Member since 09-15-2015. 75 Posts, 33 Kudos Received, 4 Solutions.

My Accepted Solutions

| Title | Views | Posted |
|---|---|---|
| | 1399 | 02-22-2016 09:32 PM |
| | 2245 | 12-11-2015 03:27 AM |
| | 8329 | 10-26-2015 10:16 PM |
| | 7353 | 10-15-2015 06:09 PM |
10-29-2015 03:19 AM

I was finally able to resolve it. Somehow the DN for the LDAP Manager changed.
Was: CN=adadmin,OU=MyUsers,DC=AD-HDP,DC=COM
Now: CN=adadmin,DC=AD-HDP,DC=COM
Appreciate the hint there, Paul.
10-29-2015 02:57 AM

I have configured Ambari to integrate with AD and all users were able to log in to the Ambari UI. After kerberizing the cluster, adding the SSSD setup with AD and setting up SPNEGO, the AD users can no longer log in to the Ambari UI. Here's the error I'm getting in /var/log/ambari-server/ambari-server.log:

```
28 Oct 2015 22:51:17,655 INFO [qtp-client-24] FilterBasedLdapUserSearch:89 - SearchBase not set. Searches will be performed from the root: ou=Rommel_Garcia_Accounts,dc=AD-HDP,dc=COM
28 Oct 2015 22:51:17,660 WARN [qtp-client-24] AmbariLdapAuthenticationProvider:71 - Looks like LDAP manager credentials (that are used for connecting to LDAP server) are invalid.
org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580]
.............
Caused by: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580]
```

Labels: Apache Ambari
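The `error code 49 ... data 52e` text in the log above is Active Directory's diagnostic for a failed bind, and the three-character value after `data` is the part that tells you why (52e is invalid credentials; 773 is the code you get when "User must change password at next logon" is set, the condition resolved in the 10-15-2015 post further down this page). The script below is an added example, not code from this post or from Ambari: it pulls that sub-code out of ambari-server.log lines, maps it to its documented meaning, and separately flags the AmbariLdapAuthenticationProvider warning that shows it was the LDAP manager bind that failed, not the end user's own login. The first three sample lines are taken from this post (trailing null byte removed); the two lines marked CONSTRUCTED and all function names are mine.

```python
import re
from collections import Counter

# Active Directory sub-codes that follow "data" in an LDAP error 49
# (invalidCredentials) diagnostic. These are Microsoft's documented values,
# not something Ambari defines.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or wrong bind DN)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password (e.g. 'must change password at next logon')",
    "775": "account locked out",
}

# Matches the first AD diagnostic on a line. A Spring stack line repeats the
# same diagnostic in its "nested exception", so each line is counted once.
DATA_RE = re.compile(
    r"LDAP: error code 49 - 80090308:.*?data (?P<sub>[0-9A-Fa-f]{3})"
)

# Ambari logs this when the *manager* bind (the account used to search the
# directory) fails, as opposed to the end user's own bind.
MANAGER_RE = re.compile(
    r"AmbariLdapAuthenticationProvider.*LDAP manager credentials.*invalid"
)

# Sample log: lines 1-3 from the post above, lines 4-5 constructed to show
# other sub-codes (user names are placeholders).
SAMPLE_LOG = """\
28 Oct 2015 22:51:17,655 INFO [qtp-client-24] FilterBasedLdapUserSearch:89 - SearchBase not set. Searches will be performed from the root: ou=Rommel_Garcia_Accounts,dc=AD-HDP,dc=COM
28 Oct 2015 22:51:17,660 WARN [qtp-client-24] AmbariLdapAuthenticationProvider:71 - Looks like LDAP manager credentials (that are used for connecting to LDAP server) are invalid.
org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580]
CONSTRUCTED: bind for user hr1 failed: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 773, v2580]
CONSTRUCTED: bind for user hr2 failed: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 533, v2580]
"""


def triage(log_text):
    """Return (line_number, sub_code, meaning) for every LDAP error 49 line."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = DATA_RE.search(line)
        if m:
            sub = m.group("sub").lower()
            hits.append((n, sub, AD_BIND_SUBCODES.get(sub, "unknown sub-code")))
    return hits


def subcode_counts(log_text):
    """Histogram of sub-codes. Many 52e for the manager account means a stale
    bind DN or password; many 52e spread over end-user accounts is worth an
    alert rather than a config fix."""
    return Counter(sub for _, sub, _ in triage(log_text))


def manager_bind_failed(log_text):
    """True when Ambari itself could not bind with the configured manager DN;
    in that state no end-user login can succeed whatever the user's password."""
    return any(MANAGER_RE.search(line) for line in log_text.splitlines())


if __name__ == "__main__":
    for n, sub, meaning in triage(SAMPLE_LOG):
        print(f"line {n}: data {sub} -> {meaning}")
    print("manager bind failed:", manager_bind_failed(SAMPLE_LOG))
    print("sub-code counts:", dict(subcode_counts(SAMPLE_LOG)))
```

Run it against a real ambari-server.log by reading the file into `triage()`; when `manager_bind_failed()` is true, check the manager DN and password in the Ambari LDAP settings first, since that is exactly the case this thread turned out to be.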
10-26-2015 10:27 PM

I have SSSD working with AD on a kerberized cluster. When I log in as the AD user, it requires me to append the REALM, i.e. su - hr1@AD-HDP.COM. I'd like to remove the REALM appended to the username. How do I configure the users so that when they log in the REALM won't be required? My configurations are listed below.

sssd.conf:

```
[sssd]
config_file_version = 2
domains = AD-HDP.COM
services = nss, pam
override_space = _
debug_level = 2
# [nss]: This is where we configure the NSS service
[nss]
# Filter out the users and groups that we don't want Hadoop to see. Not important. But feel free to add more if you like.
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75
# debug levels 5 to 7 seem to be appropriate while testing. I suggest starting with level five.
debug_level = 2
[domain/AD-HDP.COM]
# Uncomment if you need offline logins
# cache_credentials = true
enumerate = true
id_provider = ad
auth_provider = ad
#access_provider = ad
debug_level = 2
# Uncomment if service discovery is not working
ad_server = [host_name_taken_out]
# Uncomment if you want to use POSIX UIDs and GIDs set on the AD side
# ldap_id_mapping = False
# Comment out if the users have the shell and home dir set on the AD side
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
# Uncomment and adjust if the default principal SHORTNAME$@REALM is not available
# ldap_sasl_authid = host/client.ad.example.com@AD.EXAMPLE.COM
# Comment out if you prefer to use shortnames.
use_fully_qualified_names = true
```

nsswitch.conf:

```
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
passwd: files sss
shadow: files sss
group: files sss
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files sss
aliases: files nisplus
```
10-26-2015 10:16 PM

There was a bug in the CentOS 6.5 gdm module where it was not picking up the latest change in the nsswitch.conf file, and the only resolution available is to reboot the machine, as stated in this RHEL thread: https://bugzilla.redhat.com/show_bug.cgi?id=621700. SSSD is now working with AD.
10-23-2015 02:42 AM

SSSD seems to work fine based on the sssd_nss.log below. When I run 'getent passwd' it returns all users from AD, but I'm not able to get anything when I run 'id {ad_user}'.

```
(Thu Oct 22 22:31:15 2015) [sssd[nss]] [sss_responder_ctx_destructor] (0x0400): Responder is being shut down
(Thu Oct 22 22:31:16 2015) [sssd[nss]] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
(Thu Oct 22 22:31:16 2015) [sssd[nss]] [confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1
(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sbus_init_connection] (0x0400): Adding connection 0x1965160
(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sbus_conn_add_interface] (0x1000): Will register path /org/freedesktop/sssd/service without fallback
(Thu Oct 22 22:31:16 2015) [sssd[nss]] [monitor_common_send_id] (0x0100): Sending ID: (nss,1)
(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sbus_init_connection] (0x0400): Adding connection 0x19639e0
(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sbus_conn_add_interface] (0x1000): Will register path /org/freedesktop/sssd/dataprovider without fallback
(Thu Oct 22 22:31:16 2015) [sssd[nss]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,NSS)
(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sysdb_domain_init_internal] (0x0200): DB File for AD-HDP.COM: /var/lib/sss/db/cache_AD-HDP.COM.ldb
(Thu Oct 22 22:31:16 2015) [sssd[nss]] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sss_process_init] (0x0400): Responder Initialization complete
(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/AD-HDP.COM/root] to negative cache permanently
(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/AD-HDP.COM/root] to negative cache permanently
(Thu Oct 22 22:31:16 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /bin/sh in /etc/shells
(Thu Oct 22 22:31:16 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /bin/bash in /etc/shells
(Thu Oct 22 22:31:16 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /sbin/nologin in /etc/shells
(Thu Oct 22 22:31:16 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /bin/dash in /etc/shells
(Thu Oct 22 22:31:16 2015) [sssd[nss]] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]
(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Thu Oct 22 22:31:16 2015) [sssd[nss]] [nss_process_init] (0x0400): NSS Initialization complete
(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41df60:domains@AD-HDP.COM]
(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [AD-HDP.COM][]
(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41df60:domains@AD-HDP.COM]
(Thu Oct 22 22:31:16 2015) [sssd[nss]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Thu Oct 22 22:31:16 2015) [sssd[nss]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP
(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41df60:domains@AD-HDP.COM]
```
10-21-2015 08:11 PM

After integrating HDP 2.3.2 with AD and Kerberizing it successfully, I installed SSSD across all nodes and applied the configuration below, but SSSD is not able to communicate with AD.

```
[sssd]
config_file_version = 2
domains = AD-HDP.COM
services = nss
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75
debug_level = 5
[domain/AD-HDP.COM]
id_provider = ldap
ldap_default_bind_dn = CN=adadmin,CN=Rommel_Garcia_Accounts,DC=AD-HDP,DC=COM
ldap_default_authtok_type = password
ldap_default_authtok = ldappw
auth_provider = none
min_id = 1000
ad_server = ad-hdp-com.cloud.hortonworks.com
ldap_uri = ldaps://ad-hdp-com.cloud.hortonworks.com
ldap_schema = ad
ldap_id_mapping = true
cache_credentials = true
ldap_referrals = false
```

When I try to run 'su - hr1' on any of the HDP nodes, hr1 is not recognized as a user, but it exists in AD. Here are the sssd log entries.

/var/log/sssd/sssd.log:

```
(Wed Oct 21 08:59:40:805458 2015) [sssd] [get_monitor_config] (0x0010): Invalid service ns
(Wed Oct 21 08:59:40:805637 2015) [sssd] [main] (0x0020): SSSD couldn't load the configuration database.
```

/var/log/sssd/sssd_nss.log:

```
(Wed Oct 21 09:03:52 2015) [sssd[nss]] [monitor_common_send_id] (0x0100): Sending ID: (nss,1)
(Wed Oct 21 09:03:52 2015) [sssd[nss]] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
(Wed Oct 21 09:03:52 2015) [sssd[nss]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Wed Oct 21 09:03:52 2015) [sssd[nss]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,NSS)
(Wed Oct 21 09:03:52 2015) [sssd[nss]] [sysdb_domain_init_internal] (0x0200): DB File for AD-HDP.COM: /var/lib/sss/db/cache_AD-HDP.COM.ldb
(Wed Oct 21 09:03:52 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Wed Oct 21 09:03:52 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Wed Oct 21 09:03:52 2015) [sssd[nss]] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]
(Wed Oct 21 09:03:52 2015) [sssd[nss]] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
(Wed Oct 21 09:03:52 2015) [sssd[nss]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Wed Oct 21 09:03:52 2015) [sssd[nss]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP
(Wed Oct 21 09:03:52 2015) [sssd[nss]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
```

All of the SSSD services across all nodes run fine. Do I need to configure SSSD to work with Kerberos? How?
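Two of the questions on this page come down to a handful of settings in sssd.conf and nsswitch.conf: the 10-26-2015 post asks why logins need the REALM appended (that is what `use_fully_qualified_names = true` does), and the post above shows SSSD refusing to load its configuration right after logging an invalid service name. The lint below is an added example, not code from either post nor from the SSSD project: it parses an sssd.conf and an nsswitch.conf and reports what a reviewer would check, namely unknown service names, a missing `pam` service, fully qualified names, `auth_provider = none`, a clear-text `ldap_default_authtok`, and passwd/group maps that do not consult `sss`. Both sample files are constructed (modelled on the configurations posted here, with a placeholder password); the set of known service names and the function names are mine.

```python
import configparser

# Service names sssd's monitor accepts in the [sssd] "services" option
# (sssd.conf(5)); set assembled by hand for this example. Anything else makes
# sssd refuse its configuration instead of starting with what it can.
KNOWN_SERVICES = {"nss", "pam", "sudo", "autofs", "ssh", "pac", "ifp"}

# Constructed sssd.conf modelled on the ones posted on this page.
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
domains = AD-HDP.COM
services = ns, pam

[nss]
filter_groups = root
filter_users = root

[domain/AD-HDP.COM]
id_provider = ldap
auth_provider = none
ldap_default_bind_dn = CN=adadmin,DC=AD-HDP,DC=COM
ldap_default_authtok_type = password
ldap_default_authtok = PLACEHOLDER_PASSWORD
fallback_homedir = /home/%d/%u
use_fully_qualified_names = true
"""

# Constructed nsswitch.conf whose group map does not consult sss.
SAMPLE_NSSWITCH = """\
# Name Service Switch configuration (constructed sample)
passwd: files sss
shadow: files sss
group: files
hosts: files dns
"""


def parse_sssd_conf(text):
    # sssd.conf is INI-like. Interpolation is disabled because values such as
    # fallback_homedir contain literal %d and %u.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_sssd_conf(text):
    """Return a list of human-readable findings for an sssd.conf body."""
    cp = parse_sssd_conf(text)
    findings = []
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",") if s.strip()]
    for svc in services:
        if svc not in KNOWN_SERVICES:
            findings.append(f"[sssd] services: '{svc}' is not a known service; sssd will not load this config")
    if "pam" not in services:
        findings.append("[sssd] services: 'pam' missing, so users resolve via NSS but cannot authenticate")
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        realm = section[len("domain/"):]
        if cp.getboolean(section, "use_fully_qualified_names", fallback=False):
            findings.append(f"[{section}] use_fully_qualified_names = true: users must log in as user@{realm}")
        if cp.get(section, "auth_provider", fallback="") == "none":
            findings.append(f"[{section}] auth_provider = none: passwords are never checked for this domain")
        if cp.has_option(section, "ldap_default_authtok") and \
                cp.get(section, "ldap_default_authtok_type", fallback="password") == "password":
            findings.append(f"[{section}] ldap_default_authtok is stored in clear text; "
                            "use ldap_default_authtok_type = obfuscated_password (sss_obfuscate) "
                            "or the ad provider, which binds with the host keytab")
    return findings


def check_nsswitch(text):
    """Return findings for an nsswitch.conf body: passwd/group must list sss."""
    maps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        maps[db.strip()] = sources.split()
    findings = []
    for db in ("passwd", "group"):
        if "sss" not in maps.get(db, []):
            findings.append(f"nsswitch {db}: 'sss' missing, so getent/id will not see AD {db} entries")
    return findings


if __name__ == "__main__":
    for finding in check_sssd_conf(SAMPLE_SSSD_CONF) + check_nsswitch(SAMPLE_NSSWITCH):
        print(finding)
```

To run it on a host, read /etc/sssd/sssd.conf and /etc/nsswitch.conf into the two check functions; the clear-text token finding is the one to act on first, since that file holds a directory account's password on every node.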
10-16-2015 08:40 PM

Finally found the fix: I tried re-running the sync using ambari-server sync-ldap --users users.txt and --groups groups.txt, and this time it worked. I was expecting the --all flag to work as it should, since it takes in all users in AD and syncs them to Ambari. Is this a bug?
10-16-2015 06:12 PM (1 Kudo)

I have synced AD users to Ambari and they all work. But I added a group in AD and assigned users their respective groups, then re-synced Ambari with AD. It brings in the groups, but it didn't link the users to their respective groups in Ambari. How do I link them, since Ambari won't let you do it (the add-user-to-group function is greyed out)? Is it possible to just go into PostgreSQL and delete all the LDAP user entries and their groups from the users and groups tables respectively, then resync afterwards?

Labels: Apache Ambari
10-15-2015 06:09 PM (2 Kudos)

I was able to resolve my issue by going into Active Directory and changing all the users' password policy from "User must change password at next logon" to "Password never expires". Now all users are able to log in to Ambari. (Attachment: ad-users.png)
10-15-2015 05:17 PM

Ambari is using PostgreSQL, and I've updated the active flag of the local "admin" user in the users table; now I am able to log in as admin/admin. The AD users appear in the Ambari Users list. However, if I try to log in as one of the AD users, it gives this error: "Unable to sign in. Invalid username/password combination."