It appears that the truststore may be invalid. Did you set up a truststore for Ambari. For example, using the Ambari CLI [root@c7401 ~]# ambari-server setup-security Using python /usr/bin/python Security setup options... =========================================================================== Choose one of the following options: [1] Enable HTTPS for Ambari server. [2] Encrypt passwords stored in ambari.properties file. [3] Setup Ambari kerberos JAAS configuration. [4] Setup truststore. [5] Import certificate to truststore. =========================================================================== Enter choice, (1-5): 4 If so, you should check to make sure Ambari can read that file and has the proper password to access it. You should also make sure that the Active Directory's SSL certificate chain has been imported into the truststore. If you did not set up a truststore, you should. Here are some steps to follow: 1) Get the Active Directory's SSL certificate openssl s_client -connect ad.mycompay.dom:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > ad_server.pem 2) Import this certificate into a new or existing truststore keytool -importcert -file ad_server.pem -alias adserver -trustcacerts -storetype JKS -keystore /var/lib/ambari-server/keys/truststore.jks 3) Run ambari-server setup-security, selecting option #4 ("Setup truststore") 4) Restart Ambari Note: If Ambari's truststore is already set up you can run ambari-server setup-security and select option #5 ("Import certificate to truststore"). Then provide the path to the retrieved AD server PEM file when prompted - rather than using keytool manually to do this. ... View more

@Gagandeep Singh Chawla I do not believe that an AD-specific script is provided with Ambari; however some of the Hortonworks support or professional services folks may have something. The provided script may be out of date and is geared towards the MIT KDC. It will not work with an Active Directory. Active Directory would prefer that all account creation and keytab export routines be executed on the Windows server, itself. However, since AD has an LDAP interface that can be used to add new objects to the database, Ambari is able to create principals and set password. Thus giving it the ability to automate creating principals and keytab files remotely - the keytab files are actually generated by Ambari and not exported from the AD. If you are looking for steps on how Ambari does this, take a look at the HCC article How to create AD principal accounts using OpenLdap utilities and adding it to a keytab. This is not exactly what Ambari does, but it is really close. Using details from that article, I can imagine that a script can be built to read an Ambari-provided CSV file and create the needed principals and keytab files. ... View more