Issue with enable kerberos with existing AD KDC


I'm trying to enable Kerberos with an existing AD and I'm getting the error message below.

WARN [ambari-client-thread-31] ADKerberosOperationHandler:470 - Failed to communicate with the Active Directory at ldaps://xldapxxx.xxx.com: simple bind failed: xldapxxx.xxx.com:636
javax.naming.CommunicationException: simple bind failed: vxldapxxx.xxx.com:636 [Root exception is javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty]
ERROR [ambari-client-thread-31] KerberosHelperImpl:2232 - Cannot validate credentials: org.apache.ambari.server.serveraction.kerberos.KerberosInvalidConfigurationException: Failed to connect to KDC - Failed to communicate with the Active Directory at ldaps://xldapxxx.xxx.com: simple bind failed: xldapxxx.xxx.com:636
Update the KDC settings in krb5-conf and kerberos-env configurations to correct this issue.
16 Oct 2018 10:53:52,542 ERROR [ambari-client-thread-31] BaseManagementHandler:67 - Bad request received: Failed to connect to KDC - Failed to communicate with the Active Directory at ldaps://xldapxxx.xxx.com: simple bind failed: xldapxxx.xxx.com:636
Update the KDC settings in krb5-conf and kerberos-env configurations to correct this issue
The LDAP server is reachable from the Hadoop KDC server.
$ telnet xldapxxx.xxx.com 636
Trying 1x.1xx.1xx.xx1... Connected to xldapxxx.xxx.com.
Escape character is '^]'.

In Ambari, I'm trying to connect to the existing AD using the parameters below:

KDC host: seswcxxxd011.xxx.com  --> host where krb5-server is installed(KDC host)
Realm name: HADOOP.xxxx.xxx.COM
LDAP url: ldaps://xldapxxx.xxx.com
Container DN: OU=Users,OU=xxx,DC=xx,DC=com
Test connection: successful

Kadmin host: seswcxxxd011.xxx.com  ---> host where krb5-server is installed(KDC host)
Admin principal: admin/admin@HADOOP.xxxx.xxx.COM
Admin password: ***********

I have created the Kerberos database (kdb5_util -r) and the krbtgt principal with the master password on the krb5-server host.

$kadmin.local
Authenticating as principal root/admin@HADOOP.xxxx.xxxx.COM with password.
kadmin.local:  listprincs
K/M@HADOOP.xxxx.xxxx.COM ---> 
admin/admin@HADOOP.xxxx.xxxx.COM
ambari/admin@HADOOP.xxxx.xxxx.COM
kadmin/admin@HADOOP.xxxx.xxxx.COM
kadmin/changepw@HADOOP.xxxx.xxxx.COM
kadmin/seswcxxxd011.xxx.com@HADOOP.xxxx.xxxx.COM
kiprop/seswcxxxd011.xxx.com@HADOOP.xxxx.xxxx.COM
krbtgt/HADOOP.xxxx.xxxx.COM@xxx.COM  ---> AD master password
root/admin@HADOOP.xxxx.xxxx.COM  

Can anyone help me to resolve the above issue?

Thanks.

1 ACCEPTED SOLUTION


It appears that the truststore may be invalid. Did you set up a truststore for Ambari? For example, using the Ambari CLI:

[root@c7401 ~]# ambari-server setup-security
Using python  /usr/bin/python
Security setup options...
===========================================================================
Choose one of the following options:
  [1] Enable HTTPS for Ambari server.
  [2] Encrypt passwords stored in ambari.properties file.
  [3] Setup Ambari kerberos JAAS configuration.
  [4] Setup truststore.
  [5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 4

If so, you should check to make sure Ambari can read that file and has the proper password to access it. You should also make sure that the Active Directory's SSL certificate chain has been imported into the truststore.

If you did not set up a truststore, you should. Here are some steps to follow:

1) Get the Active Directory's SSL certificate

openssl s_client -connect ad.mycompay.dom:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > ad_server.pem

2) Import this certificate into a new or existing truststore

keytool -importcert -file ad_server.pem -alias adserver -trustcacerts -storetype JKS -keystore /var/lib/ambari-server/keys/truststore.jks

3) Run ambari-server setup-security, selecting option #4 ("Setup truststore")

4) Restart Ambari

Note: If Ambari's truststore is already set up you can run ambari-server setup-security and select option #5 ("Import certificate to truststore"). Then provide the path to the retrieved AD server PEM file when prompted - rather than using keytool manually to do this.
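Added example (not part of the original answer): the `openssl x509` filter above keeps only the first certificate `s_client` prints, which is the AD server's leaf certificate. The trust anchor Java actually needs is usually the issuing CA further up the chain, so these helper functions split the full `-showcerts` output into one PEM file per certificate, import each one, and then count the trusted entries, because a truststore with zero entries is exactly what produces "the trustAnchors parameter must be non-empty". The function names, the `ad_chain_N` aliases and the `changeit` password are assumptions for illustration; keytool is assumed to be the one from the JDK Ambari runs on.

```shell
#!/bin/sh
# split_chain <input_file> <output_prefix>
# Splits the output of `openssl s_client -showcerts` into <prefix>_1.pem,
# <prefix>_2.pem, ... (leaf first, CA certificates after it) and prints the
# number of certificates written.
split_chain() {
    infile="$1"; prefix="$2"
    awk -v prefix="$prefix" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = prefix "_" n ".pem"; inblock = 1 }
        inblock { print > out }
        /-----END CERTIFICATE-----/ { inblock = 0; close(out) }
        END { print n + 0 }
    ' "$infile"
}

# import_chain <output_prefix> <count> <truststore> <storepass>
# Imports every split certificate into the JKS truststore under its own alias
# and prints how many trustedCertEntry items the store holds afterwards.
# A result of 0 means Java will still fail with "trustAnchors ... non-empty".
import_chain() {
    prefix="$1"; count="$2"; store="$3"; pass="$4"
    i=1
    while [ "$i" -le "$count" ]; do
        keytool -importcert -noprompt -trustcacerts -storetype JKS \
            -alias "ad_chain_$i" -file "${prefix}_$i.pem" \
            -keystore "$store" -storepass "$pass" >/dev/null
        i=$((i + 1))
    done
    keytool -list -keystore "$store" -storepass "$pass" | grep -c trustedCertEntry
}

# Usage (assumed hostname, assumed password):
#   openssl s_client -connect ad.example.com:636 -showcerts </dev/null 2>/dev/null > ad_chain.txt
#   n=$(split_chain ad_chain.txt ad_cert)
#   import_chain ad_cert "$n" /var/lib/ambari-server/keys/truststore.jks changeit
```

After the import, `ambari-server setup-security` option 4 still has to point Ambari at the truststore path and password, and Ambari must be restarted.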


2 REPLIES


The last part of the description in your question does not make sense. The krb utils on the Linux host do not apply to an Active Directory. They are only for an MIT KDC installation.