Hi @TCloud ,   Thank you for including all this information. I see that you have both verify_cert_dir and verify_cert_file configured, but one or the other should be chosen.  It appears you are configured for verify_cert_dir based on your directory listing.   I would recommend:   - commenting out verify_cert_dir by insertinga "#" character at the beginning of the line - restarting the agent by executing "service cloudera-scm-server restart"   If that doesn't work, we can take a closer look at the certificates returned by Cloudera Manager and the certificates in your agent.pem file.     ... View more

@VijayM ,   It appears that you collected the "test-db-connection" command for Navigator which succeeded. Based on the Cloudera command, the Navigator Metadata server role is on a301-8744-7259.ldn.swissbank.com, so make sure that you were looking in /var/run/cloudera-scm-agent/process for the METASERVER process.  If you don't see any, then it is likely the agent will tell us more of the story of what happened.   In general, this is the series of events that happens when you attempt to start a role via Cloudera Manager:   Cloudera Manager sends a message to the agent on port 9000 asking it to heartbeat immediately. The agent sends a heartbeat to Cloudera Manager on port 7182 Cloudera Manager compiles a heartbeat response including any files that need to be used to start and run the process The agent lays out the files in a new process directory The agent signals the supervisord process to start the role with a specified shell script The supervisor executes the startup shell script to start the role   Since it appears you do not have any process directories, there must be a problem before the agent even lays down the process configuration files. If that is the case, the agent log, on the host where the Metadata Server role is configured to run should have some clues.   Please share /var/log/cloudera-scm-agent/cloudera-scm-agent.log and let us know the estimated time you tried to start the Metadata Server. ... View more

@urbanlad20 ,   That stack reminds me of HDFS-12369 but I also thought it should be fixed in CDH 5.12.2. I think it would be good to have HDFS folks look at this; I'll move thread to HDFS. ... View more

Hi @MichalAR ,   Hue does not support group mapping based on SAML attributes at this time. For now, the general workaround is to use LDAP sync if possible to automate user group membership.       ... View more

@BiggieSmalls ,   Oh man... guess I'm getting rusty with Windows concepts. I agree that hadoop does not require the accounts to be interactive (be able to log into windows).  They are only necessary from the KDC (Kerberos) perspective so as long as they can still be used for Kerberos, that should work.   NOTE:  If you add new roles or new hosts, Cloudera will create new objects, so I'm not sure how you would want to anticipate that. ... View more

@BiggieSmalls ,   Interesting... I just replied to this thread, but I couldn't see the most recent comments.  Sorry if my previous comment seemed out of place.   I don't know what is meant by making the accounts "inactive" but I don't think that will work for Cloudera Manager. The credential objects created are needed for Kerberos authentication, so, that means they must be function for Kerberos in general.  I'm guessing that if the account is inactive, that will disable Kerberos authentication, too, thus impacting the cluster.   Find out what your company's criteria is for accounts that can operate as needed by CM. If it would help with the security audit compliance, it is possible to make the accounts "computer" accounts by having Cloudera Manager create the objects while including the "computer" objectclass.  Confirm with your Active Directory audit team to verify that that would help... if so, then the following might help:   For example:   (1)   In Cloudera Manager, navigate to: Adminsitration --> Settings --> Kerberos   Review Active Directory Account Properties that defaults to:   accountExpires=0,objectClass=top,objectClass=person,objectClass=organizationalPerson,objectClass=user   (2)   Active Directory Account Properties let's you add objectclasses.  To do so, you can change the value to:   accountExpires=0,objectClass=top,objectClass=person,objectClass=organizationalPerson,objectClass=user,objectClass=computer   Save   (3) *** NOTE:  If your AD account for CM to manage credentials does not have permission to delete objects in the base DN defined in Active Directory Suffix in your CM Kerberos configuration or Active Directory Delete Accounts on Credential Regeneration  is not enabled in the CM Kerberos configuration, then you will need to delete the objects manually in AD before continuing...   To have the change take effect:   - Shut down Cloudera Management Service and all your CDH services - Regenerate Credentials by:       - Navigating in CM to Administration --> Security --> Kerberos Credentials (subtab)       - Checking the box next to the "Principals" column header (to select all credentials)       - Click Regenerate Selected to regenerate all credentials.   - Verify that the objects were created with the "computer" objectclass (in Active Directory).     ... View more

@BiggieSmalls ,   I think the real question here is why is your audit team talking with you.  Was there a concern regarding the accounts?   Without more information, it appears that these objects may have been created by Cloudera Manager that manages Kerberos Credentials in Active Directory.  Cloudera randomizes the CN value of the credentials object and then prefixes it with what is configured in Active Directory Account Prefix in the Cloudera Manager configuration (Administration --> Settings --> Kerberos).   You can look at the userPrincipalName or servicePrincipalName to see if they contain your cluster's hostnames as a way of seeing if they apply to your current CDH cluster.   NOTE:  If these are objects used by your current installation, removing them would cause your CDH roles to fail in various ways.  Also, changing the passwords on any would require Cloudera Manager regenerate the credentials.  Make sure you are clear about why they are approaching you about these objects.   ... View more