Member since: 09-10-2015
Posts: 95
Kudos Received: 166
Solutions: 34
10-29-2015
03:08 AM
1 Kudo
@rgarcia@hortonworks.com - that error code and 52e indicate that the bind credentials that you have given Ambari are no longer valid. We're trying to authenticate ourselves to AD to do a search, and we use the Manager DN and password for that authentication. I would re-check those credentials and if necessary update the Ambari Server with the credentials by editing the configuration, or re-running ambari-server setup-ldap with the updated credentials.
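The post above ties the AD sub-code 52e to rejected bind credentials. As an added example (not part of the original post and not Ambari code), this Python script parses AD bind-failure text from log lines and goes beyond the 52e case by covering the other AD sub-codes returned with LDAP result code 49. The function names, the `ldap-client` logger name and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# AD sub-codes reported in the "data" field of an LDAP result code 49 bind failure.
AD_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Pulls the LDAP result code and the AD sub-code out of the bind-failure text.
BIND_FAILURE = re.compile(r"error code (\d+)\b.*?\bdata ([0-9a-fA-F]+)\b")

def classify(line):
    """Return (ldap_code, subcode, meaning) for an AD bind failure, else None."""
    m = BIND_FAILURE.search(line)
    if not m:
        return None
    sub = m.group(2).lower()
    return int(m.group(1)), sub, AD_SUBCODES.get(sub, "unknown sub-code")

def summarize(lines):
    """Count bind failures per AD sub-code across a set of log lines."""
    return Counter(hit[1] for hit in map(classify, lines) if hit)

def bind_credentials_rejected(lines):
    """True when any failure is 52e, i.e. the configured DN/password was refused."""
    return summarize(lines)["52e"] > 0

# Constructed sample lines; DSID values and logger names are placeholders.
SAMPLE = [
    "ERROR ldap-client [LDAP: error code 49 - 80090308: LdapErr: DSID-00000000, "
    "comment: AcceptSecurityContext error, data 52e, v1db1]",
    "INFO ldap-client search completed, 12 entries",
    "ERROR ldap-client [LDAP: error code 49 - 80090308: LdapErr: DSID-00000000, "
    "comment: AcceptSecurityContext error, data 775, v1db1]",
    "ERROR ldap-client [LDAP: error code 49 - 80090308: LdapErr: DSID-00000000, "
    "comment: AcceptSecurityContext error, data 52e, v1db1]",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line))
    print(dict(summarize(SAMPLE)), bind_credentials_rejected(SAMPLE))
```

A 52e result points at the stored bind password or DN, while 775, 532 or 533 mean the account state in AD has to be fixed before updating the credentials will help.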
10-26-2015
04:57 PM
2 Kudos
Hey @sraghavan@hortonworks.com, there are no plans to date to productize this practice, but it does seem like something that customers could do for their masters in situations where they want to easily be able to replace or move physical hosts, and it may be best dealt with as a run book addition or practice that can be documented with pros/cons.
10-26-2015
03:19 PM
2 Kudos
Hey Guys - just trying to summarize so we can wrap this thread up: Passwordless SSH access is only required if you want to automatically install and bootstrap the Ambari Agent using the Ambari UI. It is not needed if Ambari Agents are manually installed. The manual installation of the Ambari Agent is documented here, as @mahadev@hortonworks.com pointed out: http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.2.0/bk_ambari_reference_guide/content/ch_amb_ref_installing_ambari_agents_manually.html

During the manual installation you will place the ambari.repo as part of the Ambari Agent installation, and all other repos will be deployed as necessary during the installation wizard automatically.
10-22-2015
01:56 PM
2 Kudos
I would suggest installing SmartSense, as we have specific recommendations on optimal memory configurations for YARN, MR2, and others.
10-21-2015
03:46 PM
1 Kudo
I'll work on getting this and the password creation methods into the docs ASAP.
10-21-2015
02:35 PM
1 Kudo
Each can be altered independently in the Attribute Template: http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.2.0/bk_Ambari_Security_Guide/content/_customizing_the_attribute_template.html

When you run through the wizard you'll see the template, the CN and sAMAccountName, and where you have the opportunity to prepend, append, or alter their values.
10-21-2015
02:32 PM
1 Kudo
@terry@hortonworks.com this principal is created during the Kerberos client test in the AD wizard. You can tell by the naming structure: {{cluster name}}-{{month}}{{day}}{{year}}. This is created by Ambari to test that a.) we can create principals, and b.) we can use them to successfully authenticate from a client. I would remove this entity from the OU, double-check that the time is correct on the Ambari Server and re-try running through the wizard.
10-21-2015
02:19 PM
5 Kudos
Creation: Users are created in AD upon initial kerberization, as well as when adding services or hosts to the cluster. A test principal is created during the wizard to test the Kerberos client configuration and operations, as well as all of the appropriate principals for the services that are deployed in the cluster. During that process, passwords are generated and set in Active Directory. Those passwords are not permanently stored in Ambari and are only used for keytab generation.

Update: Post-wizard completion, the principal regeneration process will regenerate and set those passwords in AD.

Deletion: During removal of services or hosts, or disabling Kerberos, the appropriate principals are removed from AD.
10-21-2015
02:01 PM
1 Kudo
@hkropp - if you're talking about automatically prefixing all AD Kerberos principal names that are created, it is possible. http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.2.0/bk_Ambari_Security_Guide/content/_launching_the_kerberos_wizard_automated_setup.html

See 4.2.5.1g for some description on how specific LDAP attributes can be modified on creation for each of the principals (if necessary), and 4.2.1.8 on our default prefix, which is the name of the cluster.
10-20-2015
05:39 PM
1 Kudo
We'll be adding this information to the documentation for the Kerberos Wizard very soon: http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.2.0/bk_Ambari_Security_Guide/content/_launching_the_kerberos_wizard_automated_setup.html

It's important to note that these principal passwords are not permanently persisted within Ambari. They are only used to populate the AD password fields and generate the appropriate keytabs.