Created on 05-06-2016 10:05 AM - edited 09-16-2022 03:17 AM
I have successfully installed and configured Kerberos on my cluster to use Active Directory as KDC.
I am assuming this because:
root@murkhana:~# hdfs dfs -ls /
16/05/06 10:55:15 WARN ipc.Client: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
root@murkhana:~# kinit -k -t /etc/security/keytabs/hdfs.headless.keytab hdfs-murkhana
root@murkhana:~# hdfs dfs -ls /
Found 8 items
drwxrwxrwx   - yarn   hadoop          0 2016-04-22 12:31 /app-logs
drwxr-xr-x   - hdfs   hdfs            0 2016-04-22 12:30 /apps
drwxr-xr-x   - yarn   hadoop          0 2016-04-22 12:27 /ats
drwxr-xr-x   - hdfs   hdfs            0 2016-04-22 12:27 /hdp
drwxr-xr-x   - mapred hdfs            0 2016-04-22 12:27 /mapred
drwxrwxrwx   - mapred hadoop          0 2016-04-22 12:27 /mr-history
drwxrwxrwx   - hdfs   hdfs            0 2016-05-05 18:29 /tmp
drwxr-xr-x   - hdfs   hdfs            0 2016-04-22 12:30 /user
And I can also see all the Service Principal Names listed in my AD OU.
I would now like to add some existing users to Hadoop from Active Directory. I've seen many posts about doing this via the kadmin interface on the Hadoop node, however I would rather do this all centrally via Active Directory. Is this possible? Thanks.
Created 05-06-2016 12:32 PM
For business users you do not need to do anything in Hadoop. You need to configure Linux (with SSSD) to connect to your Active Directory. Once you can log on to Linux with your Active Directory account and get a valid Kerberos ticket for your realm (which is the default configuration for AD: when you log on you normally get a Kerberos ticket), the rest is done by the auth_to_local rules, which take the Kerberos ticket from the realm, strip out the username from it and identify it as the Hadoop user.
So myuser1@MYREALM.COM will be mapped to the Hadoop user myuser1. But there should be a default rule in place. So the key point is to configure SSSD on your nodes.
https://community.hortonworks.com/articles/14463/auth-to-local-rules-syntax.html
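To make the mapping step concrete, here is an added example that is not part of the thread and not Hadoop's own code: a small Python model of how Hadoop evaluates auth_to_local rules (RULE:[n:format](regex)s/pattern/replacement/ entries followed by DEFAULT). It assumes MYREALM.COM is the cluster's local realm and uses Ambari-style rules for the hdfs-murkhana headless principal and two made-up service principals; the host name murkhana.example.com and the "weak" rule at the end are constructed for illustration. It shows why the realm check in DEFAULT matters: a principal from another realm gets no mapping unless a rule explicitly grants one.

```python
import re
from typing import List, Optional

# Assumed local realm of the cluster (from the thread's myuser1@MYREALM.COM example).
DEFAULT_REALM = "MYREALM.COM"

# RULE:[n:format](filter-regex)s/pattern/replacement/g  -- filter and sed parts are optional.
# Simplification: patterns containing an escaped "/" are not supported.
_RULE_RE = re.compile(
    r"RULE:\[(?P<n>\d+):(?P<fmt>[^\]]+)\]"
    r"(?:\((?P<regex>.*)\))?"
    r"(?:s/(?P<pat>[^/]*)/(?P<rep>[^/]*)/(?P<flags>g?))?$"
)


class Rule:
    """One auth_to_local rule, either DEFAULT or a RULE:[...] entry."""

    def __init__(self, text: str):
        self.text = text
        self.is_default = text == "DEFAULT"
        if self.is_default:
            return
        m = _RULE_RE.fullmatch(text)
        if not m:
            raise ValueError(f"malformed auth_to_local rule: {text!r}")
        self.num_components = int(m.group("n"))
        self.fmt = m.group("fmt")
        self.filter = re.compile(m.group("regex")) if m.group("regex") else None
        self.pattern = re.compile(m.group("pat")) if m.group("pat") is not None else None
        self.replacement = m.group("rep") or ""
        self.replace_all = m.group("flags") == "g"

    def apply(self, components: List[str], realm: str) -> Optional[str]:
        """Return the local user name, or None if this rule does not apply."""
        if self.is_default:
            # DEFAULT only maps principals issued by the local realm: the short
            # name becomes the local user, anything from a foreign realm is skipped.
            return components[0] if realm == DEFAULT_REALM else None
        if len(components) != self.num_components:
            return None

        # Build the candidate string: $0 is the realm, $1..$n are the components.
        def sub_var(mo: "re.Match[str]") -> str:
            i = int(mo.group(1))
            if i > len(components):
                raise ValueError(f"rule {self.text!r} references ${i} but principal has {len(components)} components")
            return realm if i == 0 else components[i - 1]

        formatted = re.sub(r"\$(\d+)", sub_var, self.fmt)
        # The filter regex must match the whole formatted string (Java matches() semantics).
        if self.filter is not None and not self.filter.fullmatch(formatted):
            return None
        if self.pattern is None:
            return formatted
        return self.pattern.sub(self.replacement, formatted, count=0 if self.replace_all else 1)


def parse_principal(principal: str):
    """Split name[/instance]@REALM into ([name, instance...], REALM)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"principal must look like name[/instance]@REALM: {principal!r}")
    return name.split("/"), realm


def map_principal(principal: str, rules: List[str]) -> str:
    """First matching rule wins; no match is an authentication failure, not a fallback."""
    components, realm = parse_principal(principal)
    for rule_text in rules:
        result = Rule(rule_text).apply(components, realm)
        if result is not None:
            return result
    raise PermissionError(f"no auth_to_local rule matched {principal!r}")


def try_map(principal: str, rules: List[str]) -> Optional[str]:
    """Convenience wrapper: None instead of an exception when nothing matches."""
    try:
        return map_principal(principal, rules)
    except PermissionError:
        return None


# Assumed Ambari-style rule set (constructed for this example).
RULES = [
    "RULE:[1:$1@$0](hdfs-.*@MYREALM.COM)s/.*/hdfs/",   # headless hdfs-<cluster> -> hdfs
    "RULE:[2:$1@$0](nn@MYREALM.COM)s/.*/hdfs/",         # nn/<host> -> hdfs
    "RULE:[2:$1@$0](rm@MYREALM.COM)s/.*/yarn/",         # rm/<host> -> yarn
    "DEFAULT",
]

# Constructed misconfiguration: no filter on the realm, so any realm's "myuser1" becomes local myuser1.
WEAK_RULES = ["RULE:[1:$1]"]

if __name__ == "__main__":
    for p in ["myuser1@MYREALM.COM", "hdfs-murkhana@MYREALM.COM",
              "nn/murkhana.example.com@MYREALM.COM", "myuser1@OTHER.COM"]:
        print(f"{p:45} -> {try_map(p, RULES)!s:8} (weak rules: {try_map(p, WEAK_RULES)})")
```

Run the block directly to see the table; the last row shows the foreign-realm principal mapping to nothing under the realm-pinned rules and to myuser1 under the weak rule, which is the behaviour to avoid when a trust to another realm is ever added.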
Created 05-06-2016 10:06 AM
I see you've faced similar challenges @Terry Padgett @Darpan Patel. Cheers.
Created 05-06-2016 02:10 PM
Thanks, that makes sense.
I am using AD as our KDC and have not installed a KDC locally on Hadoop. Do I have to install a local KDC? I ask because I'm trying to configure Hue using this guide: http://hortonworks.com/blog/enabling-kerberos-hdp-active-directory-integration/ However, I can't log in to the kadmin interface. I have checked "Do not require Kerberos preauthentication" in AD.
root@murkhana:~# kadmin -p kdcadmin
Authenticating as principal kdcadmin with password.
kadmin: Database error! Required KADM5 principal missing while initializing kadmin interface
How can I access kadmin to create the Hue user? Or can I do this and create keytabs in AD? Thanks.
Created 05-06-2016 04:57 PM
No, you don't have to install a local KDC; you have to configure SSSD to connect to AD for Linux user authentication. As said, AD normally provides Kerberos tickets automatically. To create a new service user in AD you best talk to your AD team. Once you have created a Hue service user (in the same group as the hdfs etc. users) you should be able to export the keytab. The guide would be for a standard KDC.
Which is also an option; however, if you want a standard KDC then you need to add a one-way trust from the AD to your local KDC.