Re: Questions on Kerberos usage with YARN and JDBC

2015-12-13 Thread Mike Wright
Kerberos seems to be working otherwise ... for example, we're using it
successfully to control access to HDFS and it's linked to AD ... we're
using Ranger if that helps. I'm not a systems admin guy so this is really
not my area of expertise.


___

*Mike Wright*
Principal Architect, Software Engineering
S&P Capital IQ and SNL

434-951-7816 *p*
434-244-4466 *f*
540-470-0119 *m*

mwri...@snl.com



On Fri, Dec 11, 2015 at 4:36 PM, Todd Simmer wrote:

> hey Mike,
>
> Are these part of an Active Directory Domain? If so are they pointed at
> the AD domain controllers that host the Kerberos server? Windows AD creates
> SRV records in DNS to help Windows clients find the Kerberos server for
> their domain. If you look you can see if you have a kdc record in Windows
> DNS and what it's pointing at. Can you do a
>
> kinit *username*
>
> on that host? It should tell you if it can find the KDC.
>
> Let me know if that's helpful at all.
>
> Todd
>
> On Fri, Dec 11, 2015 at 1:50 PM, Mike Wright wrote:
>
>> As part of our implementation, we are utilizing a full "Kerberized"
>> cluster built on the Hortonworks suite. We're using Job Server as the front
>> end to initiate short-run jobs directly from our client-facing product
>> suite.
>>
>> 1) We believe we have configured the job server to start with the
>> appropriate credentials, specifying a principal and keytab. We switch to
>> YARN-CLIENT mode and can see Job Server attempt to connect to the resource
>> manager, and the result is that whatever the principal name is, it "cannot
>> impersonate root."  We have been unable to solve this.
>>
>> 2) We are primarily a Windows shop, hence our cluelessness here. That
>> said, we're using the JDBC driver version 4.2 and want to use JavaKerberos
>> authentication to connect to SQL Server. The queries performed by the job
>> are done in the driver, and hence would be running on the Job Server, which
>> we confirmed is running as the principal we have designated. However, when
>> attempting to connect with this option enabled I receive an "Unable to
>> obtain Principal Name for authentication" exception.
>>
>> Reading this:
>>
>> https://msdn.microsoft.com/en-us/library/ms378428.aspx
>>
>> We have Kerberos working on the machine and thus have krb5.conf set up
>> correctly. However the section, "Enabling the Domain Configuration File
>> and the Login Module Configuration File" seems to indicate we've missed a
>> step somewhere.
>>
>> Forgive my ignorance here ... I've been on Windows for 20 years and this
>> is all new to me.
>>
>> Thanks for any guidance you can provide.
>>
>
>


Re: Questions on Kerberos usage with YARN and JDBC

2015-12-11 Thread Todd Simmer
hey Mike,

Are these part of an Active Directory Domain? If so are they pointed at the
AD domain controllers that host the Kerberos server? Windows AD creates SRV
records in DNS to help Windows clients find the Kerberos server for their
domain. If you look you can see if you have a kdc record in Windows DNS and
what it's pointing at. Can you do a

kinit *username*

on that host? It should tell you if it can find the KDC.

Let me know if that's helpful at all.

Todd

On Fri, Dec 11, 2015 at 1:50 PM, Mike Wright wrote:

> As part of our implementation, we are utilizing a full "Kerberized"
> cluster built on the Hortonworks suite. We're using Job Server as the front
> end to initiate short-run jobs directly from our client-facing product
> suite.
>
> 1) We believe we have configured the job server to start with the
> appropriate credentials, specifying a principal and keytab. We switch to
> YARN-CLIENT mode and can see Job Server attempt to connect to the resource
> manager, and the result is that whatever the principal name is, it "cannot
> impersonate root."  We have been unable to solve this.
>
> 2) We are primarily a Windows shop, hence our cluelessness here. That
> said, we're using the JDBC driver version 4.2 and want to use JavaKerberos
> authentication to connect to SQL Server. The queries performed by the job
> are done in the driver, and hence would be running on the Job Server, which
> we confirmed is running as the principal we have designated. However, when
> attempting to connect with this option enabled I receive an "Unable to
> obtain Principal Name for authentication" exception.
>
> Reading this:
>
> https://msdn.microsoft.com/en-us/library/ms378428.aspx
>
> We have Kerberos working on the machine and thus have krb5.conf set up
> correctly. However the section, "Enabling the Domain Configuration File
> and the Login Module Configuration File" seems to indicate we've missed a
> step somewhere.
>
> Forgive my ignorance here ... I've been on Windows for 20 years and this
> is all new to me.
>
> Thanks for any guidance you can provide.
>


Questions on Kerberos usage with YARN and JDBC

2015-12-11 Thread Mike Wright
As part of our implementation, we are utilizing a full "Kerberized" cluster
built on the Hortonworks suite. We're using Job Server as the front end to
initiate short-run jobs directly from our client-facing product suite.

1) We believe we have configured the job server to start with the
appropriate credentials, specifying a principal and keytab. We switch to
YARN-CLIENT mode and can see Job Server attempt to connect to the resource
manager, and the result is that whatever the principal name is, it "cannot
impersonate root."  We have been unable to solve this.

2) We are primarily a Windows shop, hence our cluelessness here. That said,
we're using the JDBC driver version 4.2 and want to use JavaKerberos
authentication to connect to SQL Server. The queries performed by the job
are done in the driver, and hence would be running on the Job Server, which
we confirmed is running as the principal we have designated. However, when
attempting to connect with this option enabled I receive an "Unable to
obtain Principal Name for authentication" exception.

Reading this:

https://msdn.microsoft.com/en-us/library/ms378428.aspx

We have Kerberos working on the machine and thus have krb5.conf set up
correctly. However the section, "Enabling the Domain Configuration File and
the Login Module Configuration File" seems to indicate we've missed a step
somewhere.

Forgive my ignorance here ... I've been on Windows for 20 years and this is
all new to me.

Thanks for any guidance you can provide.
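
The login module configuration file from question 2, as an added example that is not part of the original thread: a small Java check that performs the JAAS login for the `SQLJDBCDriver` entry (the name Microsoft's documentation gives for the driver's login configuration) on its own, so a keytab or principal problem shows up separately from the JDBC connection. The keytab path, principal, realm, host and database names are placeholder assumptions.

```java
// Added example: checks the JAAS entry used for authenticationScheme=JavaKerberos
// without involving the JDBC driver.
//
// Assumed login module configuration file (keytab path and principal are placeholders):
//
//   SQLJDBCDriver {
//     com.sun.security.auth.module.Krb5LoginModule required
//       useKeyTab=true
//       keyTab="/etc/security/keytabs/jobserver.keytab"
//       principal="jobserver@EXAMPLE.COM"
//       storeKey=true
//       doNotPrompt=true;
//   };
//
// Run with:
//   java -Djava.security.krb5.conf=/etc/krb5.conf \
//        -Djava.security.auth.login.config=/path/to/SQLJDBCDriver.conf \
//        JaasEntryCheck
import java.security.Principal;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class JaasEntryCheck {
    // Entry name the Microsoft documentation uses for the driver's login configuration.
    static final String ENTRY = "SQLJDBCDriver";

    public static void main(String[] args) {
        if (System.getProperty("java.security.auth.login.config") == null) {
            System.err.println("java.security.auth.login.config is not set; pass the "
                + "login module configuration file with -D on the JVM command line.");
            System.exit(2);
        }
        try {
            LoginContext lc = new LoginContext(ENTRY);
            lc.login();  // reads the keytab; with doNotPrompt=true it fails rather than prompting
            for (Principal p : lc.getSubject().getPrincipals()) {
                System.out.println("Authenticated as " + p.getName());
            }
            lc.logout();
            // Placeholder host and database; the two security properties are the driver's own.
            System.out.println("JDBC URL: jdbc:sqlserver://sqlhost.example.com:1433;"
                + "databaseName=mydb;integratedSecurity=true;authenticationScheme=JavaKerberos");
        } catch (LoginException e) {
            System.err.println("JAAS login for entry '" + ENTRY + "' failed: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

The same two `-D` options have to reach the JVM that opens the JDBC connection, which in the setup described above is the Job Server process.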