Michael Smith created IMPALA-14410:
--------------------------------------

             Summary: Long principal name leads to "invalid MI" with impala-shell on macOS
                 Key: IMPALA-14410
                 URL: https://issues.apache.org/jira/browse/IMPALA-14410
             Project: IMPALA
          Issue Type: Bug
          Components: Clients
    Affects Versions: Impala 4.5.0
            Reporter: Michael Smith


Switching the Kerberos principal and key server name from 25 to 28 characters 
resulted in impala-shell on macOS reporting
{code}
Error connecting: TTransportException, Bad SASL result: b'Error in sasl_client_step (-1) SASL(-1): generic failure: GSSAPI Error:  A token had an invalid MI (unknown mech-code 0 for mech unknown)'
{code}

The source of this error is 
https://github.com/apple-open-source/macos/blob/15.6/Heimdal/lib/gssapi/krb5/display_status.c#L69, 
with possibly an off-by-one error on buffering somewhere? The GSSAPI Error 
prefix comes from 
https://github.com/apple-open-source/macos/blob/15.6/passwordserver_sasl/cyrus_sasl/plugins/gssapi.c.

Load balancers, local keytabs, and certs were all updated correctly. Linux 
machines were able to connect with impala-shell without error. I was able to 
reproduce the issue on my system with macOS 15.6 and Python 3.9.23. Bypassing 
the load balancer didn't help.

Some things we tried:
- Double checked that Impala config was properly updated for the new principal.
- Refreshed Impala keytabs.
- Cleared KNS caches.
- Checked DNS resolution.

The workaround we found was to use the HS2-HTTP protocol. Beeswax and HS2 use 
Thrift, which uses the native Kerberos/SASL/Heimdal libraries via 
https://github.com/cloudera/thrift_sasl. HS2-HTTP uses the kerberos and 
pure_sasl Python packages via impyla, so the entire stack is different. My 
theory is that the macOS sasl implementation has a bug we're hitting, and 
pure_sasl avoids it.

I don't have a simple way to stand up a test environment to try out different 
key server configs, so I haven't looked into reproducing this bug in isolation.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)