question Re: Problem with refresh HDFS User-Group mappings with AD on Kerberized cluster in Archives of Support Questions (Read Only) https://community.cloudera.com/t5/Archives-of-Support-Questions/Problem-with-refresh-HDFS-User-Group-mappings-with-AD-on/m-p/162625#M45183 <P>It seems that HDFS is not synching your groups. Try restarting the cluster to see if that helps.</P> Tue, 27 Dec 2016 00:21:03 GMT dvillarreal 2016-12-27T00:21:03Z Problem with refresh HDFS User-Group mappings with AD on Kerberized cluster https://community.cloudera.com/t5/Archives-of-Support-Questions/Problem-with-refresh-HDFS-User-Group-mappings-with-AD-on/m-p/162624#M45182 <P>Following the security lab and reach the following step</P><P><A href="https://github.com/HortonworksUniversity/Security_Labs#refresh-hdfs-user-group-mappings" target="_blank">https://github.com/HortonworksUniversity/Security_Labs#refresh-hdfs-user-group-mappings</A></P><P>Run into problem refresh the user-group mapping from AD</P><PRE>[root@qwang-hdp0 ~]# sudo sudo -u hdfs kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-qi [root@qwang-hdp0 ~]# sudo sudo -u hdfs hdfs dfsadmin -refreshUserToGroupsMappings Refresh user to groups mapping successful </PRE><P>Then kinit to hr1 user and check the user-group mapping, it doesn't seems to sync correctly for hdfs, hdfs group command not returning the rigth group, where yarn rmadmin is fine.</P><PRE>[root@qwang-hdp0 ~]# kinit hr1 Password for hr1@EXAMPLE.COM: [root@qwang-hdp0 ~]# hdfs groups hr1@EXAMPLE.COM : [root@qwang-hdp0 ~]# yarn rmadmin -getGroups hr1 16/11/03 01:30:36 INFO client.RMProxy: Connecting to ResourceManager at hdp1.example.com/172.xx.xxx.xxx:8141 hr1 : domain_users hadoop-users hr [root@qwang-hdp0 ~]# id hr1 uid=1960401170(hr1) gid=1960400513(domain_users) groups=1960400513(domain_users),1960401154(hr),1960401151(hadoop-users) </PRE><P>The hdfs group is not matching to the AD settings. and ldapsearch confirm the AD setting is there</P><PRE>[root@qwang-hdp0 ~]# ldapsearch -h ad01.field.hortonworks.com -p 389 -D "binduser@example.com" -W -b "DC=field,DC=my_org,DC=com" "(sAMAccountName=hr1)" Enter LDAP Password: ... memberOf: CN=hr,OU=CorpUsers,DC=field,DC=my_org,DC=com memberOf: CN=hadoop-users,OU=CorpUsers,DC=field,DC=</PRE><P>my_org,DC=com</P>... <P>Could you suggest what is going wrong and what to do to trouble shoot/correct the issue</P> Thu, 03 Nov 2016 11:09:08 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Problem-with-refresh-HDFS-User-Group-mappings-with-AD-on/m-p/162624#M45182 qiwang 2016-11-03T11:09:08Z Re: Problem with refresh HDFS User-Group mappings with AD on Kerberized cluster https://community.cloudera.com/t5/Archives-of-Support-Questions/Problem-with-refresh-HDFS-User-Group-mappings-with-AD-on/m-p/162625#M45183 <P>It seems that HDFS is not synching your groups. Try restarting the cluster to see if that helps.</P> Tue, 27 Dec 2016 00:21:03 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Problem-with-refresh-HDFS-User-Group-mappings-with-AD-on/m-p/162625#M45183 dvillarreal 2016-12-27T00:21:03Z