Hi,

Hello MIT team, I'm Anil, working for IBM, and I have implemented Kerberos
for a customer. Kerberos – AD is implemented on a Hadoop environment.
Phoenix is enabled to open JDBC / ODBC connections to Hadoop HBase. Hadoop is
set up on RHEL 7.2.

Windows client machines connect to Hadoop Phoenix using the
Hortonworks Phoenix ODBC driver (64 bit). As the connection should be established
to Kerberos Phoenix, the Windows ODBC client machine must also be set up with
Kerberos.

The Windows ODBC client machine has been set up with MIT Kerberos as per
the documentation link
https://community.hortonworks.com/articles/28537/user-authentication-from-windows-workstation-to-hd.html

Copied the krb5.conf file to the Windows machine as krb5.ini. Using the MIT Kerberos key
tool, get a new Kerberos ticket, say for user ‘kpiuser’, as shown
below;

On establishing a connection from the ODBC client, the Phoenix connection fails
with the log message “GSSException: Defective token detected (Mechanism
level: GSSHeader did not find the right tag)”.
Refer to Error-in-phoenix-log.txt

This implies the Kerberos ticket format is different
or corrupted.

The Phoenix ODBC client logs show connection errors.
Refer to HortonworksPhoenixODBCDriver_connection_1.log and phoenix_driver.log

On the Windows client machine, doing kinit for a user does not show the cached
ticket when the klist command is run.
Refer to klist-on-windows-odbc-client.txt

Thanks,
Anil

2018-07-10 19:28:16,272 WARN
org.apache.phoenix.shaded.org.eclipse.jetty.security.SpnegoLoginService:
GSSException: Defective token detected (Mechanism level: GSSHeader did not find
the right tag)
at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
at
sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
at
sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at
org.apache.phoenix.shaded.org.eclipse.jetty.security.SpnegoLoginService.login(SpnegoLoginService.java:137)
at
org.apache.phoenix.shaded.org.eclipse.jetty.security.authentication.LoginAuthenticator.login(LoginAuthenticator.java:61)
at
org.apache.phoenix.shaded.org.eclipse.jetty.security.authentication.SpnegoAuthenticator.validateRequest(SpnegoAuthenticator.java:99)
at
org.apache.phoenix.shaded.org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:512)
at
org.apache.phoenix.shaded.org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:52)
at
org.apache.phoenix.shaded.org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at
org.apache.phoenix.shaded.org.eclipse.jetty.server.Server.handle(Server.java:499)
at
org.apache.phoenix.shaded.org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
at
org.apache.phoenix.shaded.org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
at
org.apache.phoenix.shaded.org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
at
org.apache.phoenix.shaded.org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
at
org.apache.phoenix.shaded.org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
at java.lang.Thread.run(Thread.java:745)
2018-07-10 19:28:16,276 WARN
org.apache.phoenix.shaded.org.eclipse.jetty.security.SpnegoLoginService:
GSSException: Defective token detected (Mechanism level: GSSHeader did not find
the right tag)
at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
at
sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
at
sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at
org.apache.phoenix.shaded.org.eclipse.jetty.security.SpnegoLoginService.login(SpnegoLoginService.java:137)
at
org.apache.phoenix.shaded.org.eclipse.jetty.security.authentication.LoginAuthenticator.login(LoginAuthenticator.java:61)
at
org.apache.phoenix.shaded.org.eclipse.jetty.security.authentication.SpnegoAuthenticator.validateRequest(SpnegoAuthenticator.java:99)
at
org.apache.phoenix.shaded.org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:512)
at
org.apache.phoenix.shaded.org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:52)
at
org.apache.phoenix.shaded.org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at
org.apache.phoenix.shaded.org.eclipse.jetty.server.Server.handle(Server.java:499)
at
org.apache.phoenix.shaded.org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
at
org.apache.phoenix.shaded.org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
at
org.apache.phoenix.shaded.org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
at
org.apache.phoenix.shaded.org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
at
org.apache.phoenix.shaded.org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
at java.lang.Thread.run(Thread.java:745)
2018-07-10 19:28:16,280 WARN
org.apache.phoenix.shaded.org.eclipse.jetty.security.SpnegoLoginService:
GSSException: Defective token detected (Mechanism level: GSSHeader did not find
the right tag)
at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)

C:\Users\test2>klist
Current LogonId is 0:0x2b844
Cached Tickets: (3)
#0> Client: test2 @ AAS.COM
Server: krbtgt/AAS.COM @ AAS.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent nam
e_canonicalize
Start Time: 7/26/2018 10:46:39 (local)
End Time: 7/26/2018 11:46:39 (local)
Renew Time: 8/1/2018 16:47:01 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called: AASDCMGMT01.aas.com
#1> Client: test2 @ AAS.COM
Server: ldap/AASDCMGMT01.aas.com @ AAS.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_deleg
ate name_canonicalize
Start Time: 7/25/2018 16:47:01 (local)
End Time: 7/25/2018 17:47:01 (local)
Renew Time: 8/1/2018 16:47:01 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: AASDCMGMT01.aas.com
#2> Client: test2 @ AAS.COM
Server: LDAP/AASDCMGMT01.aas.com/aas.com @ AAS.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_deleg
ate name_canonicalize
Start Time: 7/25/2018 16:47:01 (local)
End Time: 7/25/2018 17:47:01 (local)
Renew Time: 8/1/2018 16:47:01 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: AASDCMGMT01.aas.com
C:\Users\test2>kinit [email protected]
Password for [email protected]:
C:\Users\test2>klist
Current LogonId is 0:0x2b844
Cached Tickets: (3)
#0> Client: test2 @ AAS.COM
Server: krbtgt/AAS.COM @ AAS.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent nam
e_canonicalize
Start Time: 7/26/2018 11:31:38 (local)
End Time: 7/26/2018 12:31:38 (local)
Renew Time: 8/1/2018 16:47:01 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called: AASDCMGMT01.aas.com
#1> Client: test2 @ AAS.COM
Server: ldap/AASDCMGMT01.aas.com @ AAS.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_deleg
ate name_canonicalize
Start Time: 7/25/2018 16:47:01 (local)
End Time: 7/25/2018 17:47:01 (local)
Renew Time: 8/1/2018 16:47:01 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: AASDCMGMT01.aas.com
#2> Client: test2 @ AAS.COM
Server: LDAP/AASDCMGMT01.aas.com/aas.com @ AAS.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_deleg
ate name_canonicalize
Start Time: 7/25/2018 16:47:01 (local)
End Time: 7/25/2018 17:47:01 (local)
Renew Time: 8/1/2018 16:47:01 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: AASDCMGMT01.aas.com
C:\Users\test2>