ambari-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Darpan Patel <darpa...@gmail.com>
Subject Re: Need help in Ambari - Active Directory Integration
Date Fri, 18 Dec 2015 12:12:38 GMT
I thought that password could be wrong for the AD user but with the same ad
user I am able to issue a TGT.
i.e. for the user in ambari properties :
authentication.ldap.managerDn=CN=Darpan Patel,CN=users,DC=test,DC=com
I am able go get a ticket : kinit darpan@TEST.COM.
I am not sure what setting is not correct !!!

About Ambari version : 2.1.2

Thanks,
DP

On 18 December 2015 at 11:31, Robert Levas <rlevas@hortonworks.com> wrote:

> Hey Darpan….
>
> The error "LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9,
> comment: AcceptSecurityContext error, data 52e, v1db1” Indicates that the
> password you are entering for the account is incorrect.  See
> http://www-01.ibm.com/support/docview.wss?uid=swg21290631 – under “Common
> Active Directory LDAP bind errors” it reads:
>
> 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error,
> data 52e, v893
> HEX: 0x52e - invalid credentials
> DEC: 1326 - ERROR_LOGON_FAILURE (Logon failure: unknown user name or bad
> password.)
> NOTE: Returns when username is valid but password/credential is invalid.
> Will prevent most other errors from being displayed as noted.
>
> As for your issue with no longer being allow to log in using local user
> accounts,  what version of Ambari are you using?
>
> Rob
>
>
>
> From: Darpan Patel <darpanbe@gmail.com>
> Reply-To: "user@ambari.apache.org" <user@ambari.apache.org>
> Date: Friday, December 18, 2015 at 5:39 AM
>
> To: "user@ambari.apache.org" <user@ambari.apache.org>
> Subject: Re: Need help in Ambari - Active Directory Integration
>
> Hi Folks,
>
> While trying to setup A/D for Ambari, I am not able to login to Ambari
> console also using default admin/admin. Neither able to synch fully.
>
> My Active Directory domain is : TEST.COM and one of the valid users in
> that is Darpan Patel (principal : darpan@TEST.COM). Here are the list of
> properties from /etc/ambari-server/conf/ambari.properties
>
> With the following properties still I am not able to synch the users.
>
> api.authenticate=true
> authentication.ldap.baseDn=CN=Users,DC=test,DC=com
> authentication.ldap.bindAnonymously=false
> authentication.ldap.dnAttribute=CN=Users,DC=test,DC=com
> authentication.ldap.groupMembershipAttr=uid
> authentication.ldap.groupNamingAttr=cn
> authentication.ldap.groupObjectClass=group
> authentication.ldap.managerDn=CN=Darpan Patel,CN=users,DC=test,DC=com
>
> authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
> authentication.ldap.primaryUrl=IP_OF_AD_MACHINE:389
> authentication.ldap.referral=ignore
> authentication.ldap.secondaryUrl=IP_OF_AD_MACHINE:389
> authentication.ldap.useSSL=false
> authentication.ldap.userObjectClass=person
> authentication.ldap.usernameAttribute=sAMAccountName
>
> Here is the list of sequence what I am trying to do :
>
> 1) $ ambari-server setup-ldap
> 2) Enter the above properties
> 3) Restart the ambari server
> 4) $ambari-server sync-ldap --all
> 5) Enter admin id/password (i.e. default Ambari Admin userid :
> admin/admin) also tried with darpan, darpan@TEST.COM
> 6) In all the cases I see :
> Syncing all.ERROR: Exiting with exit code 1.
> *REASON: Sync event creation failed. Error details: HTTP Error 403: [LDAP:
> error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment:
> AcceptSecurityContext error, data 52e, v1db1]; nested exception is
> javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308:
> LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e,
> v1db1]*
> 7) Log shows :
>
> 18 Dec 2015 10:27:34,899  WARN [qtp-client-26]
> AmbariLdapAuthenticationProvider:71 - Looks like LDAP manager credentials
> (that are used for connecting to LDAP server) are invalid.
> org.springframework.security.authentication.InternalAuthenticationServiceException:
