Install and Test Kerberos Client

New Contributor

When configuring Kerberos authentication with Microsoft Active Directory on HDP 2.6, the configuration successfully installs the Kerberos client but fails on Test Kerberos Client with the error below.

400 status code received on POST method for API: /api/v1/clusters/ClusterName/requests

Error message: Failed to connect to KDC - Failed to communicate with the Active Directory at ldaps://10.10.1.13:636: 10.10.1.13:636 Make sure the server's SSL certificate or CA certificates have been imported into Ambari's truststore.

Ambari is running on a non-root account with all the required permissions granted in sudoers. I would appreciate it if anyone can help, as I am exhausted with this troubleshooting. FYI, AD authentication is configured successfully on the cluster.

1 ACCEPTED SOLUTION

Re: Install and Test Kerberos Client

Super Mentor

@M AMIR

Please make sure that you have set up the truststore on the Ambari Server.

Then import the Active Directory certificate into the Ambari Server's truststore.

Follow this with an Ambari Server restart.

Please refer to the following to know more about creating the Ambari truststore and storing certificates inside the truststore:

https://community.hortonworks.com/articles/39865/enabling-https-for-ambariserver-and-troubleshootin....

Re: Install and Test Kerberos Client

Super Mentor

@M AMIR

Additionally please refer to the following HCC article to know what exactly you will need to do:

Topic: "Failed to connect to KDC Make sure the server's SSL certificate or CA certificates have been imported into Ambari's truststore" when adding a new service on an Ambari Kerberized cluster

Link: https://community.hortonworks.com/content/supportkb/148572/failed-to-connect-to-kdc-make-sure-the-se...

Re: Install and Test Kerberos Client

New Contributor

Thanks Jay Kumar SenSharma for your comments. I have followed more or less the same steps as you provided but still get an LDAP connection error. I have pasted my steps below and hope to get feedback.

[ambari@hadoop /]$ sudo keytool -import -file /etc/pki/ca-trust/source/anchors/activedirectory.cer -alias adcert -keystore /var/lib/ambari-server/keys/cacerts.jks
Enter keystore password:

[ambari@hadoop /]$ sudo ambari-server stop
Using python /usr/bin/python
Stopping ambari-server
Waiting for server stop...
Ambari Server stopped

[ambari@hadoop /]$ sudo ambari-server setup-security
Using python /usr/bin/python
Security setup options...
===========================================================================
Choose one of the following options:
[1] Enable HTTPS for Ambari server.
[2] Encrypt passwords stored in ambari.properties file.
[3] Setup Ambari kerberos JAAS configuration.
[4] Setup truststore.
[5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 4
Do you want to configure a truststore [y/n] (y)? y
The truststore is already configured. Do you want to re-configure the truststore [y/n] (y)? y
TrustStore type [jks/jceks/pkcs12] (jks): jks
Path to TrustStore file :/var/lib/ambari-server/keys/cacerts.jks
Password for TrustStore:
Re-enter password:
Ambari Server 'setup-security' completed successfully.

[ambari@hadoop /]$ sudo ambari-server setup-security
Using python /usr/bin/python
Security setup options...
===========================================================================
Choose one of the following options:
[1] Enable HTTPS for Ambari server.
[2] Encrypt passwords stored in ambari.properties file.
[3] Setup Ambari kerberos JAAS configuration.
[4] Setup truststore.
[5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 5
Do you want to configure a truststore [y/n] (y)? y
Do you want to import a certificate [y/n] (y)? y
Please enter an alias for the certificate: adcert
Enter path to certificate: /etc/pki/ca-trust/source/anchors/activedirectory.cer
Ambari Server 'setup-security' completed successfully.

[ambari@hadoop /]$ sudo ambari-server start
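
Added example, not part of any post in this thread: a way to check whether the certificate file being imported is enough to validate the chain that the LDAPS endpoint in the error message presents. It assumes OpenSSL is installed and the certificate is in PEM form; the function names and the sample output are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): test whether one PEM file validates
# the certificate chain an LDAPS endpoint presents.

# Handshake with the endpoint, trusting ONLY the given PEM file.
#   $1 = host:port   $2 = PEM file
# A DER-encoded .cer must be converted first:
#   openssl x509 -inform DER -in ad.cer -out ad.pem
# -partial_chain lets a directly trusted server certificate count as an
# anchor, as it would when imported into a Java truststore.
ldaps_handshake() {
  openssl s_client -connect "$1" -CAfile "$2" -partial_chain </dev/null 2>&1
}

# Read s_client output on stdin; print the last numeric "Verify return code".
verify_code() {
  sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\) .*/\1/p' | tail -n 1
}

# Map the verify code to what it means for the truststore import.
diagnose() {
  case "$1" in
    0)     echo "trusted: this file validates the server chain" ;;
    10)    echo "expired: a certificate in the chain has expired" ;;
    18|19) echo "untrusted-self-signed: a self-signed certificate in the chain is not in this file" ;;
    20|21) echo "missing-issuer: the file holds neither the server certificate nor the CA that issued it" ;;
    "")    echo "no-handshake: no verification result (connection or TLS failure)" ;;
    *)     echo "other: OpenSSL verify error $1" ;;
  esac
}

# Constructed s_client excerpt (not captured from any real server).
SAMPLE_OUTPUT='verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
    Verify return code: 21 (unable to verify the first certificate)'

if [ "$#" -eq 2 ]; then
  # Real check, e.g.: ./check_ldaps_trust.sh 10.10.1.13:636 activedirectory.pem
  diagnose "$(ldaps_handshake "$1" "$2" | verify_code)"
else
  # Offline demonstration on the constructed sample above.
  diagnose "$(printf '%s\n' "$SAMPLE_OUTPUT" | verify_code)"
fi
```

A "trusted" result only shows that the file is the right one to import; the truststore path and alias configured in Ambari still have to point at it.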

Re: Install and Test Kerberos Client

New Contributor

Hi MAMIR, did you solve this? I have the same issue. Following all the steps, importing the certificate into the ambari trust store etc. This worked fine on our HDP 2.6 installation that we did not long ago, but on the new HDP 3.0 installation this didn't work.

Re: Install and Test Kerberos Client

New Contributor

Hello Amir,

please check the below resources:

Also check this answer from @Sean Roberts which is worth reading.

Could you please update me if that helped.

Re: Install and Test Kerberos Client

New Contributor

Thank you all for your help.
