
Not able to sync users of Active Directory in Active Directory

Rising Star

Hi Experts,

I am trying to integrate A/D 2012 Server with Ambari 2.1.2. HDP version 2.3.

I've tried various permutations and combinations of the properties, but I am still not successful in integrating AD with Ambari. I could successfully integrate AD with Ranger and Knox using properties along similar lines.

Active Directory domain controller name is: TEST.COM, AD is running on 10.0.2.10. One of the valid users in AD is "Darpan Patel" and has the principal darpan@TEST.COM, and all the users are in the "Users" container.

We are running Ambari as a root user.

Here are the properties I am setting for Ambari - AD integration from /etc/ambari-server/conf/ambari.properties

api.authenticate=true
authentication.ldap.baseDn=CN=Users,DC=test,DC=com 
authentication.ldap.bindAnonymously=false 
authentication.ldap.dnAttribute=CN=Users,DC=test,DC=com 
authentication.ldap.groupMembershipAttr=uid 
authentication.ldap.groupNamingAttr=cn 
authentication.ldap.groupObjectClass=group 
authentication.ldap.managerDn=CN=Darpan Patel,CN=users,DC=test,DC=com 
# also tried with 
# CN=users,DC=test,DC=com 
# CN=darpan,DC=test,DC=com 
# CN=darpan@TEST.COM,DC=test,DC=com
authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
authentication.ldap.primaryUrl=10.0.2.10:389
authentication.ldap.referral=ignore
authentication.ldap.secondaryUrl=10.0.2.10:389
authentication.ldap.useSSL=false
authentication.ldap.userObjectClass=person
authentication.ldap.usernameAttribute=sAMAccountName 

Here is the sequence of what I am trying to do:

  1. $ ambari-server setup-ldap
  2. Enter the above properties
  3. Restart the ambari server
  4. $ ambari-server sync-ldap --all
  5. Enter admin id/password (i.e. default Ambari admin userid: admin/admin); also tried with darpan, darpan@TEST.COM
  6. In all the cases I see:

Syncing all.ERROR: Exiting with exit code 1. REASON: Sync event creation failed. Error details: HTTP Error 403: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]

  7. Log shows:

18 Dec 2015 10:27:34,899 WARN [qtp-client-26] AmbariLdapAuthenticationProvider:71 - Looks like LDAP manager credentials (that are used for connecting to LDAP server) are invalid. org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]

I thought the password could be wrong for the AD user, but with the same AD user I am able to obtain a TGT, i.e. for the user in the Ambari properties (authentication.ldap.managerDn=CN=Darpan Patel,CN=users,DC=test,DC=com) I am able to get a ticket: kinit darpan@TEST.COM.

------------------

Interesting thing is: I am no longer able to log in to Ambari using the admin/admin user. On the Ambari portal, when I use admin/admin it says invalid credentials. So I tried resetting the password to the default by changing it in the ambari.users db (update ambari.users set user_password='538916f8943ec225d97a9a86a2c6ec0818c1cd400e09e03b660fdaaec4af29ddbb6f2b1033b81b00' where user_name='admin')

Curiously, when I look at the ambari.users table, a few of the A/D users are present in the table. For example:

ambari=> select * from ambari.users;

 user_id | principal_id | ldap_user |   user_name   |       create_time       | active
---------+--------------+-----------+---------------+-------------------------+--------
      12 |            4 |         1 | pratlu        | 2015-12-17 17:49:05.699 |      1
       3 |            6 |         1 | darpan        | 2015-12-17 17:49:05.699 |      1
      13 |            3 |         1 | administrator | 2015-12-17 17:49:05.699 |      1
       4 |            5 |         1 | test          | 2015-12-17 17:49:05.699 |      1
      14 |           11 |         1 | sanjay.sharma | 2015-12-17 17:49:05.699 |      1

I also tried logging in to the Ambari web console using darpan, darpan@TEST.COM and admin/admin, but it does not work!!

Did anyone face a similar issue? Or can anyone suggest a workaround?

Regards,

DP
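The two symptoms in the post (an AD bind failure with "data 52e" and a properties file that needed several attempts) are both things a reviewer can check mechanically before touching the server. The following Python script is an added example and not code from the poster or from Ambari: it extracts the AD sub-code from an LDAP error 49 message such as the one in the log above and explains it, and it runs a few heuristic sanity checks over an ambari.properties-style block. The sub-code table holds Active Directory's documented values for the "data" field; the property checks (a dnAttribute that looks like a DN instead of an attribute name, identical primary and secondary URLs, useSSL=false) are my own heuristics, and the embedded sample log line and properties are constructed from the post.

```python
import re

# Sub-codes that Active Directory reports in the "data NNN" field of an
# LDAP error 49 (invalidCredentials) bind failure.  These are AD's
# documented meanings; the table itself is constructed for this example.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password for an existing account)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches the bracketed AD bind-failure block as it appears in Ambari's
# CLI output and in ambari-server.log.
BIND_ERROR_RE = re.compile(
    r"LDAP: error code (?P<code>\d+) - (?P<hex>[0-9A-Fa-f]+): LdapErr: "
    r"DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>[^,]+), "
    r"data (?P<data>[0-9A-Fa-f]+)"
)

# Constructed sample: the log line from the post, as Ambari wrote it.
SAMPLE_LOG_LINE = (
    "18 Dec 2015 10:27:34,899 WARN [qtp-client-26] AmbariLdapAuthenticationProvider:71 - "
    "Looks like LDAP manager credentials (that are used for connecting to LDAP server) "
    "are invalid. org.springframework.security.authentication."
    "InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: "
    "DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]"
)

# Constructed sample: the relevant subset of the poster's ambari.properties.
SAMPLE_PROPERTIES = """
authentication.ldap.baseDn=CN=Users,DC=test,DC=com 
authentication.ldap.bindAnonymously=false 
authentication.ldap.dnAttribute=CN=Users,DC=test,DC=com 
authentication.ldap.managerDn=CN=Darpan Patel,CN=users,DC=test,DC=com 
authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
authentication.ldap.primaryUrl=10.0.2.10:389
authentication.ldap.secondaryUrl=10.0.2.10:389
authentication.ldap.useSSL=false
"""


def parse_ad_bind_error(message):
    """Return a dict describing the first AD bind failure found in the
    message (LDAP result code, AD hex error, data sub-code and its meaning),
    or None when the message contains no such block."""
    m = BIND_ERROR_RE.search(message)
    if not m:
        return None
    data = m.group("data").lower()
    return {
        "ldap_code": int(m.group("code")),
        "ad_error": m.group("hex"),
        "comment": m.group("comment"),
        "data": data,
        "meaning": AD_BIND_DATA_CODES.get(data, "unknown sub-code"),
    }


def parse_properties(text):
    """Parse key=value lines, ignoring blanks and '#' comments.  Values are
    stripped because copied property files often carry trailing spaces,
    which an LDAP server would otherwise see as part of the DN."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_ldap_properties(props):
    """Heuristic review of the LDAP-related properties; returns a list of
    human-readable findings (empty list means nothing was flagged)."""
    findings = []
    p = "authentication.ldap."
    if "=" in props.get(p + "dnAttribute", ""):
        findings.append("dnAttribute holds a DN; it should name the attribute that holds the DN")
    if props.get(p + "bindAnonymously", "").lower() == "false":
        if not props.get(p + "managerDn"):
            findings.append("bindAnonymously=false but managerDn is empty")
        if not props.get(p + "managerPassword"):
            findings.append("bindAnonymously=false but managerPassword is empty")
    if props.get(p + "useSSL", "").lower() == "false":
        findings.append("useSSL=false: the manager bind password crosses the network unencrypted")
    if props.get(p + "primaryUrl") and props.get(p + "primaryUrl") == props.get(p + "secondaryUrl"):
        findings.append("primaryUrl and secondaryUrl are identical, so there is no failover")
    return findings


if __name__ == "__main__":
    info = parse_ad_bind_error(SAMPLE_LOG_LINE)
    print("bind failure:", info["data"], "->", info["meaning"])
    for finding in check_ldap_properties(parse_properties(SAMPLE_PROPERTIES)):
        print("property check:", finding)
```

Run over the sample log line the script reports the 52e sub-code as a wrong password for an existing account, which is consistent with the poster's later finding that the failure was on the Ambari side rather than on the AD account; the property checks are a starting point for a review, not a verdict on any one setting.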

1 ACCEPTED SOLUTION

Master Mentor

@Darpan Patel

https://confluence.atlassian.com/display/CONFKB/Us...

52e = invalid credentials

Regarding the admin user's invalid credentials: it looks like your AD setup did change the admin user's settings in the database.

For example:

ambari213=> select ldap_user from users where user_name='admin';

ldap_user

-----------

1

(1 row)

ambari213=> update users set ldap_user=0 where user_name='admin';

UPDATE 1

ambari213=>

ambari213=> select ldap_user from users where user_name='admin';

ldap_user

-----------

0

(1 row)

Then try logging in with the admin credentials.



Master Mentor

@Darpan Patel Do you have an admin user in AD? I guess yes.

Rising Star

@Neeraj Sabharwal I've a local KDC. In the local KDC I've admin/admin, but none in the AD.

Master Mentor

@Darpan Patel Ok. If the issue is resolved then please accept one of the answers to close the thread.