ambari-user mailing list archives

From Darpan Patel <darpa...@gmail.com>
Subject Re: Need help in Ambari - Active Directory Integration
Date Fri, 18 Dec 2015 10:39:19 GMT
Hi Folks,

While trying to set up A/D for Ambari, I am also not able to log in to the Ambari
console using the default admin/admin, nor am I able to sync fully.

My Active Directory domain is TEST.COM and one of the valid users in it
is Darpan Patel (principal: darpan@TEST.COM). Here is the list of
properties from /etc/ambari-server/conf/ambari.properties.

With the following properties I am still not able to sync the users.

api.authenticate=true
authentication.ldap.baseDn=CN=Users,DC=test,DC=com
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=CN=Users,DC=test,DC=com
authentication.ldap.groupMembershipAttr=uid
authentication.ldap.groupNamingAttr=cn
authentication.ldap.groupObjectClass=group
authentication.ldap.managerDn=CN=Darpan Patel,CN=users,DC=test,DC=com
authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
authentication.ldap.primaryUrl=IP_OF_AD_MACHINE:389
authentication.ldap.referral=ignore
authentication.ldap.secondaryUrl=IP_OF_AD_MACHINE:389
authentication.ldap.useSSL=false
authentication.ldap.userObjectClass=person
authentication.ldap.usernameAttribute=sAMAccountName

Here is the sequence of what I am trying to do:

1) $ ambari-server setup-ldap
2) Enter the above properties
3) Restart the ambari server
4) $ambari-server sync-ldap --all
5) Enter admin id/password (i.e. default Ambari Admin userid : admin/admin)
also tried with darpan, darpan@TEST.COM
6) In all the cases I see :
Syncing all.ERROR: Exiting with exit code 1.
REASON: Sync event creation failed. Error details: HTTP Error 403: [LDAP:
error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment:
AcceptSecurityContext error, data 52e, v1db1]; nested exception is
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308:
LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e,
v1db1]
7) Log shows :

18 Dec 2015 10:27:34,899  WARN [qtp-client-26]
AmbariLdapAuthenticationProvider:71 - Looks like LDAP manager credentials
(that are used for connecting to LDAP server) are invalid.
org.springframework.security.authentication.InternalAuthenticationServiceException:
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment:
AcceptSecurityContext error, data 52e, v1db1]; nested exception is
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308:
LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e,
v1db1]

--------------
Interesting thing is: I am no longer able to log in to Ambari using the admin/admin
user. On the Ambari portal, when I use admin/admin it says invalid
credentials. So I tried resetting the password to the default by changing it in
the ambari.users db (update ambari.users set
user_password='538916f8943ec225d97a9a86a2c6ec0818c1cd400e09e03b660fdaaec4af29ddbb6f2b1033b81b00'
where user_name='admin')

Curiously, when I look at the ambari.users table, a few of the A/D users are
present in the table. For example:


ambari=> select * from ambari.users;
 user_id | principal_id | ldap_user |   user_name   |        create_time         | active
---------+--------------+-----------+---------------+----------------------------+--------
      12 |            4 |         1 | pratlu        | 2015-12-17 17:49:05.699    |      1
       3 |            6 |         1 | darpan        | 2015-12-17 17:49:05.699    |      1
      13 |            3 |         1 | administrator | 2015-12-17 17:49:05.699    |      1
       4 |            5 |         1 | test          | 2015-12-17 17:49:05.699    |      1
      14 |           11 |         1 | sanjay.sharma | 2015-12-17 17:49:05.699    |      1
       8 |            7 |         1 | guest         | 2015-12-17 17:49:05.699    |      1
      10 |           14 |         1 | hadoop.com$   | 2015-12-17 17:49:05.699    |      1
       9 |           10 |         1 | devuser       | 2015-12-17 17:49:05.699    |      1
      11 |           12 |         1 | dgotl         | 2015-12-17 17:49:05.699    |      1
       7 |            9 |         1 | krbtgt        | 2015-12-17 17:49:05.699    |      1
       1 |            1 |         1 | admin         | 2015-11-09 23:47:08.368558 |      1

I also tried logging in to the Ambari web console using darpan, darpan@TEST.COM
and admin/admin, but it does not work!

Did anyone face a similar issue? Or can anyone suggest a workaround?

Regards,
Arpan

On 17 December 2015 at 23:25, Darpan Patel <darpanbe@gmail.com> wrote:

> Thanks Robert for the quick reply.
>
> I am copying the DN from Active Directory: CN=Darpan
> Patel,CN=Users,DC=test,DC=com and keeping the same while configuring the
> Ambari LDAP setting, i.e. Manager DN: CN=Darpan
> Patel,CN=Users,DC=test,DC=com
>
> But the error is still the same : Syncing all.ERROR: Exiting with exit
> code 1.
> REASON: Sync event creation failed. Error details: HTTP Error 403: Bad
> credentials
>
>
> On 17 December 2015 at 21:51, Robert Levas <rlevas@hortonworks.com> wrote:
>
>> Darpan…
>>
>> The Manager DN request is expecting a distinguished name value, not a
>> principal name.  A distinguished name would look something like
>> CN=darpan,CN=Users,DC=test,DC=com, which may reference the same
>> account as darpan@TEST.COM (which would be the userPrincipalName) or
>> darpan (which would be the sAMAccountName).
>>
>> Rob
>>
>>
>> From: Darpan Patel <darpanbe@gmail.com>
>> Reply-To: "user@ambari.apache.org" <user@ambari.apache.org>
>> Date: Thursday, December 17, 2015 at 4:35 PM
>>
>> To: "user@ambari.apache.org" <user@ambari.apache.org>
>> Subject: Re: Need help in Ambari - Active Directory Integration
>>
>> Many Thanks Robert.
>>
>> I made the corresponding changes and specified bind anonymously as
>> false.  Thanks, the old issue is gone now. But I am still facing a strange
>> issue. I am giving the Manager DN = darpan@TEST.COM and trying to sync
>> all the users of AD, but on the console I see:
>>
>> Syncing all.ERROR: Exiting with exit code 1.
>> REASON: Sync event creation failed. Error details: HTTP Error 403: Bad
>> credentials
>>
>> (It is kind of strange because I just issued the valid TGT using kinit
>> darpan@TEST.COM without any issues!!!!)
>>
>> There is only one line in the logs:
>> 17 Dec 2015 21:24:07,682  INFO [qtp-client-23]
>> FilterBasedLdapUserSearch:89 - SearchBase not set. Searches will be
>> performed from the root: cn=Users,dc=test,dc=com
>>
>> Regards,
>> DP
>>
>>
>> On 17 December 2015 at 17:55, Robert Levas <rlevas@hortonworks.com>
>> wrote:
>>
>>> However, I don’t think that these changes will help with the
>>> authentication/bind issue.  For that, when asked to bind anonymously, you
>>> should answer *false* and then set the Manager DN value to the DN of a
>>> user with read access to the specified container in your Active Directory.
>>>
>>> I hope this helps,
>>>
>>> Rob
>>>
>>>
>>> From: Darpan Patel <darpanbe@gmail.com>
>>> Reply-To: "user@ambari.apache.org" <user@ambari.apache.org>
>>> Date: Thursday, December 17, 2015 at 12:20 PM
>>> To: "user@ambari.apache.org" <user@ambari.apache.org>
>>> Subject: Re: Need help in Ambari - Active Directory Integration
>>>
>>> Forgot to mention that logs show Naming Exception.
>>> [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In
>>> order to perform this operation a successful bind must be completed on the
>>> connection., data 0, v1db1]; remaining name 'CN=Users,DC=test,DC=com'
>>>
>>> 17 Dec 2015 16:36:08,801 FATAL [pool-7-thread-1]
>>> AbstractRequestControlDirContextProcessor:186 - No matching response
>>> control found for paged results - looking for 'class
>>> javax.naming.ldap.PagedResultsResponseControl
>>> 17 Dec 2015 16:36:08,802 ERROR [pool-7-thread-1]
>>> LdapSyncEventResourceProvider:434 - Caught exception running LDAP sync.
>>> org.springframework.ldap.UncategorizedLdapException: Uncategorized
>>> exception occured during LDAP processing; nested exception is
>>> javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr:
>>> DSID-0C0906E8, comment: In order to perform this operation a successful
>>> bind must be completed on the connection., data 0, v1db1]; remaining name
>>> 'CN=Users,DC=test,DC=com'
>>>         at
>>> org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:217)
>>>         at
>>> org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:319)
>>>         at
>>> org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:259)
>>>         at
>>> org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:606)
>>>         at
>>> org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.getFilteredLdapUsers(AmbariLdapDataPopulator.java:549)
>>>
>>>
>>> On 17 December 2015 at 17:19, Darpan Patel <darpanbe@gmail.com> wrote:
>>>
>>>> Hi guys,
>>>>
>>>> I am trying to integrate an A/D 2012 Server with Ambari.
>>>> I have a doubt that some of the properties are not correct.
>>>> I have tried various permutations and combinations but have not been successful yet.
>>>> Could anyone review and help fix it?
>>>>
>>>> Active directory domain controller name is: TEST.COM
>>>>
>>>> On the console here are the values I am passing:
>>>> $ ambari-server setup-ldap
>>>>
>>>> Setting up LDAP properties...
>>>> Primary URL {host:port} : IP_OF_AD_SERVER:389
>>>> Use SSL [true/false] : false
>>>> User object class : person
>>>> User name attribute : sAMAccountName
>>>> Group object class : User
>>>> Group name attribute : User
>>>> Group member attribute : member
>>>> Distinguished name attribute : CN=Users,DC=test,DC=com
>>>> Base DN : CN=Users,DC=test,DC=com
>>>> Referral method [follow/ignore] : ignore
>>>> Bind anonymously [true/false] : true
>>>>
>>>> ====================
>>>> Review Settings
>>>> ====================
>>>> Save settings [y/n] (y)?y
>>>> Saving...done
>>>> Ambari Server 'setup-ldap' completed successfully.
>>>>
>>>>
>>>> Regards,
>>>> DP
>>>>
>>>
>>>
>>
>
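
The thread turns on two things the log lines already tell you: an LDAP result 49 with AD sub-code 52e (the bind DN exists but the password was rejected) and, earlier, error 1 / 000004DC (a search attempted on a connection that never bound, because bind anonymously was true). The script below is an added example and not Ambari code: it decodes those AD diagnostics from a log line and lints the authentication.ldap.* properties for the confusions the thread shows (a principal name where a DN is required, a DN where an attribute name is required, plain-text 389 with useSSL=false). The log line and properties it embeds are constructed copies of the ones quoted above, with the IP placeholder kept, so it runs offline.

```python
"""Triage helpers for Ambari LDAP / Active Directory bind failures.
Added example, not Ambari project code; sample data is constructed from the thread."""
import re

# Sub-codes Active Directory places in the "data NNN" field of LDAP result 49
# (invalidCredentials). Only 52e is a wrong password; the rest are account-state
# problems that retrying the password will not fix.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (bind DN resolved, password rejected)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Shape of the diagnostic string AD returns and Spring LDAP passes through.
LDAP_ERR_RE = re.compile(
    r"\[LDAP: error code (?P<code>\d+) - (?P<hex>[0-9A-Fa-f]{8}): LdapErr: "
    r"DSID-[0-9A-Fa-f]+, comment: (?P<comment>.*?), data (?P<data>[0-9a-fA-F]+), "
    r"v[0-9a-f]+\]"
)


def classify_ldap_error(message):
    """Decode the first AD LDAP diagnostic in `message`; None if there is none."""
    m = LDAP_ERR_RE.search(message)
    if not m:
        return None
    code, data = int(m.group("code")), m.group("data").lower()
    if code == 49:
        category = "bind_failed"
        meaning = AD_BIND_SUBCODES.get(data, "unknown AcceptSecurityContext sub-code")
    elif code == 1 and m.group("hex").upper() == "000004DC":
        # A search ran on a connection that never bound: the anonymous-bind case.
        category = "unbound_search"
        meaning = "operation requires a successful bind first"
    else:
        category, meaning = "other", m.group("comment")
    return {"code": code, "data": data, "category": category, "meaning": meaning}


# Properties that hold an LDAP attribute *name* (sAMAccountName, member, ...).
ATTRIBUTE_NAME_PROPS = (
    "authentication.ldap.dnAttribute",
    "authentication.ldap.usernameAttribute",
    "authentication.ldap.groupMembershipAttr",
    "authentication.ldap.groupNamingAttr",
)
# Properties that hold a distinguished name.
DN_PROPS = ("authentication.ldap.baseDn", "authentication.ldap.managerDn")

ATTR_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")
DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+(,[A-Za-z][A-Za-z0-9-]*=[^,=]+)*$")


def parse_properties(text):
    """Minimal key=value parser for ambari.properties-style text."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def lint_ldap_properties(props):
    """Return (property, problem) pairs for the misconfigurations seen in the thread."""
    findings = []
    for key in ATTRIBUTE_NAME_PROPS:
        value = props.get(key)
        if value is not None and not ATTR_NAME_RE.match(value):
            findings.append((key, "expected an attribute name, got a DN or other value"))
    for key in DN_PROPS:
        value = props.get(key)
        if value is None:
            continue
        if "@" in value and "=" not in value:
            findings.append((key, "looks like a principal (user@REALM); a DN is required"))
        elif not DN_RE.match(value):
            findings.append((key, "not a well-formed DN"))
    if props.get("authentication.ldap.bindAnonymously", "").lower() == "true":
        findings.append(("authentication.ldap.bindAnonymously",
                         "AD rejects searches on an unbound connection (000004DC)"))
    if props.get("authentication.ldap.useSSL", "").lower() == "false":
        findings.append(("authentication.ldap.useSSL",
                         "manager and user passwords cross the network in clear text"))
    return findings


# Constructed from the log line and properties quoted in the thread (placeholder IP kept).
SAMPLE_LOG = ("AmbariLdapAuthenticationProvider:71 - Looks like LDAP manager credentials are "
              "invalid. [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: "
              "AcceptSecurityContext error, data 52e, v1db1]")
SAMPLE_PROPERTIES = """
authentication.ldap.baseDn=CN=Users,DC=test,DC=com
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=CN=Users,DC=test,DC=com
authentication.ldap.managerDn=CN=Darpan Patel,CN=users,DC=test,DC=com
authentication.ldap.primaryUrl=IP_OF_AD_MACHINE:389
authentication.ldap.useSSL=false
authentication.ldap.usernameAttribute=sAMAccountName
"""

if __name__ == "__main__":
    print(classify_ldap_error(SAMPLE_LOG))
    for key, problem in lint_ldap_properties(parse_properties(SAMPLE_PROPERTIES)):
        print("%s: %s" % (key, problem))
```

On the thread's own properties the linter flags dnAttribute (it holds a container DN rather than an attribute name) and useSSL=false; the manager DN itself passes, which matches the log: AD resolved the bind DN and rejected the password (52e), so the next thing to check is the password file the managerPassword property points at, not the DN.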
