Ranger LDAP sync failing after Kerberization using AD

Contributor

Dear experts,

We installed Ranger with LDAP sync, and after a few days we enabled Kerberos using AD. After that, usersync is failing with the error below. Please suggest.

21 Jun 2018 17:47:58 INFO UnixAuthenticationService [main] - Starting User Sync Service!
21 Jun 2018 17:47:58 INFO AbstractMapper [UnixUserSyncThread] - Initializing for ranger.usersync.mapping.username.regex
21 Jun 2018 17:47:58 INFO AbstractMapper [UnixUserSyncThread] - Initializing for ranger.usersync.mapping.groupname.regex
21 Jun 2018 17:47:58 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder created
21 Jun 2018 17:47:58 INFO UserGroupSyncConfig [UnixUserSyncThread] - Sleep Time Between Cycle can not be lower than [3600000] millisec. resetting to min value.
21 Jun 2018 17:47:58 INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder
21 Jun 2018 17:47:58 WARN NativeCodeLoader [UnixUserSyncThread] - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
21 Jun 2018 17:47:59 INFO AbstractMapper [UnixUserSyncThread] - Initializing for ranger.usersync.mapping.username.regex
21 Jun 2018 17:47:59 INFO AbstractMapper [UnixUserSyncThread] - Initializing for ranger.usersync.mapping.groupname.regex
21 Jun 2018 17:47:59 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder created
21 Jun 2018 17:47:59 INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapDeltaUserGroupBuilder
21 Jun 2018 17:47:59 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder initialization started
21 Jun 2018 17:47:59 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder initialization completed with -- ldapUrl: ldap://XXXXX:389, ldapBindDn: CN=XXXX,OU=XXXX,DC=XXX,DC=XXX, ldapBindPassword: ***** , ldapAuthenticationMechanism: simple, searchBase: DC=aero,DC=local, userSearchBase: [OU=XXX,DC=XX,DC=XXX], userSearchScope: 2, userObjectClass: user, userSearchFilter: , extendedUserSearchFilter: null, userNameAttribute: sAMAccountName, userSearchAttributes: [uSNChanged, sAMAccountName, modifytimestamp], userGroupNameAttributeSet: null, pagedResultsEnabled: true, pagedResultsSize: 500, groupSearchEnabled: true, groupSearchBase: [XXXX], groupSearchScope: 2, groupObjectClass: group, groupSearchFilter: , extendedGroupSearchFilter: (&null(|(member={0})(member={1}))), extendedAllGroupsSearchFilter: null, groupMemberAttributeName: member, groupNameAttribute: name, groupSearchAttributes: [uSNChanged, name, member, modifytimestamp], groupUserMapSyncEnabled: true, groupSearchFirstEnabled: false, userSearchEnabled: false, ldapReferral: ignore
21 Jun 2018 17:47:59 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
21 Jun 2018 17:47:59 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - LdapDeltaUserGroupBuilder updateSink started
21 Jun 2018 17:47:59 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - Performing user search first
21 Jun 2018 17:47:59 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - extendedUserSearchFilter = (&(objectclass=user)(|(uSNChanged>=0)(modifyTimestamp>=19700101120000Z)))
21 Jun 2018 17:47:59 INFO LdapDeltaUserGroupBuilder [UnixUserSyncThread] - uSNChangedVal = 225739and currentDeltaSyncTime = 225739
21 Jun 2018 17:47:59 ERROR LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - Failed to add User : com.sun.jersey.api.client.UniformInterfaceException: POST http://10.1.1.5:6080/service/users/default returned a response status of 401 Unauthorized
    at com.sun.jersey.api.client.WebResource.handle(WebResource.java:686)
    at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
    at com.sun.jersey.api.client.WebResource$Builder.post(WebResource.java:568)
    at org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder.getMUser(LdapPolicyMgrUserGroupBuilder.java:672)
    at org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder.access$500(LdapPolicyMgrUserGroupBuilder.java:73)
    at org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder$6.run(LdapPolicyMgrUserGroupBuilder.java:645)
    at org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder$6.run(LdapPolicyMgrUserGroupBuilder.java:641)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:360)
    at org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder.addMUser(LdapPolicyMgrUserGroupBuilder.java:641)
    at org.apache.ranger.ldapusersync.process.LdapPolicyMgrUserGroupBuilder.addOrUpdateUser(LdapPolicyMgrUserGroupBuilder.java:273)
    at org.apache.ranger.ldapusersync.process.LdapDeltaUserGroupBuilder.getUsers(LdapDeltaUserGroupBuilder.java:468)
    at org.apache.ranger.ldapusersync.process.LdapDeltaUserGroupBuilder.updateSink(LdapDeltaUserGroupBuilder.java:311)
    at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
    at java.lang.Thread.run(Thread.java:748)
21 Jun 2018 17:47:59 ERROR LdapPolicyMgrUserGroupBuilder [UnixUserSyncThread] - Failed to add portal user

Re: Ranger LDAP sync failing after Kerberization using AD

Contributor

@Chiranjeevi Nimmala

There seems to be an issue with your SPNEGO service principal.

POST http://10.1.1.5:6080/service/users/default returned a response status of 401 Unauthorized

Could you try the below on the node where the Ranger usersync process is running:

1. export KRB5_TRACE=/tmp/krb.log

2. kinit rangerusersync/<hostname>@<REALM>

3. curl --negotiate -ivk -X GET -u: "http://<ranger-admin>:6080/service/xusers/users"

Attach or share the output of

/tmp/krb.log
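
To read the result of step 3 above, the following added example (not part of the original reply) classifies a saved `curl --negotiate -ivk` transcript by whether a Negotiate token was sent and how the server answered. The function names, outcome labels and sample transcripts are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify saved output of `curl --negotiate -ivk ... > out.txt 2>&1`.
# Outcome labels are this example's own, not curl or Ranger terminology.

classify_spnego() {
  file="$1"; challenged=no; sent=no
  # curl -v marks response headers with "< " and request headers with "> ".
  status=$(tr -d '\r' < "$file" | grep -E '^< HTTP/[0-9.]+ [0-9]{3}' | tail -n 1 | awk '{print $3}')
  grep -qiE '^< WWW-Authenticate: Negotiate' "$file" && challenged=yes
  grep -qiE '^> Authorization: Negotiate ' "$file" && sent=yes

  if [ -z "$status" ]; then
    echo "no-response"             # connection never produced an HTTP status
  elif [ "$status" != 401 ]; then
    echo "http-$status"            # not an authentication failure
  elif [ "$sent" = yes ]; then
    echo "token-rejected"          # server did not accept the ticket: look at its SPNEGO principal/keytab
  elif [ "$challenged" = yes ]; then
    echo "no-token-sent"           # client had nothing to send: look at kinit / ticket cache
  else
    echo "no-negotiate-challenge"  # endpoint did not offer Kerberos at all
  fi
}

# Constructed transcripts (not taken from the thread).
sample_rejected() {
  printf '%s\n' \
    '> GET /service/xusers/users HTTP/1.1' \
    '< HTTP/1.1 401 Unauthorized' \
    '< WWW-Authenticate: Negotiate' \
    '> GET /service/xusers/users HTTP/1.1' \
    '> Authorization: Negotiate <base64-token>' \
    '< HTTP/1.1 401 Unauthorized'
}
sample_no_ticket() {
  printf '%s\n' \
    '> GET /service/xusers/users HTTP/1.1' \
    '< HTTP/1.1 401 Unauthorized' \
    '< WWW-Authenticate: Negotiate'
}

demo() {
  f=$(mktemp)
  sample_rejected > "$f";  classify_spnego "$f"
  sample_no_ticket > "$f"; classify_spnego "$f"
  rm -f "$f"
}
demo
```
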