Support Questions

Find answers, ask questions, and share your expertise

KDC test failing

avatar
Super Collaborator

I am in the Kerberos install menu and I choose the options "existing MIT KDC" but on the next screen (see attached picture) the KDC test fails .

this is my first time installing Ranger so I am not even sure if I should be choosing this option so please guide me on how to install/fix the Kerberos issue on HDP2.5.

capture.jpg

1 ACCEPTED SOLUTION

avatar

@Sami Ahmad

When you will click on the "Connection Failed" (link) present in the screenshot then it will show you the cause of failure.

If it shows "UNREACHABLE" then you will need to check if that host is reachable or not.

Also while doing "Test Connection" next it will be best to put the "ambari-server.log" in tail mode to see what error you get.

You should see something like following entry: (Here i intentionally made the hostname wrong for testing.

29 Nov 2016 19:25:51,929 ERROR [ambari-kdc-verify] KdcConnection:380 - Authentication failed
29 Nov 2016 19:25:51,952 ERROR [ambari-kdc-verify] KdcConnection:380 - Authentication failed
29 Nov 2016 19:25:51,954  WARN [ambari-client-thread-88819] KdcServerConnectionVerification:242 - An unexpected exception occurred while attempting to communicate with the KDC server at kjss1.example.com1:88 over TCP
29 Nov 2016 19:25:51,975 ERROR [ambari-kdc-verify] KdcConnection:380 - Authentication failed
29 Nov 2016 19:25:52,002 ERROR [ambari-kdc-verify] KdcConnection:380 - Authentication failed
29 Nov 2016 19:25:52,003  WARN [ambari-client-thread-88819] KdcServerConnectionVerification:242 - An unexpected exception occurred while attempting to communicate with the KDC server at kjss1.example.com1:88 over UDP
29 Nov 2016 19:25:52,003 ERROR [ambari-client-thread-88819] KdcServerConnectionVerification:115 - Failed to connect to the KDC at kjss1.example.com1:88 using either TCP or UDP

.

View solution in original post

8 REPLIES 8

avatar

@Sami Ahmad

When you will click on the "Connection Failed" (link) present in the screenshot then it will show you the cause of failure.

If it shows "UNREACHABLE" then you will need to check if that host is reachable or not.

Also while doing "Test Connection" next it will be best to put the "ambari-server.log" in tail mode to see what error you get.

You should see something like following entry: (Here i intentionally made the hostname wrong for testing.

29 Nov 2016 19:25:51,929 ERROR [ambari-kdc-verify] KdcConnection:380 - Authentication failed
29 Nov 2016 19:25:51,952 ERROR [ambari-kdc-verify] KdcConnection:380 - Authentication failed
29 Nov 2016 19:25:51,954  WARN [ambari-client-thread-88819] KdcServerConnectionVerification:242 - An unexpected exception occurred while attempting to communicate with the KDC server at kjss1.example.com1:88 over TCP
29 Nov 2016 19:25:51,975 ERROR [ambari-kdc-verify] KdcConnection:380 - Authentication failed
29 Nov 2016 19:25:52,002 ERROR [ambari-kdc-verify] KdcConnection:380 - Authentication failed
29 Nov 2016 19:25:52,003  WARN [ambari-client-thread-88819] KdcServerConnectionVerification:242 - An unexpected exception occurred while attempting to communicate with the KDC server at kjss1.example.com1:88 over UDP
29 Nov 2016 19:25:52,003 ERROR [ambari-client-thread-88819] KdcServerConnectionVerification:115 - Failed to connect to the KDC at kjss1.example.com1:88 using either TCP or UDP

.

avatar
Super Collaborator

the node is up. The Ambari logs are reporting the following:

how can I see if the KDC server is up and listening on port 88 ?

I installed Kerberos as follows :

yum install krb5-server krb5-libs krb5-workstation
29 Nov 2016 14:52:17,878 ERROR [ambari-kdc-verify] KdcConnection:380 - Authentication failed
29 Nov 2016 14:52:17,890 ERROR [ambari-kdc-verify] KdcConnection:380 - Authentication failed
29 Nov 2016 14:52:17,891  WARN [ambari-client-thread-84] KdcServerConnectionVerification:242 - An unexpected exception occurred while attempting to communicate with the KDC server at hadoop1:88 over TCP
29 Nov 2016 14:52:27,892  WARN [ambari-client-thread-84] KdcServerConnectionVerification:252 - Timeout occurred while attempting to to communicate with KDC server at hadoop1:88 over UDP
29 Nov 2016 14:52:27,892 ERROR [ambari-client-thread-84] KdcServerConnectionVerification:115 - Failed to connect to the KDC at hadoop1:88 using either TCP or UDP

avatar
Super Collaborator

the connection was failing because the KDC server was not up and running . I followed this link to install and bring the KDC server and then I could pass the connection test .

https://gist.github.com/ashrithr/4767927948eca70845db

avatar
Rising Star

Hiii

i m facing the same issue will you plz help me to get into this out unreachable.png

( this action will check accessibility of KDC host and port from Ambari Server host)

on os level kerberos is working fine....

avatar
@PATHAN SHEBAZ RUSTUM

Take a look at the Ambari server log (/var/log/ambari-server/ambari-server.log) and see if are any interesting messages in there related to this. I assume the KDC is an MIT KDC

avatar
Rising Star

@Rober its MIT

[ambari-client-thread-637] KdcServerConnectionVerification:242 - An unexpected exception occurred while attempting to communicate with the KDC server at maxiqtesting1.lti.com:88 over UDP 10 May 2017 17:54:42,799 ERROR [ambari-client-thread-637] KdcServerConnectionVerification:115 - Failed to connect to the KDC at maxiqtesting1.lti.com:88 using either TCP or UDP

avatar

My only guess is that maxiqtesting1.lti.com or port 88 (UDP or TCP) is not reachable for some reason. Make sure there are no firewalls in the way and that the Ambari server host can resolve that DNS name.

If you enable debug logging, you might be able to get more information since the cause will be reported as well. To turn on the debug log for this, add the following to /etc/ambari-server/conf/log4j.properties:

log4j.logger.org.apache.ambari.server.KdcServerConnectionVerification

avatar
New Contributor

I installed HDP 2.6 and faced same problem while setting up kerberos. it's jar problem. Download policy jars for java:

http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html extract and place them in all the servers under /usr/java/jdk1.8.0_112/jre/lib/security/ . Then restart ambari server and restart krb5kds and kadmin services..now check your kdc connection will be pass