Created 04-10-2018 09:11 AM
Hi guys
It's my turn to secure our cluster right now. But I have some trouble already with the LDAP connection of Ambari. On the production system I get the following error and I don't know where I can find the error anymore. Can you give me possible points where I should look for the error?
The certificates of the AD servers are imported and ldapsearch is working fine. I have added the following content to the ambari-server.properties file:
afterwards I run
[user1@ad.test.com home]$ sudo ambari-server setup-ldap
and validate the adjustments of the ambari-server.properties. Then I restart the server and agent
[user1@ad.test.com home]$ sudo ambari-server restart
[user1@ad.test.com home]$ sudo ambari-agent restart
I create a file with only one entry: the group with the Hadoop administrators.
[user1@ad.test.com home]$ echo HadoopAdmin > groups.txt
after that I want to import the HadoopAdmin group into Ambari
[user1@ad.test.com home]$ sudo ambari-server sync-ldap --groups=groups.txt
Using python /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password:
Syncing all...ERROR: Exiting with exit code 1. REASON: Caught exception running LDAP sync. [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839]
In the Ambari Log I found the following error:
09 Apr 2018 16:37:00,577 ERROR [pool-18-thread-5] LdapSyncEventResourceProvider:460 - Caught exception running LDAP sync.
org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839]
	at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:191)
	at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:356)
	at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:140)
	at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:159)
	at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:357)
	at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:309)
	at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:642)
	at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.getFilteredLdapUsers(AmbariLdapDataPopulator.java:667)
	at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.getExternalLdapUserInfo(AmbariLdapDataPopulator.java:644)
	at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.synchronizeAllLdapUsers(AmbariLdapDataPopulator.java:212)
	at org.apache.ambari.server.controller.AmbariManagementControllerImpl.synchronizeLdapUsersAndGroups(AmbariManagementControllerImpl.java:5178)
	at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.syncLdap(LdapSyncEventResourceProvider.java:490)
	at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.processSyncEvents(LdapSyncEventResourceProvider.java:448)
	at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.access$000(LdapSyncEventResourceProvider.java:65)
	at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider$1.run(LdapSyncEventResourceProvider.java:259)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839]
	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3135)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2883)
	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2797)
	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
	at javax.naming.InitialContext.init(InitialContext.java:244)
	at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
	at org.springframework.ldap.core.support.LdapContextSource.getDirContextInstance(LdapContextSource.java:42)
	at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:344)
	... 18 more
Created 04-10-2018 02:17 PM
Bill,
LDAP: error code 49 / data 52e indicates an Active Directory (AD) AcceptSecurityContext error, which is returned when the username is valid but the combination of password and user credential is invalid. You might want to check the admin credentials (/password) that you are using are as expected and probably even password policies for this user in AD.
Since you don't seem to be binding anonymously, I'm assuming you are providing the right manager password. Also, since you are using SSL, assuming the certs are imported fine in jks or default JDK keystore. You might also want to ensure the group entry in groups.txt is based off of groupMembershipAttr.
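The sub-code after `data` in that error string is what tells you why AD refused the bind, and it applies to the manager account Ambari binds with, not to the users being synced. As an added example (not from this thread or from Ambari itself), here is a small Python helper that pulls the code out of an Ambari log line and maps it to the documented AD meaning; the `classify_ad_bind_error` name and the sub-code table are my own.

```python
import re
from typing import Optional

# Documented Active Directory "data" sub-codes that accompany LDAP result 49
# (comment "AcceptSecurityContext error"). The table is standard AD behaviour,
# not something taken from the thread above.
AD_BIND_SUBCODES = {
    "525": "user not found (bind DN / username does not resolve)",
    "52e": "invalid credentials (username valid, password wrong)",
    "530": "logon not permitted at this time (logon-hours restriction)",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password before logging on",
    "775": "account locked out",
}

# Matches the bracketed message JNDI produces for an AD bind failure.
_PATTERN = re.compile(
    r"LDAP: error code (?P<code>\d+) - (?P<hex>[0-9A-Fa-f]{8}): LdapErr: "
    r"DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>[^,]+), "
    r"data (?P<data>[0-9A-Fa-f]+), v(?P<ver>[0-9A-Fa-f]+)"
)


def classify_ad_bind_error(message: str) -> Optional[dict]:
    """Return the result code, AD sub-code and its meaning, or None if the
    text is not an LDAP result-code message."""
    m = _PATTERN.search(message)
    if m is None:
        return None
    data = m.group("data").lower()
    return {
        "result_code": int(m.group("code")),
        "comment": m.group("comment"),
        "data": data,
        "meaning": AD_BIND_SUBCODES.get(data, "unknown AD sub-code"),
    }


# Sample input: the first line of the log entry quoted in the question.
SAMPLE_LOG = (
    "09 Apr 2018 16:37:00,577 ERROR [pool-18-thread-5] "
    "LdapSyncEventResourceProvider:460 - Caught exception running LDAP sync. "
    "org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - "
    "80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, "
    "data 52e, v3839]"
)

if __name__ == "__main__":
    print(classify_ad_bind_error(SAMPLE_LOG))
```

A `52e` here means the bind DN in ambari.properties resolved but its password was rejected, which is why re-entering the manager password during setup-ldap is the first thing to try.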