
Not able to sync users of Active Directory in Active Directory

Rising Star

Hi Experts,

I am trying to integrate an AD 2012 Server with Ambari 2.1.2 (HDP version 2.3).

I've tried various permutations and combinations of the properties, but I am still not able to integrate AD with Ambari. I was able to integrate AD with Ranger and Knox using properties along similar lines.

The Active Directory domain controller name is TEST.COM, and AD is running on 10.0.2.10. One of the valid users in AD is "Darpan Patel"; it has the principal darpan@TEST.COM, and all the users are in the "Users" container.

We are running Ambari as a root user.

Here are the properties I am setting for Ambari - AD integration from /etc/ambari-server/conf/ambari.properties

api.authenticate=true
authentication.ldap.baseDn=CN=Users,DC=test,DC=com
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=CN=Users,DC=test,DC=com
authentication.ldap.groupMembershipAttr=uid
authentication.ldap.groupNamingAttr=cn
authentication.ldap.groupObjectClass=group
authentication.ldap.managerDn=CN=Darpan Patel,CN=users,DC=test,DC=com
# also tried with
# CN=users,DC=test,DC=com
# CN=darpan,DC=test,DC=com
# CN=darpan@TEST.COM,DC=test,DC=com
authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
authentication.ldap.primaryUrl=10.0.2.10:389
authentication.ldap.referral=ignore
authentication.ldap.secondaryUrl=10.0.2.10:389
authentication.ldap.useSSL=false
authentication.ldap.userObjectClass=person
authentication.ldap.usernameAttribute=sAMAccountName

Here is the sequence of what I am trying to do:

  1. $ ambari-server setup-ldap
  2. Enter the above properties
  3. Restart the ambari server
  4. $ ambari-server sync-ldap --all
  5. Enter admin id/password (i.e. default Ambari Admin userid: admin/admin); also tried with darpan, darpan@TEST.COM
  6. In all the cases I see:

Syncing all.ERROR: Exiting with exit code 1. REASON: Sync event creation failed. Error details: HTTP Error 403: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]

  7. The log shows:

18 Dec 2015 10:27:34,899 WARN [qtp-client-26] AmbariLdapAuthenticationProvider:71 - Looks like LDAP manager credentials (that are used for connecting to LDAP server) are invalid. org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]

I thought that the password could be wrong for the AD user, but with the same AD user I am able to obtain a TGT, i.e. for the user in the Ambari properties (authentication.ldap.managerDn=CN=Darpan Patel,CN=users,DC=test,DC=com) I am able to get a ticket with kinit darpan@TEST.COM.

------------------

The interesting thing is: I am no longer able to log in to Ambari using the admin/admin user. On the Ambari portal, when I use admin/admin it says invalid credentials. So I tried resetting the password to the default by changing it in the ambari.users table (update ambari.users set user_password='538916f8943ec225d97a9a86a2c6ec0818c1cd400e09e03b660fdaaec4af29ddbb6f2b1033b81b00' where user_name='admin')

Curiously, when I look at the ambari.users table, a few of the AD users are present in the table, for example:

ambari=> select * from ambari.users;
 user_id | principal_id | ldap_user | user_name     | create_time             | active
---------+--------------+-----------+---------------+-------------------------+--------
      12 |            4 |         1 | pratlu        | 2015-12-17 17:49:05.699 |      1
       3 |            6 |         1 | darpan        | 2015-12-17 17:49:05.699 |      1
      13 |            3 |         1 | administrator | 2015-12-17 17:49:05.699 |      1
       4 |            5 |         1 | test          | 2015-12-17 17:49:05.699 |      1
      14 |           11 |         1 | sanjay.sharma | 2015-12-17 17:49:05.699 |      1

I also tried logging in to the Ambari web console using darpan, darpan@TEST.COM and admin/admin, but it does not work!!

Did anyone face a similar issue? Or can anyone suggest a workaround?

Regards,

DP
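As an added example (not from the thread and not Ambari's own code), here is a small Python script that does two things the thread does by hand: it decodes the AD sub-code in the "AcceptSecurityContext error, data 52e" message, and it lints the LDAP block of ambari.properties for the problems the replies point out (a DN where an attribute name belongs in dnAttribute, a secondaryUrl identical to primaryUrl) plus the cleartext simple bind that useSSL=false implies. The sub-code table is Microsoft's documented set and is background knowledge rather than something the thread lists; the sample error text and properties are copied from the post above.

```python
import re

# Microsoft's documented sub-codes for an AD bind failure (LDAP result 49).
# This table is background knowledge, not something the thread lists.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials: wrong password, or the bind DN does not match the account",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_AD_ERR_RE = re.compile(
    r"LDAP: error code (?P<code>\d+) - [0-9A-Fa-f]+: LdapErr: .*?"
    r"AcceptSecurityContext error, data (?P<sub>[0-9A-Fa-f]+)"
)


def decode_ad_bind_error(message):
    """Return (ldap_result_code, ad_subcode, meaning) for an AD bind failure,
    or None when the text is not an AcceptSecurityContext error."""
    m = _AD_ERR_RE.search(message)
    if m is None:
        return None
    sub = m.group("sub").lower()
    return int(m.group("code")), sub, AD_BIND_SUBCODES.get(sub, "unknown sub-code")


def parse_properties(text):
    """Minimal key=value parser for an ambari.properties fragment
    (comments and blank lines skipped, surrounding whitespace trimmed)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def _looks_like_dn(value):
    # Every comma-separated component of a DN is attr=value; good enough for
    # the simple DNs in the thread (escaped commas are not handled).
    return bool(value) and all("=" in part for part in value.split(","))


def lint_ldap_properties(text):
    """Return a list of findings for the authentication.ldap.* settings."""
    p = parse_properties(text)

    def get(name):
        return p.get("authentication.ldap." + name, "")

    findings = []
    if "=" in get("dnAttribute"):
        findings.append("dnAttribute holds a DN (%r); it must be an attribute name "
                        "such as distinguishedName" % get("dnAttribute"))
    for name in ("baseDn", "managerDn"):
        if get(name) and not _looks_like_dn(get(name)):
            findings.append("%s does not look like a DN: %r" % (name, get(name)))
    if get("bindAnonymously").lower() == "false" and not (get("managerDn") and get("managerPassword")):
        findings.append("bindAnonymously=false but managerDn/managerPassword are not both set")
    if get("useSSL").lower() != "true":
        findings.append("useSSL=%s: the manager password and every user's login password "
                        "cross the network to %s in cleartext"
                        % (get("useSSL") or "unset", get("primaryUrl") or "?"))
    if get("primaryUrl") and get("primaryUrl") == get("secondaryUrl"):
        findings.append("secondaryUrl equals primaryUrl (%s), so it gives no failover" % get("primaryUrl"))
    return findings


# Error text from the sync output in the post above.
SAMPLE_ERROR = ("HTTP Error 403: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, "
                "comment: AcceptSecurityContext error, data 52e, v1db1]")

# The poster's properties as shown above, with the "also tried" comments dropped.
SAMPLE_PROPERTIES = """
authentication.ldap.baseDn=CN=Users,DC=test,DC=com
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=CN=Users,DC=test,DC=com
authentication.ldap.managerDn=CN=Darpan Patel,CN=users,DC=test,DC=com
authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
authentication.ldap.primaryUrl=10.0.2.10:389
authentication.ldap.secondaryUrl=10.0.2.10:389
authentication.ldap.useSSL=false
authentication.ldap.usernameAttribute=sAMAccountName
"""

if __name__ == "__main__":
    print(decode_ad_bind_error(SAMPLE_ERROR))
    for finding in lint_ldap_properties(SAMPLE_PROPERTIES):
        print("-", finding)
```

Run against the properties in the post, the linter reports the dnAttribute value, the duplicated URL and the cleartext bind; the 52e decode confirms that the server rejected the manager bind itself, which is why no amount of changing the admin password on the Ambari side could help.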

1 ACCEPTED SOLUTION

Master Mentor

@Darpan Patel

https://confluence.atlassian.com/display/CONFKB/Us...

52e: invalid credentials

Regarding the admin user's invalid credentials: it looks like your AD setup changed the admin user's settings in the database.

For example:

ambari213=> select ldap_user from users where user_name='admin';
 ldap_user
-----------
         1
(1 row)

ambari213=> update users set ldap_user=0 where user_name='admin';
UPDATE 1

ambari213=> select ldap_user from users where user_name='admin';
 ldap_user
-----------
         0
(1 row)

then try login with admin cred.

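As an added example (not from the thread and not Ambari's own code), the check and the fix from the accepted solution above, modelled in Python on an in-memory SQLite copy of the relevant users columns so it runs offline. The table layout and rows are constructed from what the thread shows; the real Ambari schema has more columns, and against the real database you would run the same statements through psql as in the answer. Wrapping the check in a function matters because later replies show the admin flag flipping back to 1 after each sync, so it is worth rerunning after every sync-ldap.

```python
import sqlite3

# Constructed, minimal copy of the users columns that matter here.
# This is not the real Ambari schema, which has more columns.
SCHEMA = """
CREATE TABLE users (
    user_id      INTEGER PRIMARY KEY,
    principal_id INTEGER,
    ldap_user    INTEGER NOT NULL DEFAULT 0,
    user_name    TEXT    NOT NULL,
    active       INTEGER NOT NULL DEFAULT 1
);
"""

# Constructed rows modelled on the thread: admin is supposed to be a local
# (non-LDAP) account, but its ldap_user flag has been flipped to 1.
SAMPLE_ROWS = [
    (1, 1, 1, "admin"),
    (3, 6, 1, "darpan"),
    (12, 4, 1, "pratlu"),
    (13, 3, 1, "administrator"),
]

# Accounts that must stay local no matter what the LDAP sync imports.
LOCAL_ACCOUNTS = {"admin"}


def open_sample_db():
    """Build the in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO users (user_id, principal_id, ldap_user, user_name) VALUES (?, ?, ?, ?)",
        SAMPLE_ROWS)
    conn.commit()
    return conn


def ldap_user_flag(conn, user_name):
    """The select from the accepted solution; None if the user does not exist."""
    row = conn.execute("SELECT ldap_user FROM users WHERE user_name=?", (user_name,)).fetchone()
    return None if row is None else row[0]


def converted_local_accounts(conn, local_accounts=LOCAL_ACCOUNTS):
    """Names of accounts that should be local but now carry ldap_user=1."""
    names = tuple(sorted(local_accounts))
    placeholders = ",".join("?" * len(names))
    rows = conn.execute(
        "SELECT user_name FROM users WHERE ldap_user=1 AND user_name IN (%s)" % placeholders,
        names).fetchall()
    return sorted(name for (name,) in rows)


def restore_local_flag(conn, user_name):
    """The update from the accepted solution; returns the number of rows changed."""
    cur = conn.execute("UPDATE users SET ldap_user=0 WHERE user_name=?", (user_name,))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    conn = open_sample_db()
    print("converted local accounts before fix:", converted_local_accounts(conn))
    for name in converted_local_accounts(conn):
        restore_local_flag(conn, name)
    print("converted local accounts after fix:", converted_local_accounts(conn))
```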


Try doing a search for the principal you are using to make sure its record has the same DN as the one you are using as the Kerberos identity.

ldapsearch -h 10.0.2.10 -D darpan@TEST.COM -W -b CN=Users,DC=test,DC=com '(userPrincipalName=darpan@TEST.COM)' dn

Also, I noticed that your distinguished name attribute is still incorrect:

Is: 
  authentication.ldap.dnAttribute=CN=Users,DC=test,DC=com 
Should Be:
  authentication.ldap.dnAttribute=distinguishedName

Rising Star

Thanks Robert,

By executing the ldapsearch I get:

# Darpan Patel, Users, test.com
dn: CN=Darpan Patel,CN=Users,DC=test,DC=com
# search result
search: 2
result: 0 Success

I also made the change: authentication.ldap.dnAttribute=distinguishedName.

However, when I give admin/admin while doing the sync, the outcome is:

[root@gateway ~]# ambari-server sync-ldap --all
Using python  /usr/bin/python2.7
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password:
Syncing all.ERROR: Exiting with exit code 1. REASON: Sync event creation failed. Error details: HTTP Error 403: Bad credentials


Rising Star

I logged in to the Ambari database and reset the password to 'admin'. But still it did not work.

Master Mentor

@Darpan Patel Please see my previous message. It seems that your admin user is set to an LDAP user.

Rising Star

You were right. The admin user had the ldap_user flag set to 1. Not sure how it got changed...

Rising Star

One more observation @Neeraj Sabharwal: I updated the admin user's ldap_user flag to 0 as you mentioned and tried running the Ambari LDAP sync operation.

On the console I get the error:

Enter Ambari Admin password: Syncing all.......
ERROR: Exiting with exit code 1.
REASON: Sync event check failed. Error details: HTTP Error 403: Bad credentials

Now I am checking the users table in the Ambari database. I see a few more users have been imported into the users table. And the admin user's ldap_user flag is again set to 1. 🙂

Master Mentor

@Darpan Patel Perfect! It looks like the ldap sync is working but you need to check credentials.

Rising Star

@Neeraj Sabharwal

Yeah, looks like users are getting synced.

However, I think the problem here is that the local user admin is being changed to an LDAP user (the flag changes in the users table). Is this expected behavior?