Support Questions

Find answers, ask questions, and share your expertise

What is the reason for creating an Active Directory OU User container for principals and Active Directory administrative credentials with delegated control of “Create, delete, and manage user accounts” on the OU User container?

avatar

We want to use our existing Active Directory environment for Kerberos User Authentication. Using the Ambari Kerberos Wizard the following prereequisites needs to be checked to progress ...

  • Active Directory OU User container for principals has been created, For example "OU=Hadoop-Cluster,OU=People,dc=domain,dc=com"
  • Active Directory administrative credentials with delegated control of “Create, delete, and manage user accounts” on the OU User container are implemented

What is the reason for creating an Active Directory OU User container for principals and Active Directory administrative credentials with delegated control of “Create, delete, and manage user accounts” on the OU User container?

1 ACCEPTED SOLUTION

avatar
@Timo Burmeister

A new container does not need to be created specifically for the Ambari-managed Kerberos identities; however, it would be recommended since there potentially may be a lot of accounts created for service and user principals in the Active Directory. In any case, there needs to be a container available in the Active Directory that Ambari can create and manage accounts within.

The credentials used to access the Active Directory must give access to Ambari so that new accounts can be created for each of the cluster-specific service and user principals. That account must able to able to update the password for each of those accounts. It is recommended that a special account is given access to the container for security purposes and ease-of-mind. You may not want to give out a domain administrator's credentials or give Ambari full rein over the Active Directory - not that Ambari will do anything nefarious.

View solution in original post

1 REPLY 1

avatar
@Timo Burmeister

A new container does not need to be created specifically for the Ambari-managed Kerberos identities; however, it would be recommended since there potentially may be a lot of accounts created for service and user principals in the Active Directory. In any case, there needs to be a container available in the Active Directory that Ambari can create and manage accounts within.

The credentials used to access the Active Directory must give access to Ambari so that new accounts can be created for each of the cluster-specific service and user principals. That account must able to able to update the password for each of those accounts. It is recommended that a special account is given access to the container for security purposes and ease-of-mind. You may not want to give out a domain administrator's credentials or give Ambari full rein over the Active Directory - not that Ambari will do anything nefarious.