Regenerate Credentials Fails: ldap_delete: Invalid DN syntax (34)

asked Aug 30, 2017 in Hadoop by admin (4,410 points)
Summary

Trying to Regenerate Credentials in Cloudera Manager fails when the principal's Distinguished Name (DN) in Active Directory or LDAP is long enough (roughly 80 characters or more) that ldapsearch wraps the dn: line in its LDIF output. The credential-generation script reads only the first physical line of the wrapped value, so the DN it passes to ldapdelete is truncated.
Applies To

All versions of Cloudera Manager prior to CM 5.11.0

Symptoms

Trying to Regenerate Kerberos credentials in CM fails with output like the following:

+ ldapdelete -H ldaps://ldap.rbt.dev.example.com:636 CN=DLDEV03FiCwsItFeX,OU=HadoopPOC,OU=ServiceAccounts,OU=HO,OU=SF,DC=rbt,DC
SASL/GSSAPI authentication started
SASL username: L1DLDEV03@RBT.DEV.EXAMPLE.COM
SASL SSF: 0
ldap_delete: Invalid DN syntax (34)
additional info: 0000208F: NameErr: DSID-031001F7, problem 2006 (BAD_NAME), data 8350, best match of:
'CN=DLDEV03FiCwsItFeX,OU=HadoopPOC,OU=ServiceAccounts,OU=HO,OU=SF,

Cause

The output in CM shows the issue:

i) The script first searches AD for the userPrincipalName to find out whether such an account already exists.

++ ldapsearch -LLL -H ldaps://ldap.dev.example.com:636 -b OU=HadoopPOC,OU=ServiceAccounts,OU=HO,OU=SF,DC=rbt,DC=DEV,DC=EXAMPLE,DC=COM userPrincipalName=hdfs/devhost008.dev.example.com@RBT.DEV.EXAMPLE.COM


ii) The account is found in AD, and the raw ldapsearch output is stored in PRINC_SEARCH:

+ PRINC_SEARCH='dn: CN=DLDEV03FiCwsItFeX,OU=HadoopPOC,OU=ServiceAccounts,OU=HO,OU=SF,DC=rbt,DC
 =dev,DC=example,DC=com


NOTICE: The dn: line is wrapped onto a second line beginning with a space. This is the default LDIF output behaviour of ldapsearch for long values.

iii) Because the account already exists, the script must delete it before recreating it. It runs ldapdelete with the DN it extracted from the search output:

+ ldapdelete -H ldaps://p2tdc214.rbt.dev.example.com:636 CN=DLDEV03FiCwsItFeX,OU=HadoopPOC,OU=ServiceAccounts,OU=HO,OU=SF,DC=rbt,DC
SASL/GSSAPI authentication started
SASL username: L1DLDEV03@RBT.DEV.EXAMPLE.COM
SASL SSF: 0
ldap_delete: Invalid DN syntax (34)
        additional info: 0000208F: NameErr: DSID-031001F7, problem 2006 (BAD_NAME), data 8350, best match of:
        'CN=DLDEV03FiCwsItFeX,OU=HadoopPOC,OU=ServiceAccounts,OU=HO,OU=SF,DC=rbt,DC'

+ '[' 34 -ne 0 ']'
+ echo 'Deletion of the Active Directory account hdfs/devhost008.dev.example.com@RBT.DEV.EXAMPLE.COM failed.'
+ exit 1


Again, notice the DN: it is truncated because the script takes only the first line of the wrapped dn: value, so ldapdelete is handed CN=DLDEV03FiCwsItFeX,...,DC=rbt,DC instead of CN=DLDEV03FiCwsItFeX,...,DC=rbt,DC=dev,DC=example,DC=com. Active Directory rejects the incomplete DN with error 34 (Invalid DN syntax, problem 2006 BAD_NAME), the script sees the non-zero exit status and aborts before the principal can be recreated.

Instructions

This is a known issue, fixed in CM 5.11.0:

OPSAPS-38937 Kerberos: unable to regenerate principal due to truncated DN

The following workaround was applied.

Update /usr/share/cmf/bin/gen_credentials_ad.sh (make a backup first) and change the following line

from:

PRINC_SEARCH=`ldapsearch -LLL -H "$AD_SERVER" -b "$DOMAIN" $SIMPLE_PWD_STR "userPrincipalName=$PRINC"`


to:

PRINC_SEARCH=`ldapsearch -o ldif-wrap=no -LLL -H "$AD_SERVER" -b "$DOMAIN" $SIMPLE_PWD_STR "userPrincipalName=$PRINC"`


Adding the option '-o ldif-wrap=no' disables LDIF line wrapping in ldapsearch, so the dn: value comes back on a single line and the DN handed to ldapdelete is complete. Two caveats: the option requires an OpenLDAP client whose ldapsearch accepts -o ldif-wrap (older clients reject it), and because gen_credentials_ad.sh is shipped with the Cloudera Manager packages, expect the edit to be overwritten by an upgrade. Upgrading to CM 5.11.0 or later, which contains the fix, removes the need for the workaround.
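To make the failure in the Cause section concrete, and to show a defensive alternative that does not depend on the ldapsearch version accepting -o ldif-wrap=no, here is an added example. It is not Cloudera's gen_credentials_ad.sh and not from the original post: it takes the wrapped LDIF shown above as a constructed sample, shows that reading only the first dn: line yields the truncated DN, unfolds the continuation line as RFC 2849 specifies, and adds a syntactic guard that rejects a DN cut in the middle of an RDN before it ever reaches ldapdelete. The function names, the sample LDIF and the attribute lines after dn: are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example (not part of Cloudera's gen_credentials_ad.sh): why taking only
# the first "dn:" line of wrapped ldapsearch output truncates a long DN, and
# how to unfold RFC 2849 continuation lines so the full DN is recovered
# regardless of the ldif-wrap setting.

# Constructed sample: what ldapsearch -LLL prints for the principal from the
# page, with the dn: value folded onto a continuation line (leading space).
# The attribute lines after dn: are made up for the example.
SAMPLE_LDIF='dn: CN=DLDEV03FiCwsItFeX,OU=HadoopPOC,OU=ServiceAccounts,OU=HO,OU=SF,DC=rbt,DC
 =dev,DC=example,DC=com
userPrincipalName: hdfs/devhost008.dev.example.com@RBT.DEV.EXAMPLE.COM
sAMAccountName: DLDEV03FiCwsItFeX'

# Naive extraction: strip "dn: " from the first physical line only. This is
# the behaviour that produced the truncated ...,DC=rbt,DC in the Cause section.
extract_dn_naive() {
    printf '%s\n' "$1" | sed -n '1s/^dn: //p'
}

# Unfold LDIF: a line that begins with a single space continues the previous
# logical line (RFC 2849). awk accumulates and prints complete logical lines.
unfold_ldif() {
    printf '%s\n' "$1" | awk '
        /^ /   { line = line substr($0, 2); next }
        NR > 1 { print line }
               { line = $0 }
        END    { if (NR > 0) print line }
    '
}

# Correct extraction: unfold first, then take the (now complete) dn: value.
extract_dn() {
    unfold_ldif "$1" | sed -n 's/^dn: //p' | head -n 1
}

# Cheap syntactic guard before calling ldapdelete: every comma-separated RDN
# must look like "attr=value". A DN cut mid-RDN (ending in ",DC") fails this,
# so a script can abort with a clear message instead of LDAP error 34.
# Limitation: does not understand escaped commas ("\,") inside RDN values.
dn_looks_complete() {
    printf '%s\n' "$1" | awk -F, '
        NF == 0 { exit 1 }
        { for (i = 1; i <= NF; i++) if ($i !~ /^[A-Za-z][A-Za-z0-9-]*=./) exit 1 }
    '
}

# Demonstration on the constructed sample.
naive=$(extract_dn_naive "$SAMPLE_LDIF")
full=$(extract_dn "$SAMPLE_LDIF")
printf 'first line only : %s\n' "$naive"
printf 'unfolded        : %s\n' "$full"
if dn_looks_complete "$naive"; then echo "naive DN accepted"; else echo "naive DN rejected: truncated RDN"; fi
if dn_looks_complete "$full";  then echo "full DN accepted";  else echo "full DN rejected"; fi
```

Note that ldapsearch base64-encodes a DN containing non-ASCII or leading special characters and prints it as `dn:: <base64>`; the example above handles only the plain `dn:` form, so a script that must cope with arbitrary DNs should decode the `::` case as well.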
