Support Questions
Find answers, ask questions, and share your expertise

LDAPS connection failure while using Ambari Kerberos wizard

New Contributor

We are having trouble using the Kerberos wizard in Ambari when testing the connection to our AD domain controllers over LDAPS. They sit behind a load-balancer which is secured using a third-party trusted certificate. Originally we thought that the certificate was at issue as testing with an openssl client was producing a “self-signed” warning. This was corrected though when we updated the underlying OS software and it presumably updated the root certificate.

The errors we receive in the log are the following:

ERROR [ambari-kdc-verify] KdcConnection:380 - Authentication failed
ERROR [ambari-kdc-verify] KdcConnection:380 - Authentication failed
WARN [qtp-ambari-client-23]KdcServerConnectionVerification:167 - Failed to connect to the KDC server at <servername>:636 over TCP 
WARN [qtp-ambari-client-23] KdcServerConnectionVerification:197 - Timeout occurred while attempting to communicate with KDC server at <servername>:636 over UDP 
ERROR[qtp-ambari-client-23] KdcServerConnectionVerification:113 - Failed to connect to
the KDC at <servername>:636 using either TCP or UDP

We have tested the port on the load balancer using netcat/openssl and ran a search using ldapsearch, they were all able to connect to that port and ldapsearch returned results. Using the test option in the wizard also works when the connection is to a standard domain controller over port 389. We’ve also been able to setup LDAPS authentication for the Ambari web console to the same load balancer address which also works fine.

Any insights into what might be wrong or should we move forward with manual creation/distribution of keytabs and principals?

1 ACCEPTED SOLUTION

@Alan Watt

The KDC verification process does not use the LDAP interface. It uses the KDC interface. So the port should be 88 not 636. This means that that in the KDC host field you entered in the LDAP details rather than the KDC admin details, thus the failure.

Try setting the KDC host and KAdmin hosts to <servername>:88 and try again.

View solution in original post

2 REPLIES 2

@Alan Watt

The KDC verification process does not use the LDAP interface. It uses the KDC interface. So the port should be 88 not 636. This means that that in the KDC host field you entered in the LDAP details rather than the KDC admin details, thus the failure.

Try setting the KDC host and KAdmin hosts to <servername>:88 and try again.

New Contributor

Many thanks, I've changed the port and the connection test is passing.

; ;