
Enable Kerberos wizard created AD SamAccountName as $K5V500-1ET1B4KFE6C4, how to change to regular username

Contributor

How do I change the SamAccountName $K5V500-1ET1B4KFE6C4 to the username storm-poc?

The Ambari 2.1.2 Enable Kerberos wizard created the AD account with SamAccountName $K5V500-1ET1B4KFE6C4:

Get-ADUser -Identity '$K5V500-1ET1B4KFE6C4' -Properties *
AccountExpirationDate  :
accountExpires  : 0
AccountLockoutTime  :
AccountNotDelegated  : False
AllowReversiblePasswordEncryption  : False
BadLogonCount  : 0
badPasswordTime  : 0
badPwdCount  : 0
CannotChangePassword  : False
CanonicalName  : ldap.customer.com/HDP/Domain Accounts/Service Accounts/storm-poc
Certificates  : {}
City  :
CN  : storm-poc
codePage  : 0
Company  :
Country  :
countryCode  : 0
Created  : 10/16/2015 12:54:07 PM
createTimeStamp  : 10/16/2015 12:54:07 PM
Deleted  :
Department  :
Description  :
DisplayName  :
DistinguishedName  : CN=storm-poc,OU=Service Accounts,OU=Domain Accounts,OU=HDP,DC=poc,DC=customer,DC=com
Division  :
DoesNotRequirePreAuth  : False
dSCorePropagationData  : {12/31/1600 7:00:00 PM}
EmailAddress  :
EmployeeID  :
EmployeeNumber  :
Enabled  : True
Fax  :
GivenName  :
HomeDirectory  :
HomedirRequired  : False
HomeDrive  :
HomePage  :
HomePhone  :
Initials  :
instanceType  : 4
isDeleted  :
LastBadPasswordAttempt  :
LastKnownParent  :
lastLogoff  : 0
lastLogon  : 130898381140333887
LastLogonDate  : 10/16/2015 12:54:07 PM
lastLogonTimestamp  : 130894880477406005
LockedOut  : False
logonCount  : 60159
LogonWorkstations  :
Manager  :
MemberOf  : {}
MNSLogonAccount  : False
MobilePhone  :
Modified  : 10/16/2015 12:54:07 PM
modifyTimeStamp  : 10/16/2015 12:54:07 PM
msDS-User-Account-Control-Computed : 0
Name  : storm-poc
nTSecurityDescriptor  : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory  : CN=Person,CN=Schema,CN=Configuration,DC=poc,DC=customer,DC=com
ObjectClass  : user
ObjectGUID  : 6d7826eb-4729-4074-8e4a-3705c9adcd40
objectSid  : S-1-5-21-568884682-143551100-1954249272-195764
Office  :
OfficePhone  :
Organization  :
OtherName  :
PasswordExpired  : False
PasswordLastSet  : 10/16/2015 12:54:07 PM
PasswordNeverExpires  : True
PasswordNotRequired  : False
POBox  :
PostalCode  :
PrimaryGroup  : CN=Domain Users,CN=Users,DC=poc,DC=customer,DC=com
primaryGroupID  : 513
ProfilePath  :
ProtectedFromAccidentalDeletion  : False
pwdLastSet  : 130894880476781969
SamAccountName  : $K5V500-1ET1B4KFE6C4
sAMAccountType  : 805306368
ScriptPath  :
sDRightsEffective  : 15
ServicePrincipalNames  : {}
SID  : S-1-5-21-568884682-143551100-1954249272-195764
SIDHistory  : {}
SmartcardLogonRequired  : False
State  :
StreetAddress  :
Surname  :
Title  :
TrustedForDelegation  : False
TrustedToAuthForDelegation  : False
UseDESKeyOnly  : False
userAccountControl  : 66048
userCertificate  : {}
UserPrincipalName  : storm-poc@ldap.customer.com
uSNChanged  : 9889735
uSNCreated  : 9889732
whenChanged  : 10/16/2015 12:54:07 PM
whenCreated  : 10/16/2015 12:54:07 PM
1 ACCEPTED SOLUTION


Once the account has been created, you can use the "Active Directory Users and Computers" applet on the Windows Server, find the account, open up the properties, and perform one of the following:

Option A:

  • Click on the "Account" tab
  • Edit the 2nd box of the "Windows login name (pre-Windows 2000)" field
  • Click the "Apply" button

Option B:

  • Click on the "Attribute Editor" tab (shown if "Advanced Features" is turned on)
  • Look for "sAMAccountName" in the listbox
  • Double click on the "sAMAccountName" item - a small dialog box will pop up
  • Edit the name in the textbox
  • Click the "OK" button (closes the dialog box)
  • Click the "Apply" button

If you haven't enabled Kerberos yet, you can edit the Active Directory "Account Attribute Template" value under the "Advanced kerberos-env" section on the "Configure Kerberos" page of the "Enable Kerberos Wizard" and add something like:

"sAMAccountName": "$principal_name"

However, this field is limited to 20 characters, so you will need to do some additional work to limit the value and hope that it is unique. For example:

#set( $sAMAccountName = "${principal_primary}-${principal_digest}" )
{
 "objectClass": ["top","person","organizationalPerson","user"],
 "cn": "$principal_name",
 "sAMAccountName": "$sAMAccountName.substring(0,20)",
 #if( $is_service )
 "servicePrincipalName": "$principal_name",
 #end
 "userPrincipalName": "$normalized_principal",
 "unicodePwd": "$password",
 "accountExpires": "0",
 "userAccountControl": "66048"
}

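The rename from Option A/B done in PowerShell instead of the GUI, as an added example that is not part of the answer above: it checks the 20-character limit and domain-wide uniqueness before calling Set-ADUser, and leaves the userPrincipalName (the Kerberos principal) untouched. It assumes the ActiveDirectory RSAT module and uses the account names from the question.

```powershell
# Added example (not from the thread): rename the wizard-generated sAMAccountName
# to the account's CN after validating the new value. Requires the RSAT
# ActiveDirectory module; the two names below are the ones from the question.
Import-Module ActiveDirectory

function Rename-GeneratedSamAccountName {
    param(
        [Parameter(Mandatory)][string]$CurrentSam,   # e.g. '$K5V500-1ET1B4KFE6C4'
        [Parameter(Mandatory)][string]$NewSam,       # e.g. 'storm-poc'
        [switch]$DryRun
    )
    # sAMAccountName (the "pre-Windows 2000" logon name) is limited to 20 characters
    if ($NewSam.Length -gt 20) {
        throw "'$NewSam' is $($NewSam.Length) characters; sAMAccountName max is 20"
    }
    # Characters AD rejects in a sAMAccountName
    if ($NewSam -match '["/\\\[\]:;|=,+*?<>]') {
        throw "'$NewSam' contains a character not allowed in sAMAccountName"
    }
    # Must be unique across the whole domain, for any object class (users, computers, groups)
    $clash = Get-ADObject -Filter "sAMAccountName -eq '$NewSam'"
    if ($clash) {
        throw "sAMAccountName '$NewSam' is already used by $($clash.DistinguishedName)"
    }

    $user = Get-ADUser -Identity $CurrentSam -Properties sAMAccountName, userPrincipalName
    Write-Host "Renaming $($user.DistinguishedName): $($user.SamAccountName) -> $NewSam"
    # Only the logon name changes; CN, DN and UPN stay as the wizard created them
    Set-ADUser -Identity $user -SamAccountName $NewSam -WhatIf:$DryRun
}

# Dry run first (prints what would change), then apply
Rename-GeneratedSamAccountName -CurrentSam '$K5V500-1ET1B4KFE6C4' -NewSam 'storm-poc' -DryRun
Rename-GeneratedSamAccountName -CurrentSam '$K5V500-1ET1B4KFE6C4' -NewSam 'storm-poc'

# Confirm the result: logon name renamed, principal (UPN) unchanged
Get-ADUser -Identity 'storm-poc' -Properties sAMAccountName, userPrincipalName |
    Select-Object Name, SamAccountName, UserPrincipalName
```

Single quotes around '$K5V500-1ET1B4KFE6C4' matter: in double quotes PowerShell would try to expand `$K5V500` as a variable.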



Contributor

Thank you for the details. Next week I will test this in a new cluster build.

Expert Contributor

How did this go for you, @skonduru? Did you have to do the additional work to limit the value?

Master Mentor

@skonduru has this been resolved? Can you accept the best answer or provide your own solution?

Contributor

It went well with Robert L's suggested changes.

We recommended that the customer's AD team limit sAMAccountName to <=15 characters.

-------

When using an Active Directory server and the user name is mapped to the userPrincipalName attribute, the ActiveDirectoryMembershipProvider class will automatically generate a random 20-character user name for the sAMAccountName parameter on your behalf.

Parameters default to the following maximum lengths.

Parameter           Maximum length
username            64 characters if using the userPrincipalName attribute. If using the sAMAccountName attribute, the common restriction is 20 characters or less.
password            128 characters.
email               256 characters.
passwordQuestion    256 characters.
passwordAnswer      128 characters before and after encrypting.

----------

For more details, see "Maximum Length User Logon Name (Pre Windows 2000)": https://msdn.microsoft.com/en-us/library/system.web.security.activedirectorymembershipprovider.creat...

Expert Contributor

@skonduru, interestingly, setting

"sAMAccountName":"$sAMAccountName.substring(0,20)",

failed for me when installing Kerberos. And wouldn't this also result in an inconsistent naming convention?

E.g. sAMAccountName for HDFS would be: hdfs/node01.hadoop.p

but sAMAccountName for Zookeeper would be: zookeeper/node01.had

Is there a better way to achieve a consistent naming convention?
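The naming problem raised in this reply, checked offline as an added example (not code from the thread or from Ambari): it applies both sAMAccountName strategies discussed in the thread to a constructed list of principals and flags collisions. It assumes $principal_primary is the part before "/" or "@" and that $principal_digest is a hex SHA-1 of the full principal; both are assumptions about the Ambari template variables, not something the thread states.

```powershell
# Added example (not from the thread): compare the two sAMAccountName strategies
# from the thread on constructed principals and report collisions.
# ASSUMPTION: $principal_digest is modelled as a hex SHA-1 of the principal.
function Get-Sha1Hex([string]$Text) {
    $sha   = [System.Security.Cryptography.SHA1]::Create()
    $bytes = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Get-TruncatedName([string]$Principal) {
    # "$principal_name.substring(0,20)": the variant this reply tried
    if ($Principal.Length -gt 20) { $Principal.Substring(0, 20) } else { $Principal }
}

function Get-DigestName([string]$Principal) {
    # "${principal_primary}-${principal_digest}" then substring(0,20), as in the accepted answer
    $primary   = ($Principal -split '[/@]')[0]          # ASSUMPTION: primary = text before "/" or "@"
    $candidate = '{0}-{1}' -f $primary, (Get-Sha1Hex $Principal)
    $candidate.Substring(0, [Math]::Min(20, $candidate.Length))
}

# Constructed principals; the last two differ only after the 20th character
$principals = @(
    'hdfs/node01.hadoop.poc.customer.com@LDAP.CUSTOMER.COM',
    'hdfs/node02.hadoop.poc.customer.com@LDAP.CUSTOMER.COM',
    'zookeeper/node01.hadoop.poc.customer.com@LDAP.CUSTOMER.COM',
    'zookeeper/zk-replica-node01.hadoop.poc.customer.com@LDAP.CUSTOMER.COM',
    'zookeeper/zk-replica-node02.hadoop.poc.customer.com@LDAP.CUSTOMER.COM'
)

foreach ($strategy in 'Get-TruncatedName', 'Get-DigestName') {
    $seen = @{}                                  # sAMAccountName -> first principal that produced it
    foreach ($p in $principals) {
        $name = & $strategy $p
        if ($seen.ContainsKey($name)) {
            Write-Warning "$strategy collision: '$name' from $p and $($seen[$name])"
        } else {
            $seen[$name] = $p
        }
    }
    '{0}: {1} principals -> {2} distinct sAMAccountNames' -f $strategy, $principals.Count, $seen.Count
}
```

Plain truncation maps both zk-replica hosts to "zookeeper/zk-replica" (4 distinct names for 5 principals, so the second account creation fails), while the primary-digest form keeps all 5 distinct at the cost of unreadable names.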

Contributor

We didn't use any regex for "sAMAccountName".

It looks like your AD configured sAMAccountName as the UPN. The following notes may help to differentiate the two properties: http://www.morgantechspace.com/2014/04/samaccountname-vs-userprincipalname.html