URGENT: Enabling AD KDC on CDP 7.1.7

Expert Contributor

Hello,


I am in process of setting up a CDP 7.1.7 cluster.

At the moment, CM 7.6.1 is installed and integrated with AD over the LDAPS protocol (I had to select the authentication type as LDAP for the integration to work, even though we are using AD).

As the next step I have added a few basic services, i.e. HDFS, YARN and ZooKeeper, and I am now enabling Kerberos.

At the Generate Credentials step it fails, as shown in the attached screenshot.

(attached screenshot: snm1523_0-1673995944778.png)

However, in the same window I noticed that CM is trying to connect to AD over the LDAP protocol on port 389. Ideally it should be connecting via LDAPS on 636, as we also have TLS configured and enabled. I am not sure if this is even relevant.

Where does CM get the LDAP URL from? I tried to understand the gen_credentials_ad.sh script at /opt/cloudera/cm/bin, but could not completely interpret it.

Please help, as this is a bit urgent.

Thanks

snm1523

1 ACCEPTED SOLUTION

Super Collaborator

Hello @snm1523,

The exit code 50 refers to the LDAP error code, which translates to 'insufficientAccessRights'. Cloudera Manager Server must have the correct Kerberos principal configured. Specifically, Cloudera Manager Server must have a Kerberos principal that has privileges to create other accounts in Active Directory.


Make sure that the Cloudera Manager Server account does have the ability to create/delete accounts in Active Directory and that it does belong to a Global group.


Ref: https://docs.cloudera.com/cdp-private-cloud-base/7.1.6/security-kerberos-authentication/topics/cm-se...


Hope this helps,

Tarun

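Worked preflight check for the permissions described in the accepted answer, added here as an example; it is not part of the reply above and not Cloudera's gen_credentials_ad.sh. It binds as the CM account over LDAPS and repeats the operations the Generate Credentials step depends on against the target OU (add a user object, set its password via unicodePwd, enable it, delete it), recording the LDAP result code of each step so that a code 50 (insufficientAccessRights) can be tied to the specific right that is missing on the OU or on its child user objects. It also flags a plain ldap:// URL, because AD refuses unicodePwd writes over an unencrypted session. The ldap3 package, the domain controller URL, bind DN, OU, CN and password below are assumptions and placeholders.

```python
"""Preflight for the Active Directory account that Cloudera Manager binds with
to create Kerberos principals.  Added example; not Cloudera's gen_credentials_ad.sh.

It repeats the LDAP operations that the Generate Credentials step depends on:
bind over LDAPS as the CM account, add a user object under the target OU, set its
password (unicodePwd), enable it, and delete it.  Every step records the LDAP
result code so the failing permission can be named instead of guessed."""

from urllib.parse import urlsplit

# Selected LDAP result codes (RFC 4511); 50 is the one from the question.
LDAP_RESULT_NAMES = {
    0: "success",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
    68: "entryAlreadyExists",
}

# Likely cause per (step, code) for a CM service account in AD.
HINTS = {
    ("bind", 49): "wrong bind DN or password for the CM account",
    ("add", 32): "the target OU DN does not exist or is misspelled",
    ("add", 50): "missing 'Create User objects' (Create Child) on the OU",
    ("add", 68): "an object with that CN already exists under the OU",
    ("password", 50): "missing 'Reset Password' on descendant (child) user objects",
    ("password", 53): "AD refuses unicodePwd writes over plain ldap://; use ldaps://",
    ("enable", 50): "missing 'Write userAccountControl' on descendant user objects",
    ("delete", 50): "missing 'Delete User objects' (Delete Child) on the OU",
}


def parse_ldap_url(url):
    """Return (host, port, uses_tls) for an ldap:// or ldaps:// URL, defaulting
    the port to 389 or 636.  uses_tls == False is a misconfiguration for
    credential generation, since AD will not accept the password write."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    uses_tls = parts.scheme == "ldaps"
    return parts.hostname, parts.port or (636 if uses_tls else 389), uses_tls


def encode_unicode_pwd(password):
    """AD's unicodePwd attribute takes the password wrapped in double quotes
    and encoded as UTF-16LE."""
    return ('"%s"' % password).encode("utf-16-le")


def explain(step, code):
    """Human-readable line for one step's LDAP result code."""
    line = "%s: result %d (%s)" % (step, code, LDAP_RESULT_NAMES.get(code, "other"))
    hint = HINTS.get((step, code))
    return line + ("; " + hint if hint else "")


def probe(url, bind_dn, bind_password, target_ou, test_cn="cm-preflight-probe"):
    """Run bind / add / password / enable / delete as the CM account and return
    [(step, result_code), ...].  If the add fails nothing else is attempted;
    once the object exists it is always deleted at the end.  Requires the
    third-party ldap3 package and network access to a domain controller."""
    import ldap3  # assumption: pip install ldap3 on the CM host

    host, port, uses_tls = parse_ldap_url(url)
    server = ldap3.Server(host, port=port, use_ssl=uses_tls)
    conn = ldap3.Connection(server, user=bind_dn, password=bind_password)
    if not conn.bind():
        return [("bind", conn.result["result"])]
    steps = [("bind", 0)]
    dn = "CN=%s,%s" % (test_cn, target_ou)
    # Created disabled (userAccountControl 514), like a freshly added AD user.
    conn.add(dn, ["top", "person", "organizationalPerson", "user"],
             {"sAMAccountName": test_cn, "userAccountControl": 514})
    steps.append(("add", conn.result["result"]))
    if steps[-1][1] == 0:
        pwd = encode_unicode_pwd("Probe-Only-Pa55w0rd!")  # constructed throwaway value
        conn.modify(dn, {"unicodePwd": [(ldap3.MODIFY_REPLACE, [pwd])]})
        steps.append(("password", conn.result["result"]))
        conn.modify(dn, {"userAccountControl": [(ldap3.MODIFY_REPLACE, [512])]})
        steps.append(("enable", conn.result["result"]))
        conn.delete(dn)  # cleanup; its result code is itself a permission check
        steps.append(("delete", conn.result["result"]))
    conn.unbind()
    return steps


if __name__ == "__main__":
    # Placeholder values; replace with the CM account and OU actually in use.
    for step, code in probe("ldaps://dc1.corp.example.com:636",
                            "CN=cm-kerberos,OU=ServiceAccounts,DC=corp,DC=example,DC=com",
                            "cm-account-password",
                            "OU=Hadoop,DC=corp,DC=example,DC=com"):
        print(explain(step, code))
```

Run it on the CM host with the same URL, bind DN and OU that are configured in Cloudera Manager. A code 50 on the add step points at the OU itself (Create Child), while a code 50 on the password or enable step points at rights that must be granted on descendant user objects, which is the child-object permission gap that resolved this thread. If the probe fails after the add step, check that the test object was removed.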

3 REPLIES


Expert Contributor

Thank you for the response @tj2007. We have ensured that the required permissions are assigned to the account that is provided to Cloudera to create principals.


We further tweaked some settings, and after a quick modification to the gen_credentials_ad.sh script (following a discussion with Cloudera support) we got past that error. However, we are now getting the error below:

(attached screenshot: 514532AC-0CAA-4AEF-9B6B-EBB51A0C8DCD.jpeg)

We have scheduled a call with Cloudera later today to discuss this once again. However, if you are able to suggest something, that would be helpful.


Thanks

snm1523

Expert Contributor

I was able to get this fixed. We ultimately identified that some permissions for child objects had not been granted yet. We got on a call with the AD team, asked for a screen share to validate the permissions, and found that they had not been assigned yet.

Thanks