question Re: Enable Kerberos wizard created AD SamAccountName as $K5V500-1ET1B4KFE6C4, how to change to regular username in Support Questions

Enable Kerberos wizard created AD SamAccountName as $K5V500-1ET1B4KFE6C4, how to change to regular username

skonduru — Fri, 16 Sep 2022 09:45:13 GMT

How to change SamAccountName : $K5V500-1ET1B4KFE6C4 to username storm-poc.

Ambari 2.1.2 enable kerberos wizard created AD account SamAccountName : $K5V500-1ET1B4KFE6C4.

Get-ADUser -Identity '$K5V500-1ET1B4KFE6C4' -Properties *
AccountExpirationDate  :
accountExpires  : 0
AccountLockoutTime  :
AccountNotDelegated  : False
AllowReversiblePasswordEncryption  : False
BadLogonCount  : 0
badPasswordTime  : 0
badPwdCount  : 0
CannotChangePassword  : False
CanonicalName  : ldap.customer.com/HDP/Domain Accounts/Service Accounts/storm-poc
Certificates  : {}
City  :
CN  : storm-poc
codePage  : 0
Company  :
Country  :
countryCode  : 0
Created  : 10/16/2015 12:54:07 PM
createTimeStamp  : 10/16/2015 12:54:07 PM
Deleted  :
Department  :
Description  :
DisplayName  :
DistinguishedName  : CN=storm-poc,OU=Service Accounts,OU=Domain Accounts,OU=HDP,DC=poc,DC=customer,DC=com
Division  :
DoesNotRequirePreAuth  : False
dSCorePropagationData  : {12/31/1600 7:00:00 PM}
EmailAddress  :
EmployeeID  :
EmployeeNumber  :
Enabled  : True
Fax  :
GivenName  :
HomeDirectory  :
HomedirRequired  : False
HomeDrive  :
HomePage  :
HomePhone  :
Initials  :
instanceType  : 4
isDeleted  :
LastBadPasswordAttempt  :
LastKnownParent  :
lastLogoff  : 0
lastLogon  : 130898381140333887
LastLogonDate  : 10/16/2015 12:54:07 PM
lastLogonTimestamp  : 130894880477406005
LockedOut  : False
logonCount  : 60159
LogonWorkstations  :
Manager  :
MemberOf  : {}
MNSLogonAccount  : False
MobilePhone  :
Modified  : 10/16/2015 12:54:07 PM
modifyTimeStamp  : 10/16/2015 12:54:07 PM
msDS-User-Account-Control-Computed : 0
Name  : storm-poc
nTSecurityDescriptor  : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory  : CN=Person,CN=Schema,CN=Configuration,DC=poc,DC=customer,DC=com
ObjectClass  : user
ObjectGUID  : 6d7826eb-4729-4074-8e4a-3705c9adcd40
objectSid  : S-1-5-21-568884682-143551100-1954249272-195764
Office  :
OfficePhone  :
Organization  :
OtherName  :
PasswordExpired  : False
PasswordLastSet  : 10/16/2015 12:54:07 PM
PasswordNeverExpires  : True
PasswordNotRequired  : False
POBox  :
PostalCode  :
PrimaryGroup  : CN=Domain Users,CN=Users,DC=poc,DC=customer,DC=com
primaryGroupID  : 513
ProfilePath  :
ProtectedFromAccidentalDeletion  : False
pwdLastSet  : 130894880476781969
SamAccountName  : $K5V500-1ET1B4KFE6C4
sAMAccountType  : 805306368
ScriptPath  :
sDRightsEffective  : 15
ServicePrincipalNames  : {}
SID  : S-1-5-21-568884682-143551100-1954249272-195764
SIDHistory  : {}
SmartcardLogonRequired  : False
State  :
StreetAddress  :
Surname  :
Title  :
TrustedForDelegation  : False
TrustedToAuthForDelegation  : False
UseDESKeyOnly  : False
userAccountControl  : 66048
userCertificate  : {}
UserPrincipalName  : storm-poc@ldap.customer.com
uSNChanged  : 9889735
uSNCreated  : 9889732
whenChanged  : 10/16/2015 12:54:07 PM
whenCreated  : 10/16/2015 12:54:07 PM

