Problem setting up Hadoop security with active directory using one-way cross-realm configuration
Hi all,

I am trying to set up a one-way cross-realm trust between a MIT KDC and an Active Directory server and up to now I did not succeed.
I hope someone on this list will be able to help me.

My config is as follows:
  - hadoop version: 0.23.1 with security enabled (kerberos).
  - hadoop realm (mitkdc): HADOOP.REALM
  - 1 linux node (mitkdc.hadoop.realm - 192.168.198.254) running: hdfs namenode, hdfs datanode, mit kdc
  - 1 windows node (ad.domain.realm - 192.168.198.253) running: active directory 2003
  - AD realm: DOMAIN.REALM

Everything works well with kerberos enabled if I only use the linux machine with users having a principal in the mitkdc: [EMAIL PROTECTED]M

What I am trying to do is to use the user database in the Active Directory (users with principals like [EMAIL PROTECTED]M).

To do that, I set up a one-way cross-realm trust as explained here:
https://ccp.cloudera.com/display/CDH4DOC/Integrating+Hadoop+Security+with+Active+Directory

From the linux machine I can authenticate as an Active Directory user with the kinit command, but when I perform a query using the hadoop command I get the following error message:
---------------------
hdfs@mitkdc:~$ kinit [EMAIL PROTECTED]M
Password for [EMAIL PROTECTED]M:

hdfs@mitkdc:~$ klist -e
Ticket cache: FILE:/tmp/krb5cc_10003
Default principal: [EMAIL PROTECTED]M

Valid starting    Expires           Service principal
25/07/2012 11:00  25/07/2012 20:59  krbtgt/[EMAIL PROTECTED]M
renew until 26/07/2012 11:00, Etype (skey, tkt): arcfour-hmac, arcfour-hmac

hdfs@mitkdc:~$ hadoop/bin/hadoop fs -ls /user
12/07/25 11:00:50 ERROR security.UserGroupInformation:
PriviledgedActionException as:[EMAIL PROTECTED]M (auth:KERBEROS)
cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by
GSSException: No valid credentials provided (Mechanism level: Fail to
create credential. (63) - No service creds)]
12/07/25 11:00:50 INFO security.UserGroupInformation: Initiating logout for
[EMAIL PROTECTED]M
12/07/25 11:00:50 INFO security.UserGroupInformation: Initiating re-login
for [EMAIL PROTECTED]M
12/07/25 11:00:53 ERROR security.UserGroupInformation:
PriviledgedActionException as:[EMAIL PROTECTED]M (auth:KERBEROS)
cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by
GSSException: No valid credentials provided (Mechanism level: Fail to
create credential. (63) - No service creds)]
12/07/25 11:00:53 WARN security.UserGroupInformation: Not attempting to
re-login since the last re-login was attempted less than 600 seconds before.
12/07/25 11:00:56 ERROR security.UserGroupInformation:
PriviledgedActionException as:[EMAIL PROTECTED]M (auth:KERBEROS)
cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by
GSSException: No valid credentials provided (Mechanism level: Fail to
create credential. (63) - No service creds)]
12/07/25 11:00:56 WARN security.UserGroupInformation: Not attempting to
re-login since the last re-login was attempted less than 600 seconds before.
12/07/25 11:00:58 ERROR security.UserGroupInformation:
PriviledgedActionException as:[EMAIL PROTECTED]M (auth:KERBEROS)
cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by
GSSException: No valid credentials provided (Mechanism level: Fail to
create credential. (63) - No service creds)]
12/07/25 11:00:58 WARN security.UserGroupInformation: Not attempting to
re-login since the last re-login was attempted less than 600 seconds before.
12/07/25 11:00:59 ERROR security.UserGroupInformation:
PriviledgedActionException as:[EMAIL PROTECTED]M (auth:KERBEROS)
cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by
GSSException: No valid credentials provided (Mechanism level: Fail to
create credential. (63) - No service creds)]
12/07/25 11:00:59 WARN security.UserGroupInformation: Not attempting to
re-login since the last re-login was attempted less than 600 seconds before.
12/07/25 11:01:02 ERROR security.UserGroupInformation:
PriviledgedActionException as:[EMAIL PROTECTED]M (auth:KERBEROS)
cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by
GSSException: No valid credentials provided (Mechanism level: Fail to
create credential. (63) - No service creds)]
12/07/25 11:01:02 WARN ipc.Client: Couldn't setup connection for
[EMAIL PROTECTED]M to hdfs/[EMAIL PROTECTED]M
12/07/25 11:01:02 ERROR security.UserGroupInformation:
PriviledgedActionException as:[EMAIL PROTECTED]M (auth:KERBEROS)
cause:java.io.IOException: Couldn't setup connection for
[EMAIL PROTECTED]Mto hdfs/[EMAIL PROTECTED]M
ls: Failed on local exception: java.io.IOException: Couldn't setup
connection for [EMAIL PROTECTED]M to hdfs/[EMAIL PROTECTED]M;
Host Details : local host is: "mitkdc.hadoop.realm/192.168.198.254";
destination host is: ""mitkdc.hadoop.realm":8020;

On the mitkdc server log I can see something like the following, meaning that encoded types are not supported:

Jul 25 09:53:33 mitkdc.hadoop.realm krb5kdc[8630](info): TGS_REQ (5 etypes
{3 1 23 16 17}) 192.168.198.254: PROCESS_TGS: authtime 0,  <unknown client>
for <unknown server>, No matching key in entry having a permitted enctype
Jul 25 09:53:36 mitkdc.hadoop.realm krb5kdc[8630](info): TGS_REQ (5 etypes
{3 1 23 16 17}) 192.168.198.254: PROCESS_TGS: authtime 0,  <unknown client>
for <unknown server>, No matching key in entry having a permitted enctype
Jul 25 09:53:37 mitkdc.hadoop.realm krb5kdc[8630](info): TGS_REQ (5 etypes
{3 1 23 16 17}) 192.168.198.254: PROCESS_TGS: authtime 0,  <unknown client>
for <unknown server>, No matching key in entry having a permitted enctype
Jul 25 09:53:37 mitkdc.hadoop.realm krb5kdc[8630](info): TGS_REQ (5 etypes
{3 1 23 16 17}) 192.168.198.254: PROCESS_TGS: authtime 0,  <unknown client>
for <unknown server>, No matching key in entry having a permitted enctype
Jul 25 09:54:25 mitkdc.hadoop.realm krb5kdc[8630](info): TGS_REQ (5 etypes
{3 1 23 16 17}) 192.168.198.254: PROCESS_TGS: a
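An added diagnostic, not from this thread or from Hadoop or MIT krb5: it parses the krb5kdc TGS_REQ line quoted above, decodes the etype numbers the client offered ({3 1 23 16 17}) and intersects them with the enctypes the requested principal's key has, so an empty intersection maps directly onto the KDC's "No matching key in entry having a permitted enctype". The two candidate key enctype sets for the cross-realm krbtgt principal are assumptions, not taken from the poster's KDC.

```python
import re

# Kerberos enctype numbers (IANA Kerberos Parameters registry) for the values
# in the TGS_REQ lines above; 23 (arcfour-hmac) is what AD issued the TGT with.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "arcfour-hmac"}

TGS_REQ = re.compile(
    r"krb5kdc\[\d+\]\(info\): TGS_REQ \((\d+) etypes \{([\d ]+)\}\) "
    r"(\S+): PROCESS_TGS: (.*)$")


def parse_tgs_req(line):
    """Offered etypes, client address and the KDC's final status text from one
    krb5kdc TGS_REQ line; None if the line is not a TGS_REQ."""
    m = TGS_REQ.search(line)
    if not m:
        return None
    etypes = [int(e) for e in m.group(2).split()]
    if len(etypes) != int(m.group(1)):
        raise ValueError("etype count disagrees with list: " + line)
    # The status is the last comma-separated field of the PROCESS_TGS tail.
    status = m.group(4).rsplit(", ", 1)[-1].strip()
    return {"client": m.group(3), "etypes": etypes, "status": status}


def diagnose(line, principal_etypes):
    """Intersect what the client offered with the enctypes the requested
    principal's key has; an empty overlap is exactly the KDC's
    'No matching key in entry having a permitted enctype'."""
    req = parse_tgs_req(line)
    if req is None:
        return None
    offered = {ETYPE_NAMES.get(e, "etype-%d" % e) for e in req["etypes"]}
    overlap = sorted(offered & set(principal_etypes))
    return {"offered": sorted(offered), "overlap": overlap,
            "kdc_status": req["status"], "ok": bool(overlap)}


# Constructed sample: the first TGS_REQ line of the thread joined onto one line.
SAMPLE = ("Jul 25 09:53:33 mitkdc.hadoop.realm krb5kdc[8630](info): TGS_REQ "
          "(5 etypes {3 1 23 16 17}) 192.168.198.254: PROCESS_TGS: authtime 0,  "
          "<unknown client> for <unknown server>, "
          "No matching key in entry having a permitted enctype")

# Assumed key enctypes for the cross-realm krbtgt principal: AES-256 only
# shares nothing with the offered list, so the lookup fails; adding
# arcfour-hmac, the type AD 2003 used for the TGT above, gives an overlap.
AES_ONLY = {"aes256-cts-hmac-sha1-96"}
WITH_RC4 = {"aes256-cts-hmac-sha1-96", "arcfour-hmac"}
```

Run `diagnose(SAMPLE, AES_ONLY)` and `diagnose(SAMPLE, WITH_RC4)` to see the two verdicts; the same check works on any line a real KDC writes, once the principal's actual enctypes are read from kadmin's `getprinc` output.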
Mapred Learn 2012-07-25, 14:59
Ivan Frain 2012-07-25, 15:27
Mapred Learn 2012-07-25, 16:11
Ivan Frain 2012-07-25, 16:25
Guillaume Polaert 2012-10-15, 10:08
Guillaume Polaert 2012-10-15, 13:16
Mapred Learn 2012-07-25, 19:07