https://community.cloudera.com/t5/Archives-of-Support-Questions/What-are-the-best-practises-for-Unix-user-mapping/m-p/161196#M41185 <P>Thanks <A rel="user" href="https://community.cloudera.com/users/174/hkropp.html" nodeid="174">@hkropp</A>. I'm looking at the suggested options.</P><P>What about plain LDAP login configuration on the nodes, could it be a simple solution too?</P> Tue, 20 Sep 2016 16:47:08 GMT tristan1 2016-09-20T16:47:08Z https://community.cloudera.com/t5/Archives-of-Support-Questions/What-are-the-best-practises-for-Unix-user-mapping/m-p/161194#M41183 <P>Hello,</P><P>We have a working HDP 2.4 Kerberos enabled working, with Hue and from command line too.</P><P>Following to the documentation, we have created Unix user mappings between the nodes and Active Directory. Users can login to a utility machine and kinit to login.</P><P><A href="https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.2/bk_Security_Guide/content/create_mappings_betw_principals_and_unix_usernames.html" target="_blank">https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.2/bk_Security_Guide/content/create_mappings_betw_principals_and_unix_usernames.html</A></P><P>It's working just fine.</P><P>My question is about the management of those users: everytime we want to grand access to a new user, we need to go ahead and create those users on all nodes, which is not very practical.</P><P>What are the best practises for that?</P><UL><LI>script user accounts creation?</LI><LI>Enrol all node machines as domain machines so that AD users can login?</LI><LI>Configure the unix machine to accept login using LDAP against AD?</LI><LI>Others?</LI></UL><P>Thanks a lot in advance for ideals and experiences.</P><P>Tristan</P> Tue, 20 Sep 2016 13:58:41 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/What-are-the-best-practises-for-Unix-user-mapping/m-p/161194#M41183 tristan1 2016-09-20T13:58:41Z https://community.cloudera.com/t5/Archives-of-Support-Questions/What-are-the-best-practises-for-Unix-user-mapping/m-p/161195#M41184 <P>A list of recommended tools are:</P><OL> <LI>SSSD <A href="https://fedorahosted.org/sssd/" target="_blank">https://fedorahosted.org/sssd/</A> / <A href="https://help.ubuntu.com/lts/serverguide/sssd-ad.html" target="_blank">https://help.ubuntu.com/lts/serverguide/sssd-ad.html</A></LI><LI>FreeIPA (introduces additional AD and need to establish Trust between the two) <A href="https://www.freeipa.org/page/Main_Page" target="_blank">https://www.freeipa.org/page/Main_Page</A></LI><LI>Winutils</LI><LI>Centrify (commercial) <A href="https://www.centrify.com/" target="_blank">https://www.centrify.com/</A></LI><LI>VAS / Quest (commercial) <A href="https://software.dell.com/products/authentication-services/" target="_blank">https://software.dell.com/products/authentication-services/</A></LI><LI>....</LI></OL><P>Please check the material of this workshop for reference: </P><P><A href="https://community.hortonworks.com/articles/1143/cheatsheet-on-configuring-authentication-authoriza.html" target="_blank">https://community.hortonworks.com/articles/1143/cheatsheet-on-configuring-authentication-authoriza.html</A> <A href="https://community.hortonworks.com/repos/4465/workshops-on-how-to-setup-security-on-hadoop-using.html" target="_blank">https://community.hortonworks.com/repos/4465/workshops-on-how-to-setup-security-on-hadoop-using.html</A></P> Tue, 20 Sep 2016 16:11:45 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/What-are-the-best-practises-for-Unix-user-mapping/m-p/161195#M41184 hkropp 2016-09-20T16:11:45Z https://community.cloudera.com/t5/Archives-of-Support-Questions/What-are-the-best-practises-for-Unix-user-mapping/m-p/161196#M41185 <P>Thanks <A rel="user" href="https://community.cloudera.com/users/174/hkropp.html" nodeid="174">@hkropp</A>. I'm looking at the suggested options.</P><P>What about plain LDAP login configuration on the nodes, could it be a simple solution too?</P> Tue, 20 Sep 2016 16:47:08 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/What-are-the-best-practises-for-Unix-user-mapping/m-p/161196#M41185 tristan1 2016-09-20T16:47:08Z https://community.cloudera.com/t5/Archives-of-Support-Questions/What-are-the-best-practises-for-Unix-user-mapping/m-p/161197#M41186 <P>Yes with pam_ldap integration: <A href="http://www.tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/pamnss.html" target="_blank">http://www.tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/pamnss.html</A></P> Tue, 20 Sep 2016 16:49:21 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/What-are-the-best-practises-for-Unix-user-mapping/m-p/161197#M41186 hkropp 2016-09-20T16:49:21Z https://community.cloudera.com/t5/Archives-of-Support-Questions/What-are-the-best-practises-for-Unix-user-mapping/m-p/161198#M41187 <P>Well, you would have the login, but not the kerberos init. You would still have two realms with user credentials the KRB5 realm and the LDAP realm depending on your setup.</P><P>Actually the KRB5 realm can be included inside LDAP or put differently Kerberos can be configured to use LDAP as it's user DB, that would give you the possibility to combine both. This essential is what FreeIPA is.</P> Tue, 20 Sep 2016 16:52:20 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/What-are-the-best-practises-for-Unix-user-mapping/m-p/161198#M41187 hkropp 2016-09-20T16:52:20Z