Currently, running from a windows computer from within Eclipse. So permissions
should not be an issue.
Just set the property:
System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
And got this output:
Java config name: null
Native config name: C:\Windows\krb5.ini
getRealmFromDNS: trying <realm>
getRealmFromDNS: trying <realm>
Java config name: null
Native config name: C:\Windows\krb5.ini
>>> KdcAccessibility: reset
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): <REALM>
>>> KeyTabInputStream, readName(): <username>
>>> KeyTab: load() entry length: 53; type: 23
>>> KeyTabInputStream, readName(): <REALM>
>>> KeyTabInputStream, readName(): <username>
>>> KeyTab: load() entry length: 69; type: 18
>>> KeyTabInputStream, readName(): <REALM>
>>> KeyTabInputStream, readName(): <username>
>>> KeyTab: load() entry length: 53; type: 17
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23 1 3.
Exception in thread "main" java.io.IOException: Login failure for
<username>/<hostname>@<REALM> from keytab <path_to_keytab_file>
at
org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1008)
at Kerberos.KerberosAuthentication.App.hbase(App.java:44)
at Kerberos.KerberosAuthentication.App.main(App.java:17)
Caused by: javax.security.auth.login.LoginException: Unable to obtain password
from user
at
com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:856)
at
com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:719)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
at
org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:997)
... 2 more
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
Sent from my iPhone
> On Feb 11, 2015, at 6:29 PM, Mikhail Antonov <[email protected]> wrote:
>
> Interesting.
>
> Your java program runs under the same user, as shall for kinit?
> Anything in /var/log/krb5kdc.log (with debug logging on)?
>
>> On Wed, Feb 11, 2015 at 6:17 PM, Jiten Gore <[email protected]> wrote:
>> The host names in libdefaults and realms in krb5.conf exactly match the host
>> name used in the principal name.
>>
>> From command line, we are able to get the TGT using the following command:
>> kinit -k -t <keytab> -p <username>
>>
>> Sent from my iPhone
>>
>>> On Feb 11, 2015, at 6:01 PM, Mikhail Antonov <[email protected]> wrote:
>>>
>>> Another thing to check are [libdefaults] and [realms] sections in
>>> krb5.conf, in case there's any typo or wrong case in there.
>>>
>>> You can get the TGT from the kinit command using this keytab, right?
>>>
>>> -Mikhail
>>>
>>>> On Wed, Feb 11, 2015 at 5:58 PM, Mikhail Antonov <[email protected]>
>>>> wrote:
>>>> Just checking.. is that full log? Does the principal name have the
>>>> _HOST portion in it?
>>>>
>>>>> On Wed, Feb 11, 2015 at 5:24 PM, Jiten Gore <[email protected]> wrote:
>>>>> Thanks Mikhail. Yes it has been so installed.
>>>>>
>>>>> We downloaded the JCE unlimited encryption jar files and replaced the
>>>>> existing jre jar files. Is there any thing else that we need to do?
>>>>>
>>>>> Sent from my iPhone
>>>>>
>>>>>> On Feb 11, 2015, at 5:08 PM, Mikhail Antonov <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>> Does your java app has JCE installed with unlimited encryption strength?
>>>>>>
>>>>>> -Mikhail
>>>>>>
>>>>>>> On Wed, Feb 11, 2015 at 4:52 PM, Jiten Gore <[email protected]> wrote:
>>>>>>> Hi Dima,
>>>>>>>
>>>>>>> Thanks for the prompt response.
