question Re: Not able to sync users of Active Directory in Active Directory in Support Questions

Not able to sync users of Active Directory in Active Directory

darpan_be — Mon, 21 Dec 2015 19:43:55 GMT

Hi Experts,

I am trying to integrate A/D 2012 Server with Ambari 2.1.2. HDP version 2.3.

I've tried various permutation combinations with the properties but still I am not successful in integrating the AD with Ambari. I could successfully integrate AD with Ranger and Knox trying to use the properties in the similar lines.

Active directory domain controller name is : TEST.COM, AD is running on 10.0.2.10 One of the valid users in AD is "Darpan Patel" and has the principal : darpan@TEST.COM and all the users are in "Users" container.

We are running Ambari as a root user.

Here are the properties I am setting for Ambari - AD integration from /etc/ambari-server/conf/ambari.properties

api.authenticate=true
authentication.ldap.baseDn=CN=Users,DC=test,DC=com 
authentication.ldap.bindAnonymously=false 
authentication.ldap.dnAttribute=CN=Users,DC=test,DC=com 
authentication.ldap.groupMembershipAttr=uid 
authentication.ldap.groupNamingAttr=cn 
authentication.ldap.groupObjectClass=group 
authentication.ldap.managerDn=CN=Darpan Patel,CN=users,DC=test,DC=com 
# also tried with 
# CN=users,DC=test,DC=com 
# CN=darpan,DC=test,DC=com 
# CN=darpan@TEST.COM,DC=test,DC=com
authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
authentication.ldap.primaryUrl=10.0.2.10:389
authentication.ldap.referral=ignore
authentication.ldap.secondaryUrl=10.0.2.10:389
authentication.ldap.useSSL=false
authentication.ldap.userObjectClass=person
authentication.ldap.usernameAttribute=sAMAccountName

Here is the list of sequence what I am trying to do:

$ ambari-server setup-ldap
Enter the above properties
Restart the ambari server
$ambari-server sync-ldap --all
Enter admin id/password (i.e. default Ambari Admin userid : admin/admin) also tried with darpan, darpan@TEST.COM
In all the cases I see :

Syncing all.ERROR: Exiting with exit code 1. REASON: Sync event creation failed. Error details: HTTP Error 403: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]

7) Log shows :

18 Dec 2015 10:27:34,899 WARN [qtp-client-26] AmbariLdapAuthenticationProvider:71 - Looks like LDAP manager credentials (that are used for connecting to LDAP server) are invalid. org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]

I thought that password could be wrong for the AD user but with the same ad user I am able to issue a TGT. i.e. for the user in ambari properties : authentication.ldap.managerDn=CN=Darpan Patel,CN=users,DC=test,DC=com I am able to get a ticket : kinit darpan@TEST.COM.

------------------

Interesting thing is : I am no longer to login to Ambari using admin/admin user. On the ambari portal : when I use admin/admin it says invalid credentials. So I tried resetting the password to default by changing in the ambari.users db (update ambari.users set user_password='538916f8943ec225d97a9a86a2c6ec0818c1cd400e09e03b660fdaaec4af29ddbb6f2b1033b81b00' where user_name='admin')

To my curiosity when I see the ambari.users table few of the A/D users are present in the table. for example :

ambari=> select * from ambari.users;

user_id | principal_id | ldap_user | user_name | create_time | active |
--------+--------------+-----------+---------------+----------------------------+------
12 | 4 | 1 | pratlu | 2015-12-17 17:49:05.699 |1 |
3 | 6 |1 | darpan | 2015-12-17 17:49:05.699 |1 |
13 | 3 | 1 | administrator | 2015-12-17 17:49:05.699 |1 |
4 | 5 | 1 | test | 2015-12-17 17:49:05.699 |1 |
14 | 11 | 1 | sanjay.sharma | 2015-12-17 17:49:05.699 |1 |
I also tried logging in to ambari web console using darpan, darpan@TEST.COM, admin/admin but it does not work!!

Did any one face similar issue ? Or can anyone suggest work around?

