Another thing to check are [libdefaults] and [realms] sections in krb5.conf, in case there's any typo or wrong case in there.
You can get the TGT from the kinit command using this keytab, right? -Mikhail On Wed, Feb 11, 2015 at 5:58 PM, Mikhail Antonov <[email protected]> wrote: > Just checking.. is that full log? Does the principal name have the > _HOST portion in it? > > On Wed, Feb 11, 2015 at 5:24 PM, Jiten Gore <[email protected]> wrote: >> Thanks Mikhail. Yes it has been so installed. >> >> We downloaded the JCE unlimited encryption jar files and replaced the >> existing jre jar files. Is there any thing else that we need to do? >> >> Sent from my iPhone >> >>> On Feb 11, 2015, at 5:08 PM, Mikhail Antonov <[email protected]> wrote: >>> >>> Does your java app has JCE installed with unlimited encryption strength? >>> >>> -Mikhail >>> >>>> On Wed, Feb 11, 2015 at 4:52 PM, Jiten Gore <[email protected]> wrote: >>>> Hi Dima, >>>> >>>> Thanks for the prompt response. >>>> >>>> Here's what we are doing and the error we are seeing: >>>> >>>> Code: >>>> System.setProperty("javax.security.auth.useSubjectCredsOnly", "false"); >>>> final Configuration hBaseConfig = HBaseConfiguration.create(); >>>> hBaseConfig.setInt("timeout", 120000); >>>> hBaseConfig.set("hbase.zookeeper.quorum", "*************"); >>>> hBaseConfig.set("hbase.zookeeper.property.clientPort", "2181"); >>>> hBaseConfig.set("hadoop.security.authentication", "kerberos"); >>>> hBaseConfig.set("hbase.security.authentication", "kerberos"); >>>> hBaseConfig.set("hbase.master.kerberos.principal", "*****************"); >>>> hBaseConfig.set("hbase.regionserver.kerberos.principal", >>>> "*******************"); >>>> hBaseConfig.set("hbase.master.keytab.file", "hbase.keytab"); >>>> hBaseConfig.set("hbase.regionserver.keytab.file", "hbase.keytab"); >>>> UserGroupInformation.setConfiguration(hBaseConfig); >>>> >>>> UserGroupInformation ugi = >>>> UserGroupInformation.loginUserFromKeytabAndReturnUGI("principle_name", >>>> "user.keytab"); >>>> >>>> >>>> >>>> Error: >>>> >>>> Exception in thread "main" java.io.IOException: Login failure for >>>> <PRINCIPAL_NAME> from keytab >>>> at >>>> org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1008) >>>> at Kerberos.KerberosAuthentication.App.hbase(App.java:32) >>>> at Kerberos.KerberosAuthentication.App.main(App.java:15) >>>> Caused by: javax.security.auth.login.LoginException: null (68) >>>> at >>>> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:763) >>>> at >>>> com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584) >>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >>>> at >>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) >>>> at >>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >>>> at java.lang.reflect.Method.invoke(Method.java:606) >>>> at >>>> javax.security.auth.login.LoginContext.invoke(LoginContext.java:762) >>>> at >>>> javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) >>>> at >>>> javax.security.auth.login.LoginContext$4.run(LoginContext.java:690) >>>> at >>>> javax.security.auth.login.LoginContext$4.run(LoginContext.java:688) >>>> at java.security.AccessController.doPrivileged(Native Method) >>>> at >>>> javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687) >>>> at >>>> javax.security.auth.login.LoginContext.login(LoginContext.java:595) >>>> at >>>> org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:997) >>>> ... 2 more >>>> Caused by: KrbException: null (68) >>>> at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76) >>>> at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:319) >>>> at >>>> sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364) >>>> at >>>> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:735) >>>> ... 15 more >>>> Caused by: KrbException: Identifier doesn't match expected value (906) >>>> at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143) >>>> at sun.security.krb5.internal.ASRep.init(ASRep.java:65) >>>> at sun.security.krb5.internal.ASRep.<init>(ASRep.java:60) >>>> at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60) >>>> Sent from my iPhone >>>> >>>>> On Feb 11, 2015, at 10:56 AM, Dima Spivak <[email protected]> wrote: >>>>> >>>>> Hey Jiten, >>>>> >>>>> Have you followed the steps outlined in >>>>> http://hbase.apache.org/book.html#hbase.secure.configuration ? What issues >>>>> are you seeing? >>>>> >>>>> -Dima >>>>> >>>>>> On Wed, Feb 11, 2015 at 12:49 PM, Jiten Gore <[email protected]> wrote: >>>>>> >>>>>> We are having difficulties connecting with our Java application to our >>>>>> Kerberized HBase cluster. We are using a keytab file to authenticate. >>>>>> >>>>>> Has anyone successfully connected this way? If you have and can help, >>>>>> please let me know. I can share details about the issue. >>>>>> >>>>>> Best Regards, >>>>>> Jiten >>>>>> >>>>>> Sent from my iPhone >>> >>> >>> >>> -- >>> Thanks, >>> Michael Antonov >>> > > > > -- > Thanks, > Michael Antonov -- Thanks, Michael Antonov
