Member since 07-13-2017 | 6 Posts | 2 Kudos Received | 1 Solution

My Accepted Solutions
| Title | Views | Posted |
|---|---|---|
| | 1112 | 05-24-2017 03:22 PM |
09-21-2017 04:53 PM
Hi Ajit, if you need any additional resources, Centrify has a detailed integration guide that walks you through Kerberization and many other facets of the joint solution. Please feel free to reach out if you need any resources from our side. -- Mike
07-13-2017 11:01 AM
As the previous post mentions, creating additional islands of identity and then trying to integrate becomes difficult and costly. The easiest/best solution is to join the cluster nodes to Active Directory directly and maintain all users and groups there. Your service principal accounts for cluster kerberization can also be stored in a sandbox OU and be entirely maintained by Cloudera Manager. There's no need to maintain a separate MIT realm, LDAP directory or even local accounts. Centrify Server Suite Standard/Enterprise Editions provide numerous advantages over other AD bridging tools that will be relevant to your deployment including integrated command authorization for least privilege, infinite Kerberos renewal, LDAP Proxy, session auditing, SAML authentication, two-factor authentication, privileged credential management and much more.
05-24-2017 03:22 PM
@james.jones Ambari will natively create local accounts initially to run each service in the cluster. If your intention is to move away from all local accounts, then your best bet will be to Kerberize the cluster rather than zone-enabling the cluster service accounts for an unsecured cluster. Once the cluster is Kerberized, the local accounts are abandoned for SPN accounts created in Active Directory and locally distributed keytabs. The SPN accounts do not have to be zone-enabled. In fact, they should not. Although the local /etc/passwd accounts will remain after securing, they serve no function. I usually leave them there in case I ever need to disable Kerberos and resecure the cluster.
05-19-2017 09:33 PM | 1 Kudo
Hi @james.jones, if you're a Centrify customer, you'll likely manage all of your interactive AD users and groups within a zone structure. In an unsecured cluster, all of the services on each node are started using a local /etc/passwd file account. The options you mentioned are related to how Ambari will generate those. This is common practice and there is no need to zone-enable those accounts. Best practice, though, is to immediately abandon those local accounts and switch to a secured cluster. This will replace the local accounts with service principal accounts stored in AD, and Kerberos authentication for all services. However, even in that configuration, SPN accounts will not have to be zone-enabled to be used by the cluster services. Hope that helps! Please reach out if you have any additional questions or want to know more about Centrify integration with Hadoop.

02-23-2016 05:26 PM
@Neeraj Sabharwal I just created an updated integration guide using the latest HDP version 2.3.4/Ambari 2.2 and Centrify Server Suite 2016 (all worked great). We will be publishing my updates publicly in the next week or two, but I have extensive notes on many of the configurations and common problems @rgarcia detailed here. If anyone needs assistance or has any questions regarding Centrify components, I will now be here to help.