I believe I had this problem when the unix permissions on keytab file were incorrect.
On Wed, Feb 11, 2015 at 6:31 PM, Jiten Gore <[email protected]> wrote: > We were using username@realm. Changed it to username/host@realm. > > The new error log is below: > > Exception in thread "main" java.io.IOException: Login failure for > <username>/<hostname>@<realm> from keytab <path_to_keytab_file_on_local_fs> > at > org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1008) > at Kerberos.KerberosAuthentication.App.hbase(App.java:43) > at Kerberos.KerberosAuthentication.App.main(App.java:17) > Caused by: javax.security.auth.login.LoginException: Unable to obtain > password from user > > at > com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:856) > at > com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:719) > at > com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:606) > at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762) > at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) > at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690) > at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688) > at java.security.AccessController.doPrivileged(Native Method) > at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687) > at javax.security.auth.login.LoginContext.login(LoginContext.java:595) > at > org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:997) > ... 2 more > > Sent from my iPhone > >> On Feb 11, 2015, at 6:14 PM, Mikhail Antonov <[email protected]> wrote: >> >> And when you just run 'kinit -k -t ...' with this keytab and >> principal, it all works? >> >> Did you try to pass it as username/hostname@realm? The part after @ >> should be realm. >> >> -Mikhail >> >>> On Wed, Feb 11, 2015 at 6:10 PM, Jiten Gore <[email protected]> wrote: >>> The principal name is of the form <userName>@<host name> >>> >>> And yes, the log is complete. >>> >>> Thanks, >>> Jiten >>> >>> Sent from my iPhone >>> >>>> On Feb 11, 2015, at 5:58 PM, Mikhail Antonov <[email protected]> wrote: >>>> >>>> Just checking.. is that full log? Does the principal name have the >>>> _HOST portion in it? >>>> >>>>> On Wed, Feb 11, 2015 at 5:24 PM, Jiten Gore <[email protected]> wrote: >>>>> Thanks Mikhail. Yes it has been so installed. >>>>> >>>>> We downloaded the JCE unlimited encryption jar files and replaced the >>>>> existing jre jar files. Is there any thing else that we need to do? >>>>> >>>>> Sent from my iPhone >>>>> >>>>>> On Feb 11, 2015, at 5:08 PM, Mikhail Antonov <[email protected]> >>>>>> wrote: >>>>>> >>>>>> Does your java app has JCE installed with unlimited encryption strength? >>>>>> >>>>>> -Mikhail >>>>>> >>>>>>> On Wed, Feb 11, 2015 at 4:52 PM, Jiten Gore <[email protected]> wrote: >>>>>>> Hi Dima, >>>>>>> >>>>>>> Thanks for the prompt response. >>>>>>> >>>>>>> Here's what we are doing and the error we are seeing: >>>>>>> >>>>>>> Code: >>>>>>> System.setProperty("javax.security.auth.useSubjectCredsOnly", "false"); >>>>>>> final Configuration hBaseConfig = HBaseConfiguration.create(); >>>>>>> hBaseConfig.setInt("timeout", 120000); >>>>>>> hBaseConfig.set("hbase.zookeeper.quorum", "*************"); >>>>>>> hBaseConfig.set("hbase.zookeeper.property.clientPort", "2181"); >>>>>>> hBaseConfig.set("hadoop.security.authentication", "kerberos"); >>>>>>> hBaseConfig.set("hbase.security.authentication", "kerberos"); >>>>>>> hBaseConfig.set("hbase.master.kerberos.principal", "*****************"); >>>>>>> hBaseConfig.set("hbase.regionserver.kerberos.principal", >>>>>>> "*******************"); >>>>>>> hBaseConfig.set("hbase.master.keytab.file", "hbase.keytab"); >>>>>>> hBaseConfig.set("hbase.regionserver.keytab.file", "hbase.keytab"); >>>>>>> UserGroupInformation.setConfiguration(hBaseConfig); >>>>>>> >>>>>>> UserGroupInformation ugi = >>>>>>> UserGroupInformation.loginUserFromKeytabAndReturnUGI("principle_name", >>>>>>> "user.keytab"); >>>>>>> >>>>>>> >>>>>>> >>>>>>> Error: >>>>>>> >>>>>>> Exception in thread "main" java.io.IOException: Login failure for >>>>>>> <PRINCIPAL_NAME> from keytab >>>>>>> at >>>>>>> org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1008) >>>>>>> at Kerberos.KerberosAuthentication.App.hbase(App.java:32) >>>>>>> at Kerberos.KerberosAuthentication.App.main(App.java:15) >>>>>>> Caused by: javax.security.auth.login.LoginException: null (68) >>>>>>> at >>>>>>> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:763) >>>>>>> at >>>>>>> com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584) >>>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >>>>>>> at >>>>>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) >>>>>>> at >>>>>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >>>>>>> at java.lang.reflect.Method.invoke(Method.java:606) >>>>>>> at >>>>>>> javax.security.auth.login.LoginContext.invoke(LoginContext.java:762) >>>>>>> at >>>>>>> javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) >>>>>>> at >>>>>>> javax.security.auth.login.LoginContext$4.run(LoginContext.java:690) >>>>>>> at >>>>>>> javax.security.auth.login.LoginContext$4.run(LoginContext.java:688) >>>>>>> at java.security.AccessController.doPrivileged(Native Method) >>>>>>> at >>>>>>> javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687) >>>>>>> at >>>>>>> javax.security.auth.login.LoginContext.login(LoginContext.java:595) >>>>>>> at >>>>>>> org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:997) >>>>>>> ... 2 more >>>>>>> Caused by: KrbException: null (68) >>>>>>> at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76) >>>>>>> at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:319) >>>>>>> at >>>>>>> sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364) >>>>>>> at >>>>>>> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:735) >>>>>>> ... 15 more >>>>>>> Caused by: KrbException: Identifier doesn't match expected value (906) >>>>>>> at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143) >>>>>>> at sun.security.krb5.internal.ASRep.init(ASRep.java:65) >>>>>>> at sun.security.krb5.internal.ASRep.<init>(ASRep.java:60) >>>>>>> at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60) >>>>>>> Sent from my iPhone >>>>>>> >>>>>>>> On Feb 11, 2015, at 10:56 AM, Dima Spivak <[email protected]> wrote: >>>>>>>> >>>>>>>> Hey Jiten, >>>>>>>> >>>>>>>> Have you followed the steps outlined in >>>>>>>> http://hbase.apache.org/book.html#hbase.secure.configuration ? What >>>>>>>> issues >>>>>>>> are you seeing? >>>>>>>> >>>>>>>> -Dima >>>>>>>> >>>>>>>>> On Wed, Feb 11, 2015 at 12:49 PM, Jiten Gore <[email protected]> wrote: >>>>>>>>> >>>>>>>>> We are having difficulties connecting with our Java application to our >>>>>>>>> Kerberized HBase cluster. We are using a keytab file to authenticate. >>>>>>>>> >>>>>>>>> Has anyone successfully connected this way? If you have and can help, >>>>>>>>> please let me know. I can share details about the issue. >>>>>>>>> >>>>>>>>> Best Regards, >>>>>>>>> Jiten >>>>>>>>> >>>>>>>>> Sent from my iPhone >>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Thanks, >>>>>> Michael Antonov >>>> >>>> >>>> >>>> -- >>>> Thanks, >>>> Michael Antonov >> >> >> >> -- >> Thanks, >> Michael Antonov >> -- Thanks, Michael Antonov
