Integrating Cloudera cluster with Active Directory (Part 2/3)
In Part 1 of this blog, we covered the first 4 steps, here we will describe how to join the LInux VMs to AD.
- Deploy Active Directory with HA in Azure
- Deploy Linux VMs for the Cloudera cluster
- Enable Active Directory DNS on the Linux VMs
- Sync Linux VMs to Active Directory time service
- Join the Linux VMs to Active Directory and enable Single-Sign-On
- Install Cloudera
- Enable Kerberos on Cloudera
- Enable Single-Sign-On for Cloudera web consoles
Step 5: Join the Linux VMs to Active Directory and enable Single-Sign-On
By the end of this step, we will be able to ssh into Linux VMs using the users created in Active Directory.
1. Login to each Linux VM, and run the following commands to join the Linux VMs to AD
net ads join -U<a domain admin user name>
net ads testjoin -P //verify the VM has joined the domain
2. Run the following commands to update sssd
authconfig --enablesssd --enablemkhomedir --enablesssdauth --update
service sssd start
3. RDP into the PDC and BDC, open cmd console as Administrator, and enable Linux identity management in AD by running the following commands, restart the Windows VMs after the commands finish.
//install the administration tools for Identity Management for UNIX
dism.exe /online /enable-feature /featurename:adminui /all
//install Server for Network Information Server (NIS)
dism.exe /online /enable-feature /featurename:nis /all
//install Password Synchronization
dism.exe /online /enable-feature /featurename:psync /all
4. In PDC, open Active Directory Users and Computers, if it's not installed, go to Add Roles and Features -> Remote Server Administration Tools -> Role Administration Tools -> AD DS and AD LDS Tools -> AD DS Tools. Optionally create an organizational unit for the Cloudera environment, add groups, for example, hadoopadmin and hadoopuser, then set their NIS domain the the AD domain:
5. Add users to the organizational unit in the same NIS domain, and assign them to the groups created in the previous step. If a user has a different primary group, make sure to explicitly add the user to the target group in the "Members" tab (not the UNIX tab) of the group.
6. Move the Linux VMs which joined the AD in #1 to the Cloudera organization unit, and set them to same NIS domain
7. Verify we can now ssh into Linux VMs using the AD users
8. Optionally we can add AD groups as sudoers as shown in the following example. We can also disable the initial Linux user that was created with the VM, and from now on only allow AD users to login.
%hadoopadmin ALL=(ALL) NOPASSWD: ALL
Although we have deployed Linux VMs that have disk configuration and host name conventions configured for Cloudera, the rest of the configuration for joining AD and Single-Sign-On up until this point is not Cloudera specific. You can join any Linux VMs to AD using the steps above. The key here is the configuration files we deployed on the Linux VMs.
- /etc/resolv.conf
- /etc/ntp.conf
- /etc/krb5.conf
- /etc/samba/smb.conf
- /etc/sssd/sssd.conf
In Part 3 of this blog, we will cover the remaining Cloudera specific steps to enable Kerberos and Single-Sign-On for web consoles.