root@erie1 conf]# ambari-server setup-security
Using python  /usr/bin/python
Security setup options...
===========================================================================
Choose one of the following options: 
  [1] Enable HTTPS for Ambari server.
  [2] Encrypt passwords stored in ambari.properties file.
  [3] Setup Ambari kerberos JAAS configuration.
  [4] Setup truststore.
  [5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 4
Do you want to configure a truststore [y/n] (y)? 
The truststore is already configured. Do you want to re-configure the truststore [y/n] (y)? 
TrustStore type [jks/jceks/pkcs12] (jks):jks
Path to TrustStore file :/etc/ambari-server/conf/erie1.example.com.jks
Password for TrustStore: ambari
Re-enter password: ambari
Ambari Server 'setup-security' completed successfully.

- Then, once the truststore is set up for Ambari, you will need to import the KDC/AD certificate into Ambari's truststore by running "ambari-server setup-security" again and this time choosing Option 5.

OR you might want to import the KDC/AD certificate as follows (suppose it is "KDC.cer"):

# keytool -import -alias $AMBARI_SERVER_HOSTNAME -file /etc/ambari-server/conf/KDC.cer -keystore /etc/ambari-server/conf/$AMBARI_SERVER_HOSTNAME.jks


Contributor

This time I am getting a little different error:

Failed to connect to KDC - Failed to communicate the Active Directory at ldaps://MADLABDC1.mad.lab: simple bind failed: MADLABDC1.mad.lab:636

Update the KDC settings in krb5-conf and kerberos-env configurations to correct this issue.

Master Mentor

@Neha G

Your krb5.conf on all hosts should have entries for both the HDP and AD realms; see below. In the example below:

HDP.HORTONWORKS.COM = HDP domain

AD.HORTONWORKS.COM = AD domain

[realms]
  HDP.HORTONWORKS.COM = {
    kdc = kdc-server.hortonworks.com
    admin_server = kdc-server.hortonworks.com
    default_domain = hdp.hortonworks.com
  }
  AD.HORTONWORKS.COM = {
    kdc = ad-server.hortonworks.com
    admin_server = ad-server.hortonworks.com
    default_domain = ad.hortonworks.com
  }

Hope that helps
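As an added example (not code from the thread), a small Python parser for the [realms] section of krb5.conf that checks both realms are defined with a kdc and an admin_server, which is what the error in the previous reply asks you to verify; the sample config is constructed from the two realms above.

```python
# Added example: parse krb5.conf [realms] blocks and report which required
# realm, kdc or admin_server entries are missing.
import re

# Constructed sample built from the two realms posted above.
SAMPLE_KRB5_CONF = """
[realms]
  HDP.HORTONWORKS.COM = {
    kdc = kdc-server.hortonworks.com
    admin_server = kdc-server.hortonworks.com
  }
  AD.HORTONWORKS.COM = {
    kdc = ad-server.hortonworks.com
    admin_server = ad-server.hortonworks.com
  }
"""

def parse_krb5_conf(text):
    """Return {section: {key: value or {subkey: value}}}; a 'NAME = { ... }'
    block (one per realm) becomes a nested dict. '#' and ';' start comments."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:                                  # new [section] header
            section, block = conf.setdefault(m.group(1), {}), None
        elif line == "}":                      # end of a realm block
            block = None
        else:
            key, eq, value = (p.strip() for p in line.partition("="))
            if section is None or not eq:
                raise ValueError("malformed krb5.conf line: %r" % raw)
            if value == "{":                   # start of a realm block
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section)[key] = value
    return conf

def check_realms(conf, required):
    """List each required realm that is absent or lacks kdc/admin_server."""
    realms, problems = conf.get("realms", {}), []
    for realm in required:
        entry = realms.get(realm)
        if not isinstance(entry, dict):
            problems.append("realm %s missing from [realms]" % realm)
            continue
        problems += ["realm %s has no %s" % (realm, k)
                     for k in ("kdc", "admin_server") if k not in entry]
    return problems
```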

Contributor

@Geoffrey

My HDP and AD are on the same domain (let's say example.com); does it mean both have the same realm (i.e. EXAMPLE.COM)?

If yes, how do I put the realm info in krb5.conf file?

Let's say,

AD_host = domainController.example.com

HDP_host = hadoopHost.example.com

Master Mentor

@Neha G

To get your Hadoop realm: in the Ambari UI --> Admin --> Kerberos --> General, under the Global settings should be your REALM.

The AD REALM could be domainController.example.com

A Kerberos realm is not a Windows 2000 domain.

Contributor

@Geoffrey

I am not able to see General in Ambari UI --> Admin --> Kerberos.... It's just showing the Enable Kerberos button.

I am seeing the above errors while enabling Kerberos and entering the KDC and kadmin configs.