Created 10-29-2015 02:57 AM
I have configured Ambari to integrate with AD and all users were able to log in to the Ambari UI. After kerberizing the cluster, adding the SSSD setup with AD, and setting up SPNEGO, the AD users can no longer log in to the Ambari UI.
Here's the error I'm getting in /var/log/ambari-server/ambari-server.log:
28 Oct 2015 22:51:17,655 INFO [qtp-client-24] FilterBasedLdapUserSearch:89 - SearchBase not set. Searches will be performed from the root: ou=Rommel_Garcia_Accounts,dc=AD-HDP,dc=COM
28 Oct 2015 22:51:17,660 WARN [qtp-client-24] AmbariLdapAuthenticationProvider:71 - Looks like LDAP manager credentials (that are used for connecting to LDAP server) are invalid.
org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580^@]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580^@
.............
Caused by: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580^@]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580^@]
Created 10-29-2015 03:08 AM
@rgarcia@hortonworks.com - that error code and 52e indicate that the bind credentials that you have given Ambari are no longer valid. We're trying to authenticate ourselves to AD to do a search, and we use the Manager DN and password for that authentication. I would re-check those credentials and if necessary update the Ambari Server with the credentials by editing the configuration, or re-running ambari-server setup-ldap with the updated credentials.
Created 10-29-2015 03:05 AM
@rgarcia@hortonworks.com
Could you check this?
Looks like LDAP manager credentials (that are used for connecting to LDAP server) are invalid.
Created 10-29-2015 03:19 AM
I was finally able to resolve it. Somehow the DN for the LDAP Manager changed.
Was:
CN=adadmin,OU=MyUsers,DC=AD-HDP,DC=COM
Now:
CN=adadmin,DC=AD-HDP,DC=COM
Appreciate the hint there, Paul.
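A triage sketch for the error discussed in this thread, added here as an example and not code from Ambari or from any poster: it groups ambari-server.log lines into records, pulls the AD sub-code out of each "LDAP: error code 49" message, and reports whether the failing bind was the Manager DN or an end user. The function name `triage`, the regular expressions and the sample log (trimmed from the lines quoted in the question) are assumptions; the sub-code table is the commonly documented AD mapping, where the `data` field is a Win32 error code in hex.

```python
import re

# AD puts a Win32 error code (hex) in the "data" field of LDAP error 49.
AD_SUBCODES = {
    "525": "user not found",
    "52e": "logon failure: unknown user name or bad password",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must change password",
    "775": "account locked out",
}
# Start of a log record: timestamp, level, [thread], Class:line -
RECORD_START = re.compile(
    r"^(\d{2} \w{3} \d{4} [\d:,]+)\s+(\w+)\s+\[[^\]]+\]\s+(\w+):\d+ - ")
BIND_ERROR = re.compile(r"LDAP: error code 49 - .*?data ([0-9a-fA-F]+),")

# Sample input trimmed from the log quoted in the question above.
SAMPLE_LOG = """\
28 Oct 2015 22:51:17,655 INFO [qtp-client-24] FilterBasedLdapUserSearch:89 - SearchBase not set. Searches will be performed from the root: ou=Rommel_Garcia_Accounts,dc=AD-HDP,dc=COM
28 Oct 2015 22:51:17,660 WARN [qtp-client-24] AmbariLdapAuthenticationProvider:71 - Looks like LDAP manager credentials (that are used for connecting to LDAP server) are invalid.
org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580]
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580]
"""

def triage(log_text):
    """Return one finding per distinct AD sub-code per log record."""
    records = []
    for line in log_text.splitlines():
        m = RECORD_START.match(line)
        if m:
            records.append({"time": m.group(1), "source": m.group(3), "text": line})
        elif records:
            records[-1]["text"] += "\n" + line  # stack-trace continuation line
    findings = []
    for rec in records:
        for code in sorted({c.lower() for c in BIND_ERROR.findall(rec["text"])}):
            findings.append({
                "time": rec["time"], "source": rec["source"],
                # Ambari's own warning text marks a failed Manager DN bind.
                "manager_bind": "LDAP manager credentials" in rec["text"],
                "subcode": code, "win32": int(code, 16),
                "meaning": AD_SUBCODES.get(code, "unknown sub-code"),
            })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

A finding with `manager_bind` set and sub-code `52e` points at the Manager DN or its password in the Ambari LDAP configuration, which is where the fix in this thread was made.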