Hello @bgooley   Cross-realm trust is OK. I can `kinit` principals from both MIT KDC and AD realms.   Hue-LDAP authenticaion is also OK, however (for now) LDAP users can only perform action not related to HDFS, HIVE and IMPALA.   My target is to have some users (humans) to be authenticated against LDAP (for Hue and all CLI hive-impala-etc actions) and some other users (oozie pipelines) as well as all services to be authenticated against MIT KDC.   Now, I am reading here https://www.cloudera.com/documentation/enterprise/5-15-x/topics/cm_sg_ldap_grp_mappings.html that:   "The local user:group accounts must be mapped to LDAP for group mappings in Hadoop. You must create the users and groups for your Hadoop services in LDAP. To integrate the cluster with an LDAP service, the user:group relationships must be contained in the LDAP directory. The admin must create the user accounts and define groups for user:group relationships on each host."   This is confusing, as it is supposed (https://www.cloudera.com/documentation/enterprise/5-14-x/topics/sg_auth_overview.html#concept_n5q_5h2_bt__local-mit-to-active-dir-architecture) that only user principals should be configured in AD.   My question is whether in this architecture I need to define services user:group relationships etc in LDAP. (for User-group mapping I am trying both LdapGroupsMapping and SSSD - none have worked yet though)   Thank you, Gerasimos   ... View more

@bgooley Does oozie email action needs a firewall to be opened between slave nodes to smtp or just the oozie server to smtp? ... View more

I'm glad that was it because I couldn't figure out many other possible causes of that sort of behavior :-).   ... View more

Faced same issue. Turned out that it's due too enabled AutoTLS, and it's feature of enterprise version only. it's not obvious from setup tutorial. ... View more

what is the solution for this issue?   ... View more

@bgooley Hi, I have an requirement for installing CDH5.11 to be installed in my cluster. So i have followed your above point and installed the latest Clouderamanager and post that the cluster created with CDH5.16.1(as default mentioned in the cloudera docs). And after that I have uninstalled the CD5.16.1 parcel and added the parcel repo for CDH5.11 and installed the same. Now my cluster is active with the CDH5.11. I am only bothered about my CDH5.11. Could you please confirm what i did is correct or do i need to follow any other instruction to install the CDH5.11.   Sorry to add in the old thread.   Thanks in Advance! ... View more

Thanks Ben, will create a new thread. ... View more

I encountered the same error but despite the fact I set group mapping to LDAP in HDFS group mapping with appropriate bind user ,in the log of Sentry I'm getting a warning with ShellBasedUnixGroupsMapping and not LdapGroupsMapping. Need a help with ASAP. ... View more

I had the same situation @HMC. I created again the admin user with    hue createsuperuser --cm-managed Without the "--cm-managed" flag it didn't work ... View more

Problem is due to python version you have in your node.   incompatibility between the Python 3 version and the Python 2 version. The default Solr commands use the python2 version, so here we need to remove the Python global environment variables, not the python3 global environment variables.     Thanks & Regards, J.Ganesh Kumar. ... View more