> [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment:
> AcceptSecurityContext error, data 52e, v1db1]; nested exception is
> javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308:
> LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e,
> v1db1]
>
> --------------
> Interesting thing is :* I am no longer to login to Ambari using
> admin/admin user*. On the ambari portal : when I use admin/admin it says
> invalid credentials.  So I tried resetting the password to default by
> changing in the ambari.users db (update ambari.users set
> user_password='538916f8943ec225d97a9a86a2c6ec0818c1cd400e09e03b660fdaaec4af29ddbb6f2b1033b81b00'
> where user_name='admin')
>
> To my curiosity when I see the ambari.users table few of the A/D users are
> present in the table. for example :
>
>
> ambari=> select * from ambari.users;
>  user_id | principal_id | ldap_user |   user_name   |        create_time
>         | active |
>
>  --------+--------------+-----------+---------------+----------------------------+------
>       12 |            4 |         1 | pratlu        | 2015-12-17
> 17:49:05.699    |1 |
>        3 |            6 |         1 | darpan        | 2015-12-17
> 17:49:05.699    |1 |
>       13 |            3 |         1 | administrator | 2015-12-17
> 17:49:05.699    |1 |
>        4 |            5 |         1 | test          | 2015-12-17
> 17:49:05.699    |1 |
>       14 |           11 |         1 | sanjay.sharma | 2015-12-17
> 17:49:05.699    |1 |
>        8 |            7 |         1 | guest         | 2015-12-17
> 17:49:05.699    |1 |
>       10 |           14 |         1 | hadoop.com$   | 2015-12-17
> 17:49:05.699    |1 |
>        9 |           10 |         1 | devuser       | 2015-12-17
> 17:49:05.699    |1 |
>       11 |           12 |         1 | dgotl         | 2015-12-17
> 17:49:05.699    |1 |
>        7 |            9 |         1 | krbtgt        | 2015-12-17
> 17:49:05.699    |1 |
>        1 |            1 |         1 | admin         | 2015-11-09
> 23:47:08.368558 |1 |
>
> I also tried logging in to ambari web console using darpan,
> darpan@TEST.COM, admin/admin but it does not work!!
>
> Did any one face similar issue ? Or can anyone suggest work around?
>
> Regards,
> Arpan
>
> On 17 December 2015 at 23:25, Darpan Patel <darpanbe@gmail.com> wrote:
>
>> Thanks Robert for the quick reply.
>>
>> I am copying the DN from Active directory : CN=Darpan
>> Patel,CN=Users,DC=test,DC=com and keeping the same while configuring the
>> Ambari LDAP setting.  i.e. Manager DN*: CN=Darpan
>> Patel,CN=Users,DC=test,DC=com
>>
>> But the error is still the same : Syncing all.ERROR: Exiting with exit
>> code 1.
>> REASON: Sync event creation failed. Error details: HTTP Error 403: Bad
>> credentials
>>
>>
>> On 17 December 2015 at 21:51, Robert Levas <rlevas@hortonworks.com>
>> wrote:
>>
>>> Darpan…
>>>
>>> The Manger DN request is expecting a distinguished name value, not a
>>> principal name.  A distinguished name would look something like
>>> *CN=darpan,CN=Users,DC=test,DC=com*, which may reference the same
>>> account as darpan@TEST.COM (which would be the userPrincipalName) or
>>> darpan (which would be be sAMAccountName).
>>>
>>> Rob
>>>
>>>
>>> From: Darpan Patel <darpanbe@gmail.com>
>>> Reply-To: "user@ambari.apache.org" <user@ambari.apache.org>
>>> Date: Thursday, December 17, 2015 at 4:35 PM
>>>
>>> To: "user@ambari.apache.org" <user@ambari.apache.org>
>>> Subject: Re: Need help in Ambari - Active Directory Integration
>>>
>>> Many Thanks Robert.
>>>
>>> I made the corresponding changes and specifying bind anonymously to
>>> false.  Thanks the old issue is gone now. But still I am facing strange
>>> issue. I am giving the Manager DN = darpan@TEST.COM and trying to synch
>>> all the users of AD but on the console I see :
>>>
>>> *Syncing all.ERROR: Exiting with exit code 1.*
>>> *REASON: Sync event creation failed. Error details: HTTP Error 403: Bad
>>> credentials*
>>>
