How do you pass user UIDs and GIDs when using MIT KDC one-way trust to Active Directory?

cjervis · ‎04-03-2018

How are people passing UIDs and GIDs with the cluster integrated with a MIT KDC and one-way domain trust with the corporate Active Directory domain? We would like to also leverage the MIT KDC for our ETL accounts. I was thinking about configuring OpenLDAP to use for the UIDs and GIDs of ETL principles from the MIT KDC but then I have no idea how UIDs would also get passed down from Active Directory LDAP.

Andrej · ‎04-04-2018

Hi, we have a similar setup, separate KDC for hadoop and one-way trust with AD. All cluster nodes are added to AD and we have configured winbind so that we have access to AD users and groups. We had to increase the limits on UID as AD was generating numbers exceeding the default limits.

This way we can use the groups <AD USERNAME> command to get all AD groups that the user is member of. The nice thing is that we can also configure access permissions in HDFS based on these AD groups.

Steve206 · ‎04-05-2018

That's an intersting setup to have the cluster Kerberos enabled with MIT KDC but still joined to corpate Active Directory. We're going down the path not having any server joined to the corpate AD. From Cloudera's docuemtation it almost seems like you manually have to create users and groups for accounts coming from AD.

We're also looking to use ACLs to manage user access to HDFS based off the GIDs.

Thanks,