Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

AD Users Stop Working After Kerberos and SSSD Setup

Labels:
avatar
author-rank rgarcia
Expert Contributor

Created ‎10-29-2015 02:57 AM

I have configured Ambari to integrate with AD and all users was able to login to Ambari UI. After kerberizing the cluster and adding SSSD setup with AD, setting up SPNEGO, the AD Users no longer can login to Ambari UI.

Here's the error I'm getting /var/log/ambari-server/ambari-server.log:

28 Oct 2015 22:51:17,655  INFO [qtp-client-24] FilterBasedLdapUserSearch:89 - SearchBase not set. Searches will be performed from the root: ou=Rommel_Garcia_Accounts,dc=AD-HDP,dc=COM

28 Oct 2015 22:51:17,660  WARN [qtp-client-24] AmbariLdapAuthenticationProvider:71 - Looks like LDAP manager credentials (that are used for connecting to LDAP server) are invalid.

org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580^@]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580^@

.............

Caused by: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580^@]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580^@]
2,144 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank pcodding author-rank
Guru

Created ‎10-29-2015 03:08 AM

@rgarcia@hortonworks.com - that error code and 52e indicate that the bind credentials that you have given Ambari are no longer valid. We're trying to authenticate ourselves to AD to do a search, and we use the Manager DN and password for that authentication. I would re-check those credentials and if necessary update the Ambari Server with the credentials by editing the configuration, or re-running ambari-server setup-ldap with the updated credentials.

View solution in original post

1,577 Views
3 REPLIES 3

avatar
author-rank nsabharwal
Master Mentor

Created ‎10-29-2015 03:05 AM

@rgarcia@hortonworks.com

Could you check this?

Looks like LDAP manager credentials (that are used for connecting to LDAP server) are invalid.

1,577 Views
0 Kudos

avatar
author-rank pcodding author-rank
Guru

Created ‎10-29-2015 03:08 AM

@rgarcia@hortonworks.com - that error code and 52e indicate that the bind credentials that you have given Ambari are no longer valid. We're trying to authenticate ourselves to AD to do a search, and we use the Manager DN and password for that authentication. I would re-check those credentials and if necessary update the Ambari Server with the credentials by editing the configuration, or re-running ambari-server setup-ldap with the updated credentials.

1,578 Views

avatar
author-rank rgarcia
Expert Contributor

Created ‎10-29-2015 03:19 AM

I was finally able to resolve it. Somehow the DN for the LDAP Manager changed.

Was:

CN=adadmin,OU=MyUsers,DC=AD-HDP,DC=COM

Now:

CN=adadmin,DC=AD-HDP,DC=COM

Appreciate the hint their Paul.

1,577 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements