We were using username@realm. Changed it to username/host@realm. The new error log is below:
Exception in thread "main" java.io.IOException: Login failure for <username>/<hostname>@<realm> from keytab <path_to_keytab_file_on_local_fs> at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1008) at Kerberos.KerberosAuthentication.App.hbase(App.java:43) at Kerberos.KerberosAuthentication.App.main(App.java:17) Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:856) at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:719) at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762) at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690) at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687) at javax.security.auth.login.LoginContext.login(LoginContext.java:595) at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:997) ... 2 more Sent from my iPhone > On Feb 11, 2015, at 6:14 PM, Mikhail Antonov <[email protected]> wrote: > > And when you just run 'kinit -k -t ...' with this keytab and > principal, it all works? > > Did you try to pass it as username/hostname@realm? The part after @ > should be realm. > > -Mikhail > >> On Wed, Feb 11, 2015 at 6:10 PM, Jiten Gore <[email protected]> wrote: >> The principal name is of the form <userName>@<host name> >> >> And yes, the log is complete. >> >> Thanks, >> Jiten >> >> Sent from my iPhone >> >>> On Feb 11, 2015, at 5:58 PM, Mikhail Antonov <[email protected]> wrote: >>> >>> Just checking.. is that full log? Does the principal name have the >>> _HOST portion in it? >>> >>>> On Wed, Feb 11, 2015 at 5:24 PM, Jiten Gore <[email protected]> wrote: >>>> Thanks Mikhail. Yes it has been so installed. >>>> >>>> We downloaded the JCE unlimited encryption jar files and replaced the >>>> existing jre jar files. Is there any thing else that we need to do? >>>> >>>> Sent from my iPhone >>>> >>>>> On Feb 11, 2015, at 5:08 PM, Mikhail Antonov <[email protected]> wrote: >>>>> >>>>> Does your java app has JCE installed with unlimited encryption strength? >>>>> >>>>> -Mikhail >>>>> >>>>>> On Wed, Feb 11, 2015 at 4:52 PM, Jiten Gore <[email protected]> wrote: >>>>>> Hi Dima, >>>>>> >>>>>> Thanks for the prompt response. >>>>>> >>>>>> Here's what we are doing and the error we are seeing: >>>>>> >>>>>> Code: >>>>>> System.setProperty("javax.security.auth.useSubjectCredsOnly", "false"); >>>>>> final Configuration hBaseConfig = HBaseConfiguration.create(); >>>>>> hBaseConfig.setInt("timeout", 120000); >>>>>> hBaseConfig.set("hbase.zookeeper.quorum", "*************"); >>>>>> hBaseConfig.set("hbase.zookeeper.property.clientPort", "2181"); >>>>>> hBaseConfig.set("hadoop.security.authentication", "kerberos"); >>>>>> hBaseConfig.set("hbase.security.authentication", "kerberos"); >>>>>> hBaseConfig.set("hbase.master.kerberos.principal", "*****************"); >>>>>> hBaseConfig.set("hbase.regionserver.kerberos.principal", >>>>>> "*******************"); >>>>>> hBaseConfig.set("hbase.master.keytab.file", "hbase.keytab"); >>>>>> hBaseConfig.set("hbase.regionserver.keytab.file", "hbase.keytab"); >>>>>> UserGroupInformation.setConfiguration(hBaseConfig); >>>>>> >>>>>> UserGroupInformation ugi = >>>>>> UserGroupInformation.loginUserFromKeytabAndReturnUGI("principle_name", >>>>>> "user.keytab"); >>>>>> >>>>>> >>>>>> >>>>>> Error: >>>>>> >>>>>> Exception in thread "main" java.io.IOException: Login failure for >>>>>> <PRINCIPAL_NAME> from keytab >>>>>> at >>>>>> org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1008) >>>>>> at Kerberos.KerberosAuthentication.App.hbase(App.java:32) >>>>>> at Kerberos.KerberosAuthentication.App.main(App.java:15) >>>>>> Caused by: javax.security.auth.login.LoginException: null (68) >>>>>> at >>>>>> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:763) >>>>>> at >>>>>> com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584) >>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >>>>>> at >>>>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) >>>>>> at >>>>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >>>>>> at java.lang.reflect.Method.invoke(Method.java:606) >>>>>> at >>>>>> javax.security.auth.login.LoginContext.invoke(LoginContext.java:762) >>>>>> at >>>>>> javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) >>>>>> at >>>>>> javax.security.auth.login.LoginContext$4.run(LoginContext.java:690) >>>>>> at >>>>>> javax.security.auth.login.LoginContext$4.run(LoginContext.java:688) >>>>>> at java.security.AccessController.doPrivileged(Native Method) >>>>>> at >>>>>> javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687) >>>>>> at >>>>>> javax.security.auth.login.LoginContext.login(LoginContext.java:595) >>>>>> at >>>>>> org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:997) >>>>>> ... 2 more >>>>>> Caused by: KrbException: null (68) >>>>>> at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76) >>>>>> at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:319) >>>>>> at >>>>>> sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364) >>>>>> at >>>>>> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:735) >>>>>> ... 15 more >>>>>> Caused by: KrbException: Identifier doesn't match expected value (906) >>>>>> at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143) >>>>>> at sun.security.krb5.internal.ASRep.init(ASRep.java:65) >>>>>> at sun.security.krb5.internal.ASRep.<init>(ASRep.java:60) >>>>>> at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60) >>>>>> Sent from my iPhone >>>>>> >>>>>>> On Feb 11, 2015, at 10:56 AM, Dima Spivak <[email protected]> wrote: >>>>>>> >>>>>>> Hey Jiten, >>>>>>> >>>>>>> Have you followed the steps outlined in >>>>>>> http://hbase.apache.org/book.html#hbase.secure.configuration ? What >>>>>>> issues >>>>>>> are you seeing? >>>>>>> >>>>>>> -Dima >>>>>>> >>>>>>>> On Wed, Feb 11, 2015 at 12:49 PM, Jiten Gore <[email protected]> wrote: >>>>>>>> >>>>>>>> We are having difficulties connecting with our Java application to our >>>>>>>> Kerberized HBase cluster. We are using a keytab file to authenticate. >>>>>>>> >>>>>>>> Has anyone successfully connected this way? If you have and can help, >>>>>>>> please let me know. I can share details about the issue. >>>>>>>> >>>>>>>> Best Regards, >>>>>>>> Jiten >>>>>>>> >>>>>>>> Sent from my iPhone >>>>> >>>>> >>>>> >>>>> -- >>>>> Thanks, >>>>> Michael Antonov >>> >>> >>> >>> -- >>> Thanks, >>> Michael Antonov > > > > -- > Thanks, > Michael Antonov >
