How can I fix this? Kerberos with AD (no local KDC) will not accept the admin user/password.

Before a production installation, we are testing the Kerberos install from the Sandbox to the client's Test Active Directory as a dry run. The entries in the KDC portion of the UI allow the "Test KDC Connection" to be successful. But the Kerberos install fails after the "Next" button and a prompt appears asking for the correct Admin name/password combination.

The same connection info, when tried through Apache Directory Studio, gives a "Unable to obtain Principal Name for authentication" error.

The entries being used on the Kerberos setup page.

  • KDC:
    • KDC host: ad.client.com
    • Realm name: TCORP
    • LDAP url: ldaps://ad.client.com
    • Container DN: ou=hadoop,ou=hdp,dc=client,dc=com
  • Kadmin:
    • Kadmin host: ad.client.com
    • Admin principal: adminname@TCORP
    • Admin password: AD password for adminname
1 ACCEPTED SOLUTION

This appears to look correct.

Are we sure the realm name is correct and it is not something like "TCORP.COM"? Realm names are case-sensitive, so make sure the realm name in AD is all uppercase characters. I don't believe that the admin principal or password is trimmed, so make sure no (extra) spaces exist before or after them.

Also, does the admin user have delegated control over the specified LDAP container?

Can you take a look at the Ambari server log to see if any errors are posted there?

2 REPLIES


We are able to authenticate with the settings from above. We dug further and see an error with creating the principals on the AD side. It looks like the full control over the OU is not in place.
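
The static checks suggested in the accepted answer (realm case, stray whitespace, principal realm matching the realm field) can be run over the form values before submitting them. This is an added example, not code from the thread or from Ambari; the `preflight` function and the DN-derived realm comparison are assumptions of the example, and delegated control over the container still has to be verified in AD itself.

```python
import re

# Constructed sample: the (anonymized) values posted in the question.
SETTINGS = {
    "realm": "TCORP",
    "ldap_url": "ldaps://ad.client.com",
    "container_dn": "ou=hadoop,ou=hdp,dc=client,dc=com",
    "admin_principal": "adminname@TCORP",
}

def preflight(s):
    """Return (field, finding) pairs for the static checks named in the answer."""
    findings = []
    # Values may not be trimmed by the UI, so stray spaces are sent as typed.
    for field, value in s.items():
        if value != value.strip():
            findings.append((field, "leading or trailing whitespace"))
    realm = s["realm"].strip()
    # Realm names are case-sensitive; the AD realm is all upper case.
    if realm != realm.upper():
        findings.append(("realm", "not all upper case"))
    # The admin principal must be name@REALM with the identical realm string.
    name, sep, p_realm = s["admin_principal"].strip().partition("@")
    if not (name and sep and p_realm):
        findings.append(("admin_principal", "expected name@REALM"))
    elif p_realm != realm:
        findings.append(("admin_principal", f"realm {p_realm!r} != {realm!r}"))
    # Heuristic (assumption of this example): an AD realm is normally the
    # upper-cased DNS domain, which is what the dc= parts of the DN spell out.
    dcs = re.findall(r"(?i)(?:^|,)\s*dc=([^,]+)", s["container_dn"])
    if not dcs:
        findings.append(("container_dn", "no dc= components"))
    else:
        expected = ".".join(d.strip() for d in dcs).upper()
        if expected != realm.upper():
            findings.append(("realm", f"differs from DN-derived {expected}; confirm in AD"))
    return findings

if __name__ == "__main__":
    for field, finding in preflight(SETTINGS):
        print(f"{field}: {finding}")
```
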