1. After the cluster is upgraded from C50SPC202 to C50SPC205, a message is displayed indicating that the password has expired. After changing the password as prompted and it can be confirmed that the entered password is correct but the error of user name or password is reported. The password cannot be changed.
2. Forcibly change the password on the background. After using Kerberos to log in to the system for the first time and change the password, a message "Kadmin: password change failed while initializing kadmin interface" is displayed, indicating that the Kerberos password fails to be changed and the password cannot be forcibly changed.
1. Check whether the LDAP is started normally. Find the active LDAP node, log in to the active OMS node and run the following command:
cat /home/oms/kerberos/var/krb5kdc/krb5.conf |grep ldap_servers
As shown in the following figure, the first IP address is the floating IP address of the active LDAP node. You can use this IP address to log in to the active LDAP node.
Run the following command to check whether the LDAP is running properly: ps -ef | grep slapd |grep 21780.
2. Run the following command to check whether the LDAP data is abnormal: ldapsearch -H ldaps://126.96.36.199:21780 -x -LLL -D cn=root,dc=hadoop,dc=com -w Ldap@123 -b cn=HADOOP.COM,cn=krbcontainer,dc=hadoop,dc=com.
3. Check the active/standby LDAP data directories and find out that the time of files is different. The path is as follows: /opt/huawei/Bigdata/FusionInsight-ldapserver-2.5.0/ldapserver/local/data/.The time of the LDAP data of the active node is still in June.
time of the LDAP data of the standby node is normal.
4. Restore the active LDAP data according to the following methods:
Copy the data of the standby LDAP to the active LDAP. To ensure the integrity of the data, stop the standby LDAP. (After the LDAP is stopped, it is automatically restarted. You are advised to open a session to enter the copy command. After stopping the standby LDAP, copy the data immediately.).
After the copy is complete, run the kill -9 active ldap command to restart the active LDAP server.
5. Run the ldapsearch command again to check whether the data is normal.
6. The FusionInsight GUI can be logged in to without changing the password. The problem is solved.
The active LDAP server is in the standby state before the upgrade. After the upgrade, the standby LDAP server becomes the active one, and the data is still the one in June. Therefore, data exception occurs.
Replace the data of the active LDAP server with the data of the standby LDAP server and restart the active LDAP service. The problem is solved.
Check the cluster before the upgrade as required.