Error when securing hadoop with kerberos: Client cannot authenticate via:[TOKEN, KERBEROS]
I've configured a hadoop cluster which works fine without kerberos. I installed kerberos and am able to use kinit to request a TGT successfully. However, after I turned on kerberos auth for hadoop, hadoop is unable to authenticate using kerberos.
Trying to see my hdfs with 'hadoop fs -ls /' for example returns:
Error when securing hadoop with kerberos: Client cannot authenticate
via:[TOKEN, KERBEROS]
/var/log/krb5kdc.log includes the following, which seems to indicate an issue with my yarn configuration. I'm unsure if that's related:
Apr 05 10:56:29 master.novalocal krb5kdc48135: TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.100.8: LOOKING_UP_SERVER: authtime 0, yarn/host-192.168.100.8.openstacklocal@HDPCLUSTER.LOCAL for host/host-192.168.100.12.openstacklocal@HDPCLUSTER.LOCAL, Server not found in Kerberos database
Apr 05 10:56:29 master.novalocal krb5kdc48135: TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.100.8: LOOKING_UP_SERVER: authtime 0, yarn/host-192.168.100.8.openstacklocal@HDPCLUSTER.LOCAL for host/host-192.168.100.12.openstacklocal@HDPCLUSTER.LOCAL, Server not found in Kerberos database
Apr 05 10:56:32 master.novalocal krb5kdc48135: AS_REQ (3 etypes {17 16 23}) 192.168.100.8: ISSUE: authtime 1554461792, etypes {rep=17 tkt=17 ses=17}, mapred/host-192.168.100.8.openstacklocal@HDPCLUSTER.LOCAL for krbtgt/HDPCLUSTER.LOCAL@HDPCLUSTER.LOCAL
Apr 05 10:56:33 master.novalocal krb5kdc48135: TGS_REQ (4 etypes {18 17 16 23}) 192.168.100.8: ISSUE: authtime 1554461792, etypes {rep=17 tkt=17 ses=17}, mapred/host-192.168.100.8.openstacklocal@HDPCLUSTER.LOCAL for hdfs/host-192.168.100.8.openstacklocal@HDPCLUSTER.LOCAL
Apr 05 10:57:19 master.novalocal krb5kdc48135: TGS_REQ (4 etypes {18 17 16 23}) 192.168.100.8: ISSUE: authtime 1554461777, etypes {rep=17 tkt=17 ses=17}, hdfs/host-192.168.100.8.openstacklocal@HDPCLUSTER.LOCAL for hdfs/host-192.168.100.8.openstacklocal@HDPCLUSTER.LOCAL
When I run kdiag, it shows my principal and keytab as null, even though they exist, default mapping is enabled, and I believe the paths to the keytab files are correctly configured in the *-site.xml files. It also shows some security configurations as unset, although I did not see anything about setting these in the tutorials I used so I'm unsure if they're necessary.
[hdfs@master ~]$ hadoop org.apache.hadoop.security.KDiag
== Kerberos Diagnostics scan at Fri Apr 05 11:33:26 UTC 2019 ==
Hostname = host-192.168.100.8.openstacklocal
--keylen = 256
--keytab = null
--principal = null
--verifyshortname = false
Maximum AES encryption key length 2147483647 bits
JVM Kerberos Login Module = com.sun.security.auth.module.Krb5LoginModule
== Core System Properties ==
user.name = "hdfs"
java.version = "1.8.0_201"
java.vendor = "Oracle Corporation"
java.security.krb5.conf = "(unset)"
java.security.krb5.realm = "(unset)"
java.security.krb5.kdc = "(unset)"
sun.security.krb5.debug = "(unset)"
sun.security.spnego.debug = "(unset)"
java.security.auth.login.config = "(unset)"
My krb5.conf file looks like this:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
default_realm = HDPCLUSTER.LOCAL
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
HDPCLUSTER.LOCAL = {
kdc = $FQDN
admin_server = $FQDN
default_domain = openstacklocal
}
[domain_realm]
.openstacklocal = HDPCLUSTER.LOCAL
openstacklocal = HDPCLUSTER.LOCAL
EOF
I'm not sure if all these things are related; I fear I may still have more than one issue. Any help is much appreciated!
Edit1:
For command 'hadoop fs -ls /' I used the user hdfs, which maps to principal hdfs. My keytab for hdfs looks like this:
slot KVNO Principal
1 1 hdfs/host-192.168.100.8.openstacklocal@HDPCLUSTER.LOCAL
2 1 hdfs/host-192.168.100.8.openstacklocal@HDPCLUSTER.LOCAL
3 1 hdfs/host-192.168.100.8.openstacklocal@HDPCLUSTER.LOCAL
4 1 hdfs/host-192.168.100.8.openstacklocal@HDPCLUSTER.LOCAL
5 1 hdfs/host-192.168.100.8.openstacklocal@HDPCLUSTER.LOCAL
6 1 hdfs/host-192.168.100.8.openstacklocal@HDPCLUSTER.LOCAL
7 1 hdfs/host-192.168.100.8.openstacklocal@HDPCLUSTER.LOCAL
8 1 HTTP/host-192.168.100.8.openstacklocal@HDPCLUSTER.LOCAL
9 1 HTTP/host-192.168.100.8.openstacklocal@HDPCLUSTER.LOCAL
10 1 HTTP/host-192.168.100.8.openstacklocal@HDPCLUSTER.LOCAL
11 1 HTTP/host-192.168.100.8.openstacklocal@HDPCLUSTER.LOCAL
12 1 HTTP/host-192.168.100.8.openstacklocal@HDPCLUSTER.LOCAL
13 1 HTTP/host-192.168.100.8.openstacklocal@HDPCLUSTER.LOCAL
14 1 HTTP/host-192.168.100.8.openstacklocal@HDPCLUSTER.LOCAL
The hostname field is right, yes:
Hostname = host-192.168.100.8.openstacklocal
kdc = host-192.168.100.8.openstacklocal
admin_server = host-192.168.100.8.openstacklocal
linux kerberos hadoop
What principals is it supposed to use? What principals are in your keytabs? Is the "Hostname" field in kdiag correct?
– grawity
yesterday
Thank you, I've supplied the requested info at the bottom of my post.
– francois_halbach
yesterday
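An added example, not part of the original post or of Hadoop or MIT Kerberos: a small Python parser for the krb5kdc.log lines quoted in the question that groups requests by outcome and shows which client asked for which service principal. The function names and the regular expression are this example's own; the log lines are the ones from the question, where extraction dropped the brackets around the PID.

```python
import re
from collections import Counter
from typing import List, NamedTuple, Optional, Tuple

# KDC log lines copied from the question (the "[pid]" brackets were lost in extraction).
SAMPLE_LOG = """\
Apr 05 10:56:29 master.novalocal krb5kdc48135: TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.100.8: LOOKING_UP_SERVER: authtime 0, yarn/host-192.168.100.8.openstacklocal@HDPCLUSTER.LOCAL for host/host-192.168.100.12.openstacklocal@HDPCLUSTER.LOCAL, Server not found in Kerberos database
Apr 05 10:56:29 master.novalocal krb5kdc48135: TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.100.8: LOOKING_UP_SERVER: authtime 0, yarn/host-192.168.100.8.openstacklocal@HDPCLUSTER.LOCAL for host/host-192.168.100.12.openstacklocal@HDPCLUSTER.LOCAL, Server not found in Kerberos database
Apr 05 10:56:32 master.novalocal krb5kdc48135: AS_REQ (3 etypes {17 16 23}) 192.168.100.8: ISSUE: authtime 1554461792, etypes {rep=17 tkt=17 ses=17}, mapred/host-192.168.100.8.openstacklocal@HDPCLUSTER.LOCAL for krbtgt/HDPCLUSTER.LOCAL@HDPCLUSTER.LOCAL
Apr 05 10:56:33 master.novalocal krb5kdc48135: TGS_REQ (4 etypes {18 17 16 23}) 192.168.100.8: ISSUE: authtime 1554461792, etypes {rep=17 tkt=17 ses=17}, mapred/host-192.168.100.8.openstacklocal@HDPCLUSTER.LOCAL for hdfs/host-192.168.100.8.openstacklocal@HDPCLUSTER.LOCAL
Apr 05 10:57:19 master.novalocal krb5kdc48135: TGS_REQ (4 etypes {18 17 16 23}) 192.168.100.8: ISSUE: authtime 1554461777, etypes {rep=17 tkt=17 ses=17}, hdfs/host-192.168.100.8.openstacklocal@HDPCLUSTER.LOCAL for hdfs/host-192.168.100.8.openstacklocal@HDPCLUSTER.LOCAL
"""


class KdcEvent(NamedTuple):
    request: str          # AS_REQ or TGS_REQ
    address: str          # source address of the request
    status: str           # ISSUE, or the step at which the KDC gave up
    client: str           # principal that asked for the ticket
    server: str           # principal the ticket was requested for
    error: Optional[str]  # trailing error text, if any


# Matches both "krb5kdc[48135](info):" and the bracket-less form shown on this page.
LINE_RE = re.compile(
    r"krb5kdc\S*:\s+(?P<req>AS_REQ|TGS_REQ)\s+\([^)]*\)\s+"
    r"(?P<addr>[0-9a-fA-F.:]+):\s+(?P<status>[A-Z_]+):\s+"
    r"authtime\s+\d+,\s+(?:etypes\s+\{[^}]*\},\s+)?"
    r"(?P<client>\S+)\s+for\s+(?P<server>[^,\s]+)(?:,\s+(?P<error>.*))?$"
)


def parse_kdc_log(text: str) -> List[KdcEvent]:
    """Parse AS_REQ/TGS_REQ lines; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line.strip())
        if m:
            events.append(KdcEvent(m["req"], m["addr"], m["status"],
                                   m["client"], m["server"], m["error"]))
    return events


def split_principal(principal: str) -> Tuple[str, str, str]:
    """Split 'service/instance@REALM' into (service, instance, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep:                      # no realm present
        name, realm = principal, ""
    service, _, instance = name.partition("/")
    return service, instance, realm


def failed_requests(events: List[KdcEvent]) -> Counter:
    """Requests that did not end in ISSUE, counted per (client, server, error)."""
    return Counter((e.client, e.server, e.error) for e in events if e.status != "ISSUE")


def issued_tickets(events: List[KdcEvent]) -> Counter:
    """Requests the KDC answered with a ticket, counted per (client, server)."""
    return Counter((e.client, e.server) for e in events if e.status == "ISSUE")


def report(events: List[KdcEvent]) -> List[str]:
    """One line per distinct failure, then one per distinct issued ticket."""
    lines = []
    for (client, server, error), n in failed_requests(events).items():
        same = split_principal(client)[1] == split_principal(server)[1]
        where = "same host" if same else "different host"
        lines.append(f"{n}x FAILED {client} -> {server}: {error} ({where})")
    for (client, server), n in issued_tickets(events).items():
        lines.append(f"{n}x ISSUED {client} -> {server}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_kdc_log(SAMPLE_LOG))))
```
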