Hi Folks,

While trying to set up A/D for Ambari, I am not able to log in to the Ambari console, even using the default admin/admin. Neither am I able to sync fully.
My Active Directory domain is TEST.COM, and one of the valid users in it is Darpan Patel (principal: [email protected]). Here is the list of properties from /etc/ambari-server/conf/ambari.properties. With the following properties I am still not able to sync the users.

    api.authenticate=true
    authentication.ldap.baseDn=CN=Users,DC=test,DC=com
    authentication.ldap.bindAnonymously=false
    authentication.ldap.dnAttribute=CN=Users,DC=test,DC=com
    authentication.ldap.groupMembershipAttr=uid
    authentication.ldap.groupNamingAttr=cn
    authentication.ldap.groupObjectClass=group
    authentication.ldap.managerDn=CN=Darpan Patel,CN=users,DC=test,DC=com
    authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
    authentication.ldap.primaryUrl=IP_OF_AD_MACHINE:389
    authentication.ldap.referral=ignore
    authentication.ldap.secondaryUrl=IP_OF_AD_MACHINE:389
    authentication.ldap.useSSL=false
    authentication.ldap.userObjectClass=person
    authentication.ldap.usernameAttribute=sAMAccountName

Here is the sequence of what I am trying to do:

1) $ ambari-server setup-ldap
2) Enter the above properties
3) Restart the Ambari server
4) $ ambari-server sync-ldap --all
5) Enter admin id/password (i.e. the default Ambari admin user id: admin/admin); also tried with darpan and [email protected]
6) In all the cases I see:

    Syncing all.ERROR: Exiting with exit code 1.
    REASON: Sync event creation failed. Error details: HTTP Error 403: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]

7) Log shows:

    18 Dec 2015 10:27:34,899 WARN [qtp-client-26] AmbariLdapAuthenticationProvider:71 - Looks like LDAP manager credentials (that are used for connecting to LDAP server) are invalid.
    org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]

--------------

The interesting thing is: I am no longer able to log in to Ambari using the admin/admin user. On the Ambari portal, when I use admin/admin it says invalid credentials. So I tried resetting the password to the default by changing it in the ambari.users DB:

    update ambari.users set user_password='538916f8943ec225d97a9a86a2c6ec0818c1cd400e09e03b660fdaaec4af29ddbb6f2b1033b81b00' where user_name='admin'

Curiously, when I look at the ambari.users table, a few of the A/D users are present in it. For example:

    ambari=> select * from ambari.users;
     user_id | principal_id | ldap_user |   user_name   |        create_time         | active
    ---------+--------------+-----------+---------------+----------------------------+--------
          12 |            4 |         1 | pratlu        | 2015-12-17 17:49:05.699    |      1
           3 |            6 |         1 | darpan        | 2015-12-17 17:49:05.699    |      1
          13 |            3 |         1 | administrator | 2015-12-17 17:49:05.699    |      1
           4 |            5 |         1 | test          | 2015-12-17 17:49:05.699    |      1
          14 |           11 |         1 | sanjay.sharma | 2015-12-17 17:49:05.699    |      1
           8 |            7 |         1 | guest         | 2015-12-17 17:49:05.699    |      1
          10 |           14 |         1 | hadoop.com$   | 2015-12-17 17:49:05.699    |      1
           9 |           10 |         1 | devuser       | 2015-12-17 17:49:05.699    |      1
          11 |           12 |         1 | dgotl         | 2015-12-17 17:49:05.699    |      1
           7 |            9 |         1 | krbtgt        | 2015-12-17 17:49:05.699    |      1
           1 |            1 |         1 | admin         | 2015-11-09 23:47:08.368558 |      1

I also tried logging in to the Ambari web console using darpan, [email protected] and admin/admin, but it does not work!!

Did anyone face a similar issue? Or can anyone suggest a workaround?

Regards,
Arpan

On 17 December 2015 at 23:25, Darpan Patel <[email protected]> wrote:

> Thanks Robert for the quick reply.
>
> I am copying the DN from Active Directory: CN=Darpan Patel,CN=Users,DC=test,DC=com and keeping the same while configuring the Ambari LDAP setting, i.e. Manager DN: CN=Darpan Patel,CN=Users,DC=test,DC=com
>
> But the error is still the same:
>
>     Syncing all.ERROR: Exiting with exit code 1.
>     REASON: Sync event creation failed. Error details: HTTP Error 403: Bad credentials
>
> On 17 December 2015 at 21:51, Robert Levas <[email protected]> wrote:
>
>> Darpan…
>>
>> The Manager DN request is expecting a distinguished name value, not a principal name. A distinguished name would look something like CN=darpan,CN=Users,DC=test,DC=com, which may reference the same account as [email protected] (which would be the userPrincipalName) or darpan (which would be the sAMAccountName).
>>
>> Rob
>>
>> From: Darpan Patel <[email protected]>
>> Reply-To: "[email protected]" <[email protected]>
>> Date: Thursday, December 17, 2015 at 4:35 PM
>> To: "[email protected]" <[email protected]>
>> Subject: Re: Need help in Ambari - Active Directory Integration
>>
>> Many thanks Robert.
>>
>> I made the corresponding changes and specified bind anonymously as false. Thanks, the old issue is gone now. But I am still facing a strange issue. I am giving the Manager DN = [email protected] and trying to sync all the users of AD, but on the console I see:
>>
>>     Syncing all.ERROR: Exiting with exit code 1.
>>     REASON: Sync event creation failed. Error details: HTTP Error 403: Bad credentials
>>
>> (It is kind of strange because I just issued a valid TGT using kinit [email protected] <[email protected]> without any issues!!!!)
>>
>> There is only one line in the logs:
>>
>>     17 Dec 2015 21:24:07,682 INFO [qtp-client-23] FilterBasedLdapUserSearch:89 - SearchBase not set. Searches will be performed from the root: cn=Users,dc=test,dc=com
>>
>> Regards,
>> DP
>>
>> On 17 December 2015 at 17:55, Robert Levas <[email protected]> wrote:
>>
>>> However, I don't think that these changes will help with the authentication/bind issue. For that, when asked to bind anonymously, you should answer false and then set the Manager DN value to the DN of a user with read access to the specified container in your Active Directory.
>>>
>>> I hope this helps,
>>>
>>> Rob
>>>
>>> From: Darpan Patel <[email protected]>
>>> Reply-To: "[email protected]" <[email protected]>
>>> Date: Thursday, December 17, 2015 at 12:20 PM
>>> To: "[email protected]" <[email protected]>
>>> Subject: Re: Need help in Ambari - Active Directory Integration
>>>
>>> Forgot to mention that the logs show a Naming Exception:
>>>
>>>     [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1]; remaining name 'CN=Users,DC=test,DC=com'
>>>
>>>     17 Dec 2015 16:36:08,801 FATAL [pool-7-thread-1] AbstractRequestControlDirContextProcessor:186 - No matching response control found for paged results - looking for 'class javax.naming.ldap.PagedResultsResponseControl
>>>     17 Dec 2015 16:36:08,802 ERROR [pool-7-thread-1] LdapSyncEventResourceProvider:434 - Caught exception running LDAP sync.
>>>     org.springframework.ldap.UncategorizedLdapException: Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1]; remaining name 'CN=Users,DC=test,DC=com'
>>>         at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:217)
>>>         at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:319)
>>>         at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:259)
>>>         at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:606)
>>>         at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.getFilteredLdapUsers(AmbariLdapDataPopulator.java:549)
>>>
>>> On 17 December 2015 at 17:19, Darpan Patel <[email protected]> wrote:
>>>
>>>> Hi guys,
>>>>
>>>> I am trying to integrate an A/D 2012 Server with Ambari.
>>>> I suspect that some of the properties are not correct.
>>>> I have tried various permutations and combinations but have not been successful yet.
>>>> Could anyone review and help fix it?
>>>>
>>>> The Active Directory domain controller name is: TEST.COM
>>>>
>>>> On the console here are the values I am passing:
>>>>
>>>>     $ ambari-server setup-ldap
>>>>
>>>>     Setting up LDAP properties...
>>>>     Primary URL {host:port}: IP_OF_AD_SERVER:389
>>>>     Use SSL [true/false]: false
>>>>     User object class: person
>>>>     User name attribute: sAMAccountName
>>>>     Group object class: User
>>>>     Group name attribute: User
>>>>     Group member attribute: member
>>>>     Distinguished name attribute: CN=Users,DC=test,DC=com
>>>>     Base DN: CN=Users,DC=test,DC=com
>>>>     Referral method [follow/ignore]: ignore
>>>>     Bind anonymously [true/false]: true
>>>>
>>>>     ====================
>>>>     Review Settings
>>>>     ====================
>>>>     Save settings [y/n] (y)? y
>>>>     Saving...done
>>>>     Ambari Server 'setup-ldap' completed successfully.
>>>>
>>>> Regards,
>>>> DP
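As an added example (it is not part of the thread and not Ambari's own code), here is a small Python script that lints the authentication.ldap.* properties posted at the top of the thread for an Active Directory backend and decodes the two LDAP errors quoted in it. The "data 52e" / "000004DC" meanings are Microsoft's documented sub-codes for AD bind failures; the lint rules encode Ambari's documented AD values (distinguishedName for the DN attribute, member for group membership, bind anonymously = false with a manager DN, as Rob advises above). The embedded properties text and log lines are constructed from the values posted in the thread; the function names (decode_ldap_error, parse_properties, lint_ad_settings) are my own.

```python
"""Lint Ambari authentication.ldap.* settings for AD and decode AD bind errors.
Added example for this thread; not Ambari code."""
import re

P = "authentication.ldap."

# Microsoft's sub-codes in the "data NNN" field of LDAP error 49 (invalidCredentials).
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (bind DN/UPN or password rejected)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}
# Windows status codes AD puts in front of "LdapErr:" for the two errors seen in the thread.
AD_STATUS_CODES = {
    "80090308": "AcceptSecurityContext error: simple bind rejected, see the data sub-code",
    "000004DC": "operation needs a bound connection: AD refused the anonymous search",
}
LDAP_ERR_RE = re.compile(
    r"LDAP: error code (?P<code>\d+) - (?P<status>[0-9A-Fa-f]{8}): LdapErr: DSID-[0-9A-Fa-f]+, "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), v[0-9a-f]+"
)


def decode_ldap_error(log_line):
    """Return {code, status, data, comment, meaning} for an AD-style LDAP error, else None."""
    m = LDAP_ERR_RE.search(log_line)
    if not m:
        return None
    info = {"code": int(m["code"]), "status": m["status"].upper(),
            "data": m["data"].lower(), "comment": m["comment"]}
    if info["code"] == 49:  # invalidCredentials: the "data" field says why
        info["meaning"] = AD_BIND_DATA_CODES.get(info["data"], "bind failed, unknown sub-code")
    else:
        info["meaning"] = AD_STATUS_CODES.get(info["status"], "see comment")
    return info


def parse_properties(text):
    """Minimal java.util.Properties reader: the first '=' splits key from value (DNs contain '=')."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def lint_ad_settings(props):
    """Return (level, property, message) tuples for settings that will not work against AD."""
    get = lambda name: props.get(P + name, "")
    out = []
    if "=" in get("dnAttribute"):  # a DN was typed where an attribute name belongs
        out.append(("ERROR", P + "dnAttribute", "must be an attribute name (distinguishedName for AD), not a DN"))
    if get("groupMembershipAttr").lower() != "member":
        out.append(("ERROR", P + "groupMembershipAttr", "AD groups list members in 'member'; 'uid' is not an AD attribute"))
    if get("groupObjectClass").lower() != "group":
        out.append(("ERROR", P + "groupObjectClass", "AD groups have objectClass 'group'"))
    if get("userObjectClass").lower() not in ("user", "person"):
        out.append(("ERROR", P + "userObjectClass", "AD accounts carry objectClass user and person"))
    if get("usernameAttribute") not in ("sAMAccountName", "userPrincipalName"):
        out.append(("WARN", P + "usernameAttribute", "expected sAMAccountName or userPrincipalName"))
    if get("bindAnonymously").lower() == "true":  # AD answers error 1 / 000004DC to unbound searches
        out.append(("ERROR", P + "bindAnonymously", "AD refuses anonymous searches; set false and supply a managerDn"))
    elif "=" not in get("managerDn"):  # Ambari wants a DN here, not a UPN or sAMAccountName
        out.append(("ERROR", P + "managerDn", "needs a distinguished name (CN=...,DC=...), not a principal name"))
    if get("useSSL").lower() != "true":
        out.append(("WARN", P + "useSSL", "simple bind over plain LDAP sends the manager password in cleartext; use LDAPS"))
    return out


# Constructed from the values posted in the thread, not read from a live server.
POSTED_PROPERTIES = """
api.authenticate=true
authentication.ldap.baseDn=CN=Users,DC=test,DC=com
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=CN=Users,DC=test,DC=com
authentication.ldap.groupMembershipAttr=uid
authentication.ldap.groupNamingAttr=cn
authentication.ldap.groupObjectClass=group
authentication.ldap.managerDn=CN=Darpan Patel,CN=users,DC=test,DC=com
authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
authentication.ldap.primaryUrl=IP_OF_AD_MACHINE:389
authentication.ldap.useSSL=false
authentication.ldap.userObjectClass=person
authentication.ldap.usernameAttribute=sAMAccountName
"""
# The two LDAP errors quoted in the thread.
SAMPLE_LOG_LINES = [
    "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]",
    "[LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation "
    "a successful bind must be completed on the connection., data 0, v1db1]; remaining name 'CN=Users,DC=test,DC=com'",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG_LINES:
        d = decode_ldap_error(line)
        print(f"error {d['code']} {d['status']} data {d['data']}: {d['meaning']}")
    for level, key, msg in lint_ad_settings(parse_properties(POSTED_PROPERTIES)):
        print(f"{level:5} {key}: {msg}")
```

Run against the posted file it reports dnAttribute (a DN where distinguishedName belongs), groupMembershipAttr (uid instead of member) and the cleartext useSSL=false. Neither of those explains the 52e, though: data 52e means AD accepted the connection but rejected the bind DN/password pair, so the manager DN and the contents of ldap-password.dat are the things to verify. A quick check from the Ambari host with the OpenLDAP client, before touching Ambari again, is `ldapsearch -x -H ldap://IP_OF_AD_MACHINE:389 -D "CN=Darpan Patel,CN=Users,DC=test,DC=com" -W -b "CN=Users,DC=test,DC=com" "(sAMAccountName=darpan)" distinguishedName`; if that also returns error 49 data 52e, the credentials are wrong independent of Ambari, and if it returns the distinguishedName, that exact value is what belongs in authentication.ldap.managerDn.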
