Home | About | Sematext search-lucene.com search-hadoop.com
NEW: Monitor These Apps!
elasticsearch, apache solr, apache hbase, hadoop, redis, casssandra, amazon cloudwatch, mysql, memcached, apache kafka, apache zookeeper, apache storm, ubuntu, centOS, red hat, debian, puppet labs, java, senseiDB
 Search Hadoop and all its subprojects:

Switch to Plain View
HDFS >> mail # user >> Re: How to connect to hadoop through ssh tunnel and kerberos authentication


Copy link to this message
-
Re: How to connect to hadoop through ssh tunnel and kerberos authentication
The important part of the error is "Cannot get kdc for realm CORP.EBAY.COM<http://CORP.EBAY.COM>".  Check if the gateway's /etc/krb5.conf has an entry for CORP.EBAY.COM<http://CORP.EBAY.COM> in the [realms] section.  Or if you actually have appropriate dns service records for kerberos, you can use "dns_lookup_kdc = true".

Daryn

On Apr 25, 2013, at 12:36 AM, Jeff Zhang wrote:

Hi all,

I could connect to hadoop cluster by ssh tunnel before when there's no kerberos authentication. Now our cluster need to upgrade to kerberos authentication. I try to connect to it by ssh tunnel again. But failed.

Could anyone guide me to do that ? Is there any tutorial for this ?

Here's what I did.

  1.  create a forwardable ticket in my client machine.
  2.  edit ~/.ssh/config file

GSSAPIAuthentication yes

GSSAPIDelegateCredentials yes

  3.  execute command "ssh -N -D 3600 gateway_host " to create a ssh connection to my gateway host

  4.  config my core-site.xml file for ssh tunnel connection

<property>
        <name>hadoophack.tunnel.port</name>
        <value>3600</value>
</property>

<property>
    <description>If users connect through a SOCKS proxy, we don't
      want their SocketFactory settings interfering with the socket
      factory associated with the actual daemons.</description>
    <name>hadoop.rpc.socket.factory.class.default</name>
    <value>org.apache.hadoop.net.SocksSocketFactory</value>
    <final>true</final>
</property>
And there's the error message when I run "hadoop fs -ls /"

13/04/24 22:31:13 ERROR security.UserGroupInformation: PriviledgedActionException as:[EMAIL PROTECTED]<mailto:as%[EMAIL PROTECTED]> cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm CORP.EBAY.COM<http://CORP.EBAY.COM/>)]
13/04/24 22:31:13 INFO security.UserGroupInformation: Initiating logout for [EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>
13/04/24 22:31:13 INFO security.UserGroupInformation: Initiating re-login for [EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>
13/04/24 22:31:17 ERROR security.UserGroupInformation: PriviledgedActionException as:[EMAIL PROTECTED]<mailto:as%[EMAIL PROTECTED]> cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm CORP.EBAY.COM<http://CORP.EBAY.COM/>)]
13/04/24 22:31:17 WARN security.UserGroupInformation: Not attempting to re-login since the last re-login was attempted less than 600 seconds before.
13/04/24 22:31:21 ERROR security.UserGroupInformation: PriviledgedActionException as:[EMAIL PROTECTED]<mailto:as%[EMAIL PROTECTED]> cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Cannot get kdc for realm CORP.EBAY.COM<http://CORP.EBAY.COM/>)]

--
Best Regards

Jeff Zhang

NEW: Monitor These Apps!
elasticsearch, apache solr, apache hbase, hadoop, redis, casssandra, amazon cloudwatch, mysql, memcached, apache kafka, apache zookeeper, apache storm, ubuntu, centOS, red hat, debian, puppet labs, java, senseiDB