LDAPS connection failure while using Ambari Kerberos wizard

We are having trouble using the Kerberos wizard in Ambari when testing the connection to our AD domain controllers over LDAPS. They sit behind a load-balancer which is secured using a third-party trusted certificate. Originally we thought that the certificate was at issue as testing with an openssl client was producing a “self-signed” warning. This was corrected though when we updated the underlying OS software and it presumably updated the root certificate.

The errors we receive in the log are the following:

ERROR [ambari-kdc-verify] KdcConnection:380 - Authentication failed
ERROR [ambari-kdc-verify] KdcConnection:380 - Authentication failed
WARN [qtp-ambari-client-23]KdcServerConnectionVerification:167 - Failed to connect to the KDC server at <servername>:636 over TCP 
WARN [qtp-ambari-client-23] KdcServerConnectionVerification:197 - Timeout occurred while attempting to communicate with KDC server at <servername>:636 over UDP 
ERROR[qtp-ambari-client-23] KdcServerConnectionVerification:113 - Failed to connect to the KDC at <servername>:636 using either TCP or UDP

We have tested the port on the load balancer using netcat/openssl and ran a search using ldapsearch; they were all able to connect to that port and ldapsearch returned results. Using the test option in the wizard also works when the connection is to a standard domain controller over port 389. We’ve also been able to set up LDAPS authentication for the Ambari web console to the same load balancer address, which also works fine.

Any insights into what might be wrong or should we move forward with manual creation/distribution of keytabs and principals?

1 ACCEPTED SOLUTION

@Alan Watt

The KDC verification process does not use the LDAP interface. It uses the KDC interface. So the port should be 88, not 636. This means that in the KDC host field you entered the LDAP details rather than the KDC admin details, thus the failure.

Try setting the KDC host and KAdmin hosts to <servername>:88 and try again.

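To make the port mix-up the accepted answer describes easy to spot in an Ambari server log, here is a small added checker (not part of the original thread or of Ambari) that pulls the host:port out of KdcServerConnectionVerification lines and flags LDAP/LDAPS ports where the Kerberos KDC port 88 is expected. The log sample is constructed from the lines quoted in the question, with a placeholder hostname.

```python
import re
from typing import Optional

# Constructed sample modelled on the Ambari log lines quoted in the question;
# "dc-lb.example.com" is a placeholder for the load-balancer name.
SAMPLE_LOG = """\
ERROR [ambari-kdc-verify] KdcConnection:380 - Authentication failed
WARN [qtp-ambari-client-23]KdcServerConnectionVerification:167 - Failed to connect to the KDC server at dc-lb.example.com:636 over TCP
WARN [qtp-ambari-client-23] KdcServerConnectionVerification:197 - Timeout occurred while attempting to communicate with KDC server at dc-lb.example.com:636 over UDP
ERROR[qtp-ambari-client-23] KdcServerConnectionVerification:113 - Failed to connect to the KDC at dc-lb.example.com:636 using either TCP or UDP
"""

KERBEROS_PORT = 88
# Well-known directory ports: seeing one here means LDAP details were entered
# into the wizard's KDC / KAdmin host fields.
LDAP_PORTS = {389: "LDAP", 636: "LDAPS", 3268: "Global Catalog", 3269: "Global Catalog over TLS"}

# Matches the "... KDC server at host:port ..." / "... KDC at host:port ..." phrasing
# used by KdcServerConnectionVerification in the quoted log.
KDC_TARGET_RE = re.compile(
    r"KdcServerConnectionVerification:\d+ - .*?\bKDC(?: server)? at (?P<host>[^:\s]+):(?P<port>\d+)"
)


def parse_kdc_target(line: str) -> Optional[tuple]:
    """Return (host, port) from a KDC verification log line, or None if absent."""
    m = KDC_TARGET_RE.search(line)
    if not m:
        return None
    return m.group("host"), int(m.group("port"))


def diagnose_kdc_endpoint(host: str, port: int) -> str:
    """Explain whether host:port is plausible for the Kerberos KDC service."""
    if port == KERBEROS_PORT:
        return "ok"
    if port in LDAP_PORTS:
        return (f"{host}:{port} is the {LDAP_PORTS[port]} port; the KDC and KAdmin host "
                f"fields need the Kerberos service, normally {host}:{KERBEROS_PORT}")
    return f"{host}:{port} is not the standard Kerberos port {KERBEROS_PORT}; confirm the KDC listens there"


def scan_log(text: str) -> list:
    """Return one (host, port, diagnosis) tuple per distinct KDC target seen in the log."""
    findings, seen = [], set()
    for line in text.splitlines():
        target = parse_kdc_target(line)
        if target and target not in seen:
            seen.add(target)
            findings.append((target[0], target[1], diagnose_kdc_endpoint(*target)))
    return findings


if __name__ == "__main__":
    for host, port, verdict in scan_log(SAMPLE_LOG):
        print(f"{host}:{port} -> {verdict}")
```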

Many thanks, I've changed the port and the connection test is passing.