Support Questions

Find answers, ask questions, and share your expertise

Ranger active directory primarygroup sync


Hi all,

I am trying to implement our security integration with sssd and i could not make ranger to import users primary group from active directory. Our sssd configuration syncronizing groups of users correctly like

uid=908602857(ol889372) gid=908600513(domain users) groups=908600513(domain users),908603108(hadoopgroup)

But ranger could not get "domain users" group from active directory since it is the primary group. Any idea how to make it work?


Expert Contributor

I assume you have already done hdfs group mapping. Could you please share your setting on the setting for ranger user sync ?


Hi Frank,

Here is my configuration:


id output of bilgin user from shell:

id bilgin uid=908601104(bilgin) gid=908603108(hadoopgroup) groups=908603108(hadoopgroup),908600513(domain users)


another example:

id ol889372 uid=908602857(ol889372) gid=908600513(domain users) groups=908600513(domain users),908603108(hadoopgroup)


As you can see ranger takes user groups except primary group(hadoopgroup in case of user bilgin and "domain users" in case of ol889372). In the mean time we are using windows 2012 server. Thank you in advance..

Expert Contributor

Is your hadoopgroup nested inside the domain users group?


No. It is not nested.

Expert Contributor
@Anıl Halil

1. Ranger uses "memberof" attribute to pull the groups associated to the user if "Enable Group Sync" is disabled. In this case, the primary group (Domain Users) is not returned by AD and hence that info is not available to ranger (

2. If "Enable Group Sync" is enabled, then ranger first syncs all the users based on the user config and then search groups with based on the group configuration and look for "member" attribute of the group to map the users that are pulled as part of the user search. As long as the users are part of the member attribute of the group, we sync that group. But looks like AD doesn't send all the users as part of the member attribute as part of ldap search.

Just curious, are you planning to configure any ranger policies for "Domain Users"? Is it possible to share more details of your usecase from ranger perspective (mainly how these users and/groups synced in ranger be used?)