Hello @bgooley Cross-realm trust is OK. I can `kinit` principals from both MIT KDC and AD realms. Hue-LDAP authenticaion is also OK, however (for now) LDAP users can only perform action not related to HDFS, HIVE and IMPALA. My target is to have some users (humans) to be authenticated against LDAP (for Hue and all CLI hive-impala-etc actions) and some other users (oozie pipelines) as well as all services to be authenticated against MIT KDC. Now, I am reading here https://www.cloudera.com/documentation/enterprise/5-15-x/topics/cm_sg_ldap_grp_mappings.html that: "The local user:group accounts must be mapped to LDAP for group mappings in Hadoop. You must create the users and groups for your Hadoop services in LDAP. To integrate the cluster with an LDAP service, the user:group relationships must be contained in the LDAP directory. The admin must create the user accounts and define groups for user:group relationships on each host." This is confusing, as it is supposed (https://www.cloudera.com/documentation/enterprise/5-14-x/topics/sg_auth_overview.html#concept_n5q_5h2_bt__local-mit-to-active-dir-architecture) that only user principals should be configured in AD. My question is whether in this architecture I need to define services user:group relationships etc in LDAP. (for User-group mapping I am trying both LdapGroupsMapping and SSSD - none have worked yet though) Thank you, Gerasimos
... View more
