Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

LDAP: error code 49 when setting LDAP auth for HiveServer2

Labels:
avatar
author-rank Adija1
Super Collaborator

Created on ‎02-09-2016 04:20 PM - edited ‎08-19-2019 02:05 AM

Hello Gurus :) HDP 2.3.2 Ambari 2.1.2.1

I'm trying to setup HiveServer2 with LDAP authentication. It seems pretty straightforward: I performed the following: Changed HiveServer2 Authentication to LDAP

1954-1.png Then i setup my LDAP server url (as the Ambari requested): 1955-2.png Restarted the Hive but hiveserver2.log shows the following during it's startup: ERROR [HiveServer2-Handler-Pool: Thread-56]: transport.TSaslTransport (TSaslTransport.java:open(315)) - SASL negotiation failure javax.security.sasl.SaslException: Error validating the login [Caused by javax.security.sasl.AuthenticationException: Error validating LDAP user [Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]]]

According to the error LDAP 49 - 52e the problem is with the credentials that were passed to the LDAP server. I don't find any field \ parameter in which i set the LDAP user & password for authentication... Needless to say that the authentication acts as if it is set to NONE (which is a major problem....)

Any ideas ? Thanks in advance Adi J.

42,634 Views
0
2 ACCEPTED SOLUTIONS

avatar
author-rank amcbarnett
Guru

Created ‎02-10-2016 09:02 PM

@Adi Jabkowsky

Is this happening when HS2 is started ONLY or when you connect via Beeline or both?

Try the following:

  1. Your hive.server2.authentication.ldap.baseDN has a blank space. Remove the blank space and restart HS2 from Hosts in Ambari 
    #From
<property>
<name>hive.server2.authentication.ldap.baseDN</name>
<value> </value>
</property>

#To
<property>
<name>hive.server2.authentication.ldap.baseDN</name>
<value></value>
</property>
  2. Remove hive.server2.authentication.ldap.Domain or set to Blank. Then log into HS2 using beeline and set your user to myuser@corp.cellcom.co.il as your login and see if it authenticates
  3. Set hive.server2.enable.doAs to False so that Hive user executes the query,
  4. If you are using a Hive AD user, Double check that the hive AD UID is the same in /etc/passwd file. Make an archive of HS2 Logs, change /etc/passwd to have the same UUID as the AD hive user, and restart HS2.

View solution in original post

41,098 Views
0

avatar
author-rank florianc
Explorer

Created ‎06-29-2020 01:59 AM

Hi  @Adija1 .

 

Have you hever managed to find out where to indicate username and password for hiveserver2 to be able to auth against Ad LDAP ?

 

I currently have this error:

 

[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e, v2580]
 
But I have nowhere in Hive config (Ambari 3.1) to say what user and password to use, and even though this question has been asked at least twice on this post, no one answered...

View solution in original post

36,439 Views
0 Kudos
0
41 REPLIES 41

avatar
author-rank Adija1
Super Collaborator

Created ‎02-10-2016 12:26 PM

@Neeraj Sabharwal Disregard the HUE error. It is probably because of old version of HUE that doesn't support LDAP. But still beeline doesn't work and i get the same error you get...

8,813 Views
0 Kudos

avatar
author-rank asish author-rank
Guru

Created ‎06-30-2020 01:06 AM

I see that you use Active DIrecyory

 

Did you use the below property?

 

+++

<property>

<name>hive.server2.authentication.ldap.Domain</name>

<value>AD_Domain</value>

</property>

+++

7,430 Views
0 Kudos

avatar
author-rank Adija1
Super Collaborator

Created ‎02-10-2016 12:42 PM

@Neeraj Sabharwal

Not exactly.

2016-02-10 14:38:33,237 ERROR [HiveServer2-Handler-Pool: Thread-51]: transport.TSaslTransport (TSaslTransport.java:open(315)) - SASL negotiation failure javax.security.sasl.SaslException: Error validating the login [Caused by javax.security.sasl.AuthenticationException: Error validating LDAP user [Caused by javax.naming.Authe nticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1^@]]]

7,649 Views
0 Kudos

avatar
author-rank Adija1
Super Collaborator

Created ‎02-10-2016 12:43 PM

@Neeraj Sabharwal

The error means that hive on startup tried to authenticate with a user but it's credentials are not correct. My guess is that the hive which is running on local user "hive" is trying to authenticate using this user (hive) and it doesn't exist on LDAP.

Theoretically if i will create "hive" user in my LDAP i guess it will work. The problem is that i'm not sure what it's password is....

7,649 Views
0 Kudos

avatar
author-rank nsabharwal
Master Mentor

Created ‎02-10-2016 12:45 PM

@Adi Jabkowsky I though so because I am using openladap

49, 52e = invalid cred

7,649 Views
0 Kudos

avatar
author-rank Adija1
Super Collaborator

Created ‎02-10-2016 12:55 PM

@Neeraj Sabharwal I will reset it's password and create this user in my LDAP. Will update on the result.

7,650 Views

avatar
author-rank Adija1
Super Collaborator

Created ‎02-10-2016 06:07 PM

@Neeraj Sabharwal

I created "hive" user in LDAP with the same password as in my linux machine that runs hive. Still problem remains. Every minute repeatedly the hiveserver2.log shows: LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, There must be someone out there who managed to get hive authentication with Active Directory...

7,650 Views

avatar
author-rank florianc
Explorer

Created ‎06-29-2020 01:59 AM

Hi  @Adija1 .

 

Have you hever managed to find out where to indicate username and password for hiveserver2 to be able to auth against Ad LDAP ?

 

I currently have this error:

 

[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e, v2580]
 
But I have nowhere in Hive config (Ambari 3.1) to say what user and password to use, and even though this question has been asked at least twice on this post, no one answered...
36,440 Views
0 Kudos
0

avatar
author-rank amiller
Guru

Created ‎02-09-2016 06:12 PM

As described in the docs:

If you're using AD you should also define a custom hive-site property hive.server2.authentication.ldap.Domain

If you're using OpenLDAP you should also define a custom hive-site property hive.server2.authentication.ldap.baseDN

Also make sure to force HiveServer2 to restart in Ambari. Go to the host(s) running HS2, and use the drop-down next to HiveServer2 to 'Restart' which will push the new configs. There was an Ambari bug that would mark all other Hive components for restart, but NOT HS2, even when it's required, and the "Restart All Affected" will NOT push new HS2 configs in that case.

7,653 Views

avatar
author-rank Adija1
Super Collaborator

Created ‎02-10-2016 07:07 AM

@Alex Miller Hi Alex and thank you for your reply. I did add the hive.server2.authentication.ldap.Domain property with my domain name, and i'm configuring everything while HIVE is completely shutdown - so it's definitely not a restart problem. What i don't understand is where do i setup the user that is in charge of authentication against AD ? Where is the manager dn value located ? Maybe it's also a custom value ?

7,650 Views
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements