Hadoop >> mail # user >> Problem setting up Hadoop security with active directory using one-way cross-realm configuration
Problem setting up Hadoop security with active directory using one-way cross-realm configuration
Hi all,

I am trying to set up a one-way cross-realm trust between an MIT KDC and an Active Directory server, and up to now I have not succeeded.
I hope someone on this list will be able to help me.

My config is as follows:
  - hadoop version: 0.23.1 with security enabled (kerberos).
  - hadoop realm (mitkdc): HADOOP.REALM
  - 1 linux node (mitkdc.hadoop.realm - 192.168.198.254) running: hdfs namenode, hdfs datanode, mit kdc
  - 1 windows node (ad.domain.realm - 192.168.198.253) running: active directory 2003
  - AD realm: DOMAIN.REALM

Everything works well with kerberos enabled if I only use the linux machine with users having a principal in the mitkdc: [EMAIL PROTECTED]M

What I am trying to do is to use the user database in the Active Directory (users with principals like [EMAIL PROTECTED]M)

To do that, I set up a one-way cross-realm trust as explained here:
https://ccp.cloudera.com/display/CDH4DOC/Integrating+Hadoop+Security+with+Active+Directory

From the linux machine I can authenticate against an Active Directory user with the kinit command, but when I perform a query using the hadoop command I get the following error message:
---------------------
hdfs@mitkdc:~$ kinit [EMAIL PROTECTED]M
Password for [EMAIL PROTECTED]M:

hdfs@mitkdc:~$ klist -e
Ticket cache: FILE:/tmp/krb5cc_10003
Default principal: [EMAIL PROTECTED]M

Valid starting    Expires           Service principal
25/07/2012 11:00  25/07/2012 20:59  krbtgt/[EMAIL PROTECTED]M
renew until 26/07/2012 11:00, Etype (skey, tkt): arcfour-hmac, arcfour-hmac

hdfs@mitkdc:~$ hadoop/bin/hadoop fs -ls /user
12/07/25 11:00:50 ERROR security.UserGroupInformation:
PriviledgedActionException as:[EMAIL PROTECTED]M (auth:KERBEROS)
cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by
GSSException: No valid credentials provided (Mechanism level: Fail to
create credential. (63) - No service creds)]
12/07/25 11:00:50 INFO security.UserGroupInformation: Initiating logout for
[EMAIL PROTECTED]M
12/07/25 11:00:50 INFO security.UserGroupInformation: Initiating re-login
for [EMAIL PROTECTED]M
12/07/25 11:00:53 ERROR security.UserGroupInformation:
PriviledgedActionException as:[EMAIL PROTECTED]M (auth:KERBEROS)
cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by
GSSException: No valid credentials provided (Mechanism level: Fail to
create credential. (63) - No service creds)]
12/07/25 11:00:53 WARN security.UserGroupInformation: Not attempting to
re-login since the last re-login was attempted less than 600 seconds before.
12/07/25 11:00:56 ERROR security.UserGroupInformation:
PriviledgedActionException as:[EMAIL PROTECTED]M (auth:KERBEROS)
cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by
GSSException: No valid credentials provided (Mechanism level: Fail to
create credential. (63) - No service creds)]
12/07/25 11:00:56 WARN security.UserGroupInformation: Not attempting to
re-login since the last re-login was attempted less than 600 seconds before.
12/07/25 11:00:58 ERROR security.UserGroupInformation:
PriviledgedActionException as:[EMAIL PROTECTED]M (auth:KERBEROS)
cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by
GSSException: No valid credentials provided (Mechanism level: Fail to
create credential. (63) - No service creds)]
12/07/25 11:00:58 WARN security.UserGroupInformation: Not attempting to
re-login since the last re-login was attempted less than 600 seconds before.
12/07/25 11:00:59 ERROR security.UserGroupInformation:
PriviledgedActionException as:[EMAIL PROTECTED]M (auth:KERBEROS)
cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by
GSSException: No valid credentials provided (Mechanism level: Fail to
create credential. (63) - No service creds)]
12/07/25 11:00:59 WARN security.UserGroupInformation: Not attempting to
re-login since the last re-login was attempted less than 600 seconds before.
12/07/25 11:01:02 ERROR security.UserGroupInformation:
PriviledgedActionException as:[EMAIL PROTECTED]M (auth:KERBEROS)
cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by
GSSException: No valid credentials provided (Mechanism level: Fail to
create credential. (63) - No service creds)]
12/07/25 11:01:02 WARN ipc.Client: Couldn't setup connection for
[EMAIL PROTECTED]M to hdfs/[EMAIL PROTECTED]M
12/07/25 11:01:02 ERROR security.UserGroupInformation:
PriviledgedActionException as:[EMAIL PROTECTED]M (auth:KERBEROS)
cause:java.io.IOException: Couldn't setup connection for
[EMAIL PROTECTED]Mto hdfs/[EMAIL PROTECTED]M
ls: Failed on local exception: java.io.IOException: Couldn't setup
connection for [EMAIL PROTECTED]M to hdfs/[EMAIL PROTECTED]M;
Host Details : local host is: "mitkdc.hadoop.realm/192.168.198.254";
destination host is: ""mitkdc.hadoop.realm":8020;

In the mitkdc server log I can see something like the following, meaning that encoded types are not supported:

Jul 25 09:53:33 mitkdc.hadoop.realm krb5kdc[8630](info): TGS_REQ (5 etypes
{3 1 23 16 17}) 192.168.198.254: PROCESS_TGS: authtime 0,  <unknown client>
for <unknown server>, No matching key in entry having a permitted enctype
Jul 25 09:53:36 mitkdc.hadoop.realm krb5kdc[8630](info): TGS_REQ (5 etypes
{3 1 23 16 17}) 192.168.198.254: PROCESS_TGS: authtime 0,  <unknown client>
for <unknown server>, No matching key in entry having a permitted enctype
Jul 25 09:53:37 mitkdc.hadoop.realm krb5kdc[8630](info): TGS_REQ (5 etypes
{3 1 23 16 17}) 192.168.198.254: PROCESS_TGS: authtime 0,  <unknown client>
for <unknown server>, No matching key in entry having a permitted enctype
Jul 25 09:53:37 mitkdc.hadoop.realm krb5kdc[8630](info): TGS_REQ (5 etypes
{3 1 23 16 17}) 192.168.198.254: PROCESS_TGS: authtime 0,  <unknown client>
for <unknown server>, No matching key in entry having a permitted enctype
Jul 25 09:54:25 mitkdc.hadoop.realm krb5kdc[8630](info): TGS_REQ (5 etypes
{3 1 23 16 17}) 192.168.198.254: PROCESS_TGS: a
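The krb5kdc lines above are the most useful diagnostic in this thread: they list the enctypes the client offered and say the KDC found no key for the requested (cross-realm) service in a permitted enctype. Below is an added triage script, not from the original post or from Hadoop/MIT krb5, that parses TGS_REQ lines in that format, decodes the enctype numbers, counts "No matching key" failures per client and flags single-DES offers; the second sample line is a constructed, successful ISSUE entry for contrast.

```python
import re
from collections import Counter

# Kerberos enctype numbers as assigned in RFC 3961, RFC 3962 and RFC 4757.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "arcfour-hmac"}
WEAK_ETYPES = {1, 3}  # single DES; disabled by default in current MIT krb5
MISMATCH = "No matching key in entry having a permitted enctype"
TGS_RE = re.compile(r"krb5kdc\[\d+\]\(\w+\): TGS_REQ \(\d+ etypes "
                    r"\{(?P<etypes>[\d ]+)\}\) (?P<client_ip>[\d.]+): (?P<rest>.*)$")

def parse_tgs_req(line):
    # Returns a dict for one krb5kdc TGS_REQ line, or None for any other line.
    m = TGS_RE.search(line)
    if not m:
        return None
    etypes = [int(x) for x in m.group("etypes").split()]
    return {
        "client_ip": m.group("client_ip"),
        "etypes": etypes,
        "etype_names": [ETYPE_NAMES.get(e, "etype-%d" % e) for e in etypes],
        "weak_offered": sorted(WEAK_ETYPES & set(etypes)),   # DES offered by client
        "enctype_mismatch": MISMATCH in m.group("rest"),     # KDC had no usable key
    }

def triage(lines):
    # Count enctype-mismatch TGS_REQs per client IP and record what each offered.
    mismatches = Counter()
    offered = {}
    for line in lines:
        rec = parse_tgs_req(line)
        if rec and rec["enctype_mismatch"]:
            mismatches[rec["client_ip"]] += 1
            offered.setdefault(rec["client_ip"], rec["etype_names"])
    return {"mismatches": dict(mismatches), "offered": offered}

# Constructed sample: first line mirrors the KDC log quoted in the post, the
# second is a normal ticket issue in the same krb5kdc format for contrast.
SAMPLE_LOG = [
    "Jul 25 09:53:33 mitkdc.hadoop.realm krb5kdc[8630](info): TGS_REQ (5 etypes "
    "{3 1 23 16 17}) 192.168.198.254: PROCESS_TGS: authtime 0,  <unknown client> "
    "for <unknown server>, " + MISMATCH,
    "Jul 25 09:55:01 mitkdc.hadoop.realm krb5kdc[8630](info): TGS_REQ (1 etypes "
    "{18}) 192.168.198.10: ISSUE: authtime 1343206501, etypes {rep=18 tkt=18 "
    "ses=18}, hdfs/mitkdc.hadoop.realm@HADOOP.REALM for hdfs/mitkdc.hadoop.realm@HADOOP.REALM",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A client that offers only {3 1 23 16 17} and still gets this error means the KDC's key for that service principal (here the cross-realm krbtgt) is in none of those types, or the type is excluded by permitted_enctypes; the offered list also shows whether DES is still being proposed on the wire.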