Hello Michael Ho, Philip Zeyliger, Todd Lipcon, I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/9696 to look at the new patch set (#4). Change subject: IMPALA-6691: KRPC w/ kerberos fails on SLES11 ...................................................................... IMPALA-6691: KRPC w/ kerberos fails on SLES11 The Kerberos version used in SLES 11 seems to have quite a few undocumented bugs. They have krb5-1.6 (krb5-client-1.6.3-133.49.112.1.x86_64). With KRPC we see a new error "GSSAPI Error: A required input parameter could not be read", which we've never seen before. I looked into the krb5 codebase and between krb5-1.6 and krb5-1.7, the code causing the above error (GSSAPI Error: A required input parameter could not be read) has changed subtly without any explanation as to why. That error string corresponds to GSS_S_CALL_INACCESSIBLE_READ. In 1.6, it returns an error if the 'input_token_buffer' string is empty. krb5-1.6: https://github.com/krb5/krb5/blob/krb5-1.6/src/lib/gssapi/mechglue/g_accept_sec_context.c#L149-L150 In 1.7, it returns an error only if the 'input_token_buffer' string is NULL. krb5-1.7: https://github.com/krb5/krb5/blob/krb5-1.7/src/lib/gssapi/mechglue/g_accept_sec_context.c#L149-L150 With KRPC, we test if Kerberos works by passing an empty string to SASL: https://github.com/apache/impala/blob/master/be/src/kudu/rpc/server_negotiation.cc#L289 In 1.6, this is counted as an error, but in 1.7, this is completely fine. I'm not sure why since they haven't documented it. We can attempt to get KRPC working for SLES11 by removing the PreflightGSSAPI() check for any kerberos version < 1.6. A function that is unavailable on krb-1.6 is krb5_get_init_creds_opt_set_fast_ccache_name(), and it is available from krb-1.7 onwards. The PreflightCheckGSSAPI() is compiled in only if this function exists. (However there may be more issues on SLES11 that we're not yet aware of) Change-Id: Ic4cc7f0702f605fca02a2ff5d3d2735e6e080668 --- M be/CMakeLists.txt M be/src/common/config.h.in M be/src/kudu/rpc/messenger.cc 3 files changed, 18 insertions(+), 0 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/96/9696/4 -- To view, visit http://gerrit.cloudera.org:8080/9696 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: newpatchset Gerrit-Change-Id: Ic4cc7f0702f605fca02a2ff5d3d2735e6e080668 Gerrit-Change-Number: 9696 Gerrit-PatchSet: 4 Gerrit-Owner: Sailesh Mukil <sail...@cloudera.com> Gerrit-Reviewer: Michael Ho <k...@cloudera.com> Gerrit-Reviewer: Philip Zeyliger <phi...@cloudera.com> Gerrit-Reviewer: Sailesh Mukil <sail...@cloudera.com> Gerrit-Reviewer: Todd Lipcon <t...@apache.org>