>>>>>>>
>>>>>>> Here's what we are doing and the error we are seeing:
>>>>>>>
>>>>>>> Code:
>>>>>>> System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
>>>>>>> final Configuration hBaseConfig = HBaseConfiguration.create();
>>>>>>> hBaseConfig.setInt("timeout", 120000);
>>>>>>> hBaseConfig.set("hbase.zookeeper.quorum", "*************");
>>>>>>> hBaseConfig.set("hbase.zookeeper.property.clientPort", "2181");
>>>>>>> hBaseConfig.set("hadoop.security.authentication", "kerberos");
>>>>>>> hBaseConfig.set("hbase.security.authentication", "kerberos");
>>>>>>> hBaseConfig.set("hbase.master.kerberos.principal", "*****************");
>>>>>>> hBaseConfig.set("hbase.regionserver.kerberos.principal",
>>>>>>> "*******************");
>>>>>>> hBaseConfig.set("hbase.master.keytab.file", "hbase.keytab");
>>>>>>> hBaseConfig.set("hbase.regionserver.keytab.file", "hbase.keytab");
>>>>>>> UserGroupInformation.setConfiguration(hBaseConfig);
>>>>>>>
>>>>>>> UserGroupInformation ugi =
>>>>>>> UserGroupInformation.loginUserFromKeytabAndReturnUGI("principle_name",
>>>>>>> "user.keytab");
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Error:
>>>>>>>
>>>>>>> Exception in thread "main" java.io.IOException: Login failure for
>>>>>>> <PRINCIPAL_NAME> from keytab
>>>>>>> at
>>>>>>> org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1008)
>>>>>>> at Kerberos.KerberosAuthentication.App.hbase(App.java:32)
>>>>>>> at Kerberos.KerberosAuthentication.App.main(App.java:15)
>>>>>>> Caused by: javax.security.auth.login.LoginException: null (68)
>>>>>>> at
>>>>>>> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:763)
>>>>>>> at
>>>>>>> com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584)
>>>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>> at
>>>>>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>>>>> at
>>>>>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>>> at java.lang.reflect.Method.invoke(Method.java:606)
>>>>>>> at
>>>>>>> javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
>>>>>>> at
>>>>>>> javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
>>>>>>> at
>>>>>>> javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
>>>>>>> at
>>>>>>> javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
>>>>>>> at java.security.AccessController.doPrivileged(Native Method)
>>>>>>> at
>>>>>>> javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
>>>>>>> at
>>>>>>> javax.security.auth.login.LoginContext.login(LoginContext.java:595)
>>>>>>> at
>>>>>>> org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:997)
>>>>>>> ... 2 more
>>>>>>> Caused by: KrbException: null (68)
>>>>>>> at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
>>>>>>> at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:319)
>>>>>>> at
>>>>>>> sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364)
>>>>>>> at
>>>>>>> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:735)
>>>>>>> ... 15 more
>>>>>>> Caused by: KrbException: Identifier doesn't match expected value (906)
>>>>>>> at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
>>>>>>> at sun.security.krb5.internal.ASRep.init(ASRep.java:65)
>>>>>>> at sun.security.krb5.internal.ASRep.<init>(ASRep.java:60)
>>>>>>> at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
>>>>>>> Sent from my iPhone
>>>>>>>
>>>>>>>> On Feb 11, 2015, at 10:56 AM, Dima Spivak <[email protected]> wrote:
>>>>>>>>
>>>>>>>> Hey Jiten,
>>>>>>>>
>>>>>>>> Have you followed the steps outlined in
>>>>>>>> http://hbase.apache.org/book.html#hbase.secure.configuration ? What
>>>>>>>> issues
>>>>>>>> are you seeing?
>>>>>>>>
>>>>>>>> -Dima
>>>>>>>>
>>>>>>>>> On Wed, Feb 11, 2015 at 12:49 PM, Jiten Gore <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>> We are having difficulties connecting with our Java application to our
>>>>>>>>> Kerberized HBase cluster. We are using a keytab file to authenticate.
>>>>>>>>>
>>>>>>>>> Has anyone successfully connected this way? If you have and can help,
>>>>>>>>> please let me know. I can share details about the issue.
>>>>>>>>>
>>>>>>>>> Best Regards,
>>>>>>>>> Jiten
>>>>>>>>>
>>>>>>>>> Sent from my iPhone
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Thanks,
>>>>>> Michael Antonov
>>>>
>>>>
>>>>
>>>> --
>>>> Thanks,
>>>> Michael Antonov
>>>
>>>
>>>
>>> --
>>> Thanks,
>>> Michael Antonov
>
>
>
> --
> Thanks,
> Michael Antonov
>
