Created 10-16-2018 11:31 AM
I'm trying to enable Kerberos with an existing AD and getting the error message below.
WARN [ambari-client-thread-31] ADKerberosOperationHandler:470 - Failed to communicate with the Active Directory at ldaps://xldapxxx.xxx.com: simple bind failed: xldapxxx.xxx.com:636 javax.naming.CommunicationException: simple bind failed: vxldapxxx.xxx.com:636 [Root exception is javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty]
ERROR [ambari-client-thread-31] KerberosHelperImpl:2232 - Cannot validate credentials: org.apache.ambari.server.serveraction.kerberos.KerberosInvalidConfigurationException: Failed to connect to KDC - Failed to communicate with the Active Directory at ldaps://xldapxxx.xxx.com: simple bind failed: xldapxxx.xxx.com:636 Update the KDC settings in krb5-conf and kerberos-env configurations to correct this issue.
16 Oct 2018 10:53:52,542 ERROR [ambari-client-thread-31] BaseManagementHandler:67 - Bad request received: Failed to connect to KDC - Failed to communicate with the Active Directory at ldaps://xldapxxx.xxx.com: simple bind failed: xldapxxx.xxx.com:636 Update the KDC settings in krb5-conf and kerberos-env configurations to correct this issue
The LDAP server is reachable from the Hadoop KDC server:
$telnet xldapxxx.xxx.com 636
Trying 1x.1xx.1xx.xx1...
Connected to xldapxxx.xxx.com.
Escape character is '^]'.
In Ambari, I'm trying to connect to the existing AD using the parameters below:
KDC host: seswcxxxd011.xxx.com --> host where krb5-server is installed (KDC host)
Realm name: HADOOP.xxxx.xxx.COM
LDAP url: ldaps://xldapxxx.xxx.com
Container DN: OU=Users,OU=xxx,DC=xx,DC=com
Test connection: successful
Kadmin host: seswcxxxd011.xxx.com ---> host where krb5-server is installed (KDC host)
Admin principal: admin/admin@HADOOP.xxxx.xxx.COM
Admin password: ***********
I have created the Kerberos database (kdb5_util -r) and the krbtgt principal with the master password on the krb5-server host.
$kadmin.local
Authenticating as principal root/admin@HADOOP.xxxx.xxxx.COM with password.
kadmin.local: listprincs
K/M@HADOOP.xxxx.xxxx.COM --->
admin/admin@HADOOP.xxxx.xxxx.COM
ambari/admin@HADOOP.xxxx.xxxx.COM
kadmin/admin@HADOOP.xxxx.xxxx.COM
kadmin/changepw@HADOOP.xxxx.xxxx.COM
kadmin/seswcxxxd011.xxx.com@HADOOP.xxxx.xxxx.COM
kiprop/seswcxxxd011.xxx.com@HADOOP.xxxx.xxxx.COM
krbtgt/HADOOP.xxxx.xxxx.COM@xxx.COM ---> AD master password
root/admin@HADOOP.xxxx.xxxx.COM
Can anyone help me resolve the above issue?
Thanks.
Created 10-16-2018 02:59 PM
It appears that the truststore may be invalid. Did you set up a truststore for Ambari? For example, using the Ambari CLI:
[root@c7401 ~]# ambari-server setup-security
Using python /usr/bin/python
Security setup options...
===========================================================================
Choose one of the following options:
[1] Enable HTTPS for Ambari server.
[2] Encrypt passwords stored in ambari.properties file.
[3] Setup Ambari kerberos JAAS configuration.
[4] Setup truststore.
[5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 4
If so, you should check to make sure Ambari can read that file and has the proper password to access it. You should also make sure that the Active Directory's SSL certificate chain has been imported into the truststore.
If you did not set up a truststore, you should. Here are some steps to follow:
1) Get the Active Directory's SSL certificate
openssl s_client -connect ad.mycompany.dom:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > ad_server.pem
2) Import this certificate into a new or existing truststore
keytool -importcert -file ad_server.pem -alias adserver -trustcacerts -storetype JKS -keystore /var/lib/ambari-server/keys/truststore.jks
3) Run ambari-server setup-security, selecting option #4 ("Setup truststore")
4) Restart Ambari
Note: If Ambari's truststore is already set up you can run ambari-server setup-security and select option #5 ("Import certificate to truststore"). Then provide the path to the retrieved AD server PEM file when prompted - rather than using keytool manually to do this.
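As an added example (not code from the thread), a small Python pre-flight that pulls the innermost Java exception out of a log line shaped like the one in the question and sanity-checks the truststore settings in ambari.properties; the ssl.trustStore.* property names are the ones ambari-server setup-security writes and are assumed here, not taken from this thread.

```python
import os
import re

# Constructed sample in the shape of the WARN line from the question (hostnames invented).
SAMPLE_LOG = (
    "WARN [ambari-client-thread-31] ADKerberosOperationHandler:470 - Failed to communicate with "
    "the Active Directory at ldaps://ad.example.com: simple bind failed: ad.example.com:636 "
    "javax.naming.CommunicationException: simple bind failed: ad.example.com:636 [Root exception is "
    "javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security."
    "InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty]"
)
# Innermost messages seen on an LDAPS bind and what each one says about the truststore.
REMEDIATION = {
    "the trustAnchors parameter must be non-empty": "truststore empty, unreadable or not configured (setup-security option 4)",
    "unable to find valid certification path to requested target": "AD certificate chain not in truststore (option 5 / keytool)",
}
_JAVA_EXC = re.compile(r"([a-z][\w.]*\.[A-Z]\w*(?:Exception|Error)): ")

def root_cause(line):
    """Return (class, message) of the innermost exception in a Java 'Outer: Inner: msg' chain."""
    matches = list(_JAVA_EXC.finditer(line))
    if not matches:
        return None
    last = matches[-1]
    return last.group(1), line[last.end():].strip().rstrip("]")

def parse_properties(text):
    """Minimal reader for the key=value lines of ambari.properties."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_truststore(props):
    """Pre-flight check; returns the first problem found or None. The ssl.trustStore.* keys
    are the ones ambari-server setup-security writes (assumed, not taken from the thread)."""
    path = props.get("ssl.trustStore.path")
    if not path:
        return "no ssl.trustStore.path configured"
    if not os.path.isfile(path):
        return f"truststore {path} does not exist"
    if not os.access(path, os.R_OK):
        return f"truststore {path} is not readable by this user"
    if os.path.getsize(path) == 0:
        return f"truststore {path} is empty"
    if not props.get("ssl.trustStore.password"):
        return "ssl.trustStore.password is not set"
    return None
```

Run check_truststore against the parsed /etc/ambari-server/conf/ambari.properties as the user Ambari runs as; a "non-empty trustAnchors" root cause with a clean config check usually means the store itself has no trusted entries.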
Created 10-16-2018 03:01 PM
The last part of the description in your question does not make sense. The krb utils on the Linux host do not apply to an Active Directory. They are only for an MIT KDC installation.