Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Kerberos/LDAP integration Errors on the UI. LDAP CLI Utility does not

Labels:
leo_atencio
Explorer

Created on ‎12-07-2018 09:15 PM - edited ‎08-17-2019 04:12 PM

I got an HDP 3.0 Ambari 2.7 Cluster on AWS EC2, which i'm trying to integrate with a Company LDAP.

Been having issues when trying to continue on the last step, when the wizard Tests Kerberos Connection, it asks me for the Admin principal and password. When doing that, i get an error on the test request (after the Credentials PUT request). When looking at the logs, i see:

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment:
AcceptSecurityContext error, data 52e, v2580]

I also tried to test connection to the LDAP using ambari-server sync-ldap. After following the wizard, i was able to connect and get all users on the container.

I'm assuming this utility does not share some settings with the UI. If that is the case, what can i do to fix it?

My setup is attached

captura-de-pantalla-2018-12-07-a-las-40029-p-m.png

93799-captura-de-pantalla-2018-12-07-a-las-40144-p-m.png

captura-de-pantalla-2018-12-07-a-las-40334-p-m.pngcaptura-de-pantalla-2018-12-07-a-las-40452-p-m.png

963 Views
0 Kudos
2 REPLIES 2

gul_shad
Contributor

Created ‎12-07-2018 09:47 PM

It seems you are trying to use both MIT & AD together while enabling kerberos through Ambari. This is not possible at once.

If you want to use MIT KDC for hadoop service and AD/LDAP for user authentication you need to first enable kerberos using MIT KDC only and once your kerberos is enabled successfully go for configuring "One Way trust between MIT KDC and Active Directory".

With this setup all your hadoop services will be authenticated against MIT KDC and AD users will be autheticated against Active Directory. You can refer below links to do this setup:

1) Enable Kerberos using existing MIT KDC

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/_launching_the_kerberos...

2) Setup trust between MIT and AD KDC

https://community.hortonworks.com/articles/59635/one-way-trust-mit-kdc-to-active-directory.html

In case you do not want to setup 2 KDC (MIT KDC for hadoop & AD KDC for bussiness users), You can go for complete MIT KDC setup or Complete AD KDC setup.

To address your issue:
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment:
AcceptSecurityContext error, data 52e, v2580]

LDAP: error code 49: usually means username is valid but password is invalid

You are getting this issue because you are trying to authenticate kadmin/admin user with AD KDC and it seems this particular user isn't available in AD.

893 Views
0 Kudos

leo_atencio
Explorer

Created ‎12-13-2018 03:20 PM

Thanks for your quick reply @Gulshad Ansari

With your suggestion, i was able to understand a little better my scenario. I need to use my AD domain for the admin principal, which i was not.

Anyways, when doing the change, i ran into an issue, where the test kerberos ticket created by the wizard still haves the old, incorrect domain. I did some quick research, and it seems to be an issue with the UI storing the old Domain Value. I tried the suggested steps on this thread without luck: https://community.hortonworks.com/questions/6437/when-kerberizing-via-ambari-against-an-ad-the-serv....

I also found the value was being stored on Chrome's LocalStorage, so i cleared it. After a second try, it haves the correct value, but the keytab file keeps ending up wrong.

Is there a way to make sure that value gets reset properly? I'm thinking on . destroying the cluster and starting anew at this point.

Thanks so much!

893 Views
0 Kudos
Take a Tour of the Community
Don't have an account?
Register
Your experience may be limited. Sign in to explore more.
Announcements
Product Announcements
[ANNOUNCE] Cloudera ODBC Driver 2.6.16 for Apache Hive Released
Community Announcements
March 2023 Community Highlights
What's New @ Cloudera
Cloudera DataFlow Designer for self-service data flow development is now generally available to all CDP Public Cloud customers
What's New @ Cloudera
Cloudera Operational Database (COD) UI provides the JWT configuration details to connect to your HBase client
What's New @ Cloudera
Cloudera Operational Database (COD) UI allows storage type selection when creating an operational database
View More Announcements