Support Questions

Find answers, ask questions, and share your expertise

Kerberos/LDAP integration Errors on the UI. LDAP CLI Utility does not


I got an HDP 3.0 Ambari 2.7 Cluster on AWS EC2, which i'm trying to integrate with a Company LDAP.

Been having issues when trying to continue on the last step, when the wizard Tests Kerberos Connection, it asks me for the Admin principal and password. When doing that, i get an error on the test request (after the Credentials PUT request). When looking at the logs, i see:

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment:
AcceptSecurityContext error, data 52e, v2580]

I also tried to test connection to the LDAP using ambari-server sync-ldap. After following the wizard, i was able to connect and get all users on the container.

I'm assuming this utility does not share some settings with the UI. If that is the case, what can i do to fix it?

My setup is attached






It seems you are trying to use both MIT & AD together while enabling kerberos through Ambari. This is not possible at once.

If you want to use MIT KDC for hadoop service and AD/LDAP for user authentication you need to first enable kerberos using MIT KDC only and once your kerberos is enabled successfully go for configuring "One Way trust between MIT KDC and Active Directory".

With this setup all your hadoop services will be authenticated against MIT KDC and AD users will be autheticated against Active Directory. You can refer below links to do this setup:

1) Enable Kerberos using existing MIT KDC

2) Setup trust between MIT and AD KDC

In case you do not want to setup 2 KDC (MIT KDC for hadoop & AD KDC for bussiness users), You can go for complete MIT KDC setup or Complete AD KDC setup.

To address your issue:
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment:
AcceptSecurityContext error, data 52e, v2580] 

LDAP: error code 49: usually means username is valid but password is invalid

You are getting this issue because you are trying to authenticate kadmin/admin user with AD KDC and it seems this particular user isn't available in AD.


Thanks for your quick reply @Gulshad Ansari

With your suggestion, i was able to understand a little better my scenario. I need to use my AD domain for the admin principal, which i was not.

Anyways, when doing the change, i ran into an issue, where the test kerberos ticket created by the wizard still haves the old, incorrect domain. I did some quick research, and it seems to be an issue with the UI storing the old Domain Value. I tried the suggested steps on this thread without luck:

I also found the value was being stored on Chrome's LocalStorage, so i cleared it. After a second try, it haves the correct value, but the keytab file keeps ending up wrong.

Is there a way to make sure that value gets reset properly? I'm thinking on . destroying the cluster and starting anew at this point.

Thanks so much!