Member since 11-28-2018
9 Posts
0 Kudos Received
0 Solutions

12-10-2018 07:29 PM
Thank you @Robert Levas @dvillarreal

Yes, I am using a newer version of ambari and also tried FreeIPA since openLDAP didn't seem to work at all with kerberos.

I followed the exact steps as on https://community.hortonworks.com/articles/59645/ambari-24-kerberos-with-freeipa.html - everything seems to be working fine but fails when kerberizing the cluster. I get the following error:

Also, important to note that while I get the following error:

DNS query for data2.testhdp.com. A failed: The DNS operation timed out after 30.0005660057 seconds
DNS resolution for hostname data2.testhdp.com failed: The DNS operation timed out after 30.0005660057 seconds
Failed to update DNS records.
Missing A/AAAA record(s) for host data2.testhdp.com: 172.31.6.79.
Missing reverse record(s) for address(es): 172.31.6.79.

I installed server as:

ipa-server-install --domain=testhdp.com \
    --realm=TESTHDP.COM \
    --hostname=ldap2.testhdp.com \
    --setup-dns \
    --forwarder=8.8.8.8 \
    --reverse-zone=3.2.1.in-addr.arpa.

and the clients on each node as

ipa-client-install --domain=testhdp.com \
    --server=ldap2.testhdp.com \
    --realm=TESTHDP.COM \
    --principal=hadoopadmin@TESTHDP.COM \
    --enable-dns-updates

Also, that post doing the following step:

echo "nameserver ldap2.testhdp.com" > /etc/resolv.conf

my yum is broken and I need to revert to make it work.

Do you guys have any idea about it? I thought that there is no need of DNS as I have resolution of *.testhdp.com in my hostfile on all nodes.
						
					
12-08-2018 06:20 PM
@Robert Levas thank you for the clarification - I understand things better. So, now that I am using openLDAP, what KDC type should I use then? Ambari setup only gives me two types for automated kerberos setup: AD and MIT KDC.
						
					
12-07-2018 07:05 PM
@Robert Levas thank you so very much. Your answer makes a lot of sense and I think this is exactly what is causing the problem. I'll create a new "OU" 'ou=hadoop,dc=testhdp,dc=com' in openLDAP, right? Now my admin user in ambari is (admin) and for kerberos it is (root/admin), how do I provide it access to create the users in there? Can you please help me there? - sorry to bug you again.
						
					
12-07-2018 01:14 PM
@Robert Levas thank you for the quick response.

I tried your suggestion and passed through the initial step (see pic1).

However on proceeding further, I get an error while testing the kerberos client (see pic2 and pic3).

On checking ambari-server logs, I notice the error:

Caused by: org.apache.ambari.server.AmbariException: Unexpected error condition
at org.apache.ambari.server.controller.KerberosHelperImpl.validateKDCCredentials(KerberosHelperImpl.java:1935)
at org.apache.ambari.server.controller.KerberosHelperImpl.handleTestIdentity(KerberosHelperImpl.java:2230)
at org.apache.ambari.server.controller.KerberosHelperImpl.createTestIdentity(KerberosHelperImpl.java:1029)
at org.apache.ambari.server.controller.AmbariManagementControllerImpl.createAction(AmbariManagementControllerImpl.java:4216)
at org.apache.ambari.server.controller.internal.RequestResourceProvider$1.invoke(RequestResourceProvider.java:263)
at org.apache.ambari.server.controller.internal.RequestResourceProvider$1.invoke(RequestResourceProvider.java:192)
at org.apache.ambari.server.controller.internal.AbstractResourceProvider.invokeWithRetry(AbstractResourceProvider.java:455)
at org.apache.ambari.server.controller.internal.AbstractResourceProvider.createResources(AbstractResourceProvider.java:278)

Caused by: javax.naming.InvalidNameException: [LDAP: error code 34 - invalid DN]
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3077)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2883)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2797)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
at javax.naming.InitialContext.init(InitialContext.java:244)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
at org.apache.ambari.server.serveraction.kerberos.ADKerberosOperationHandler.createInitialLdapContext(ADKerberosOperationHandler.java:514)
at org.apache.ambari.server.serveraction.kerberos.ADKerberosOperationHandler.createLdapContext(ADKerberosOperationHandler.java:465)
... 102 more

I am not sure what is causing this error and couldn't find any support online either.

My base domain for LDAP is dc=testhdp,dc=com which works fine while authenticating using (open)LDAP alone (see pic4).

But here I get the error "Caused by: javax.naming.InvalidNameException: [LDAP: error code 34 - invalid DN]"

Can you please help me understand what I am doing wrong in setting up LDAP to work with kerberos? I have attached the relevant ambari-server logs (logs.txt).

Thanks
						
					
12-06-2018 10:18 AM
I am creating a kerberised HDP cluster on AWS. For managing the users and groups I am using openLDAP (on a RHEL 7 machine) and want to configure it to work with Kerberos.

I am following the official tutorial for setting up kerberos with an existing AD, but while testing the connection during the setup it constantly fails (see screenshot).

I have LDAPS set up and working fine - I am able to sync users using the ambari-server sync-ldap command over ldaps and am also able to log in to the ambari-server using the users created on openLDAP. Telnet to ldap.testhdp.com:636 (my LDAP server) from my edge node (where ambari-server is installed) also works fine.

It is only while setting up kerberos that the connection fails.

Just for testing I installed krb5-server on the edge node and tried installing kerberos with an existing MIT KDC, which works fine. I hope to make it work with openLDAP (existing AD).
						
					
Labels: Apache Ambari

11-28-2018 02:59 PM
Hi @Robert Levas @Shyam Shaw, can you please help me with how to "remove the entries in the kerberos_principal_host and kerberos_principal where the principal_name column". Sorry for re-opening this, but I am facing a similar problem and unable to delete this from ambari database.
						
					