The host names in libdefaults and realms in krb5.conf exactly match the host name used in the principal name.
From command line, we are able to get the TGT using the following command: kinit -k -t <keytab> -p <username>

Sent from my iPhone

> On Feb 11, 2015, at 6:01 PM, Mikhail Antonov <[email protected]> wrote:
>
> Another thing to check are [libdefaults] and [realms] sections in
> krb5.conf, in case there's any typo or wrong case in there.
>
> You can get the TGT from the kinit command using this keytab, right?
>
> -Mikhail
>
>> On Wed, Feb 11, 2015 at 5:58 PM, Mikhail Antonov <[email protected]>
>> wrote:
>> Just checking.. is that full log? Does the principal name have the
>> _HOST portion in it?
>>
>>> On Wed, Feb 11, 2015 at 5:24 PM, Jiten Gore <[email protected]> wrote:
>>> Thanks Mikhail. Yes it has been so installed.
>>>
>>> We downloaded the JCE unlimited encryption jar files and replaced the
>>> existing jre jar files. Is there anything else that we need to do?
>>>
>>> Sent from my iPhone
>>>
>>>> On Feb 11, 2015, at 5:08 PM, Mikhail Antonov <[email protected]> wrote:
>>>>
>>>> Does your Java app have JCE installed with unlimited encryption strength?
>>>>
>>>> -Mikhail
>>>>
>>>>> On Wed, Feb 11, 2015 at 4:52 PM, Jiten Gore <[email protected]> wrote:
>>>>> Hi Dima,
>>>>>
>>>>> Thanks for the prompt response.
>>>>>
>>>>> Here's what we are doing and the error we are seeing:
>>>>>
>>>>> Code:
>>>>> System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
>>>>> final Configuration hBaseConfig = HBaseConfiguration.create();
>>>>> hBaseConfig.setInt("timeout", 120000);
>>>>> hBaseConfig.set("hbase.zookeeper.quorum", "*************");
>>>>> hBaseConfig.set("hbase.zookeeper.property.clientPort", "2181");
>>>>> hBaseConfig.set("hadoop.security.authentication", "kerberos");
>>>>> hBaseConfig.set("hbase.security.authentication", "kerberos");
>>>>> hBaseConfig.set("hbase.master.kerberos.principal", "*****************");
>>>>> hBaseConfig.set("hbase.regionserver.kerberos.principal",
>>>>> "*******************");
>>>>> hBaseConfig.set("hbase.master.keytab.file", "hbase.keytab");
>>>>> hBaseConfig.set("hbase.regionserver.keytab.file", "hbase.keytab");
>>>>> UserGroupInformation.setConfiguration(hBaseConfig);
>>>>>
>>>>> UserGroupInformation ugi =
>>>>> UserGroupInformation.loginUserFromKeytabAndReturnUGI("principle_name",
>>>>> "user.keytab");
>>>>>
>>>>>
>>>>>
>>>>> Error:
>>>>>
>>>>> Exception in thread "main" java.io.IOException: Login failure for
>>>>> <PRINCIPAL_NAME> from keytab
>>>>> at
>>>>> org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1008)
>>>>> at Kerberos.KerberosAuthentication.App.hbase(App.java:32)
>>>>> at Kerberos.KerberosAuthentication.App.main(App.java:15)
>>>>> Caused by: javax.security.auth.login.LoginException: null (68)
>>>>> at
>>>>> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:763)
>>>>> at
>>>>> com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584)
>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>> at
>>>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>>> at
>>>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>> at java.lang.reflect.Method.invoke(Method.java:606)
>>>>> at
>>>>> javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
>>>>> at
>>>>> javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
>>>>> at
>>>>> javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
>>>>> at
>>>>> javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
>>>>> at java.security.AccessController.doPrivileged(Native Method)
>>>>> at
>>>>> javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
>>>>> at
>>>>> javax.security.auth.login.LoginContext.login(LoginContext.java:595)
>>>>> at
>>>>> org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:997)
>>>>> ... 2 more
>>>>> Caused by: KrbException: null (68)
>>>>> at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
>>>>> at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:319)
>>>>> at
>>>>> sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364)
>>>>> at
>>>>> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:735)
>>>>> ... 15 more
>>>>> Caused by: KrbException: Identifier doesn't match expected value (906)
>>>>> at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
>>>>> at sun.security.krb5.internal.ASRep.init(ASRep.java:65)
>>>>> at sun.security.krb5.internal.ASRep.<init>(ASRep.java:60)
>>>>> at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
>>>>> Sent from my iPhone
>>>>>
>>>>>> On Feb 11, 2015, at 10:56 AM, Dima Spivak <[email protected]> wrote:
>>>>>>
>>>>>> Hey Jiten,
>>>>>>
>>>>>> Have you followed the steps outlined in
>>>>>> http://hbase.apache.org/book.html#hbase.secure.configuration ? What
>>>>>> issues
>>>>>> are you seeing?
>>>>>>
>>>>>> -Dima
>>>>>>
>>>>>>> On Wed, Feb 11, 2015 at 12:49 PM, Jiten Gore <[email protected]> wrote:
>>>>>>>
>>>>>>> We are having difficulties connecting with our Java application to our
>>>>>>> Kerberized HBase cluster. We are using a keytab file to authenticate.
>>>>>>>
>>>>>>> Has anyone successfully connected this way? If you have and can help,
>>>>>>> please let me know. I can share details about the issue.
>>>>>>>
>>>>>>> Best Regards,
>>>>>>> Jiten
>>>>>>>
>>>>>>> Sent from my iPhone
>>>>
>>>>
>>>>
>>>> --
>>>> Thanks,
>>>> Michael Antonov
>>
>>
>>
>> --
>> Thanks,
>> Michael Antonov
>
>
>
> --
> Thanks,
> Michael Antonov
>
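
The krb5.conf check suggested in the thread (typo or wrong case in [libdefaults] and [realms], compared against the principal name), written out as an added example that is not code from any participant. The realm EXAMPLE.COM, the host names and the sample file are constructed, and `check_principal` is a hypothetical helper name.

```python
import re

# Constructed krb5.conf: realm spelled with different case in the two sections.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    Example.com = {
        kdc = kdc01.example.com
    }
"""

def parse_krb5(text):
    """Return (default_realm, {realm: [kdc hosts]}) from krb5.conf text."""
    section = current = default_realm = None
    realms = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, current = header.group(1), None
        elif line == "}":
            current = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "libdefaults" and key == "default_realm":
                default_realm = value
            elif section == "realms" and value.startswith("{"):
                current = key
                realms[current] = []
            elif section == "realms" and current and key == "kdc":
                realms[current].append(value)
    return default_realm, realms

def check_principal(principal, conf_text, expected_host=None):
    """Return a list of mismatches; an empty list means the names agree."""
    default_realm, realms = parse_krb5(conf_text)
    name, _, realm = principal.partition("@")
    findings = []
    for value in dict.fromkeys([realm or default_realm, default_realm]):
        if value is None:
            findings.append("default_realm is not set in [libdefaults]")
        elif value not in realms:         # realm names are case-sensitive
            near = [r for r in realms if r.lower() == value.lower()]
            findings.append(f"realm {value!r}: " + (
                f"case differs from [realms] entry {near[0]!r}" if near
                else "no [realms] entry"))
    instance = name.partition("/")[2]     # host part of primary/instance
    if expected_host and instance not in ("", "_HOST", expected_host):
        findings.append(f"instance {instance!r} != host {expected_host!r}")
    return findings
```

Run against the sample file, `check_principal("hbase/node1.example.com@EXAMPLE.COM", SAMPLE_KRB5_CONF, "node1.example.com")` reports the case-only realm difference, which a visual comparison of the two sections easily misses.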
