https://community.cloudera.com/t5/Support-Questions/Failed-to-enable-Kerberos-using-Direct-Active-Directory/m-p/48784#M44039 <P>Found this useful link:</P><P><A href="https://www.cloudera.com/documentation/enterprise/latest/topics/cm_sg_s3_cm_principal.html" target="_blank">https://www.cloudera.com/documentation/enterprise/latest/topics/cm_sg_s3_cm_principal.html</A></P><P>&nbsp;</P><P>If you are using Active Directory:</P><OL><LI>Create an Organizational Unit (OU) in your AD setup where all the principals used by your CDH cluster will reside.</LI><LI>Add a new user account to Active Directory, for example, &lt;username&gt;@YOUR-REALM.COM. The password for this user should be set to never expire.</LI><LI>Use AD's Delegate Control wizard to allow this new user to <STRONG>Create, Delete and Manage User Accounts</STRONG>.</LI></OL> Fri, 23 Dec 2016 20:07:32 GMT zhuw.bigdata 2016-12-23T20:07:32Z https://community.cloudera.com/t5/Support-Questions/Failed-to-enable-Kerberos-using-Direct-Active-Directory/m-p/48332#M44038 <P>Reference:</P><DIV><FONT color="#323333" face="Helvetica Neue"><SPAN><A href="http://www.cloudera.com/documentation/enterprise/latest/topics/sg_auth_overview.html#concept_zkr_5h2_bt" target="_blank"><FONT>http://www.cloudera.com/documentation/enterprise/latest/topics/sg_auth_overview.html#concept_zkr_5h2_bt</FONT></A><BR /></SPAN></FONT></DIV><DIV><A href="http://www.cloudera.com/documentation/enterprise/latest/topics/cm_sg_intro_kerb.html" target="_blank"><FONT>http://www.cloudera.com/documentation/enterprise/latest/topics/cm_sg_intro_kerb.html</FONT></A></DIV><DIV><A href="http://blog.cloudera.com/blog/2014/07/new-in-cloudera-manager-5-1-direct-active-directory-integration-for-kerberos-authentication/" target="_blank">http://blog.cloudera.com/blog/2014/07/new-in-cloudera-manager-5-1-direct-active-directory-integration-for-kerberos-authentication/</A></DIV><DIV>&nbsp;</DIV><DIV>My question is how to configure AD OU admin user. This user has to have permissions to modify LDAP also. I just can't find anything on this. I got permission denied on ldapadd when generating the keytabs. Could someone help me on how to set this user up in both AD domain&nbsp; and AD LDAP?</DIV> Tue, 06 Dec 2016 04:05:37 GMT https://community.cloudera.com/t5/Support-Questions/Failed-to-enable-Kerberos-using-Direct-Active-Directory/m-p/48332#M44038 zhuw.bigdata 2016-12-06T04:05:37Z https://community.cloudera.com/t5/Support-Questions/Failed-to-enable-Kerberos-using-Direct-Active-Directory/m-p/48784#M44039 <P>Found this useful link:</P><P><A href="https://www.cloudera.com/documentation/enterprise/latest/topics/cm_sg_s3_cm_principal.html" target="_blank">https://www.cloudera.com/documentation/enterprise/latest/topics/cm_sg_s3_cm_principal.html</A></P><P>&nbsp;</P><P>If you are using Active Directory:</P><OL><LI>Create an Organizational Unit (OU) in your AD setup where all the principals used by your CDH cluster will reside.</LI><LI>Add a new user account to Active Directory, for example, &lt;username&gt;@YOUR-REALM.COM. The password for this user should be set to never expire.</LI><LI>Use AD's Delegate Control wizard to allow this new user to <STRONG>Create, Delete and Manage User Accounts</STRONG>.</LI></OL> Fri, 23 Dec 2016 20:07:32 GMT https://community.cloudera.com/t5/Support-Questions/Failed-to-enable-Kerberos-using-Direct-Active-Directory/m-p/48784#M44039 zhuw.bigdata 2016-12-23T20:07:32Z