Member since 01-27-2024 | 4 Posts | 2 Kudos Received | 1 Solution
02-05-2024 10:06 PM
Most likely, there was a synchronization error. Where are users with groups stored - in Active Directory? It is advisable to provide a fragment of the log and the settings related to the synchronization of users and groups in ranger-ugsync-site.xml. Which version of Apache Ranger is used?
02-02-2024 04:44 AM
1 Kudo
The problem was in the trust - the password was incorrectly set in the MIT KDC when creating the trust.
01-29-2024 03:26 AM
1 Kudo
Traffic analysis shows an error KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. Requests to dfs from a user in MIT KDC are successfully executed. Checking ./hdfs groups returns the correct set of groups, but the AD user's requests after kinit return the above error.
01-27-2024 05:17 AM
I read the article, but I can't understand a few things.

1. I have a Hadoop (3.1.3) MIT KDC cluster on a separate server Active Directory for server users with hadoop is not included in the domain.
2. All Hadoop NN, DN, JN, etc. services are launched using the keytabs created for them and are working successfully.
3. Any requests from the user from AD fail with an error:

```
2024-01-27 15:56:07,949 DEBUG security.SaslRpcClient: Sending sasl message state: NEGOTIATE
2024-01-27 15:56:07,950 DEBUG security.SaslRpcClient: Get token info proto:interface org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolPB info:@org.apache.hadoop.security.token.TokenInfo(value=class org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenSelector)
2024-01-27 15:56:07,951 DEBUG security.SaslRpcClient: tokens aren't supported for this protocol or user doesn't have one
2024-01-27 15:56:07,951 DEBUG security.SaslRpcClient: Get kerberos info proto:interface org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolPB info:@org.apache.hadoop.security.KerberosInfo(clientPrincipal=, serverPrincipal=dfs.namenode.kerberos.principal)
2024-01-27 15:56:07,953 DEBUG security.SaslRpcClient: RPC Server's Kerberos principal name for protocol=org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolPB is hdfs/hadoop01dev.local@HADOOP.LOCAL
2024-01-27 15:56:07,953 DEBUG security.SaslRpcClient: Creating SASL GSSAPI(KERBEROS) client to authenticate to service at hadoop01dev.local
2024-01-27 15:56:07,955 DEBUG security.SaslRpcClient: Use KERBEROS authentication for protocol ClientNamenodeProtocolPB
2024-01-27 15:56:07,987 DEBUG security.UserGroupInformation: PrivilegedActionException as:user1@AD.LOCAL (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]
```

A single-party trust between AD and MIT KDC is set up. I can't understand what algorithm works in this scheme: users in AD get a ticket to AD through kinit, but how do they get into hadoop, which works with MIT KDC tickets? It turns out that after authentication via kinit in AD, they should receive a ticket to MIT KDC somehow? Or does a NameNode, for example, get this ticket for them? Can someone explain how this mechanism works?