Re: Enable Kerberos wizard created AD SamAccountName as $K5V500-1ET1B4KFE6C4, how to change to regular username

rlevas — Fri, 23 Oct 2015 23:27:43 GMT

Once the account has been created, you can use the "Active Directory Users and Computers" applet on the Windows Server, find the account, open up the properties, and perform one of the following:

Option A:

Click on the "Account" tab
Edit the 2nd box of the "Windows login name (pre-Windows 2000)" field
Click the "Apply" button

Option B:

Click on the "Attribute Editor" tab (shown if "Advanced Features" is turned on)
Look for "sAMAccountName" in the listbox
Double click on the "sAMAccountName" item - a small dialog box will pop up
Edit the name in the textbox
Click the "OK" button (closed the dialog box)
Click the "Apply" button

If you haven't enabled Kerberos yet, you can edit the Active Directory "Account Attribute Template" value under the "Advanced kerberos-env" section on the "Configure Kerberos" page of the "Enable Kerberos Wizard" and add something like:

"sAMAccountName": "$principal_name"

However this field is limited to 20 characters so you will need to do some additional stuff to limit the value and hope that it is unique. For example:

#set( $sAMAccountName = "${principal_primary}-${principal_digest}" )
{
 "objectClass": ["top","person","organizationalPerson","user"],
 "cn": "$principal_name",
 "sAMAccountName": "$sAMAccountName.substring(0,20)",
 #if( $is_service )
 "servicePrincipalName": "$principal_name",
 #end
 "userPrincipalName": "$normalized_principal",
 "unicodePwd": "$password",
 "accountExpires": "0",
 "userAccountControl": "66048"
}

Re: Enable Kerberos wizard created AD SamAccountName as $K5V500-1ET1B4KFE6C4, how to change to regular username

skonduru — Fri, 30 Oct 2015 08:32:59 GMT

thank you for the details, next week I will test in new cluster build.

Re: Enable Kerberos wizard created AD SamAccountName as $K5V500-1ET1B4KFE6C4, how to change to regular username

aervits — Wed, 03 Feb 2016 01:30:19 GMT

@skonduru has this been resolved? Can you accept the best answer or provide your own solution?

Re: Enable Kerberos wizard created AD SamAccountName as $K5V500-1ET1B4KFE6C4, how to change to regular username

daleb — Mon, 18 Jul 2016 16:09:44 GMT

How did this go for you @skonduru ? Did you have to do the additional stuff to limit the value?

Re: Enable Kerberos wizard created AD SamAccountName as $K5V500-1ET1B4KFE6C4, how to change to regular username

skonduru — Tue, 19 Jul 2016 11:55:00 GMT

It went well with Robert L suggested changes.

We recommended customer AD team to limit sAMAccountName characters to <=15

-------

When using an Active Directory server and the user name is mapped to theuserPrincipalNameattribute, theActiveDirectoryMembershipProviderclass will automatically generate a random 20-character user name for thesAMAccountNameparameter on your behalf.

Parameters default to the following maximum lengths.

Parameter	Maximum length
username	64 characters if using theuserPrincipalNameattribute. If using thesAMAccountNameattribute, the common restriction is 20 characters or less.
password	128 characters.
email	256 characters.
passwordQuestion	256 characters.
passwordAnswer	128 characters before and after encrypting.

----------

for more details Maximum Length User Logon Name (Pre Windows 2000) https://msdn.microsoft.com/en-us/library/system.web.security.activedirectorymembershipprovider.createuser.aspx

Re: Enable Kerberos wizard created AD SamAccountName as $K5V500-1ET1B4KFE6C4, how to change to regular username

daleb — Wed, 20 Jul 2016 22:08:38 GMT

@skonduru interestingly, setting

"sAMAccountName":"$sAMAccountName.substring(0,20)",

failed for me when installing kerberos. And wouldn't this also result in an inconsistent naming convention?

E.g. sAMAccountName for HDFS would be: hdfs/node01.hadoop.p

but sAMAccountName for Zookeeper would be: zookeeper/node01.had

Is there a better way to achieve a consistent naming convention?

Re: Enable Kerberos wizard created AD SamAccountName as $K5V500-1ET1B4KFE6C4, how to change to regular username

skonduru — Sun, 24 Jul 2016 00:19:52 GMT

We didn't used any regex for "sAMAccountName":

Looklike your AD configured sAMAccountName as UPN. See following notes may helpful to differentiate both properties. http://www.morgantechspace.com/2014/04/samaccountname-vs-userprincipalname.html