Created on 01-17-2023 02:57 PM - edited 01-17-2023 02:58 PM
Hello,
I am in the process of setting up a CDP 7.1.7 cluster.
At the moment, CM 7.6.1 is installed and integrated with AD over the LDAPS protocol (I had to select the authentication type as LDAP for the integration to work, even though we are using AD).
As the next step, I have added a few basic services, i.e. HDFS, YARN and ZooKeeper, and now I am enabling Kerberos.
It fails at the "Generate credentials" step with the error in the attached screenshot.
However, in the same window I noticed that CM is trying to connect to AD over the LDAP protocol on port 389. Ideally it should be connecting via LDAPS on port 636, as we also have TLS configured and enabled. Not sure if this is even relevant.
Where does CM get the LDAP URL from? I tried to understand the gen_credentials_ad.sh script at /opt/cloudera/cm/bin, but could not completely interpret it.
Please help, as this is a bit urgent.
Thanks
snm1523
Created 01-18-2023 08:14 PM
Hello @snm1523,
The exit code 50 refers to the LDAP error code, which translates to 'insufficientAccessRights'. Cloudera Manager Server must have the correct Kerberos principal configured. Specifically, Cloudera Manager Server must have a Kerberos principal that has privileges to create other accounts in Active Directory.
Make sure that the Cloudera Manager Server account does have the ability to create/delete accounts in Active Directory and that it does belong to a Global group.
Hope this helps,
Tarun
Created 01-18-2023 11:15 PM
Thank you for the response @tj2007. We have ensured that the required permissions are assigned to the account that is provided to Cloudera to create principals.
We further tweaked some settings and, after a quick modification to the gen_credentials_ad.sh script (following a discussion with Cloudera support), got past that error. However, we are now getting the error below:
We have scheduled a call with Cloudera again later today to discuss this. However, if you are able to suggest something, it would be helpful.
Thanks
snm1523
Created 02-08-2023 03:22 AM
I was able to get this fixed. We ultimately identified that some permissions for child objects had not been granted yet. We got on a call with the AD team, asked for a screen share to validate the permissions, and found they had not been assigned yet.
Thanks
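The two points that decided this thread are the answer's "can the CM account create/delete accounts in AD, directly or through a group" and the final fix's "the rights were not applied to child objects". Both can be checked from the OU's ACL before the Kerberos wizard is run. The script below is an added example (not code from the thread, from Cloudera, or from gen_credentials_ad.sh): it reads the security descriptor of the OU given to the wizard, keeps the ACEs that hit the CM bind account or any group it is nested in, and reports whether Create/Delete child rights exist for the user and computer classes on the OU itself and whether write rights are inherited by the objects created inside it. It assumes the RSAT ActiveDirectory module and a caller allowed to read the OU's ACL; the OU distinguished name, the account name and the schema class GUIDs it uses are the standard AD values, not anything taken from the thread.

```powershell
#Requires -Modules ActiveDirectory
<#
Added example; not code from the thread, from Cloudera or from gen_credentials_ad.sh.
Reports whether the account Cloudera Manager binds to AD with can create and delete
accounts in the OU handed to the Kerberos wizard, and whether its rights are also
inherited by the user/computer objects created there (the "child objects" part of
the fix above). Assumptions: the RSAT ActiveDirectory module is installed and the
caller can read the OU's security descriptor; $OuDn and $CmAccount are placeholders.
#>
param(
    [Parameter(Mandatory)] [string] $OuDn,      # e.g. "OU=Hadoop,DC=corp,DC=example"
    [Parameter(Mandatory)] [string] $CmAccount  # sAMAccountName of the CM bind account, e.g. "svc-cm"
)
Import-Module ActiveDirectory

# Schema class GUIDs referenced by object-specific ACEs (fixed values in the AD schema).
$UserClass     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$AnyClass      = [guid]::Empty

# The account plus every group it belongs to, nested groups included, so that an ACE
# granted to a group (the global group mentioned in the answer) counts for the account.
$user = Get-ADUser -Identity $CmAccount
$sids = [System.Collections.Generic.HashSet[string]]::new()
[void]$sids.Add($user.SID.Value)
Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
    ForEach-Object { [void]$sids.Add($_.SID.Value) }
[void]$sids.Add('S-1-5-11')   # Authenticated Users: every domain account is a member

function Get-AceSid($Ace) {
    try { $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $null }
}

$acl   = Get-Acl -Path ("AD:\" + $OuDn)
$hits  = @($acl.Access | Where-Object { $sids.Contains((Get-AceSid $_)) })
$allow = @($hits | Where-Object AccessControlType -eq 'Allow')
$deny  = @($hits | Where-Object AccessControlType -eq 'Deny')

# Inheritance scopes: which ACEs apply to the OU itself (needed for Create/Delete child),
# and which are inherited by the objects CM creates inside it (needed to set passwords
# and attributes on them afterwards). "None" means "this object only".
$OnOu       = @('None', 'All', 'SelfAndChildren')
$OnChildren = @('All', 'Descendents', 'SelfAndChildren', 'Children')

function Test-Right {
    param($Ace, [System.DirectoryServices.ActiveDirectoryRights]$Right,
          [guid[]]$Classes, [string[]]$Scope, [bool]$OnInheritedType)
    if ($Scope -notcontains $Ace.InheritanceType.ToString()) { return $false }
    $r = $Ace.ActiveDirectoryRights
    if (-not ($r.HasFlag($Right) -or
              $r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll))) { return $false }
    # CreateChild/DeleteChild name the class in ObjectType; rights on existing objects
    # name the class they are inherited by in InheritedObjectType.
    $type = if ($OnInheritedType) { $Ace.InheritedObjectType } else { $Ace.ObjectType }
    return ($type -eq $AnyClass) -or ($Classes -contains $type)
}

$classes   = @($UserClass, $ComputerClass)
$canCreate = @($allow | Where-Object { Test-Right $_ 'CreateChild'   $classes $OnOu       $false }).Count -gt 0
$canDelete = @($allow | Where-Object { Test-Right $_ 'DeleteChild'   $classes $OnOu       $false }).Count -gt 0
$canManage = @($allow | Where-Object { Test-Right $_ 'WriteProperty' $classes $OnChildren $true  }).Count -gt 0

[pscustomobject]@{
    Account                   = $CmAccount
    OU                        = $OuDn
    CanCreateUserOrComputer   = $canCreate
    CanDeleteUserOrComputer   = $canDelete
    RightsApplyToChildObjects = $canManage   # $false matches the symptom fixed in the thread
    DenyAcesHittingAccount    = $deny.Count  # Deny overrides Allow; anything above 0 needs a look
}
# The raw ACEs, so the inheritance column ("None" = this object only) can be eyeballed.
$hits | Select-Object AccessControlType, IdentityReference, ActiveDirectoryRights,
    ObjectType, InheritedObjectType, InheritanceType | Format-Table -AutoSize
```

Save it as a .ps1 and run it from a domain-joined host with the OU distinguished name and the CM account's sAMAccountName. Two caveats: it reads the ACL as stored rather than computing effective access, so a WriteProperty ACE limited to a single attribute still passes the child-object check (the table at the end is there to catch that), and it says nothing about the bind itself; whether CM reaches the domain controller over 389 or 636 is a separate question from whether the account is allowed to create accounts once bound.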