I thought that the password could be wrong for the AD user, but with the same AD user I am able to issue a TGT, i.e. for the user in ambari.properties:

authentication.ldap.managerDn=CN=Darpan Patel,CN=users,DC=test,DC=com

I am able to get a ticket: kinit [email protected]. I am not sure what setting is not correct!!!

About Ambari version: 2.1.2

Thanks,
DP

On 18 December 2015 at 11:31, Robert Levas <[email protected]> wrote:

> Hey Darpan….
>
> The error "LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment:
> AcceptSecurityContext error, data 52e, v1db1" indicates that the password
> you are entering for the account is incorrect. See
> http://www-01.ibm.com/support/docview.wss?uid=swg21290631 – under "Common
> Active Directory LDAP bind errors" it reads:
>
> 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893
> HEX: 0x52e - invalid credentials
> DEC: 1326 - ERROR_LOGON_FAILURE (Logon failure: unknown user name or bad password.)
> NOTE: Returns when username is valid but password/credential is invalid.
> Will prevent most other errors from being displayed as noted.
>
> As for your issue with no longer being allowed to log in using local user
> accounts, what version of Ambari are you using?
>
> Rob
>
>
> From: Darpan Patel <[email protected]>
> Reply-To: "[email protected]" <[email protected]>
> Date: Friday, December 18, 2015 at 5:39 AM
> To: "[email protected]" <[email protected]>
> Subject: Re: Need help in Ambari - Active Directory Integration
>
> Hi Folks,
>
> While trying to set up A/D for Ambari, I am also not able to log in to the
> Ambari console using the default admin/admin. Neither am I able to synch
> fully.
>
> My Active Directory domain is: TEST.COM and one of the valid users in it is
> Darpan Patel (principal: [email protected]). Here is the list of properties
> from /etc/ambari-server/conf/ambari.properties.
>
> With the following properties I am still not able to synch the users.
>
> api.authenticate=true
> authentication.ldap.baseDn=CN=Users,DC=test,DC=com
> authentication.ldap.bindAnonymously=false
> authentication.ldap.dnAttribute=CN=Users,DC=test,DC=com
> authentication.ldap.groupMembershipAttr=uid
> authentication.ldap.groupNamingAttr=cn
> authentication.ldap.groupObjectClass=group
> authentication.ldap.managerDn=CN=Darpan Patel,CN=users,DC=test,DC=com
> authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
> authentication.ldap.primaryUrl=IP_OF_AD_MACHINE:389
> authentication.ldap.referral=ignore
> authentication.ldap.secondaryUrl=IP_OF_AD_MACHINE:389
> authentication.ldap.useSSL=false
> authentication.ldap.userObjectClass=person
> authentication.ldap.usernameAttribute=sAMAccountName
>
> Here is the sequence of what I am trying to do:
>
> 1) $ ambari-server setup-ldap
> 2) Enter the above properties
> 3) Restart the ambari server
> 4) $ ambari-server sync-ldap --all
> 5) Enter admin id/password (i.e. default Ambari Admin userid:
>    admin/admin); also tried with darpan, [email protected]
> 6) In all the cases I see:
>    Syncing all.ERROR: Exiting with exit code 1.
>    REASON: Sync event creation failed. Error details: HTTP Error 403: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
> 7) Log shows:
>
> 18 Dec 2015 10:27:34,899 WARN [qtp-client-26] AmbariLdapAuthenticationProvider:71 - Looks like LDAP manager credentials (that are used for connecting to LDAP server) are invalid.
> org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
>
> --------------
> The interesting thing is: I am no longer able to log in to Ambari using the
> admin/admin user. On the Ambari portal, when I use admin/admin it says
> invalid credentials. So I tried resetting the password to the default by
> changing it in the ambari.users db:
>
> update ambari.users set user_password='538916f8943ec225d97a9a86a2c6ec0818c1cd400e09e03b660fdaaec4af29ddbb6f2b1033b81b00' where user_name='admin'
>
> To my curiosity, when I look at the ambari.users table a few of the A/D
> users are present in the table. For example:
>
> ambari=> select * from ambari.users;
>  user_id | principal_id | ldap_user | user_name     | create_time                | active
> ---------+--------------+-----------+---------------+----------------------------+--------
>       12 |            4 |         1 | pratlu        | 2015-12-17 17:49:05.699    | 1
>        3 |            6 |         1 | darpan        | 2015-12-17 17:49:05.699    | 1
>       13 |            3 |         1 | administrator | 2015-12-17 17:49:05.699    | 1
>        4 |            5 |         1 | test          | 2015-12-17 17:49:05.699    | 1
>       14 |           11 |         1 | sanjay.sharma | 2015-12-17 17:49:05.699    | 1
>        8 |            7 |         1 | guest         | 2015-12-17 17:49:05.699    | 1
>       10 |           14 |         1 | hadoop.com$   | 2015-12-17 17:49:05.699    | 1
>        9 |           10 |         1 | devuser       | 2015-12-17 17:49:05.699    | 1
>       11 |           12 |         1 | dgotl         | 2015-12-17 17:49:05.699    | 1
>        7 |            9 |         1 | krbtgt        | 2015-12-17 17:49:05.699    | 1
>        1 |            1 |         1 | admin         | 2015-11-09 23:47:08.368558 | 1
>
> I also tried logging in to the Ambari web console using darpan,
> [email protected], admin/admin but it does not work!!
>
> Did anyone face a similar issue? Or can anyone suggest a workaround?
>
> Regards,
> Arpan
>
> On 17 December 2015 at 23:25, Darpan Patel <[email protected]> wrote:
>
>> Thanks Robert for the quick reply.
>>
>> I am copying the DN from Active Directory: CN=Darpan Patel,CN=Users,DC=test,DC=com
>> and keeping the same while configuring the Ambari LDAP setting, i.e.
>> Manager DN: CN=Darpan Patel,CN=Users,DC=test,DC=com
>>
>> But the error is still the same:
>> Syncing all.ERROR: Exiting with exit code 1.
>> REASON: Sync event creation failed. Error details: HTTP Error 403: Bad credentials
>>
>>
>> On 17 December 2015 at 21:51, Robert Levas <[email protected]> wrote:
>>
>>> Darpan…
>>>
>>> The Manager DN request is expecting a distinguished name value, not a
>>> principal name. A distinguished name would look something like
>>> CN=darpan,CN=Users,DC=test,DC=com, which may reference the same account
>>> as [email protected] (which would be the userPrincipalName) or darpan
>>> (which would be the sAMAccountName).
>>>
>>> Rob
>>>
>>>
>>> From: Darpan Patel <[email protected]>
>>> Reply-To: "[email protected]" <[email protected]>
>>> Date: Thursday, December 17, 2015 at 4:35 PM
>>> To: "[email protected]" <[email protected]>
>>> Subject: Re: Need help in Ambari - Active Directory Integration
>>>
>>> Many Thanks Robert.
>>>
>>> I made the corresponding changes, specifying bind anonymously as false.
>>> Thanks, the old issue is gone now. But I am still facing a strange issue.
>>> I am giving the Manager DN = [email protected] and trying to synch all the
>>> users of AD, but on the console I see:
>>>
>>> Syncing all.ERROR: Exiting with exit code 1.
>>> REASON: Sync event creation failed. Error details: HTTP Error 403: Bad credentials
>>>
>>> (It is kind of strange because I just issued a valid TGT using kinit
>>> [email protected] <[email protected]> without any issues!!!!)
>>>
>>> There is only one line in the logs:
>>> 17 Dec 2015 21:24:07,682 INFO [qtp-client-23] FilterBasedLdapUserSearch:89 - SearchBase not set. Searches will be performed from the root: cn=Users,dc=test,dc=com
>>>
>>> Regards,
>>> DP
>>>
>>>
>>> On 17 December 2015 at 17:55, Robert Levas <[email protected]> wrote:
>>>
>>>> However, I don't think that these changes will help with the
>>>> authentication/bind issue. For that, when asked to bind anonymously, you
>>>> should answer false and then set the Manager DN value to the DN of a user
>>>> with read access to the specified container in your Active Directory.
>>>>
>>>> I hope this helps,
>>>>
>>>> Rob
>>>>
>>>>
>>>> From: Darpan Patel <[email protected]>
>>>> Reply-To: "[email protected]" <[email protected]>
>>>> Date: Thursday, December 17, 2015 at 12:20 PM
>>>> To: "[email protected]" <[email protected]>
>>>> Subject: Re: Need help in Ambari - Active Directory Integration
>>>>
>>>> Forgot to mention that the logs show a Naming Exception.
>>>> [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1]; remaining name 'CN=Users,DC=test,DC=com'
>>>>
>>>> 17 Dec 2015 16:36:08,801 FATAL [pool-7-thread-1] AbstractRequestControlDirContextProcessor:186 - No matching response control found for paged results - looking for 'class javax.naming.ldap.PagedResultsResponseControl
>>>> 17 Dec 2015 16:36:08,802 ERROR [pool-7-thread-1] LdapSyncEventResourceProvider:434 - Caught exception running LDAP sync.
>>>> org.springframework.ldap.UncategorizedLdapException: Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1]; remaining name 'CN=Users,DC=test,DC=com'
>>>>     at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:217)
>>>>     at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:319)
>>>>     at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:259)
>>>>     at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:606)
>>>>     at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.getFilteredLdapUsers(AmbariLdapDataPopulator.java:549)
>>>>
>>>>
>>>> On 17 December 2015 at 17:19, Darpan Patel <[email protected]> wrote:
>>>>
>>>>> Hi guys,
>>>>>
>>>>> I am trying to integrate an A/D 2012 Server with Ambari.
>>>>> I suspect that some of the properties are not correct.
>>>>> I have tried various permutations and combinations but have not been
>>>>> successful yet. Could anyone review and help fix it?
>>>>>
>>>>> Active directory domain controller name is: TEST.COM
>>>>>
>>>>> On the console here are the values I am passing:
>>>>> $ ambari-server setup-ldap
>>>>>
>>>>> Setting up LDAP properties...
>>>>> Primary URL {host:port}: IP_OF_AD_SERVER:389
>>>>> Use SSL [true/false]: false
>>>>> User object class: person
>>>>> User name attribute: sAMAccountName
>>>>> Group object class: User
>>>>> Group name attribute: User
>>>>> Group member attribute: member
>>>>> Distinguished name attribute: CN=Users,DC=test,DC=com
>>>>> Base DN: CN=Users,DC=test,DC=com
>>>>> Referral method [follow/ignore]: ignore
>>>>> Bind anonymously [true/false]: true
>>>>>
>>>>> ====================
>>>>> Review Settings
>>>>> ====================
>>>>> Save settings [y/n] (y)? y
>>>>> Saving...done
>>>>> Ambari Server 'setup-ldap' completed successfully.
>>>>>
>>>>>
>>>>> Regards,
>>>>> DP
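The thread turns on two things that are easy to check offline before touching the AD server again: what the `data 52e` sub-code in an LDAP result code 49 actually means, and whether the `authentication.ldap.*` properties are shaped the way an Active Directory backend expects (a manager DN rather than a UPN, an attribute name rather than a container DN in `dnAttribute`, `member` rather than `uid` for group membership, and a bound connection that is not sending the manager password in cleartext over port 389). The following script is an added example, not part of this thread or of Ambari; it runs on text copied from the messages above (properties lines, one `ambari-server.log` line, and rows of the `ambari.users` table), and the AD attribute names it expects (`distinguishedName`, `member`) are the usual AD values and an assumption of the example, not something the thread states. It also flags the `admin` row in the pasted `ambari.users` output, which the table shows with `ldap_user = 1`, since that is worth a look when a local login stops working.

```python
"""Offline sanity checks for an Ambari-to-Active-Directory LDAP setup.

Added example, not Ambari's own code. Input is text copied from the mailing
list thread; the AD attribute names expected below (distinguishedName,
member) are the usual AD values and are an assumption of this example.
"""
import re

# Sub-codes that follow "AcceptSecurityContext error, data NNN" in an AD
# response carrying LDAP result code 49 (invalidCredentials).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (user name valid, password wrong)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_SUBCODE_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]{3})")


def decode_bind_error(log_line):
    """Return (subcode, meaning) for an AD bind failure in a log line, or
    None if the line carries no AcceptSecurityContext sub-code."""
    m = _SUBCODE_RE.search(log_line)
    if not m:
        return None
    code = m.group(1).lower()
    return code, AD_BIND_SUBCODES.get(code, "unknown sub-code")


def parse_properties(text):
    """Parse key=value lines in the style of ambari.properties (no escapes)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def looks_like_dn(value):
    """A DN is a comma-separated list of attr=value pairs (CN=x,DC=y);
    a UPN such as user@domain or a bare sAMAccountName is not one."""
    return "@" not in value and all("=" in part for part in value.split(","))


def lint_ad_properties(props):
    """Return (property, problem) findings for an AD-backed configuration."""
    findings = []
    get = props.get
    if get("authentication.ldap.bindAnonymously", "").lower() != "false":
        findings.append(("authentication.ldap.bindAnonymously",
                         "AD requires a bound connection to search; set false and give a manager DN"))
    if not looks_like_dn(get("authentication.ldap.managerDn", "")):
        findings.append(("authentication.ldap.managerDn",
                         "must be a distinguished name (CN=...,DC=...), not a UPN or sAMAccountName"))
    dn_attr = get("authentication.ldap.dnAttribute", "")
    if "=" in dn_attr or "," in dn_attr:
        findings.append(("authentication.ldap.dnAttribute",
                         "expects an attribute name (distinguishedName on AD), not a container DN"))
    if get("authentication.ldap.groupMembershipAttr", "") != "member":
        findings.append(("authentication.ldap.groupMembershipAttr",
                         "AD stores group membership in 'member'; 'uid' will match nothing"))
    if get("authentication.ldap.useSSL", "").lower() != "true":
        findings.append(("authentication.ldap.useSSL",
                         "a simple bind over plain port 389 sends the manager password in cleartext; use LDAPS"))
    return findings


def local_accounts_marked_ldap(rows):
    """rows: dicts from ambari.users. Returns built-in local account names
    whose ldap_user column is 1, which is worth reviewing when a local
    login such as admin/admin stops working."""
    return [r["user_name"] for r in rows
            if r["user_name"] == "admin" and r["ldap_user"] == 1]


# Constructed sample input, assembled from values pasted in the thread.
SAMPLE_PROPERTIES = """\
authentication.ldap.bindAnonymously=false
authentication.ldap.managerDn=CN=Darpan Patel,CN=users,DC=test,DC=com
authentication.ldap.dnAttribute=CN=Users,DC=test,DC=com
authentication.ldap.groupMembershipAttr=uid
authentication.ldap.useSSL=false
"""
SAMPLE_LOG = ("18 Dec 2015 10:27:34,899 WARN [qtp-client-26] AmbariLdapAuthenticationProvider:71 - "
              "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: "
              "AcceptSecurityContext error, data 52e, v1db1]")
SAMPLE_ROWS = [{"user_name": "darpan", "ldap_user": 1},
               {"user_name": "admin", "ldap_user": 1}]

if __name__ == "__main__":
    print("bind error:", decode_bind_error(SAMPLE_LOG))
    for key, problem in lint_ad_properties(parse_properties(SAMPLE_PROPERTIES)):
        print(f"{key}: {problem}")
    print("local accounts marked ldap_user=1:", local_accounts_marked_ldap(SAMPLE_ROWS))
```

Run against the thread's own values, the linter passes the manager DN (it is a proper DN, so the 52e really does point at the password or the account, as Rob says) and reports the `dnAttribute`, `groupMembershipAttr` and `useSSL` settings; the sub-code decoder confirms 52e as "invalid credentials" rather than "user not found" or "account locked out", which is the distinction that decides whether to re-check the password file or the account state in AD.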
