
Problems with Enable Kerberos using the wizard

Explorer

When the wizard generates credentials, it reports an Insufficient access (50) LDAP error, like this:

/opt/cloudera/cm/bin/gen_credentials_ad.sh failed with exit code 50 and output of <<
+ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin
+ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf3782202571582054951.keytab
+ PRINC=HTTP/cradle3302t.priv.cwru.edu@ADS.CASE.EDU
+ USER=PruWGPfsVZ
+ PASSWD=REDACTED
+ DELETE_ON_REGENERATE=true
+ SET_ENCRYPTION_TYPES=false
+ ENC_TYPES_MASK=4
+ USERACCOUNTCONTROL=66048
+ ACCOUNTEXPIRES=0
+ OBJECTCLASSES='objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
'
+ EXTRA_ATTRIBUTES=
+ DIST_NAME='CN=PruWGPfsVZ,OU=cradle33,OU=Hadoop,OU=Research Computing,OU=Information Technology Services,OU=Delegated Departments,DC=ads,DC=case,DC=edu'
+ [[ -z ADS.CASE.EDU ]]
+ echo 'CMF_REALM is: ADS.CASE.EDU'
+ '[' -z /var/run/cloudera-scm-server/krb5125639301910663789.conf ']'
+ echo 'Using custom config path '\''/var/run/cloudera-scm-server/krb5125639301910663789.conf'\'', contents below:'
+ cat /var/run/cloudera-scm-server/krb5125639301910663789.conf
++ mktemp /tmp/cm_ldap.XXXXXXXX
+ LDAP_CONF=/tmp/cm_ldap.jOaAAbDw
+ echo 'TLS_REQCERT never'
+ echo 'sasl_secprops minssf=0,maxssf=0'
+ SIMPLE_PWD_STR=
+ LDAP_URL=
+ '[' REDACTED = '' ']'
+ SIMPLE_PWD_STR='-x -D rcci-hadoop-sa@ADS.CASE.EDU -w REDACTED'
+ LDAP_URL=ldaps://ads.case.edu:636
+ export LDAPCONF=/tmp/cm_ldap.jOaAAbDw
+ LDAPCONF=/tmp/cm_ldap.jOaAAbDw
++ ldapsearch -LLL -H ldaps://ads.case.edu:636 -b 'OU=cradle33,OU=Hadoop,OU=Research Computing,OU=Information Technology Services,OU=Delegated Departments,DC=ads,DC=case,DC=edu' -x -D rcci-hadoop-sa@ADS.CASE.EDU -w REDACTED userPrincipalName=HTTP/cradle3302t.priv.cwru.edu@ADS.CASE.EDU
+ PRINC_SEARCH=
++ echo ''
++ sed -n '1 {h; $ !d}; $ {x; s/\n //g; p}; /^ / {H; d}; /^ /! {x; s/\n //g; p}'
+ RESULTS_UNWRAPPED=
+ echo “”
+ set +e
+ echo
+ grep -q userPrincipalName
+ '[' 1 -eq 0 ']'
+ set -e
+ '[' false = true ']'
+ ldapmodify -H ldaps://ads.case.edu:636 -x -D rcci-hadoop-sa@ADS.CASE.EDU -w REDACTED
++ echo 'objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
'
++ sed /str/d
++ echo HTTP/cradle3302t.priv.cwru.edu@ADS.CASE.EDU
++ sed -e 's/\@ADS.CASE.EDU//g'
++ echo -n '"REDACTED"'
++ iconv -f UTF8 -t UTF16LE
++ base64 -w 0
++ echo ''
ldap_add: Insufficient access (50)
additional info: 00000005: SecErr: DSID-03152E13, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0


>>

I know the service account has full access for sure.

Does anyone know the reason why it failed in this way?

1 ACCEPTED SOLUTION

Expert Contributor

Hi @MaraWang,

Please work with the AD team to ensure the bind user has the required rights (add, delete and modify) in order to do the required actions in AD using that user. And you can refer to the KB article below for the additional permission needed for all machine accounts ("objectclass=computer") associated with the cluster hosts. KB article: https://my.cloudera.com/knowledge/Cloudera-Customer-Advisory-590-Microsoft-AD-November-2021?id=35025...


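An added example, not Cloudera's gen_credentials_ad.sh and not from either poster: a bash script that rebuilds the account LDIF with the attributes visible in the trace above (object classes, quoted UTF-16LE unicodePwd, userAccountControl 66048, accountExpires 0) and then probes whether a bind user can add and delete such an object in the target OU before the wizard is re-run. The LDAP URL, bind DN, bind password, OU and realm are arguments you supply; the function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not Cloudera's gen_credentials_ad.sh: rebuild the account LDIF
# with the attributes seen in the trace, then probe whether a bind user can add
# and delete such an object in the target OU (all connection values are args).
set -euo pipefail
# AD expects unicodePwd as base64 of the UTF-16LE encoding of the password
# wrapped in double quotes (the trace's echo -n '"..."' | iconv | base64 step).
encode_unicode_pwd() {
    printf '"%s"' "$1" | iconv -f UTF-8 -t UTF-16LE | base64 | tr -d '\n'
}

# servicePrincipalName is the Kerberos principal without its @REALM suffix
# (the trace's sed -e 's/\@ADS.CASE.EDU//g').
strip_realm() {
    printf '%s' "$1" | sed -e 's/@[^@]*$//'
}

# LDIF for one service account: CN/sAMAccountName from the generated USER,
# UPN from PRINC, userAccountControl 66048 (NORMAL_ACCOUNT + DONT_EXPIRE_PASSWD),
# accountExpires 0, as in the trace.
build_account_ldif() {
    local user=$1 princ=$2 pw=$3 ou=$4
    cat <<EOF
dn: CN=$user,$ou
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: $user
sAMAccountName: $user
userPrincipalName: $princ
servicePrincipalName: $(strip_realm "$princ")
unicodePwd:: $(encode_unicode_pwd "$pw")
userAccountControl: 66048
accountExpires: 0
EOF
}

# Rights probe: add a throwaway account with the same object classes, then
# delete it. ldapadd exiting 50 reproduces the wizard's "Insufficient access";
# a clean run shows the bind user has both add and delete rights on the OU.
probe_rights() {
    local url=$1 bind_dn=$2 bind_pw=$3 ou=$4 realm=$5
    local user="cmprobe$$"
    build_account_ldif "$user" "$user@$realm" "Probe-$RANDOM-Pw!" "$ou" \
        | ldapadd -H "$url" -x -D "$bind_dn" -w "$bind_pw" >/dev/null || return $?
    ldapdelete -H "$url" -x -D "$bind_dn" -w "$bind_pw" "CN=$user,$ou"
}
```

Run `probe_rights ldaps://ads.case.edu:636 'rcci-hadoop-sa@ADS.CASE.EDU' "$PW" 'OU=cradle33,...' ADS.CASE.EDU` with the real OU and password; a 50 on the add step is the same rights problem the wizard hit, so the fix belongs with the AD delegation, not the wizard.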

Community Manager

@MaraWang, did the response assist in resolving your query? If it did, kindly mark the relevant reply as the solution, as it will aid others in locating the answer more easily in the future.

Regards,

Vidya Sargur,
Community Manager
