Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

How can I fix this? Kerberos with AD (no local KDC) will not accept the admin user/password.

avatar
author-rank TerryP author-rank
Super Collaborator

Created on ‎10-14-2015 03:24 PM - edited ‎09-16-2022 02:44 AM

Before a production installation, we are testing the Kerberos install from the Sandbox to the client's Test Active Directory as a dry run. The entries in the KDC portion of the UI allow the "Test KDC Connection" to be successful. But the Kerberos install fails after the "Next" button and a prompt appears asking for the correct Admin name/password combination.

The same connection info, when tried through Apache Directory Studio, gives a "Unable to obtain Principal Name for authentication" error.

The entries being used on the Kerberos setup page.

  • KDC:
    • KDC host: ad.client.com
    • Realm name:TCORP
    • LDAP url: ldaps://ad.client.com
    • Container DN: ou=hadoop,ou=hdp,dc=client,dc=com
  • Kadmin
    • Kadmin host: ad.client.com
    • Admin principal: adminname@TCORP
    • Admin password: AD password for adminname
2,914 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank rlevas
Guru

Created ‎10-14-2015 03:36 PM

This appears to look correct.

Are we sure the realm name is correct and it is not something like "TCORP.COM"? Realm names are case-sensitive, so make sure the realm name in AD is all uppercase characters. I don't believe that the admin principal or password is trimmed, so make sure no (extra) spaces exist before or after them.

Also, does the admin user have delegated control over the specified LDAP container?

Can you take a look at the Ambari server log to see if any errors are posted there?

View solution in original post

1,211 Views
0 Kudos
2 REPLIES 2

avatar
author-rank rlevas
Guru

Created ‎10-14-2015 03:36 PM

This appears to look correct.

Are we sure the realm name is correct and it is not something like "TCORP.COM"? Realm names are case-sensitive, so make sure the realm name in AD is all uppercase characters. I don't believe that the admin principal or password is trimmed, so make sure no (extra) spaces exist before or after them.

Also, does the admin user have delegated control over the specified LDAP container?

Can you take a look at the Ambari server log to see if any errors are posted there?

1,212 Views
0 Kudos

avatar
author-rank TerryP author-rank
Super Collaborator

Created ‎10-15-2015 03:27 PM

We are able to authenticate with the settings from above. We dug further and see an error with creating the principals on the AD side. It looks like the full control over the OU is not in place.

1,211 Views
0 Kudos
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements