The important part of the error is "Cannot get kdc for realm
CORP.EBAY.COM<http://CORP.EBAY.COM>". Check if the gateway's /etc/krb5.conf
has an entry for CORP.EBAY.COM<http://CORP.EBAY.COM> in the [realms] section.
Or if you actually have appropriate dns service records for kerberos, you can
use "dns_lookup_kdc = true".
Daryn
On Apr 25, 2013, at 12:36 AM, Jeff Zhang wrote:
Hi all,
I could connect to hadoop cluster by ssh tunnel before when there's no kerberos
authentication. Now our cluster need to upgrade to kerberos authentication. I
try to connect to it by ssh tunnel again. But failed.
Could anyone guide me to do that ? Is there any tutorial for this ?
Here's what I did.
1. create a forwardable ticket in my client machine.
2. edit ~/.ssh/config file
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
3. execute command "ssh -N -D 3600 gateway_host " to create a ssh connection
to my gateway host
4. config my core-site.xml file for ssh tunnel connection
<property>
<name>hadoophack.tunnel.port</name>
<value>3600</value>
</property>
<property>
<description>If users connect through a SOCKS proxy, we don't
want their SocketFactory settings interfering with the socket
factory associated with the actual daemons.</description>
<name>hadoop.rpc.socket.factory.class.default</name>
<value>org.apache.hadoop.net.SocksSocketFactory</value>
<final>true</final>
</property>
And there's the error message when I run "hadoop fs -ls /"
13/04/24 22:31:13 ERROR security.UserGroupInformation:
PriviledgedActionException
as:[email protected]<mailto:as%[email protected]>
cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by
GSSException: No valid credentials provided (Mechanism level: Cannot get kdc
for realm CORP.EBAY.COM<http://CORP.EBAY.COM/>)]
13/04/24 22:31:13 INFO security.UserGroupInformation: Initiating logout for
[email protected]<mailto:[email protected]>
13/04/24 22:31:13 INFO security.UserGroupInformation: Initiating re-login for
[email protected]<mailto:[email protected]>
13/04/24 22:31:17 ERROR security.UserGroupInformation:
PriviledgedActionException
as:[email protected]<mailto:as%[email protected]>
cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by
GSSException: No valid credentials provided (Mechanism level: Cannot get kdc
for realm CORP.EBAY.COM<http://CORP.EBAY.COM/>)]
13/04/24 22:31:17 WARN security.UserGroupInformation: Not attempting to
re-login since the last re-login was attempted less than 600 seconds before.
13/04/24 22:31:21 ERROR security.UserGroupInformation:
PriviledgedActionException
as:[email protected]<mailto:as%[email protected]>
cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by
GSSException: No valid credentials provided (Mechanism level: Cannot get kdc
for realm CORP.EBAY.COM<http://CORP.EBAY.COM/>)]
--
Best Regards
Jeff Zhang