>>> *(It is kind of strange because I just issued the valid TGT using kinit
>>> darpan@TEST.COM <darpan@TEST.COM> without any issues!!!!)*
>>>
>>> There is only one line the logs:
>>> 17 Dec 2015 21:24:07,682  INFO [qtp-client-23]
>>> FilterBasedLdapUserSearch:89 - SearchBase not set. Searches will be
>>> performed from the root: cn=Users,dc=test,dc=com
>>>
>>> Regards,
>>> DP
>>>
>>>
>>> On 17 December 2015 at 17:55, Robert Levas <rlevas@hortonworks.com>
>>> wrote:
>>>
>>>> However, I don’t think that these changes will help with the
>>>> authentication/bind issue.  For that, when asked to bind anonymously, you
>>>> should answer *false* and then set the Manager DN value to the DN of a
>>>> user with read access to the specified container in your Active Directory.
>>>>
>>>> I hope this helps,
>>>>
>>>> Rob
>>>>
>>>>
>>>> From: Darpan Patel <darpanbe@gmail.com>
>>>> Reply-To: "user@ambari.apache.org" <user@ambari.apache.org>
>>>> Date: Thursday, December 17, 2015 at 12:20 PM
>>>> To: "user@ambari.apache.org" <user@ambari.apache.org>
>>>> Subject: Re: Need help in Ambari - Active Directory Integration
>>>>
>>>> Forgot to mention that logs show Naming Exception.
>>>> [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In
>>>> order to perform this operation a successful bind must be completed on the
>>>> connection., data 0, v1db1]; remaining name 'CN=Users,DC=test,DC=com'
>>>>
>>>> 17 Dec 2015 16:36:08,801 FATAL [pool-7-thread-1]
>>>> AbstractRequestControlDirContextProcessor:186 - No matching response
>>>> control found for paged results - looking for 'class
>>>> javax.naming.ldap.PagedResultsResponseControl
>>>> 17 Dec 2015 16:36:08,802 ERROR [pool-7-thread-1]
>>>> LdapSyncEventResourceProvider:434 - Caught exception running LDAP sync.
>>>> *org.springframework.ldap.UncategorizedLdapException: Uncategorized
>>>> exception occured during LDAP processing; nested exception is
>>>> javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr:
>>>> DSID-0C0906E8, comment: In order to perform this operation a successful
>>>> bind must be completed on the connection., data 0, v1db1]; remaining name
>>>> 'CN=Users,DC=test,DC=com'*
>>>>         at
>>>> org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:217)
>>>>         at
>>>> org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:319)
>>>>         at
>>>> org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:259)
>>>>         at
>>>> org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:606)
>>>>         at
>>>> org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.getFilteredLdapUsers(AmbariLdapDataPopulator.java:549)
>>>>
>>>>
>>>> On 17 December 2015 at 17:19, Darpan Patel <darpanbe@gmail.com> wrote:
>>>>
>>>>> Hi guys,
>>>>>
>>>>> I am trying to integrate A/D 2012 Server with Ambari.
>>>>> I have doubt that some of the properties are not correct.
>>>>> I am tried various permutation combinations but not successful yet.
>>>>> Could anyone review and help fixing it ?
>>>>>
>>>>> *Active directory domain controller* name is : TEST.COM
>>>>>
>>>>> On the console here are the values I am passing:
>>>>> *$ambari-server setup-ldap*
>>>>>
>>>>> Setting up LDAP properties...
>>>>> *Primary URL* {host:port}* :IP_OF_AD_SERVER:389
>>>>> *Use SSL* [true/false] *: false
>>>>> *User object class** :person
>>>>> *User name attribute** :sAMAccountName
>>>>> *Group object class* :*User
>>>>> *Group name attribute* : *User
>>>>> *Group member attribute* :*member
>>>>> *Distinguished name attribute* :*CN=Users,DC=test,DC=com
>>>>> *Base DN* :*CN=Users,DC=test,DC=com
>>>>> *Referral method [follow/ignore] :*ignore
>>>>> *Bind anonymously* [*true/false] :true
>>>>>
>>>>> ====================
>>>>> Review Settings
>>>>> ====================
>>>>> Save settings [y/n] (y)?y
>>>>> Saving...done
>>>>> Ambari Server 'setup-ldap' completed successfully.
>>>>>
>>>>>
>>>>> Regards,
>>>>> DP
>>>>>
>>>>
>>>>
>>>
>>
>

Mime
View raw message