AD user sync issue

Contributor

Hi, I'm getting the below user sync error while integrating AD through Ambari. Please assist in resolving the issue. Thanks in advance.

AD Authentication Failed:org.springframework.security.authentication.BadCredentialsException: Bad credentials

at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:185)
at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:61)
at org.apache.ranger.security.handler.RangerAuthenticationProvider.getADBindAuthentication(RangerAuthenticationProvider.java:405

Unable to load native-hadoop library for your platform... using builtin-java classes where applicable

INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]

INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1]

INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.1]

INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.2]

ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 3600000 milliseconds. Error details: com.sun.jersey.api.client.UniformInterfaceException: GET Unauthorized at com.sun.jersey.api.client.WebResource.handle(WebResource.java:686) at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74) at com.sun.jersey.api.client.WebResource$Builder.get(WebResource.java:507)uster.

4 REPLIES

Rising Star

Hi Samant,

Could you please share the HDP version as well? It will be helpful.
In the meantime, could you disable Enable Group Search First and restart Ranger usersync? See if that helps.
Ambari > Ranger > Config > Ranger User info > Group Config > at last Group Search First {disable it}

Contributor

Thanks a lot @Pravin Bhagade for responding to my query. I observed that I missed the first line of the error while pasting it on the portal. We are getting the "AD Authentication Failed:org.springframework.security.authentication.BadCredentialsException: Bad credentials" error.

We have checked the credentials for the bind user and the credentials are absolutely correct. Apparently, the bind user is not able to access the AD domain server through Ranger. We concluded this based on the response from the AD team, who told us that there are no logs for the bind user for bad credentials. If a particular user enters bad credentials and accesses the AD server, then the AD team gets the logs for that particular user. We are using HDP-2.4.3.0. Please shed some light on this issue.

Thanks a lot!!

Rising Star

Can you verify that the ldapsearch cmd works successfully from the Ranger server using the same bind credentials used in the Ranger Usersync conf?
If it works, then you can refer to the link below.

HDP-2.4.3.0 might not have ldap check tool. Check under ls /usr/hdp/current/ranger-usersync/ldaptool

LDAP Connection Check Tool

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.1/bk_command-line-installation/content/using_...
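
A way to run the ldapsearch check suggested above and interpret its outcome, as an added example that is not part of the original thread: the URL, bind DN and base DN are placeholders, and the sample error text is constructed. It goes beyond the reply by mapping the AD sub-codes that accompany LDAP error 49 to a cause, and by separating a bind that AD rejected from one that never reached a domain controller.

```shell
#!/bin/sh
# Added example. Placeholder values (assumptions, not from the thread):
AD_URL="${AD_URL:-ldap://ad.example.com:389}"
BIND_DN="${BIND_DN:-CN=svc-ranger,OU=Service Accounts,DC=example,DC=com}"
BASE_DN="${BASE_DN:-DC=example,DC=com}"

# Constructed sample of what ldapsearch prints when AD rejects a bind.
SAMPLE_ERR="ldap_bind: Invalid credentials (49)
	additional info: 80090308: LdapErr: DSID-00000000, comment: AcceptSecurityContext error, data 52e, v1db1"

# Turn an ldapsearch exit status and its stderr text into a diagnosis.
classify_bind_result() {
    rc="$1"; err="$2"
    if [ "$rc" -eq 0 ]; then echo "bind-ok"; return 0; fi
    case "$err" in
        # The request never reached a domain controller (DNS, firewall, port, TLS).
        *"Can't contact LDAP server"*) echo "unreachable" ;;
        # AD sub-codes reported alongside LDAP result 49 (invalidCredentials).
        *"data 525,"*) echo "user-not-found" ;;
        *"data 52e,"*) echo "wrong-password" ;;
        *"data 532,"*) echo "password-expired" ;;
        *"data 533,"*) echo "account-disabled" ;;
        *"data 701,"*) echo "account-expired" ;;
        *"data 773,"*) echo "must-change-password" ;;
        *"data 775,"*) echo "account-locked" ;;
        *) echo "ldap-error-$rc" ;;
    esac
}

# Bind as the usersync account and read only the base entry.
check_bind() {
    # -x simple bind; -W prompts for the password so it is not in argv or
    # shell history; -s base with "1.1" (no attributes) reads a single DN.
    err=$(ldapsearch -x -H "$AD_URL" -D "$BIND_DN" -W \
            -s base -b "$BASE_DN" 1.1 2>&1 >/dev/null) && rc=0 || rc=$?
    classify_bind_result "$rc" "$err"
}

# Run the live check only when asked: sh check.sh --run
if [ "${1:-}" = "--run" ]; then check_bind; fi
```

Run it from the Ranger host with the same bind DN that is configured for Ranger, so the result reflects the network path and account state Ranger itself sees.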

Expert Contributor
@Samant Thakur

Looks like the logs you posted are from two different log files.

>>>>>>>>>>>>>

AD Authentication Failed:org.springframework.security.authentication.BadCredentialsException: Bad credentials

at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:185)
at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:61)
at org.apache.ranger.security.handler.RangerAuthenticationProvider.getADBindAuthentication(RangerAuthenticationProvider.java:405

>>>>>>>>>>>>>>

Can you please verify the configuration under Ranger --> Configs --> Advanced --> ADSettings?

>>>>>>>>>>>>>>

ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 3600000 milliseconds. Error details: com.sun.jersey.api.client.UniformInterfaceException: GET Unauthorized at com.sun.jersey.api.client.WebResource.handle(WebResource.java:686) at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74) at com.sun.jersey.api.client.WebResource$Builder.get(WebResource.java:507)

>>>>>>>>>>>>>>>>>>

This is related to usersync, and the issue here is that usersync failed to communicate with Ranger admin. The usersync module uses the "rangerusersync" user to talk to Ranger admin. Can you please confirm if you have changed the password for this user?

Thanks,

Sailaja.