Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Implementing SSSD on a kerberized CDH 5.14 cluster

Solved Go to solution
Highlighted

Implementing SSSD on a kerberized CDH 5.14 cluster

Hello Community,

I have a CDH 5.14 cluster hosted on EC2 machines which is kerberized with Active Directory and have Sentry for authorization of databases. 

I want to use SSSD to secure my Linux hosts (RHEL 7.x) with Active Directory. 

I have been going through this post but there are few queries which are bothering me to proceed forwards:

1. There are service-users (Hive, YARN, etc.) in AD that are already created during Kerberization of my cluster. So, if I go ahead and implement SSSD, then will these pre-existing service-users be able to communicate?

2. If something goes wrong will I be able to rollback? If yes, how?

 

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Implementing SSSD on a kerberized CDH 5.14 cluster

Explorer

1. I'm not sure I understand what you mean by communicate. When SSSD is first started, it will sync all of the users and groups in AD to the local node, so any existing users will be able to log in, and have the correct groups ready for them (assuming configuration is set up properly).

2. Rolling back SSSD is possible but troublesome. It would consist of stopping the service and uninstalling it from the node. I'm not sure if the users and groups would still be on the node, but you would need to uninstall that as well. There may be some other pieces left around, but none that I would expect to cause any differences, unless you were to try to install SSSD again.

1 REPLY 1

Re: Implementing SSSD on a kerberized CDH 5.14 cluster

Explorer

1. I'm not sure I understand what you mean by communicate. When SSSD is first started, it will sync all of the users and groups in AD to the local node, so any existing users will be able to log in, and have the correct groups ready for them (assuming configuration is set up properly).

2. Rolling back SSSD is possible but troublesome. It would consist of stopping the service and uninstalling it from the node. I'm not sure if the users and groups would still be on the node, but you would need to uninstall that as well. There may be some other pieces left around, but none that I would expect to cause any differences, unless you were to try to install SSSD again.

Don't have an account?
Coming from Hortonworks? Activate your account here