ambari-user mailing list archives

From Robert Levas <rle...@hortonworks.com>
Subject Re: Need help in Ambari - Active Directory Integration
Date Fri, 18 Dec 2015 11:31:29 GMT
Hey Darpan….

The error "LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext
error, data 52e, v1db1" indicates that the password you are entering for the account is
incorrect.  See http://www-01.ibm.com/support/docview.wss?uid=swg21290631 – under "Common
Active Directory LDAP bind errors" it reads:

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893
HEX: 0x52e - invalid credentials
DEC: 1326 - ERROR_LOGON_FAILURE (Logon failure: unknown user name or bad password.)
NOTE: Returns when username is valid but password/credential is invalid. Will prevent most
other errors from being displayed as noted.

As for your issue with no longer being allowed to log in using local user accounts, what version
of Ambari are you using?

Rob
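A small triage helper for the kind of line quoted above, added here as an example (it is not Ambari code and not something from this thread's authors). It pulls the DSID, the result code and the AcceptSecurityContext "data" sub-code out of the javax.naming message that Ambari's Spring LDAP layer logs, and maps the sub-code to its meaning. Only 52e appears in the thread; the other entries in the table are Microsoft's well-known sub-codes for the same comment and are included so the helper covers the whole family. The sample log lines are constructed for the example; the first mirrors the thread's message, the others are made up in the same format.

```python
"""Triage helper for Active Directory bind failures reported as
LDAP result code 49 (invalidCredentials) by a Java/Spring LDAP client.

Added example; not Ambari code and not from the thread's authors.
"""
import re
from typing import Dict, List, Optional

# Microsoft AcceptSecurityContext sub-codes, as printed after "data " (hex).
# 52e is the one from the thread; the rest are the well-known siblings.
AD_BIND_SUBCODES: Dict[str, str] = {
    "525": "user not found",
    "52e": "invalid credentials (username valid, password wrong)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches the AD comment block echoed inside the javax.naming message, e.g.
#   [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9,
#    comment: AcceptSecurityContext error, data 52e, v1db1]
_PATTERN = re.compile(
    r"LDAP: error code (?P<rc>\d+) - (?P<hresult>[0-9A-Fa-f]{8}): LdapErr: "
    r"DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>[^,]+), "
    r"data (?P<data>[0-9A-Fa-f]+), v(?P<ver>[0-9A-Fa-f]+)"
)


def parse_ad_bind_error(line: str) -> Optional[dict]:
    """Return the structured fields of the first AD LdapErr block in a log
    line, or None when the line carries no such block."""
    m = _PATTERN.search(line)
    if not m:
        return None
    info = m.groupdict()
    info["rc"] = int(info["rc"])
    info["data"] = info["data"].lower()
    # The sub-code table is only meaningful for result code 49.
    info["is_bind_failure"] = info["rc"] == 49
    if info["is_bind_failure"]:
        info["meaning"] = AD_BIND_SUBCODES.get(info["data"], "unknown sub-code")
    else:
        info["meaning"] = "sub-code table applies only to result code 49"
    return info


def triage(lines: List[str]) -> Dict[str, int]:
    """Count bind-failure sub-codes over a batch of log lines, so a reviewer
    can tell a mistyped service-account password (a run of 52e from one
    source) from a lockout or disabled-account condition (775 / 533)."""
    counts: Dict[str, int] = {}
    for line in lines:
        info = parse_ad_bind_error(line)
        if info and info["is_bind_failure"]:
            counts[info["data"]] = counts.get(info["data"], 0) + 1
    return counts


# Constructed sample input (not a real capture). Line 1 mirrors the thread's
# WARN line, line 2 is a made-up lockout, line 3 is the thread's "error code 1"
# shape, line 4 is unrelated noise.
SAMPLE_LOG = [
    "18 Dec 2015 10:27:34,899  WARN [qtp-client-26] AmbariLdapAuthenticationProvider:71 - "
    "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: "
    "AcceptSecurityContext error, data 52e, v1db1]",
    "18 Dec 2015 10:31:02,100  WARN [qtp-client-27] AmbariLdapAuthenticationProvider:71 - "
    "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: "
    "AcceptSecurityContext error, data 775, v1db1]",
    "[LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform "
    "this operation a successful bind must be completed on the connection., data 0, v1db1]; "
    "remaining name 'CN=Users,DC=test,DC=com'",
    "18 Dec 2015 10:31:05,000  INFO [qtp-client-27] unrelated line",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(parse_ad_bind_error(entry))
    print(triage(SAMPLE_LOG))
```

The DSID is the Microsoft-internal source location and changes between Windows builds, so match on the sub-code, not on the DSID, when writing a detection rule.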



From: Darpan Patel <darpanbe@gmail.com>
Reply-To: "user@ambari.apache.org" <user@ambari.apache.org>
Date: Friday, December 18, 2015 at 5:39 AM
To: "user@ambari.apache.org" <user@ambari.apache.org>
Subject: Re: Need help in Ambari - Active Directory Integration

Hi Folks,

While trying to set up A/D for Ambari, I am also not able to log in to the Ambari console using
the default admin/admin. Nor am I able to sync fully.

My Active Directory domain is TEST.COM and one of the valid users
in it is Darpan Patel (principal: darpan@TEST.COM). Here
is the list of properties from /etc/ambari-server/conf/ambari.properties.

With the following properties I am still not able to sync the users.

api.authenticate=true
authentication.ldap.baseDn=CN=Users,DC=test,DC=com
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=CN=Users,DC=test,DC=com
authentication.ldap.groupMembershipAttr=uid
authentication.ldap.groupNamingAttr=cn
authentication.ldap.groupObjectClass=group
authentication.ldap.managerDn=CN=Darpan Patel,CN=users,DC=test,DC=com
authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
authentication.ldap.primaryUrl=IP_OF_AD_MACHINE:389
authentication.ldap.referral=ignore
authentication.ldap.secondaryUrl=IP_OF_AD_MACHINE:389
authentication.ldap.useSSL=false
authentication.ldap.userObjectClass=person
authentication.ldap.usernameAttribute=sAMAccountName

Here is the sequence of what I am trying to do:

1) $ ambari-server setup-ldap
2) Enter the above properties
3) Restart the ambari server
4) $ambari-server sync-ldap --all
5) Enter admin id/password (i.e. the default Ambari Admin userid: admin/admin); also tried with
darpan and darpan@TEST.COM
6) In all the cases I see :
Syncing all.ERROR: Exiting with exit code 1.
REASON: Sync event creation failed. Error details: HTTP Error 403: [LDAP: error code 49 -
80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1];
nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308:
LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
7) Log shows :

18 Dec 2015 10:27:34,899  WARN [qtp-client-26] AmbariLdapAuthenticationProvider:71 - Looks
like LDAP manager credentials (that are used for connecting to LDAP server) are invalid.
org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP:
error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data
52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49
- 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]

--------------
The interesting thing is: I am no longer able to log in to Ambari using the admin/admin user. On the Ambari
portal, when I use admin/admin it says invalid credentials.  So I tried resetting the password
to the default by changing it in the ambari.users db (update ambari.users set user_password='538916f8943ec225d97a9a86a2c6ec0818c1cd400e09e03b660fdaaec4af29ddbb6f2b1033b81b00'
where user_name='admin')

Curiously, when I look at the ambari.users table, a few of the A/D users are present in the
table, for example:

ambari=> select * from ambari.users;
 user_id | principal_id | ldap_user |   user_name   |        create_time         | active
---------+--------------+-----------+---------------+----------------------------+--------
      12 |            4 |         1 | pratlu        | 2015-12-17 17:49:05.699    |      1
       3 |            6 |         1 | darpan        | 2015-12-17 17:49:05.699    |      1
      13 |            3 |         1 | administrator | 2015-12-17 17:49:05.699    |      1
       4 |            5 |         1 | test          | 2015-12-17 17:49:05.699    |      1
      14 |           11 |         1 | sanjay.sharma | 2015-12-17 17:49:05.699    |      1
       8 |            7 |         1 | guest         | 2015-12-17 17:49:05.699    |      1
      10 |           14 |         1 | hadoop.com$   | 2015-12-17 17:49:05.699    |      1
       9 |           10 |         1 | devuser       | 2015-12-17 17:49:05.699    |      1
      11 |           12 |         1 | dgotl         | 2015-12-17 17:49:05.699    |      1
       7 |            9 |         1 | krbtgt        | 2015-12-17 17:49:05.699    |      1
       1 |            1 |         1 | admin         | 2015-11-09 23:47:08.368558 |      1

I also tried logging in to the Ambari web console using darpan, darpan@TEST.COM and
admin/admin, but it does not work!!

Did anyone face a similar issue? Or can anyone suggest a workaround?

Regards,
Arpan

On 17 December 2015 at 23:25, Darpan Patel <darpanbe@gmail.com>
wrote:
Thanks Robert for the quick reply.

I am copying the DN from Active directory : CN=Darpan Patel,CN=Users,DC=test,DC=com and keeping
the same while configuring the Ambari LDAP setting.  i.e. Manager DN*: CN=Darpan Patel,CN=Users,DC=test,DC=com

But the error is still the same : Syncing all.ERROR: Exiting with exit code 1.
REASON: Sync event creation failed. Error details: HTTP Error 403: Bad credentials


On 17 December 2015 at 21:51, Robert Levas <rlevas@hortonworks.com>
wrote:
Darpan…

The Manager DN request is expecting a distinguished name value, not a principal name.  A distinguished
name would look something like CN=darpan,CN=Users,DC=test,DC=com, which may reference the
same account as darpan@TEST.COM (which would be the userPrincipalName)
or darpan (which would be the sAMAccountName).

Rob


From: Darpan Patel <darpanbe@gmail.com>
Reply-To: "user@ambari.apache.org" <user@ambari.apache.org>
Date: Thursday, December 17, 2015 at 4:35 PM
To: "user@ambari.apache.org" <user@ambari.apache.org>
Subject: Re: Need help in Ambari - Active Directory Integration

Many Thanks Robert.

I made the corresponding changes and set bind anonymously to false.  Thanks, the old
issue is gone now. But I am still facing a strange issue. I am giving the Manager DN = darpan@TEST.COM
and trying to sync all the users of AD, but on the console I see:

Syncing all.ERROR: Exiting with exit code 1.
REASON: Sync event creation failed. Error details: HTTP Error 403: Bad credentials

(It is kind of strange because I just issued a valid TGT using kinit darpan@TEST.COM
without any issues!!!!)

There is only one line in the logs:
17 Dec 2015 21:24:07,682  INFO [qtp-client-23] FilterBasedLdapUserSearch:89 - SearchBase not
set. Searches will be performed from the root: cn=Users,dc=test,dc=com

Regards,
DP


On 17 December 2015 at 17:55, Robert Levas <rlevas@hortonworks.com>
wrote:
However, I don’t think that these changes will help with the authentication/bind issue.
For that, when asked to bind anonymously, you should answer false and then set the Manager
DN value to the DN of a user with read access to the specified container in your Active Directory.

I hope this helps,

Rob
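A pre-flight check that applies the two points made in this thread, the "bind anonymously: false plus a Manager DN" advice above and the earlier distinction between a distinguished name, a userPrincipalName and a sAMAccountName. This is an added example, not Ambari code and not from the thread's authors. It parses the key=value lines of ambari.properties and reports configuration shapes that cannot work against Active Directory: anonymous bind, a Manager DN that is actually a UPN or a bare account name, a plain-LDAP simple bind (the manager password leaves the host unencrypted), and, as an assumption drawn from the setup-ldap prompt "Distinguished name attribute", a dnAttribute that holds a DN instead of an attribute name such as distinguishedName. The property names are the ones printed in the thread; the sample properties text is constructed from the thread's own values.

```python
"""Shape-check an Ambari LDAP configuration for Active Directory before
running sync-ldap.

Added example; not Ambari code and not from the thread's authors.
"""
import re
from typing import Dict, List

# RFC 4514 style: attr=value pairs separated by commas (values may contain spaces).
_DN_RE = re.compile(r"^\s*[A-Za-z][\w-]*=[^,]+(\s*,\s*[A-Za-z][\w-]*=[^,]+)*\s*$")
# userPrincipalName: local@REALM
_UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+$")
# A bare attribute name such as distinguishedName or sAMAccountName.
_ATTR_RE = re.compile(r"^[A-Za-z][\w-]*$")


def classify_identifier(value: str) -> str:
    """Return 'dn', 'upn' or 'samaccountname' for an account identifier."""
    if _DN_RE.match(value):
        return "dn"
    if _UPN_RE.match(value):
        return "upn"
    return "samaccountname"


def parse_properties(text: str) -> Dict[str, str]:
    """Parse key=value lines (blank lines and # comments skipped)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def lint_ldap_properties(props: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing obvious."""
    findings: List[str] = []
    anonymous = props.get("authentication.ldap.bindAnonymously", "").lower() == "true"
    manager = props.get("authentication.ldap.managerDn", "")
    if anonymous:
        findings.append("bindAnonymously=true: AD needs an authenticated bind before a container search")
    elif not manager:
        findings.append("bindAnonymously=false but managerDn is empty")
    else:
        kind = classify_identifier(manager)
        if kind != "dn":
            findings.append(f"managerDn is a {kind}, expected a distinguished name")
    # Assumption: the 'Distinguished name attribute' prompt expects an attribute name.
    dn_attr = props.get("authentication.ldap.dnAttribute", "")
    if dn_attr and not _ATTR_RE.match(dn_attr):
        findings.append("dnAttribute holds a DN; expected an attribute name such as distinguishedName")
    if props.get("authentication.ldap.useSSL", "").lower() != "true":
        findings.append("useSSL=false: the simple bind sends the manager password in clear text")
    return findings


def check_config(text: str) -> List[str]:
    return lint_ldap_properties(parse_properties(text))


# Constructed sample: the property values posted in the thread.
SAMPLE_PROPERTIES = """
api.authenticate=true
authentication.ldap.baseDn=CN=Users,DC=test,DC=com
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=CN=Users,DC=test,DC=com
authentication.ldap.managerDn=CN=Darpan Patel,CN=users,DC=test,DC=com
authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
authentication.ldap.primaryUrl=IP_OF_AD_MACHINE:389
authentication.ldap.useSSL=false
authentication.ldap.userObjectClass=person
authentication.ldap.usernameAttribute=sAMAccountName
"""

if __name__ == "__main__":
    for finding in check_config(SAMPLE_PROPERTIES):
        print("-", finding)
```

Run it against the properties file before restarting the server; the check is purely syntactic, so a DN that is well-formed but names an account without read access to the container still has to be verified with an actual bind.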


From: Darpan Patel <darpanbe@gmail.com>
Reply-To: "user@ambari.apache.org" <user@ambari.apache.org>
Date: Thursday, December 17, 2015 at 12:20 PM
To: "user@ambari.apache.org" <user@ambari.apache.org>
Subject: Re: Need help in Ambari - Active Directory Integration

Forgot to mention that logs show Naming Exception.
[LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this
operation a successful bind must be completed on the connection., data 0, v1db1]; remaining
name 'CN=Users,DC=test,DC=com'

17 Dec 2015 16:36:08,801 FATAL [pool-7-thread-1] AbstractRequestControlDirContextProcessor:186
- No matching response control found for paged results - looking for 'class javax.naming.ldap.PagedResultsResponseControl
17 Dec 2015 16:36:08,802 ERROR [pool-7-thread-1] LdapSyncEventResourceProvider:434 - Caught
exception running LDAP sync.
org.springframework.ldap.UncategorizedLdapException: Uncategorized exception occured during
LDAP processing; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 000004DC:
LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must
be completed on the connection., data 0, v1db1]; remaining name 'CN=Users,DC=test,DC=com'
        at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:217)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:319)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:259)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:606)
        at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.getFilteredLdapUsers(AmbariLdapDataPopulator.java:549)


On 17 December 2015 at 17:19, Darpan Patel <darpanbe@gmail.com>
wrote:
Hi guys,

I am trying to integrate an A/D 2012 Server with Ambari.
I suspect that some of the properties are not correct.
I have tried various permutations and combinations but have not been successful yet.  Could anyone review and
help fix it?

Active Directory domain controller name is: TEST.COM

On the console here are the values I am passing:
$ambari-server setup-ldap

Setting up LDAP properties...
Primary URL* {host:port} :IP_OF_AD_SERVER:389
Use SSL* [true/false] : false
User object class* :person
User name attribute* :sAMAccountName
Group object class* :User
Group name attribute* : User
Group member attribute* :member
Distinguished name attribute* :CN=Users,DC=test,DC=com
Base DN* :CN=Users,DC=test,DC=com
Referral method [follow/ignore] :ignore
Bind anonymously* [true/false] :true

====================
Review Settings
====================
Save settings [y/n] (y)?y
Saving...done
Ambari Server 'setup-ldap' completed successfully.


Regards,
DP



