@ARUNKUMAR RAMASAMY If you turn on debugging, the error message will contain the reason for failure. I am not sure why we need to turn on debugging to get more information - you would think that this info would be normally available. To turn on debugging, edit /etc/ambari-server/conf/log4j.properties and set the following line (line #28) from: log4j.rootLogger=INFO,file to log4j.rootLogger=DEBUG,file Then restart ambari, try again and see what the error message is. Since the log will be rather verbose, you will want to search (or grep) for "KdcServerConnectionVerification". ... View more

@sunil kanthety You seem to be in an interesting state. What version of Ambari are you running? For the issue you posted where the error is "Security is enabled, but JCE policy zip is not specified". Check your ambari.properties file for a property named "jce.name". The file listed there should exist in /var/lib/ambari-server/resources. If the property or the file does not exist we need to investigate why. For starters, what version of Java are you using and did you have ambari-server setup install it or did you install Java manually? When enabling Kerberos via the UI. Does a button allowing you to skip the failed stage appear? If so, you should be able to click that and continue with the disable process. Once you complete disabling Kerberos, you should make sure that the Kerberos service is removed by issuing the following REST API call: DELETE /api/v1/clusters/CLUSTERNAME/services/KERBEROS For example, using curl on a cluster named C1 where the administrator username and password have not be changed from the default values: curl -H "X-Requested-By:ambari" -u admin:admin -X DELETE "http://<AMBARI-SERVER>:8080/api/v1/clusters/C1/services/KERBEROS After this, you should be able to retry enabling Kerberos again. ... View more

@Alan Watt The KDC verification process does not use the LDAP interface. It uses the KDC interface. So the port should be 88 not 636. This means that that in the KDC host field you entered in the LDAP details rather than the KDC admin details, thus the failure. Try setting the KDC host and KAdmin hosts to <servername>:88 and try again. ... View more

If Ambari is to manage the cluster's Kerberos identities in the Active Directory, than it must connect to the Active Director using LDAPS. This is to allow Ambari to set the account passwords. If LDAP is used, enabling Kerberos will fail since Ambari needs to set the relevant account passwords and the Active Directory will reject the calls to create accounts from Ambari. If you cannot use LDAPS, then you will need to select the manual option when enabling Kerberos where you will need to manually create the accounts in the active directory. You will then need to export keytab files and distribute them to the appropriate hosts. A CSV file is provided via the wizard to identify the identities and keytab files needed. ... View more