Interesting.

Your Java program runs under the same user as the shell for kinit?
Anything in /var/log/krb5kdc.log (with debug logging on)?

On Wed, Feb 11, 2015 at 6:17 PM, Jiten Gore <[email protected]> wrote:
> The host names in libdefaults and realms in krb5.conf exactly match the host 
> name used in the principal name.
>
> From command line, we are able to get the TGT using the following command:
> kinit -k -t <keytab> -p <username>
>
> Sent from my iPhone
>
>> On Feb 11, 2015, at 6:01 PM, Mikhail Antonov <[email protected]> wrote:
>>
>> Another thing to check is the [libdefaults] and [realms] sections in
>> krb5.conf, in case there's any typo or wrong case in there.
>>
>> You can get the TGT from the kinit command using this keytab, right?
>>
>> -Mikhail
>>
>>> On Wed, Feb 11, 2015 at 5:58 PM, Mikhail Antonov <[email protected]> 
>>> wrote:
>>> Just checking... is that the full log? Does the principal name have the
>>> _HOST portion in it?
>>>
>>>> On Wed, Feb 11, 2015 at 5:24 PM, Jiten Gore <[email protected]> wrote:
>>>> Thanks Mikhail. Yes it has been so installed.
>>>>
>>>> We downloaded the JCE unlimited encryption jar files and replaced the 
>>>> existing jre jar files. Is there anything else that we need to do?
>>>>
>>>> Sent from my iPhone
>>>>
>>>>> On Feb 11, 2015, at 5:08 PM, Mikhail Antonov <[email protected]> wrote:
>>>>>
>>>>> Does your Java app have JCE installed with unlimited encryption strength?
>>>>>
>>>>> -Mikhail
>>>>>
>>>>>> On Wed, Feb 11, 2015 at 4:52 PM, Jiten Gore <[email protected]> wrote:
>>>>>> Hi Dima,
>>>>>>
>>>>>> Thanks for the prompt response.
>>>>>>
>>>>>> Here's what we are doing and the error we are seeing:
>>>>>>
>>>>>> Code:
>>>>>> System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
>>>>>> final Configuration hBaseConfig = HBaseConfiguration.create();
>>>>>> hBaseConfig.setInt("timeout", 120000);
>>>>>> hBaseConfig.set("hbase.zookeeper.quorum", "*************");
>>>>>> hBaseConfig.set("hbase.zookeeper.property.clientPort", "2181");
>>>>>> hBaseConfig.set("hadoop.security.authentication", "kerberos");
>>>>>> hBaseConfig.set("hbase.security.authentication", "kerberos");
>>>>>> hBaseConfig.set("hbase.master.kerberos.principal", "*****************");
>>>>>> hBaseConfig.set("hbase.regionserver.kerberos.principal", "*******************");
>>>>>> hBaseConfig.set("hbase.master.keytab.file", "hbase.keytab");
>>>>>> hBaseConfig.set("hbase.regionserver.keytab.file", "hbase.keytab");
>>>>>> UserGroupInformation.setConfiguration(hBaseConfig);
>>>>>>
>>>>>> UserGroupInformation ugi =
>>>>>>     UserGroupInformation.loginUserFromKeytabAndReturnUGI("principle_name", "user.keytab");
>>>>>>
>>>>>>
>>>>>>
>>>>>> Error:
>>>>>>
>>>>>> Exception in thread "main" java.io.IOException: Login failure for <PRINCIPAL_NAME> from keytab
>>>>>>       at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1008)
>>>>>>       at Kerberos.KerberosAuthentication.App.hbase(App.java:32)
>>>>>>       at Kerberos.KerberosAuthentication.App.main(App.java:15)
>>>>>> Caused by: javax.security.auth.login.LoginException: null (68)
>>>>>>       at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:763)
>>>>>>       at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584)
>>>>>>       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>>>>       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>>       at java.lang.reflect.Method.invoke(Method.java:606)
>>>>>>       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
>>>>>>       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
>>>>>>       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
>>>>>>       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
>>>>>>       at java.security.AccessController.doPrivileged(Native Method)
>>>>>>       at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
>>>>>>       at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
>>>>>>       at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:997)
>>>>>>       ... 2 more
>>>>>> Caused by: KrbException: null (68)
>>>>>>       at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
>>>>>>       at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:319)
>>>>>>       at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364)
>>>>>>       at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:735)
>>>>>>       ... 15 more
>>>>>> Caused by: KrbException: Identifier doesn't match expected value (906)
>>>>>>       at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
>>>>>>       at sun.security.krb5.internal.ASRep.init(ASRep.java:65)
>>>>>>       at sun.security.krb5.internal.ASRep.<init>(ASRep.java:60)
>>>>>>       at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
>>>>>> Sent from my iPhone
>>>>>>
>>>>>>> On Feb 11, 2015, at 10:56 AM, Dima Spivak <[email protected]> wrote:
>>>>>>>
>>>>>>> Hey Jiten,
>>>>>>>
>>>>>>> Have you followed the steps outlined in
>>>>>>> http://hbase.apache.org/book.html#hbase.secure.configuration ? What 
>>>>>>> issues
>>>>>>> are you seeing?
>>>>>>>
>>>>>>> -Dima
>>>>>>>
>>>>>>>> On Wed, Feb 11, 2015 at 12:49 PM, Jiten Gore <[email protected]> wrote:
>>>>>>>>
>>>>>>>> We are having difficulties connecting with our Java application to our
>>>>>>>> Kerberized HBase cluster. We are using a keytab file to authenticate.
>>>>>>>>
>>>>>>>> Has anyone successfully connected this way? If you have and can help,
>>>>>>>> please let me know. I can share details about the issue.
>>>>>>>>
>>>>>>>> Best Regards,
>>>>>>>> Jiten
>>>>>>>>
>>>>>>>> Sent from my iPhone
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Thanks,
>>>>> Michael Antonov
>>>
>>>
>>>
>>> --
>>> Thanks,
>>> Michael Antonov
>>
>>
>>
>> --
>> Thanks,
>> Michael Antonov
>>



-- 
Thanks,
Michael Antonov
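
The checks raised in this thread (same OS user as the working kinit shell, keytab readability, JCE policy, a leftover `_HOST`, realm spelling and case in krb5.conf) can be run from inside the same JVM that fails to log in. This is an added example, not code from the thread or from HBase; the class name `KeytabPreflight` and the `/etc/krb5.conf` default are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.crypto.Cipher;

// Added example (hypothetical class, not from the thread): pre-flight checks before a keytab login.
public class KeytabPreflight {
    // Returns default_realm from a krb5.conf file, or null if it is not set.
    static String defaultRealm(Path krb5Conf) throws Exception {
        for (String line : Files.readAllLines(krb5Conf, StandardCharsets.UTF_8)) {
            String t = line.trim();
            if (t.startsWith("default_realm") && t.indexOf('=') >= 0) {
                return t.substring(t.indexOf('=') + 1).trim();
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: KeytabPreflight <principal> <keytab> [krb5.conf]");
            System.exit(2);
        }
        String principal = args[0];
        Path keytab = Paths.get(args[1]).toAbsolutePath();
        // Assumption: /etc/krb5.conf unless a path is given; the JVM reads a different
        // file when -Djava.security.krb5.conf is set.
        Path conf = Paths.get(args.length > 2 ? args[2] : "/etc/krb5.conf");

        // Is this the same OS user as the shell where kinit -k -t succeeds?
        System.out.println("os user      : " + System.getProperty("user.name"));
        // A relative keytab name resolves against the JVM working directory.
        System.out.println("keytab       : " + keytab + " readable=" + Files.isReadable(keytab));
        // Is the unlimited-strength policy active in the JRE that actually runs the app?
        int aes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("jre          : " + System.getProperty("java.home"));
        System.out.println("max AES bits : " + (aes == Integer.MAX_VALUE ? "unlimited" : String.valueOf(aes)));
        // Is a _HOST placeholder still present in the principal string?
        System.out.println("_HOST literal: " + principal.contains("_HOST"));

        // Realm in the principal vs. default_realm, compared case-sensitively.
        int at = principal.lastIndexOf('@');
        String realm = at >= 0 ? principal.substring(at + 1) : null;
        String def = Files.isReadable(conf) ? defaultRealm(conf) : null;
        System.out.println("realm        : principal=" + realm + " default_realm=" + def);
        if (realm != null && def != null && !realm.equals(def)) {
            System.out.println(realm.equalsIgnoreCase(def) ? "  -> differ only in case" : "  -> differ");
        }
    }
}
```

Run it with the same `java` binary, user and working directory as the failing application; adding `-Dsun.security.krb5.debug=true` to the application's own JVM options then prints the JDK's Kerberos trace for the real login.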
