Following the security lab and reach the following step
https://github.com/HortonworksUniversity/Security_Labs#refresh-hdfs-user-group-mappings
Run into problem refresh the user-group mapping from AD
[root@qwang-hdp0 ~]# sudo sudo -u hdfs kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-qi
[root@qwang-hdp0 ~]# sudo sudo -u hdfs hdfs dfsadmin -refreshUserToGroupsMappings
Refresh user to groups mapping successful
Then kinit to hr1 user and check the user-group mapping, it doesn't seems to sync correctly for hdfs, hdfs group command not returning the rigth group, where yarn rmadmin is fine.
[root@qwang-hdp0 ~]# kinit hr1
Password for hr1@EXAMPLE.COM:
[root@qwang-hdp0 ~]# hdfs groups
hr1@EXAMPLE.COM :
[root@qwang-hdp0 ~]# yarn rmadmin -getGroups hr1
16/11/03 01:30:36 INFO client.RMProxy: Connecting to ResourceManager at hdp1.example.com/172.xx.xxx.xxx:8141
hr1 : domain_users hadoop-users hr
[root@qwang-hdp0 ~]# id hr1
uid=1960401170(hr1) gid=1960400513(domain_users) groups=1960400513(domain_users),1960401154(hr),1960401151(hadoop-users)
The hdfs group is not matching to the AD settings. and ldapsearch confirm the AD setting is there
[root@qwang-hdp0 ~]# ldapsearch -h ad01.field.hortonworks.com -p 389 -D "binduser@example.com" -W -b "DC=field,DC=my_org,DC=com" "(sAMAccountName=hr1)"
Enter LDAP Password:
...
memberOf: CN=hr,OU=CorpUsers,DC=field,DC=my_org,DC=com
memberOf: CN=hadoop-users,OU=CorpUsers,DC=field,DC=
my_org,DC=com
...
Could you suggest what is going wrong and what to do to trouble shoot/correct the issue