Hey Darpan….

The error "LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1" indicates that the password you are entering for the account is incorrect. See http://www-01.ibm.com/support/docview.wss?uid=swg21290631 – under "Common Active Directory LDAP bind errors" it reads:

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893
HEX: 0x52e - invalid credentials
DEC: 1326 - ERROR_LOGON_FAILURE (Logon failure: unknown user name or bad password.)
NOTE: Returns when username is valid but password/credential is invalid. Will prevent most other errors from being displayed as noted.

As for your issue with no longer being allowed to log in using local user accounts, what version of Ambari are you using?

Rob

From: Darpan Patel <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Friday, December 18, 2015 at 5:39 AM
To: "[email protected]" <[email protected]>
Subject: Re: Need help in Ambari - Active Directory Integration

Hi Folks,

While trying to set up A/D for Ambari, I am not able to log in to the Ambari console either, using the default admin/admin. Neither am I able to sync fully. My Active Directory domain is: TEST.COM and one of the valid users in it is Darpan Patel (principal: [email protected]).

Here is the list of properties from /etc/ambari-server/conf/ambari.properties. With the following properties I am still not able to sync the users.
api.authenticate=true
authentication.ldap.baseDn=CN=Users,DC=test,DC=com
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=CN=Users,DC=test,DC=com
authentication.ldap.groupMembershipAttr=uid
authentication.ldap.groupNamingAttr=cn
authentication.ldap.groupObjectClass=group
authentication.ldap.managerDn=CN=Darpan Patel,CN=users,DC=test,DC=com
authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
authentication.ldap.primaryUrl=IP_OF_AD_MACHINE:389
authentication.ldap.referral=ignore
authentication.ldap.secondaryUrl=IP_OF_AD_MACHINE:389
authentication.ldap.useSSL=false
authentication.ldap.userObjectClass=person
authentication.ldap.usernameAttribute=sAMAccountName

Here is the sequence of what I am trying to do:

1) $ ambari-server setup-ldap
2) Enter the above properties
3) Restart the ambari server
4) $ ambari-server sync-ldap --all
5) Enter admin id/password (i.e. the default Ambari Admin userid: admin/admin); also tried with darpan, [email protected]
6) In all the cases I see:
   Syncing all.ERROR: Exiting with exit code 1. REASON: Sync event creation failed. Error details: HTTP Error 403: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
7) Log shows:
   18 Dec 2015 10:27:34,899 WARN [qtp-client-26] AmbariLdapAuthenticationProvider:71 - Looks like LDAP manager credentials (that are used for connecting to LDAP server) are invalid.
   org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]

--------------

The interesting thing is: I am no longer able to log in to Ambari using the admin/admin user. On the Ambari portal, when I use admin/admin it says invalid credentials. So I tried resetting the password to the default by changing it in the ambari.users db:

update ambari.users set user_password='538916f8943ec225d97a9a86a2c6ec0818c1cd400e09e03b660fdaaec4af29ddbb6f2b1033b81b00' where user_name='admin'

To my curiosity, when I look at the ambari.users table a few of the A/D users are present in the table. For example:

ambari=> select * from ambari.users;
 user_id | principal_id | ldap_user | user_name     | create_time                | active
---------+--------------+-----------+---------------+----------------------------+--------
      12 |            4 |         1 | pratlu        | 2015-12-17 17:49:05.699    |      1
       3 |            6 |         1 | darpan        | 2015-12-17 17:49:05.699    |      1
      13 |            3 |         1 | administrator | 2015-12-17 17:49:05.699    |      1
       4 |            5 |         1 | test          | 2015-12-17 17:49:05.699    |      1
      14 |           11 |         1 | sanjay.sharma | 2015-12-17 17:49:05.699    |      1
       8 |            7 |         1 | guest         | 2015-12-17 17:49:05.699    |      1
      10 |           14 |         1 | hadoop.com$   | 2015-12-17 17:49:05.699    |      1
       9 |           10 |         1 | devuser       | 2015-12-17 17:49:05.699    |      1
      11 |           12 |         1 | dgotl         | 2015-12-17 17:49:05.699    |      1
       7 |            9 |         1 | krbtgt        | 2015-12-17 17:49:05.699    |      1
       1 |            1 |         1 | admin         | 2015-11-09 23:47:08.368558 |      1

I also tried logging in to the ambari web console using darpan, [email protected], admin/admin but it does not work!! Did anyone face a similar issue? Or can anyone suggest a workaround?
Regards,
Arpan

On 17 December 2015 at 23:25, Darpan Patel <[email protected]> wrote:

Thanks Robert for the quick reply. I am copying the DN from Active Directory: CN=Darpan Patel,CN=Users,DC=test,DC=com and keeping the same while configuring the Ambari LDAP setting, i.e. Manager DN*: CN=Darpan Patel,CN=Users,DC=test,DC=com

But the error is still the same:
Syncing all.ERROR: Exiting with exit code 1. REASON: Sync event creation failed. Error details: HTTP Error 403: Bad credentials

On 17 December 2015 at 21:51, Robert Levas <[email protected]> wrote:

Darpan…

The Manager DN request is expecting a distinguished name value, not a principal name. A distinguished name would look something like CN=darpan,CN=Users,DC=test,DC=com, which may reference the same account as [email protected] (which would be the userPrincipalName) or darpan (which would be the sAMAccountName).

Rob

From: Darpan Patel <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Thursday, December 17, 2015 at 4:35 PM
To: "[email protected]" <[email protected]>
Subject: Re: Need help in Ambari - Active Directory Integration

Many thanks Robert. I made the corresponding changes and specified bind anonymously as false. Thanks, the old issue is gone now. But I am still facing a strange issue. I am giving the Manager DN = [email protected] and trying to sync all the users of AD, but on the console I see:

Syncing all.ERROR: Exiting with exit code 1. REASON: Sync event creation failed. Error details: HTTP Error 403: Bad credentials

(It is kind of strange because I just issued a valid TGT using kinit [email protected] without any issues!!!!)
There is only one line in the logs:
17 Dec 2015 21:24:07,682 INFO [qtp-client-23] FilterBasedLdapUserSearch:89 - SearchBase not set. Searches will be performed from the root: cn=Users,dc=test,dc=com

Regards,
DP

On 17 December 2015 at 17:55, Robert Levas <[email protected]> wrote:

However, I don't think that these changes will help with the authentication/bind issue. For that, when asked to bind anonymously, you should answer false and then set the Manager DN value to the DN of a user with read access to the specified container in your Active Directory.

I hope this helps,
Rob

From: Darpan Patel <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Thursday, December 17, 2015 at 12:20 PM
To: "[email protected]" <[email protected]>
Subject: Re: Need help in Ambari - Active Directory Integration

Forgot to mention that the logs show a Naming Exception.

[LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1]; remaining name 'CN=Users,DC=test,DC=com'
17 Dec 2015 16:36:08,801 FATAL [pool-7-thread-1] AbstractRequestControlDirContextProcessor:186 - No matching response control found for paged results - looking for 'class javax.naming.ldap.PagedResultsResponseControl
17 Dec 2015 16:36:08,802 ERROR [pool-7-thread-1] LdapSyncEventResourceProvider:434 - Caught exception running LDAP sync.
org.springframework.ldap.UncategorizedLdapException: Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1]; remaining name 'CN=Users,DC=test,DC=com'
        at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:217)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:319)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:259)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:606)
        at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.getFilteredLdapUsers(AmbariLdapDataPopulator.java:549)

On 17 December 2015 at 17:19, Darpan Patel <[email protected]> wrote:

Hi guys,

I am trying to integrate an A/D 2012 Server with Ambari. I have a doubt that some of the properties are not correct. I tried various permutations and combinations but have not been successful yet. Could anyone review and help fix it?

Active directory domain controller name is: TEST.COM

On the console here are the values I am passing:

$ ambari-server setup-ldap
Setting up LDAP properties...
Primary URL* {host:port} : IP_OF_AD_SERVER:389
Use SSL* [true/false] : false
User object class* : person
User name attribute* : sAMAccountName
Group object class* : User
Group name attribute* : User
Group member attribute* : member
Distinguished name attribute* : CN=Users,DC=test,DC=com
Base DN* : CN=Users,DC=test,DC=com
Referral method [follow/ignore] : ignore
Bind anonymously* [true/false] : true
==================== Review Settings ====================
Save settings [y/n] (y)? y
Saving...done
Ambari Server 'setup-ldap' completed successfully.

Regards,
DP
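The two diagnostic points Rob makes in this thread, what AcceptSecurityContext data 52e means and why the Manager DN must be a distinguished name rather than a userPrincipalName or sAMAccountName, as an added Python helper that is not part of the thread or of Ambari. It parses the LdapErr strings quoted above and checks whether a Manager DN value is actually a DN; it goes beyond the thread by also mapping the other standard AD bind sub-codes (525, 532, 533, 775 and so on), and the UPN value darpan@test.com is a constructed sample.

```python
import re

# Standard Active Directory sub-codes returned with LDAP result 49
# (invalidCredentials). 52e is the one in the thread; the rest are the
# usual Microsoft values and go beyond what the thread quotes.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (ERROR_LOGON_FAILURE: valid user, bad password)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

LDAPERR_RE = re.compile(
    r"LDAP: error code (?P<code>\d+) - (?P<hex>[0-9A-Fa-f]{8}): LdapErr: "
    r"DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+)"
)

def diagnose_ldap_error(message: str) -> dict:
    """Parse an AD LdapErr string and say what the failure means for the bind."""
    m = LDAPERR_RE.search(message)
    if not m:
        return {"code": None, "data": None, "meaning": "not an AD LdapErr string"}
    code, data = int(m.group("code")), m.group("data").lower()
    if code == 49:
        meaning = AD_BIND_SUBCODES.get(data, "invalid credentials (unknown sub-code)")
    elif code == 1 and "successful bind must be completed" in m.group("comment"):
        meaning = "search attempted without a bind (anonymous access refused)"
    else:
        meaning = "LDAP result code %d" % code
    return {"code": code, "data": data, "meaning": meaning}

def is_distinguished_name(value: str) -> bool:
    """True for an attr=value RDN chain (a DN); False for a UPN or sAMAccountName."""
    rdns = [rdn.strip() for rdn in value.split(",")]
    return all("=" in rdn and rdn.split("=", 1)[0] for rdn in rdns)

# Error strings quoted in the thread (the UPN used in the test is a constructed sample).
SAMPLE_52E = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: "
              "AcceptSecurityContext error, data 52e, v1db1]")
SAMPLE_NOBIND = ("[LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order "
                 "to perform this operation a successful bind must be completed on the "
                 "connection., data 0, v1db1]")

if __name__ == "__main__":
    print(diagnose_ldap_error(SAMPLE_52E)["meaning"])
```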
