Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

AD Users Stop Working After Kerberos and SSSD Setup

Labels:
avatar
author-rank rgarcia
Expert Contributor

Created ‎10-29-2015 02:57 AM

I have configured Ambari to integrate with AD and all users was able to login to Ambari UI. After kerberizing the cluster and adding SSSD setup with AD, setting up SPNEGO, the AD Users no longer can login to Ambari UI.

Here's the error I'm getting /var/log/ambari-server/ambari-server.log:

28 Oct 2015 22:51:17,655  INFO [qtp-client-24] FilterBasedLdapUserSearch:89 - SearchBase not set. Searches will be performed from the root: ou=Rommel_Garcia_Accounts,dc=AD-HDP,dc=COM

28 Oct 2015 22:51:17,660  WARN [qtp-client-24] AmbariLdapAuthenticationProvider:71 - Looks like LDAP manager credentials (that are used for connecting to LDAP server) are invalid.

org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580^@]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580^@

.............

Caused by: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580^@]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580^@]
2,086 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank pcodding author-rank
Guru

Created ‎10-29-2015 03:08 AM

@rgarcia@hortonworks.com - that error code and 52e indicate that the bind credentials that you have given Ambari are no longer valid. We're trying to authenticate ourselves to AD to do a search, and we use the Manager DN and password for that authentication. I would re-check those credentials and if necessary update the Ambari Server with the credentials by editing the configuration, or re-running ambari-server setup-ldap with the updated credentials.

View solution in original post

1,519 Views
3 REPLIES 3

avatar
author-rank nsabharwal
Master Mentor

Created ‎10-29-2015 03:05 AM

@rgarcia@hortonworks.com

Could you check this?

Looks like LDAP manager credentials (that are used for connecting to LDAP server) are invalid.

1,519 Views
0 Kudos

avatar
author-rank pcodding author-rank
Guru

Created ‎10-29-2015 03:08 AM

@rgarcia@hortonworks.com - that error code and 52e indicate that the bind credentials that you have given Ambari are no longer valid. We're trying to authenticate ourselves to AD to do a search, and we use the Manager DN and password for that authentication. I would re-check those credentials and if necessary update the Ambari Server with the credentials by editing the configuration, or re-running ambari-server setup-ldap with the updated credentials.

1,520 Views

avatar
author-rank rgarcia
Expert Contributor

Created ‎10-29-2015 03:19 AM

I was finally able to resolve it. Somehow the DN for the LDAP Manager changed.

Was:

CN=adadmin,OU=MyUsers,DC=AD-HDP,DC=COM

Now:

CN=adadmin,DC=AD-HDP,DC=COM

Appreciate the hint their Paul.

1,519 Views
0 Kudos
Announcements
Community Announcements
October 2024 Community Highlights
What's New @ Cloudera
Accelerate Your AI with the Cloudera AI Inference Service wi...
What's New @ Cloudera
Updates to the HDFS clusters on AWS environments to add supp...
What's New @ Cloudera
Enhancements to the create-database command
Community Announcements
September 2024 Community Highlights
View More Announcements