We would like to integrate an existing kerberized cluster using a dedicated MIT KDC with a corporate AD for user-to-group mapping. For correct authorization in Sentry, Hadoop needs to map the user to groups.
The Hadoop KDC is not connected to/trusted by the org AD; the Hadoop MIT KDC has a different REALM name (like PROD.CLOUDERA.NET) than the AD (NICE.COMPANY.COM).
The goal is not PAM, i.e. logging into Linux with an AD user and password, just the user/group mapping.
Is it possible to configure this setup? What are the options? I have read about Centrify Express, but as far as I understood it maps completely everything to AD. So that would mean migrating all the service principals from the MIT KDC to AD, basically a new cluster setup. And that's not an option now.
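The setup asked about above maps onto two standard Hadoop mechanisms: `hadoop.security.auth_to_local` turns the MIT principal into a short user name, and `org.apache.hadoop.security.LdapGroupsMapping` looks that short name up in AD over LDAP (no Kerberos trust between the realms is needed, only a read-only bind account in AD). The following core-site.xml fragment is an added example, not from the post or from Cloudera; the property names are Hadoop's own, the realm names are the ones from the question, and the AD hostname, bind DN, search base and file paths are assumed placeholders.

```xml
<!-- core-site.xml fragment (added example; hostnames, DNs and paths are assumptions) -->

<!-- 1. Map Kerberos principals from the cluster's MIT realm to short names.
     The short name is what LdapGroupsMapping substitutes for {0} below, so it
     must equal the user's sAMAccountName in AD. -->
<property>
  <name>hadoop.security.auth_to_local</name>
  <value>
    RULE:[1:$1@$0](.*@PROD\.CLOUDERA\.NET)s/@.*//
    RULE:[2:$1@$0](.*@PROD\.CLOUDERA\.NET)s/@.*//
    DEFAULT
  </value>
</property>

<!-- 2. Resolve groups by querying AD directly instead of the local OS. -->
<property>
  <name>hadoop.security.group.mapping</name>
  <value>org.apache.hadoop.security.LdapGroupsMapping</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.url</name>
  <value>ldaps://ad.nice.company.com:636</value> <!-- assumed AD host; LDAPS so the bind password is not sent in clear -->
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.ssl</name>
  <value>true</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.ssl.keystore</name>
  <value>/etc/hadoop/conf/ad-truststore.jks</value> <!-- assumed path; holds the AD CA certificate -->
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.ssl.keystore.password.file</name>
  <value>/etc/hadoop/conf/ad-truststore.pw</value> <!-- assumed path; readable by the hadoop user only -->
</property>

<!-- Read-only service account in AD; keep its password in a root-owned file, not inline in the XML. -->
<property>
  <name>hadoop.security.group.mapping.ldap.bind.user</name>
  <value>CN=hadoop-ldap-reader,OU=ServiceAccounts,DC=nice,DC=company,DC=com</value> <!-- assumed DN -->
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.bind.password.file</name>
  <value>/etc/hadoop/conf/ad-bind.pw</value> <!-- assumed path -->
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.base</name>
  <value>DC=nice,DC=company,DC=com</value> <!-- assumed search base -->
</property>

<!-- AD-style user and group lookups (these are Hadoop's documented defaults, shown explicitly). -->
<property>
  <name>hadoop.security.group.mapping.ldap.search.filter.user</name>
  <value>(&amp;(objectClass=user)(sAMAccountName={0}))</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.search.filter.group</name>
  <value>(objectClass=group)</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.search.attr.member</name>
  <value>member</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.search.attr.group.name</name>
  <value>cn</value>
</property>
```

After restarting the NameNode (group mapping is evaluated there and in the Sentry/Hive services), `hdfs groups <username>` shows which groups the cluster now resolves for a user and is the quickest way to check that the short name produced by `auth_to_local` actually matches an AD account. Group lookups are cached, so the service also needs `hadoop.security.groups.cache.secs` considered when testing membership changes, and the bind account should have no rights in AD beyond reading user and group objects.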