Hello Experts,

Still this issue persists! Any idea, guys, what's going wrong?
Regards,
DP

On 18 December 2015 at 12:12, Darpan Patel <[email protected]> wrote:

> I thought that the password could be wrong for the AD user, but with the same
> AD user I am able to issue a TGT.
> i.e. for the user in ambari properties:
> authentication.ldap.managerDn=CN=Darpan Patel,CN=users,DC=test,DC=com
> I am able to get a ticket: kinit [email protected].
> I am not sure what setting is not correct!!!
>
> About Ambari version: 2.1.2
>
> Thanks,
> DP
>
> On 18 December 2015 at 11:31, Robert Levas <[email protected]> wrote:
>
>> Hey Darpan….
>>
>> The error "LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9,
>> comment: AcceptSecurityContext error, data 52e, v1db1" indicates that the
>> password you are entering for the account is incorrect. See
>> http://www-01.ibm.com/support/docview.wss?uid=swg21290631 – under
>> "Common Active Directory LDAP bind errors" it reads:
>>
>> 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893
>> HEX: 0x52e - invalid credentials
>> DEC: 1326 - ERROR_LOGON_FAILURE (Logon failure: unknown user name or bad password.)
>> NOTE: Returns when username is valid but password/credential is invalid.
>> Will prevent most other errors from being displayed as noted.
>>
>> As for your issue with no longer being allowed to log in using local user
>> accounts, what version of Ambari are you using?
>>
>> Rob
>>
>> From: Darpan Patel <[email protected]>
>> Reply-To: "[email protected]" <[email protected]>
>> Date: Friday, December 18, 2015 at 5:39 AM
>> To: "[email protected]" <[email protected]>
>> Subject: Re: Need help in Ambari - Active Directory Integration
>>
>> Hi Folks,
>>
>> While trying to set up A/D for Ambari, I am also not able to log in to the
>> Ambari console using the default admin/admin. Nor am I able to sync fully.
>>
>> My Active Directory domain is: TEST.COM and one of the valid users in
>> that is Darpan Patel (principal: [email protected]).
>> Here is the list of properties from /etc/ambari-server/conf/ambari.properties.
>>
>> With the following properties I am still not able to sync the users.
>>
>> api.authenticate=true
>> authentication.ldap.baseDn=CN=Users,DC=test,DC=com
>> authentication.ldap.bindAnonymously=false
>> authentication.ldap.dnAttribute=CN=Users,DC=test,DC=com
>> authentication.ldap.groupMembershipAttr=uid
>> authentication.ldap.groupNamingAttr=cn
>> authentication.ldap.groupObjectClass=group
>> authentication.ldap.managerDn=CN=Darpan Patel,CN=users,DC=test,DC=com
>> authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
>> authentication.ldap.primaryUrl=IP_OF_AD_MACHINE:389
>> authentication.ldap.referral=ignore
>> authentication.ldap.secondaryUrl=IP_OF_AD_MACHINE:389
>> authentication.ldap.useSSL=false
>> authentication.ldap.userObjectClass=person
>> authentication.ldap.usernameAttribute=sAMAccountName
>>
>> Here is the sequence of what I am trying to do:
>>
>> 1) $ ambari-server setup-ldap
>> 2) Enter the above properties
>> 3) Restart the ambari server
>> 4) $ ambari-server sync-ldap --all
>> 5) Enter admin id/password (i.e. default Ambari Admin userid: admin/admin);
>>    also tried with darpan, [email protected]
>> 6) In all the cases I see:
>> Syncing all.ERROR: Exiting with exit code 1.
>> REASON: Sync event creation failed. Error details: HTTP Error 403:
>> [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment:
>> AcceptSecurityContext error, data 52e, v1db1]; nested exception is
>> javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308:
>> LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e,
>> v1db1]
>> 7) Log shows:
>>
>> 18 Dec 2015 10:27:34,899 WARN [qtp-client-26] AmbariLdapAuthenticationProvider:71 - Looks like LDAP manager credentials (that are used for connecting to LDAP server) are invalid.
>> org.springframework.security.authentication.InternalAuthenticationServiceException:
>> [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment:
>> AcceptSecurityContext error, data 52e, v1db1]; nested exception is
>> javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308:
>> LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e,
>> v1db1]
>>
>> --------------
>> The interesting thing is: I am no longer able to log in to Ambari using the
>> admin/admin user. On the Ambari portal, when I use admin/admin it says
>> invalid credentials. So I tried resetting the password to the default by
>> changing it in the ambari.users db (update ambari.users set
>> user_password='538916f8943ec225d97a9a86a2c6ec0818c1cd400e09e03b660fdaaec4af29ddbb6f2b1033b81b00'
>> where user_name='admin').
>>
>> To my curiosity, when I look at the ambari.users table a few of the A/D users
>> are present in the table. For example:
>>
>> ambari=> select * from ambari.users;
>>  user_id | principal_id | ldap_user | user_name     | create_time                | active
>> ---------+--------------+-----------+---------------+----------------------------+--------
>>       12 |            4 |         1 | pratlu        | 2015-12-17 17:49:05.699    |      1
>>        3 |            6 |         1 | darpan        | 2015-12-17 17:49:05.699    |      1
>>       13 |            3 |         1 | administrator | 2015-12-17 17:49:05.699    |      1
>>        4 |            5 |         1 | test          | 2015-12-17 17:49:05.699    |      1
>>       14 |           11 |         1 | sanjay.sharma | 2015-12-17 17:49:05.699    |      1
>>        8 |            7 |         1 | guest         | 2015-12-17 17:49:05.699    |      1
>>       10 |           14 |         1 | hadoop.com$   | 2015-12-17 17:49:05.699    |      1
>>        9 |           10 |         1 | devuser       | 2015-12-17 17:49:05.699    |      1
>>       11 |           12 |         1 | dgotl         | 2015-12-17 17:49:05.699    |      1
>>        7 |            9 |         1 | krbtgt        | 2015-12-17 17:49:05.699    |      1
>>        1 |            1 |         1 | admin         | 2015-11-09 23:47:08.368558 |      1
>>
>> I also tried logging in to the Ambari web console using darpan,
>> [email protected], admin/admin but it does not work!!
>>
>> Did anyone face a similar issue? Or can anyone suggest a workaround?
>>
>> Regards,
>> Arpan
>>
>> On 17 December 2015 at 23:25, Darpan Patel <[email protected]> wrote:
>>
>>> Thanks Robert for the quick reply.
>>>
>>> I am copying the DN from Active Directory: CN=Darpan Patel,CN=Users,DC=test,DC=com
>>> and keeping the same while configuring the Ambari LDAP setting, i.e.
>>> Manager DN: CN=Darpan Patel,CN=Users,DC=test,DC=com
>>>
>>> But the error is still the same: Syncing all.ERROR: Exiting with exit code 1.
>>> REASON: Sync event creation failed. Error details: HTTP Error 403: Bad credentials
>>>
>>> On 17 December 2015 at 21:51, Robert Levas <[email protected]> wrote:
>>>
>>>> Darpan…
>>>>
>>>> The Manager DN request is expecting a distinguished name value, not a
>>>> principal name. A distinguished name would look something like
>>>> CN=darpan,CN=Users,DC=test,DC=com, which may reference the same
>>>> account as [email protected] (which would be the userPrincipalName) or
>>>> darpan (which would be the sAMAccountName).
>>>>
>>>> Rob
>>>>
>>>> From: Darpan Patel <[email protected]>
>>>> Reply-To: "[email protected]" <[email protected]>
>>>> Date: Thursday, December 17, 2015 at 4:35 PM
>>>> To: "[email protected]" <[email protected]>
>>>> Subject: Re: Need help in Ambari - Active Directory Integration
>>>>
>>>> Many Thanks Robert.
>>>>
>>>> I made the corresponding changes, specifying bind anonymously as
>>>> false. Thanks, the old issue is gone now. But I am still facing a strange
>>>> issue. I am giving the Manager DN = [email protected] and trying to
>>>> sync all the users of AD, but on the console I see:
>>>>
>>>> Syncing all.ERROR: Exiting with exit code 1.
>>>> REASON: Sync event creation failed.
>>>> Error details: HTTP Error 403: Bad credentials
>>>>
>>>> (It is kind of strange because I just issued a valid TGT using kinit
>>>> [email protected] without any issues!!!!)
>>>>
>>>> There is only one line in the logs:
>>>> 17 Dec 2015 21:24:07,682 INFO [qtp-client-23] FilterBasedLdapUserSearch:89 - SearchBase not set. Searches will be performed from the root: cn=Users,dc=test,dc=com
>>>>
>>>> Regards,
>>>> DP
>>>>
>>>> On 17 December 2015 at 17:55, Robert Levas <[email protected]> wrote:
>>>>
>>>>> However, I don't think that these changes will help with the
>>>>> authentication/bind issue. For that, when asked to bind anonymously, you
>>>>> should answer false and then set the Manager DN value to the DN of
>>>>> a user with read access to the specified container in your Active
>>>>> Directory.
>>>>>
>>>>> I hope this helps,
>>>>>
>>>>> Rob
>>>>>
>>>>> From: Darpan Patel <[email protected]>
>>>>> Reply-To: "[email protected]" <[email protected]>
>>>>> Date: Thursday, December 17, 2015 at 12:20 PM
>>>>> To: "[email protected]" <[email protected]>
>>>>> Subject: Re: Need help in Ambari - Active Directory Integration
>>>>>
>>>>> Forgot to mention that the logs show a Naming Exception.
>>>>> [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In
>>>>> order to perform this operation a successful bind must be completed on the
>>>>> connection., data 0, v1db1]; remaining name 'CN=Users,DC=test,DC=com'
>>>>>
>>>>> 17 Dec 2015 16:36:08,801 FATAL [pool-7-thread-1] AbstractRequestControlDirContextProcessor:186 - No matching response control found for paged results - looking for 'class javax.naming.ldap.PagedResultsResponseControl
>>>>> 17 Dec 2015 16:36:08,802 ERROR [pool-7-thread-1] LdapSyncEventResourceProvider:434 - Caught exception running LDAP sync.
>>>>> org.springframework.ldap.UncategorizedLdapException: Uncategorized
>>>>> exception occured during LDAP processing; nested exception is
>>>>> javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr:
>>>>> DSID-0C0906E8, comment: In order to perform this operation a successful
>>>>> bind must be completed on the connection., data 0, v1db1]; remaining name
>>>>> 'CN=Users,DC=test,DC=com'
>>>>>   at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:217)
>>>>>   at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:319)
>>>>>   at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:259)
>>>>>   at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:606)
>>>>>   at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.getFilteredLdapUsers(AmbariLdapDataPopulator.java:549)
>>>>>
>>>>> On 17 December 2015 at 17:19, Darpan Patel <[email protected]> wrote:
>>>>>
>>>>>> Hi guys,
>>>>>>
>>>>>> I am trying to integrate an A/D 2012 Server with Ambari.
>>>>>> I suspect that some of the properties are not correct.
>>>>>> I have tried various permutations and combinations but have not been successful yet.
>>>>>> Could anyone review and help fix it?
>>>>>>
>>>>>> Active directory domain controller name is: TEST.COM
>>>>>>
>>>>>> On the console here are the values I am passing:
>>>>>> $ ambari-server setup-ldap
>>>>>>
>>>>>> Setting up LDAP properties...
>>>>>> Primary URL {host:port} : IP_OF_AD_SERVER:389
>>>>>> Use SSL [true/false] : false
>>>>>> User object class : person
>>>>>> User name attribute : sAMAccountName
>>>>>> Group object class : User
>>>>>> Group name attribute : User
>>>>>> Group member attribute : member
>>>>>> Distinguished name attribute : CN=Users,DC=test,DC=com
>>>>>> Base DN : CN=Users,DC=test,DC=com
>>>>>> Referral method [follow/ignore] : ignore
>>>>>> Bind anonymously [true/false] : true
>>>>>>
>>>>>> ====================
>>>>>> Review Settings
>>>>>> ====================
>>>>>> Save settings [y/n] (y)? y
>>>>>> Saving...done
>>>>>> Ambari Server 'setup-ldap' completed successfully.
>>>>>>
>>>>>> Regards,
>>>>>> DP
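The two diagnostics that run through this thread (decoding the `data 52e` sub-code in an AD "error code 49" bind failure, and checking that the `authentication.ldap.*` values in ambari.properties are shaped the way an AD bind needs) are shown below as an added example; it is not Ambari project code or anyone's code from the thread. Only `52e` appears in the thread; the other sub-codes and the expected AD attribute values (`distinguishedName`, `member`) are assumptions drawn from general AD knowledge.

```python
import re

# AD sub-codes in "AcceptSecurityContext error, data NNN" (52e is the one in the thread).
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (valid user, bad password)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

def decode_ad_bind_error(message):
    """Extract (sub-code, meaning) from an AD LDAP error 49 message, or None."""
    m = re.search(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)", message)
    if not m:
        return None
    code = m.group(1).lower()
    return code, AD_BIND_DATA_CODES.get(code, "unknown sub-code")

def parse_properties(text):
    """Parse Java-style key=value lines (the ambari.properties format)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def lint_ad_settings(props):
    """Return findings for authentication.ldap.* values that cannot work against AD."""
    findings = []
    dn = props.get("authentication.ldap.managerDn", "")
    # Rob's point in the thread: the bind identity must be a DN, not a UPN.
    if "@" in dn or (dn and "=" not in dn):
        findings.append("managerDn must be a DN (CN=...,DC=...), not a principal name")
    # AD refuses anonymous searches ('a successful bind must be completed', error code 1).
    if props.get("authentication.ldap.bindAnonymously", "").lower() == "true":
        findings.append("bindAnonymously=true; AD needs an authenticated bind as managerDn")
    # Assumption: dnAttribute names an attribute (e.g. distinguishedName), it does not hold a DN.
    if "=" in props.get("authentication.ldap.dnAttribute", ""):
        findings.append("dnAttribute holds a DN; it must be an attribute name such as distinguishedName")
    # Assumption: AD group membership is carried by the 'member' attribute.
    if props.get("authentication.ldap.groupMembershipAttr", "").lower() != "member":
        findings.append("groupMembershipAttr should be 'member' for AD groups")
    return findings
```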
