Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

What is the reason for creating an Active Directory OU User container for principals and Active Directory administrative credentials with delegated control of “Create, delete, and manage user accounts” on the OU User container?

avatar
author-rank timo_burmeister
Explorer

Created on ‎01-24-2017 03:04 PM - edited ‎09-16-2022 03:56 AM

We want to use our existing Active Directory environment for Kerberos User Authentication. Using the Ambari Kerberos Wizard the following prereequisites needs to be checked to progress ...

  • Active Directory OU User container for principals has been created, For example "OU=Hadoop-Cluster,OU=People,dc=domain,dc=com"
  • Active Directory administrative credentials with delegated control of “Create, delete, and manage user accounts” on the OU User container are implemented

What is the reason for creating an Active Directory OU User container for principals and Active Directory administrative credentials with delegated control of “Create, delete, and manage user accounts” on the OU User container?

1,285 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank rlevas
Guru

Created ‎01-24-2017 03:17 PM

@Timo Burmeister

A new container does not need to be created specifically for the Ambari-managed Kerberos identities; however, it would be recommended since there potentially may be a lot of accounts created for service and user principals in the Active Directory. In any case, there needs to be a container available in the Active Directory that Ambari can create and manage accounts within.

The credentials used to access the Active Directory must give access to Ambari so that new accounts can be created for each of the cluster-specific service and user principals. That account must able to able to update the password for each of those accounts. It is recommended that a special account is given access to the container for security purposes and ease-of-mind. You may not want to give out a domain administrator's credentials or give Ambari full rein over the Active Directory - not that Ambari will do anything nefarious.

View solution in original post

735 Views
1 REPLY 1

avatar
author-rank rlevas
Guru

Created ‎01-24-2017 03:17 PM

@Timo Burmeister

A new container does not need to be created specifically for the Ambari-managed Kerberos identities; however, it would be recommended since there potentially may be a lot of accounts created for service and user principals in the Active Directory. In any case, there needs to be a container available in the Active Directory that Ambari can create and manage accounts within.

The credentials used to access the Active Directory must give access to Ambari so that new accounts can be created for each of the cluster-specific service and user principals. That account must able to able to update the password for each of those accounts. It is recommended that a special account is given access to the container for security purposes and ease-of-mind. You may not want to give out a domain administrator's credentials or give Ambari full rein over the Active Directory - not that Ambari will do anything nefarious.

736 Views
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements