Github user ChrisMcVey commented on the issue:
https://github.com/apache/zeppelin/pull/986
Well through some more testing, I've found that it it will accept logins as
_either_ the userPrincipalName (without the realm) _or_ the sAMAccountName.
This true if the principal suffix is NOT set in shiro.
I.E.
If the object has these two defined in AD:
sAMAccountName=userexample
userPrincipalName=userex/hostname1.domain....@realm.com
AND shiro.ini does not have the principal suffix:
#activeDirectoryRealm.principalSuffix = @REALM.COM
Then I am able to login to the UI with either userexample or
userex/hostname1.domain.com as the username.
If the principal suffix is enabled:
activeDirectoryRealm.principalSuffix = @REALM.COM
Then, I cannot login to the UI with any form of userex/hostname1.domain.com
but I can login with userexample. Logging in with userexample is useless
because userexam...@realm.com will not be found for group mappings by the UPN
search filter.
Adding all this for clarity... Zeppelin ActiveDirectoryGroupRealm does not
explicity authentication the user using sAMAccountName but it does permit it.
It will also accept UPN. In most cases, these match. In some cases, they may
not.
The more I look at this, it is becoming apparent that as an AD provider and
not an LDAP provider, they are assuming that running ktpass for a keytab as we
have done is not a valid user for this provider.
Hopefully, this info is at least helpful if someone else has this same odd
config!
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---
