And when you just run 'kinit -k -t ...' with this keytab and principal, it all works?

Did you try to pass it as username/hostname@realm? The part after @ should be realm.

-Mikhail

On Wed, Feb 11, 2015 at 6:10 PM, Jiten Gore <[email protected]> wrote:
> The principal name is of the form <userName>@<host name>
>
> And yes, the log is complete.
>
> Thanks,
> Jiten
>
> Sent from my iPhone
>
>> On Feb 11, 2015, at 5:58 PM, Mikhail Antonov <[email protected]> wrote:
>>
>> Just checking... is that the full log? Does the principal name have the
>> _HOST portion in it?
>>
>>> On Wed, Feb 11, 2015 at 5:24 PM, Jiten Gore <[email protected]> wrote:
>>> Thanks Mikhail. Yes it has been so installed.
>>>
>>> We downloaded the JCE unlimited encryption jar files and replaced the
>>> existing JRE jar files. Is there anything else that we need to do?
>>>
>>> Sent from my iPhone
>>>
>>>> On Feb 11, 2015, at 5:08 PM, Mikhail Antonov <[email protected]> wrote:
>>>>
>>>> Does your Java app have JCE installed with unlimited encryption strength?
>>>>
>>>> -Mikhail
>>>>
>>>>> On Wed, Feb 11, 2015 at 4:52 PM, Jiten Gore <[email protected]> wrote:
>>>>> Hi Dima,
>>>>>
>>>>> Thanks for the prompt response.
>>>>>
>>>>> Here's what we are doing and the error we are seeing:
>>>>>
>>>>> Code:
>>>>> System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
>>>>> final Configuration hBaseConfig = HBaseConfiguration.create();
>>>>> hBaseConfig.setInt("timeout", 120000);
>>>>> hBaseConfig.set("hbase.zookeeper.quorum", "*************");
>>>>> hBaseConfig.set("hbase.zookeeper.property.clientPort", "2181");
>>>>> hBaseConfig.set("hadoop.security.authentication", "kerberos");
>>>>> hBaseConfig.set("hbase.security.authentication", "kerberos");
>>>>> hBaseConfig.set("hbase.master.kerberos.principal", "*****************");
>>>>> hBaseConfig.set("hbase.regionserver.kerberos.principal",
>>>>>     "*******************");
>>>>> hBaseConfig.set("hbase.master.keytab.file", "hbase.keytab");
>>>>> hBaseConfig.set("hbase.regionserver.keytab.file", "hbase.keytab");
>>>>> UserGroupInformation.setConfiguration(hBaseConfig);
>>>>>
>>>>> UserGroupInformation ugi =
>>>>>     UserGroupInformation.loginUserFromKeytabAndReturnUGI("principle_name",
>>>>>     "user.keytab");
>>>>>
>>>>>
>>>>>
>>>>> Error:
>>>>>
>>>>> Exception in thread "main" java.io.IOException: Login failure for <PRINCIPAL_NAME> from keytab
>>>>>     at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1008)
>>>>>     at Kerberos.KerberosAuthentication.App.hbase(App.java:32)
>>>>>     at Kerberos.KerberosAuthentication.App.main(App.java:15)
>>>>> Caused by: javax.security.auth.login.LoginException: null (68)
>>>>>     at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:763)
>>>>>     at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584)
>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>     at java.lang.reflect.Method.invoke(Method.java:606)
>>>>>     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
>>>>>     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
>>>>>     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
>>>>>     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
>>>>>     at java.security.AccessController.doPrivileged(Native Method)
>>>>>     at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
>>>>>     at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
>>>>>     at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:997)
>>>>>     ... 2 more
>>>>> Caused by: KrbException: null (68)
>>>>>     at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
>>>>>     at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:319)
>>>>>     at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364)
>>>>>     at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:735)
>>>>>     ... 15 more
>>>>> Caused by: KrbException: Identifier doesn't match expected value (906)
>>>>>     at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
>>>>>     at sun.security.krb5.internal.ASRep.init(ASRep.java:65)
>>>>>     at sun.security.krb5.internal.ASRep.<init>(ASRep.java:60)
>>>>>     at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
>>>>> Sent from my iPhone
>>>>>
>>>>>> On Feb 11, 2015, at 10:56 AM, Dima Spivak <[email protected]> wrote:
>>>>>>
>>>>>> Hey Jiten,
>>>>>>
>>>>>> Have you followed the steps outlined in
>>>>>> http://hbase.apache.org/book.html#hbase.secure.configuration ? What
>>>>>> issues are you seeing?
>>>>>>
>>>>>> -Dima
>>>>>>
>>>>>>> On Wed, Feb 11, 2015 at 12:49 PM, Jiten Gore <[email protected]> wrote:
>>>>>>>
>>>>>>> We are having difficulties connecting with our Java application to our
>>>>>>> Kerberized HBase cluster. We are using a keytab file to authenticate.
>>>>>>>
>>>>>>> Has anyone successfully connected this way? If you have and can help,
>>>>>>> please let me know. I can share details about the issue.
>>>>>>>
>>>>>>> Best Regards,
>>>>>>> Jiten
>>>>>>>
>>>>>>> Sent from my iPhone
>>>>
>>>>
>>>>
>>>> --
>>>> Thanks,
>>>> Michael Antonov
>>
>>
>>
>> --
>> Thanks,
>> Michael Antonov
>>

--
Thanks,
Michael Antonov
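
The shape check the top reply points at, written out as an added example (not code from this thread or from HBase/Hadoop): it splits a principal string into name and realm before a keytab login is attempted and flags a host name sitting in the realm position. The class name PrincipalCheck, the realm EXAMPLE.COM, the host node1.example.com and the user appuser are constructed placeholders.

```java
import java.util.ArrayList;
import java.util.List;

/** Added example: shape check for a principal string before a keytab login. */
public class PrincipalCheck {

    /** Returns the problems found; an empty list means primary[/instance]@REALM with the expected realm. */
    static List<String> check(String principal, String expectedRealm, String clientHost) {
        List<String> problems = new ArrayList<>();
        int at = principal.lastIndexOf('@');
        if (at <= 0 || at == principal.length() - 1) {
            problems.add("expected primary[/instance]@REALM, got '" + principal + "'");
            return problems;
        }
        String name = principal.substring(0, at);
        String realm = principal.substring(at + 1);
        // Realm names are case-sensitive, so compare exactly.
        if (!realm.equals(expectedRealm)) {
            problems.add("part after @ is '" + realm + "', not the realm '" + expectedRealm + "'");
        }
        // The mix-up discussed in the thread: a host name where the realm belongs.
        if (realm.equalsIgnoreCase(clientHost)) {
            problems.add("host name used where the realm belongs");
        }
        int slash = name.indexOf('/');
        if (slash >= 0 && name.substring(slash + 1).equals("_HOST")) {
            problems.add("literal _HOST placeholder left in the instance part");
        }
        return problems;
    }

    public static void main(String[] args) {
        // Constructed values (assumptions): realm, host and user names are placeholders.
        String realm = "EXAMPLE.COM";
        String host = "node1.example.com";
        String[] samples = {
            "appuser@node1.example.com",              // <userName>@<host name>, as in the thread
            "appuser/node1.example.com@EXAMPLE.COM",  // username/hostname@realm
            "appuser/_HOST@EXAMPLE.COM",              // placeholder never substituted
            "appuser"                                 // no realm part at all
        };
        for (String p : samples) {
            List<String> problems = check(p, realm, host);
            System.out.println(p + " -> " + (problems.isEmpty() ? "ok" : problems));
        }
    }
}
```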
