Problems with Enable Kerberos using the wizard

MaraWang — Thu, 20 Jun 2024 20:49:30 GMT

When the wizard generates credentials, it reports Insufficient access (50) ldap error, like this:

/opt/cloudera/cm/bin/gen_credentials_ad.sh failed with exit code 50 and output of <<
+ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin
+ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf3782202571582054951.keytab
+ PRINC=HTTP/cradle3302t.priv.cwru.edu@ADS.CASE.EDU
+ USER=PruWGPfsVZ
+ PASSWD=REDACTED
+ DELETE_ON_REGENERATE=true
+ SET_ENCRYPTION_TYPES=false
+ ENC_TYPES_MASK=4
+ USERACCOUNTCONTROL=66048
+ ACCOUNTEXPIRES=0
+ OBJECTCLASSES='objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
'
+ EXTRA_ATTRIBUTES=
+ DIST_NAME='CN=PruWGPfsVZ,OU=cradle33,OU=Hadoop,OU=Research Computing,OU=Information Technology Services,OU=Delegated Departments,DC=ads,DC=case,DC=edu'
+ [[ -z ADS.CASE.EDU ]]
+ echo 'CMF_REALM is: ADS.CASE.EDU'
+ '[' -z /var/run/cloudera-scm-server/krb5125639301910663789.conf ']'
+ echo 'Using custom config path '\''/var/run/cloudera-scm-server/krb5125639301910663789.conf'\'', contents below:'
+ cat /var/run/cloudera-scm-server/krb5125639301910663789.conf
++ mktemp /tmp/cm_ldap.XXXXXXXX
+ LDAP_CONF=/tmp/cm_ldap.jOaAAbDw
+ echo 'TLS_REQCERT never'
+ echo 'sasl_secprops minssf=0,maxssf=0'
+ SIMPLE_PWD_STR=
+ LDAP_URL=
+ '[' REDACTED = '' ']'
+ SIMPLE_PWD_STR='-x -D rcci-hadoop-sa@ADS.CASE.EDU -w REDACTED'
+ LDAP_URL=ldaps://ads.case.edu:636
+ export LDAPCONF=/tmp/cm_ldap.jOaAAbDw
+ LDAPCONF=/tmp/cm_ldap.jOaAAbDw
++ ldapsearch -LLL -H ldaps://ads.case.edu:636 -b 'OU=cradle33,OU=Hadoop,OU=Research Computing,OU=Information Technology Services,OU=Delegated Departments,DC=ads,DC=case,DC=edu' -x -D rcci-hadoop-sa@ADS.CASE.EDU -w REDACTED userPrincipalName=HTTP/cradle3302t.priv.cwru.edu@ADS.CASE.EDU
+ PRINC_SEARCH=
++ echo ''
++ sed -n '1 {h; $ !d}; $ {x; s/\n //g; p}; /^ / {H; d}; /^ /! {x; s/\n //g; p}'
+ RESULTS_UNWRAPPED=
+ echo “”
+ set +e
+ echo
+ grep -q userPrincipalName
+ '[' 1 -eq 0 ']'
+ set -e
+ '[' false = true ']'
+ ldapmodify -H ldaps://ads.case.edu:636 -x -D rcci-hadoop-sa@ADS.CASE.EDU -w REDACTED
++ echo 'objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
'
++ sed /str/d
++ echo HTTP/cradle3302t.priv.cwru.edu@ADS.CASE.EDU
++ sed -e 's/\@ADS.CASE.EDU//g'
++ echo -n '"REDACTED"'
++ iconv -f UTF8 -t UTF16LE
++ base64 -w 0
++ echo ''
ldap_add: Insufficient access (50)
additional info: 00000005: SecErr: DSID-03152E13, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

I know the service account has full access for sure.

Is anyone know the reason why it is failed in this way?

Re: Problems with Enable Kerberos using the wizard

vamsi_redd — Fri, 21 Jun 2024 05:47:36 GMT

Hi @MaraWang

please work with AD team to enusre the bind user have required rights (add, delete and modify) in order to do required actions in AD using the user. And you can refer the KB article below to have additional permission for all machine accounts ("objectclass=computer") associated with the cluster hosts. KB article : https://my.cloudera.com/knowledge/Cloudera-Customer-Advisory-590-Microsoft-AD-November-2021?id=350255

Re: Problems with Enable Kerberos using the wizard

VidyaSargur — Wed, 26 Jun 2024 05:35:07 GMT

@MaraWang, Did the response assist in resolving your query? If it did, kindly mark the relevant reply as the solution, as it will aid others in locating the answer more easily in the future.

question Problems with Enable Kerberos using the wizard in Support Questions

Problems with Enable Kerberos using the wizard

Re: Problems with Enable Kerberos using the wizard

Re: Problems with Enable Kerberos using the wizard