AD Users Stop Working After Kerberos and SSSD Setup

Expert Contributor

I have configured Ambari to integrate with AD and all users were able to log in to the Ambari UI. After kerberizing the cluster, adding the SSSD setup with AD, and setting up SPNEGO, the AD users can no longer log in to the Ambari UI.

Here's the error I'm getting in /var/log/ambari-server/ambari-server.log:

28 Oct 2015 22:51:17,655  INFO [qtp-client-24] FilterBasedLdapUserSearch:89 - SearchBase not set. Searches will be performed from the root: ou=Rommel_Garcia_Accounts,dc=AD-HDP,dc=COM

28 Oct 2015 22:51:17,660  WARN [qtp-client-24] AmbariLdapAuthenticationProvider:71 - Looks like LDAP manager credentials (that are used for connecting to LDAP server) are invalid.

org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580^@]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580^@

.............

Caused by: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580^@]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580^@]

1 ACCEPTED SOLUTION

@rgarcia@hortonworks.com - that error code and 52e indicate that the bind credentials that you have given Ambari are no longer valid. We're trying to authenticate ourselves to AD to do a search, and we use the Manager DN and password for that authentication. I would re-check those credentials and if necessary update the Ambari Server with the credentials by editing the configuration, or re-running ambari-server setup-ldap with the updated credentials.


3 REPLIES

Master Mentor

@rgarcia@hortonworks.com

Could you check this?

Looks like LDAP manager credentials (that are used for connecting to LDAP server) are invalid.

Expert Contributor

I was finally able to resolve it. Somehow the DN for the LDAP Manager changed.

Was:

CN=adadmin,OU=MyUsers,DC=AD-HDP,DC=COM

Now:

CN=adadmin,DC=AD-HDP,DC=COM 

Appreciate the hint there, Paul.
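
As an added example (not code from this thread or from Ambari), the Python below pulls the AD "data" sub-code out of lines like the ambari-server.log excerpt in the question and reports whether Ambari attributed the failure to the manager bind. It goes beyond the thread's single 52e case by mapping the other commonly documented AD sub-codes; the function name triage and the sample lines are constructed for illustration.

```python
import re

# AD sub-codes carried in the "data" field of an LDAP error 49 bind failure.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong bind DN or password)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

BIND_ERROR = re.compile(
    r"LDAP: error code (?P<code>\d+) - .*?"
    r"AcceptSecurityContext error, data (?P<data>[0-9a-fA-F]+)"
)

def triage(log_lines):
    """Summarise AD bind failures and whether Ambari blamed the manager bind."""
    counts = {}
    manager_bind = False
    for line in log_lines:
        # Ambari logs this warning when the Manager DN bind itself is rejected.
        if "LDAP manager credentials" in line and "invalid" in line:
            manager_bind = True
        for m in BIND_ERROR.finditer(line):
            key = (int(m["code"]), m["data"].lower())
            counts[key] = counts.get(key, 0) + 1
    failures = [
        {"ldap_code": code, "ad_data": data, "count": n,
         "meaning": AD_BIND_SUBCODES.get(data, "unknown sub-code")}
        for (code, data), n in sorted(counts.items())
    ]
    return {"manager_bind_rejected": manager_bind, "failures": failures}

# Constructed sample, shaped like the log excerpt in the question (shortened).
_ERR = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, "
        "comment: AcceptSecurityContext error, data 52e, v2580]")
SAMPLE = [
    "28 Oct 2015 22:51:17,660  WARN [qtp-client-24] AmbariLdapAuthenticationProvider:71 - "
    "Looks like LDAP manager credentials (that are used for connecting to LDAP server) are invalid.",
    f"InternalAuthenticationServiceException: {_ERR}; nested exception is "
    f"javax.naming.AuthenticationException: {_ERR}",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A 52e result with manager_bind_rejected set points at the Manager DN or its password rather than at the end user's login, which matches the changed DN found above.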