
How do you add a new user from Active Directory?

Expert Contributor

I have successfully installed and configured Kerberos on my cluster to use Active Directory as KDC.

I am assuming this because:

root@murkhana:~# hdfs dfs -ls /
16/05/06 10:55:15 WARN ipc.Client: Exception encountered while connecting to the server :
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
root@murkhana:~# kinit -k -t /etc/security/keytabs/hdfs.headless.keytab hdfs-murkhana
root@murkhana:~# hdfs dfs -ls /
Found 8 items
drwxrwxrwx   - yarn   hadoop          0 2016-04-22 12:31 /app-logs
drwxr-xr-x   - hdfs   hdfs            0 2016-04-22 12:30 /apps
drwxr-xr-x   - yarn   hadoop          0 2016-04-22 12:27 /ats
drwxr-xr-x   - hdfs   hdfs            0 2016-04-22 12:27 /hdp
drwxr-xr-x   - mapred hdfs            0 2016-04-22 12:27 /mapred
drwxrwxrwx   - mapred hadoop          0 2016-04-22 12:27 /mr-history
drwxrwxrwx   - hdfs   hdfs            0 2016-05-05 18:29 /tmp
drwxr-xr-x   - hdfs   hdfs            0 2016-04-22 12:30 /user

And I can also see all the Service Principal Names listed in my AD OU.

I would now like to add some existing users to Hadoop from Active Directory. I've seen many posts about doing this via the kadmin interface on the Hadoop node, however I would rather do this all centrally via Active Directory. Is this possible? Thanks.

1 ACCEPTED SOLUTION

Master Guru

For business users you do not need to do anything in Hadoop. You need to configure Linux (with SSSD) to connect to your Active Directory. Once you can log on to Linux with your Active Directory account and get a valid Kerberos ticket for your realm (which is the default configuration for AD: when you log on you normally get a Kerberos ticket), the rest is done by the auth_to_local rules, which take the Kerberos ticket from the realm, then strip out the username from it and identify it as the Hadoop user. So myuser1@MYREALM.COM will be mapped to the Hadoop user myuser1. But there should be a default rule in place. So the key point is to configure SSSD on your nodes.

https://community.hortonworks.com/articles/14463/auth-to-local-rules-syntax.html
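As an added illustration (not part of the original answer), the following Python script mirrors how Hadoop evaluates hadoop.security.auth_to_local rules against a principal: it maps the answer's myuser1@MYREALM.COM through the DEFAULT rule and, with two assumed Ambari-style rules, maps the question's hdfs-murkhana headless principal to the local hdfs user. The realm, the rule text and the NameNode hostname are assumptions, and the rule grammar is a simplified reading of Hadoop's KerberosName class rather than its code.

```python
import re

DEFAULT_REALM = "MYREALM.COM"  # assumed cluster realm, taken from the answer's myuser1@MYREALM.COM

# Assumed rules in the style Ambari generates for HDP (not copied from the page): the first two
# map the hdfs-murkhana headless and NameNode service principals to 'hdfs'; DEFAULT is the
# rule the answer relies on for business users.
RULES = """
RULE:[1:$1@$0](hdfs-murkhana@MYREALM.COM)s/.*/hdfs/
RULE:[2:$1@$0](nn@MYREALM.COM)s/.*/hdfs/
DEFAULT
"""
# RULE:[n:format](match)s/pattern/replacement/[g]; the (match) and s/// parts are optional.
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]+)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?$")

def parse_principal(principal):
    """Split 'name[/host]@REALM' into (realm, components) as Hadoop's KerberosName does."""
    name, realm = principal.rsplit("@", 1)
    return realm, name.split("/")

def apply_rule(rule, realm, comps):
    """Short name produced by one rule, or None if the rule does not apply."""
    if rule == "DEFAULT":
        # DEFAULT maps only principals of the cluster's own realm, to their first component.
        return comps[0] if realm == DEFAULT_REALM else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("malformed rule: " + rule)
    n, fmt, match, pat, repl, flag = m.groups()
    if len(comps) != int(n):          # rule applies to exactly n components (realm excluded)
        return None
    base = fmt.replace("$0", realm)   # $0 = realm, $1/$2 = principal components
    for i, comp in enumerate(comps, start=1):
        base = base.replace("$%d" % i, comp)
    if match is not None and not re.fullmatch(match, base):
        return None
    if pat is None:
        return base
    return re.sub(pat, repl, base, count=0 if flag == "g" else 1)

def map_principal(principal, rules=RULES):
    """First matching rule wins; None means no rule applied and Hadoop would reject the login."""
    realm, comps = parse_principal(principal)
    for rule in rules.strip().splitlines():
        short = apply_rule(rule.strip(), realm, comps)
        if short is not None:
            if re.search(r"[/@]", short):   # Hadoop refuses names that are not 'simple'
                raise ValueError("rule produced a non-simple name: " + short)
            return short
    return None
```

A principal from a realm other than the cluster's own, such as myuser1@OTHER.COM, maps to nothing under these rules; that is the check to keep in mind before adding a rule broad enough to map foreign-realm principals onto privileged local users.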


4 REPLIES

Expert Contributor

I see you've faced similar challenges @Terry Padgett @Darpan Patel. Cheers.


Expert Contributor

Thanks, that makes sense.

I am using AD as our KDC and have not installed a KDC locally on Hadoop. Do I have to install a local KDC? I ask because I'm trying to configure Hue using this guide: http://hortonworks.com/blog/enabling-kerberos-hdp-active-directory-integration/. However, I can't log in to the kadmin interface. I have checked "Do not require Kerberos preauthentication" in AD.

root@murkhana:~# kadmin -p kdcadmin
Authenticating as principal kdcadmin with password.
kadmin: Database error! Required KADM5 principal missing while initializing kadmin interface

How can I access the kadmin to create the Hue user? Or can I do this and create keytabs in AD? Thanks.

Master Guru

No, you don't have to install a local KDC; you have to configure SSSD to connect to AD for Linux user authentication. As said, AD normally provides Kerberos tickets automatically. To create a new service user in AD you best talk to your AD team. Once you have created a hue service user (in the same group as the hdfs etc. users) you should be able to export the keytab. The guide would be for a standard KDC.

That is also an option; however, if you want a standard KDC then you need to add a one-way trust from the AD to your local KDC.