How are people passing UIDs and GIDs with the cluster integrated with a MIT KDC and one-way domain trust with the corporate Active Directory domain? We would like to also leverage the MIT KDC for our ETL accounts. I was thinking about configuring OpenLDAP to use for the UIDs and GIDs of ETL principals from the MIT KDC, but then I have no idea how UIDs would also get passed down from Active Directory LDAP.
Created 04-04-2018 12:49 AM
Hi, we have a similar setup: a separate KDC for Hadoop and a one-way trust with AD. All cluster nodes are added to AD and we have configured winbind so that we have access to AD users and groups. We had to increase the limits on UID as AD was generating numbers exceeding the default limits.
This way we can use the groups <AD USERNAME> command to get all AD groups that the user is a member of. The nice thing is that we can also configure access permissions in HDFS based on these AD groups.
Created 04-05-2018 07:58 PM
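A node-side check for the setup described in the reply above, added here as an illustration and not code from either poster: it verifies that an AD user resolves through NSS (winbind) with numeric IDs inside the idmap range and shows the group list that a shell-based lookup such as id -Gn returns, which is what HDFS group permissions and ACLs are evaluated against. The range defaults, the script name and the sample passwd lines are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for a cluster node that resolves AD users
# through winbind/NSS. IDMAP_MIN/IDMAP_MAX are assumed defaults; set them to
# the "idmap config ... : range" values from your smb.conf.
IDMAP_MIN=${IDMAP_MIN:-10000}
IDMAP_MAX=${IDMAP_MAX:-1999999}

# passwd_field LINE N: field N of a passwd(5) line "name:x:uid:gid:gecos:home:shell".
passwd_field() { printf '%s\n' "$1" | cut -d: -f"$2"; }
# is_number S: true when S is a non-empty string of digits.
is_number() { case $1 in ''|*[!0-9]*) return 1;; *) return 0;; esac; }
# uid_in_range UID: true when UID lies inside the configured idmap range.
uid_in_range() { [ "$1" -ge "$IDMAP_MIN" ] && [ "$1" -le "$IDMAP_MAX" ]; }

# check_entry PASSWD_LINE: validate one NSS entry (numeric uid/gid, uid inside
# the idmap range). Prints the problem and returns 1 on failure.
check_entry() {
    name=$(passwd_field "$1" 1)
    uid=$(passwd_field "$1" 3)
    gid=$(passwd_field "$1" 4)
    if ! is_number "$uid" || ! is_number "$gid"; then
        printf '%s: non-numeric uid/gid (%s/%s)\n' "$name" "$uid" "$gid"; return 1
    fi
    if ! uid_in_range "$uid"; then
        printf '%s: uid %s outside idmap range %s-%s\n' \
            "$name" "$uid" "$IDMAP_MIN" "$IDMAP_MAX"; return 1
    fi
    printf '%s: uid=%s gid=%s ok\n' "$name" "$uid" "$gid"
}

# check_user USER: live check. Resolves USER via getent (NSS/winbind) and
# lists the groups a shell-based group lookup returns for it.
check_user() {
    entry=$(getent passwd "$1") || { printf '%s: not resolvable via NSS\n' "$1"; return 1; }
    check_entry "$entry" || return 1
    printf '%s: groups: %s\n' "$1" "$(id -Gn "$1")"
}

# Usage: sh check_ad_user.sh alice 'CORP\bob'
# Run it on every node; the numeric IDs reported should agree across nodes.
for u in "$@"; do check_user "$u"; done
```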
That's an interesting setup to have the cluster Kerberos enabled with MIT KDC but still joined to corporate Active Directory. We're going down the path of not having any server joined to the corporate AD. From Cloudera's documentation it almost seems like you manually have to create users and groups for accounts coming from AD.
We're also looking to use ACLs to manage user access to HDFS based off the GIDs.
Thanks,