Regards,

Re: Not able to sync users of Active Directory in Active Directory

rlevas — Mon, 21 Dec 2015 20:20:35 GMT

Try doing a search for the principal you are using to make sure it's record has the same DN as the one you are using as the Kerberos identity.

ldapsearch -h 10.0.2.10 -D darpan@TEST.COM -W -b CN=Users,DC=test,DC=com '(userPrincipalName=darpan@TEST.COM)' dn

Also, I noticed that your distinguished name attribute is still incorrect:

Is: 
  authentication.ldap.dnAttribute=CN=Users,DC=test,DC=com 
Should Be:
  authentication.ldap.dnAttribute=distinguishedName

Re: Not able to sync users of Active Directory in Active Directory

darpan_be — Mon, 21 Dec 2015 21:08:17 GMT

Thanks Robert,

By executing the ldapsearch I get the :

# Darpan Patel, Users, test.com
dn: CN=Darpan Patel,CN=Users,DC=test,DC=com
# search result
search: 2
result: 0 Success

I also made changes : authentication.ldap.dnAttribute=distinguishedName .

However when I give admin/admin while doing sync outcome is :

[root@gateway ~]# ambari-server sync-ldap --all

Using python /usr/bin/python2.7 Syncing with LDAP...

Enter Ambari Admin login: admin

Enter Ambari Admin password: Syncing all.ERROR: Exiting with exit code 1. REASON: Sync event creation failed. Error details: HTTP Error 403: Bad credentials

Re: Not able to sync users of Active Directory in Active Directory

nsabharwal — Mon, 21 Dec 2015 21:18:15 GMT

@Darpan Patel

https://confluence.atlassian.com/display/CONFKB/Us...

52einvalid credentials

Regarding: admin use invalid credentials, it looks like your AD setup did change admin user settings in the database.

For example:

ambari213=> select ldap_user from users where user_name='admin';

ldap_user

-----------

(1 row)

ambari213=> update users set ldap_user=0 where user_name='admin';

UPDATE 1

ambari213=>

ambari213=> select ldap_user from users where user_name='admin';

ldap_user

-----------

(1 row)

then try login with admin cred.

Re: Not able to sync users of Active Directory in Active Directory

darpan_be — Mon, 21 Dec 2015 21:30:43 GMT

I logged in to Ambari database and resetted the password to 'admin'. But still it did not work.

Re: Not able to sync users of Active Directory in Active Directory

nsabharwal — Mon, 21 Dec 2015 21:35:41 GMT

@Darpan Patel Please see my previous message. It seems like that your admin user is set to ldap user.

Re: Not able to sync users of Active Directory in Active Directory

darpan_be — Mon, 21 Dec 2015 21:41:07 GMT

You were right. The admin users had ldap_user flag set to 1. Not sure how it changed it...

Re: Not able to sync users of Active Directory in Active Directory

darpan_be — Mon, 21 Dec 2015 21:50:31 GMT

One more observation @Neeraj Sabharwal

: I updated the admin user's ldap_user flag to 0 as you mentioned and tried running the ambari ldap sync operation .

On the console get the error :

Enter Ambari Admin password: Syncing all.......
ERROR: Exiting with exit code 1.
REASON: Sync event check failed. Error details: HTTP Error 403: Bad credentials

Now I am checking the users table in the ambari database. I see few more users have been imported in the user's table. And the admin user's ldap_user flag is again set to 1. 🙂

Re: Not able to sync users of Active Directory in Active Directory

nsabharwal — Mon, 21 Dec 2015 21:52:13 GMT

@Darpan Patel Perfect! It looks like the ldap sync is working but you need to check credentials.

Re: Not able to sync users of Active Directory in Active Directory

darpan_be — Mon, 21 Dec 2015 22:34:31 GMT

@Neeraj Sabharwal

Yeah looks like users are getting Synch-ed.

However I think here is the problem that : local user admin is being changed to ldap user ( flag changes in the user table) Is it expected behavior ?

Re: Not able to sync users of Active Directory in Active Directory

nsabharwal — Mon, 21 Dec 2015 23:13:09 GMT

@Darpan Patel Do you have admin user in AD? I guess yes

Re: Not able to sync users of Active Directory in Active Directory

darpan_be — Mon, 21 Dec 2015 23:46:16 GMT

@Neeraj SabharwalI've a local KDC. in the local KDC I've admin/admin but non in the AD.

Re: Not able to sync users of Active Directory in Active Directory

nsabharwal — Mon, 21 Dec 2015 23:48:20 GMT

@Darpan Patel Ok. If issue is resolved then please accept one of the answers to close the thread.