Created on 11-08-2018 01:06 AM - edited 09-16-2022 06:52 AM
When configuring Kerberos authentication with Microsoft Active Directory on HDP 2.6, the configuration successfully installs the Kerberos client but fails on Test Kerberos Client with the error below.
400 status code received on POST method for API: /api/v1/clusters/ClusterName/requests
Error message: Failed to connect to KDC - Failed to communicate with the Active Directory at ldaps://10.10.1.13:636: 10.10.1.13:636 Make sure the server's SSL certificate or CA certificates have been imported into Ambari's truststore.
Ambari is running under a non-root account with all the required permissions granted in sudoers. I would appreciate it if anyone can help, as I am exhausted with this troubleshooting. FYI, AD authentication is configured successfully on the cluster.
Created 11-08-2018 01:10 AM
Please make sure that you have Setup Truststore on Ambari Server.
Then import the Active Directory certificate into Ambari Server's truststore.
Follow this with an Ambari Server restart.
Please refer to know more about : Creating Ambari Truststore and storing Certificates inside the truststore.
Created 11-08-2018 01:13 AM
Additionally please refer to the following HCC article to know what exactly you will need to do:
Topic: "Failed to connect to KDC Make sure the server's SSL certificate or CA certificates have been imported into Ambari's truststore" when adding a new service on an Ambari Kerberized cluster
Created 11-09-2018 05:45 AM
Thanks Jay Kumar SenSharma for your comments. I have followed more or less the same steps as you provided but still get an LDAP connection error. I have pasted my steps below and hope to get feedback.
[ambari@hadoop /]$ sudo keytool -import -file /etc/pki/ca-trust/source/anchors/activedirectory.cer -alias adcert -keystore /var/lib/ambari-server/keys/cacerts.jks
Enter keystore password:
[ambari@hadoop /]$ sudo ambari-server stop
Using python /usr/bin/python
Stopping ambari-server
Waiting for server stop...
Ambari Server stopped
[ambari@hadoop /]$ sudo ambari-server setup-security
Using python /usr/bin/python
Security setup options...
===========================================================================
Choose one of the following options:
[1] Enable HTTPS for Ambari server.
[2] Encrypt passwords stored in ambari.properties file.
[3] Setup Ambari kerberos JAAS configuration.
[4] Setup truststore.
[5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 4
Do you want to configure a truststore [y/n] (y)? y
The truststore is already configured. Do you want to re-configure the truststore [y/n] (y)? y
TrustStore type [jks/jceks/pkcs12] (jks): jks
Path to TrustStore file :/var/lib/ambari-server/keys/cacerts.jks
Password for TrustStore:
Re-enter password:
Ambari Server 'setup-security' completed successfully.
[ambari@hadoop /]$ sudo ambari-server setup-security
Using python /usr/bin/python
Security setup options...
===========================================================================
Choose one of the following options:
[1] Enable HTTPS for Ambari server.
[2] Encrypt passwords stored in ambari.properties file.
[3] Setup Ambari kerberos JAAS configuration.
[4] Setup truststore.
[5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 5
Do you want to configure a truststore [y/n] (y)? y
Do you want to import a certificate [y/n] (y)? y
Please enter an alias for the certificate: adcert
Enter path to certificate: /etc/pki/ca-trust/source/anchors/activedirectory.cer
Ambari Server 'setup-security' completed successfully.
[ambari@hadoop /]$ sudo ambari-server start
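A way to check the import step described in the posts above, as an added example that is not part of the thread: it fingerprints each certificate the LDAPS endpoint presents and looks it up in the truststore by SHA-256. The function names and the TRUSTSTORE_PASS environment variable are this example's own choices; the host, port and truststore path in the usage comment are the ones quoted in the posts.

```shell
#!/bin/sh
# Added example, not from the thread. Run as (values taken from the posts):
#   TRUSTSTORE_PASS=... sh check.sh 10.10.1.13 636 /var/lib/ambari-server/keys/cacerts.jks

# Reduce "SHA256 Fingerprint=AA:BB.." (openssl) or "SHA256: AA:BB.." (keytool)
# to bare upper-case hex so the two tools' outputs compare equal.
normalize_fp() {
  printf '%s\n' "$1" |
    sed -e 's/^.*Fingerprint=//' -e 's/^.*SHA256:[[:space:]]*//' |
    tr -cd '0-9A-Fa-f' | tr 'a-f' 'A-F'
}

# Read `keytool -list -v` output on stdin and print the alias whose SHA-256
# fingerprint equals $1; exit status 1 when no entry matches.
find_alias_for_fp() {
  awk -v want="$(normalize_fp "$1")" '
    /^Alias name:/ { name = $0; sub(/^Alias name:[ \t]*/, "", name) }
    /SHA256:/ {
      fp = $0; sub(/^.*SHA256:[ \t]*/, "", fp); gsub(/[^0-9A-Fa-f]/, "", fp)
      if (toupper(fp) == want) { print name; found = 1 }
    }
    END { exit(found ? 0 : 1) }'
}

# Fingerprint every certificate the server sends and look each one up.
# Arguments: HOST PORT TRUSTSTORE; the password is read from $TRUSTSTORE_PASS
# so it does not appear in the process list.
check_ldaps() {
  pem=
  listing=$(keytool -list -v -keystore "$3" -storepass:env TRUSTSTORE_PASS) || return 2
  openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null |
  while IFS= read -r line; do
    case $line in
      *'BEGIN CERTIFICATE'*) pem=$line ;;
      *'END CERTIFICATE'*)
        fp=$(printf '%s\n%s\n' "$pem" "$line" | openssl x509 -noout -fingerprint -sha256)
        if match=$(printf '%s\n' "$listing" | find_alias_for_fp "$fp"); then
          echo "in truststore as '$match': $fp"
        else
          echo "NOT in truststore: $fp"
        fi
        pem= ;;
      *) [ -z "$pem" ] || pem=$(printf '%s\n%s' "$pem" "$line") ;;
    esac
  done
}

if [ "$#" -eq 3 ]; then check_ldaps "$@"; fi
```

A root CA that the server does not send will not be listed, so if every presented certificate shows as "NOT in truststore", check whether its issuing CA is in the keystore listing before concluding the import failed.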
Created 11-15-2018 12:38 PM
Hi MAMIR, did you solve this? I have the same issue. Following all the steps, importing the certificate into the Ambari truststore, etc. This worked fine on our HDP 2.6 installation that we did not long ago, but on the new HDP 3.0 installation this didn't work.
Created 04-29-2020 03:39 AM
Hi Victor, did you find the solution? We are also in the same scenario and unable to install Kerberos on HDP 3.1, though the same steps worked smoothly on HDP 2.6.
Kindly suggest any recommendations.
Created 11-09-2018 11:28 AM
Hello Amir,
Please check the resources below:
Also check this answer from @Sean Roberts which is worth reading.
Could you please update me if that helped.
Created 03-16-2019 05:18 PM
Thank you all for your help.