Hello @bgooley   Cross-realm trust is OK. I can `kinit` principals from both MIT KDC and AD realms.   Hue-LDAP authenticaion is also OK, however (for now) LDAP users can only perform action not related to HDFS, HIVE and IMPALA.   My target is to have some users (humans) to be authenticated against LDAP (for Hue and all CLI hive-impala-etc actions) and some other users (oozie pipelines) as well as all services to be authenticated against MIT KDC.   Now, I am reading here https://www.cloudera.com/documentation/enterprise/5-15-x/topics/cm_sg_ldap_grp_mappings.html that:   "The local user:group accounts must be mapped to LDAP for group mappings in Hadoop. You must create the users and groups for your Hadoop services in LDAP. To integrate the cluster with an LDAP service, the user:group relationships must be contained in the LDAP directory. The admin must create the user accounts and define groups for user:group relationships on each host."   This is confusing, as it is supposed (https://www.cloudera.com/documentation/enterprise/5-14-x/topics/sg_auth_overview.html#concept_n5q_5h2_bt__local-mit-to-active-dir-architecture) that only user principals should be configured in AD.   My question is whether in this architecture I need to define services user:group relationships etc in LDAP. (for User-group mapping I am trying both LdapGroupsMapping and SSSD - none have worked yet though)   Thank you, Gerasimos   ... View more

You are right. I had forgot a dual backend configuration in hue_safety_valve.ini. ... View more

... but the "Password" fields are now disabled:       I edited the HTML page and removed "readonly=true", and I managed to create the user. ... View more

Yeap! Removing the URL auto-removed all the accompanied LDAP parameters (so I have to re-write them later to enable LDAP, which I tried to avoid)   Thank you, Gerasimos ... View more

Hello @bgooley   This is the error when syncing an existing group:   views WARNING There was a naming conflict while importing group sentryadmins in pattern sentryadmins  and more specifically, this line of useradmin/views.py   group, created = Group.objects.get_or_create(name=ldap_info['name'])  returns    group=sentryadmins created=False   So, I can tell that the group is not created at Django level when it already exists. Looking closer in the python code, there is a comment:   # This is a Hue group, and shouldn't be overwritten which is right! The group already exists, should not be overwritten, but users should become members of the group during sync, which is not happening.   ... View more