Also, are you running with java opts -Dsun.security.krb5.debug=true? May help.
On Wed, Feb 11, 2015 at 6:34 PM, Mikhail Antonov <[email protected]> wrote: > I believe I had this problem when the unix permissions on keytab file > were incorrect. > > On Wed, Feb 11, 2015 at 6:31 PM, Jiten Gore <[email protected]> wrote: >> We were using username@realm. Changed it to username/host@realm. >> >> The new error log is below: >> >> Exception in thread "main" java.io.IOException: Login failure for >> <username>/<hostname>@<realm> from keytab <path_to_keytab_file_on_local_fs> >> at >> org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1008) >> at Kerberos.KerberosAuthentication.App.hbase(App.java:43) >> at Kerberos.KerberosAuthentication.App.main(App.java:17) >> Caused by: javax.security.auth.login.LoginException: Unable to obtain >> password from user >> >> at >> com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:856) >> at >> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:719) >> at >> com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584) >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >> at >> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) >> at >> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >> at java.lang.reflect.Method.invoke(Method.java:606) >> at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762) >> at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) >> at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690) >> at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688) >> at java.security.AccessController.doPrivileged(Native Method) >> at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687) >> at javax.security.auth.login.LoginContext.login(LoginContext.java:595) >> at >> org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:997) >> ... 2 more >> >> Sent from my iPhone >> >>> On Feb 11, 2015, at 6:14 PM, Mikhail Antonov <[email protected]> wrote: >>> >>> And when you just run 'kinit -k -t ...' with this keytab and >>> principal, it all works? >>> >>> Did you try to pass it as username/hostname@realm? The part after @ >>> should be realm. >>> >>> -Mikhail >>> >>>> On Wed, Feb 11, 2015 at 6:10 PM, Jiten Gore <[email protected]> wrote: >>>> The principal name is of the form <userName>@<host name> >>>> >>>> And yes, the log is complete. >>>> >>>> Thanks, >>>> Jiten >>>> >>>> Sent from my iPhone >>>> >>>>> On Feb 11, 2015, at 5:58 PM, Mikhail Antonov <[email protected]> wrote: >>>>> >>>>> Just checking.. is that full log? Does the principal name have the >>>>> _HOST portion in it? >>>>> >>>>>> On Wed, Feb 11, 2015 at 5:24 PM, Jiten Gore <[email protected]> wrote: >>>>>> Thanks Mikhail. Yes it has been so installed. >>>>>> >>>>>> We downloaded the JCE unlimited encryption jar files and replaced the >>>>>> existing jre jar files. Is there any thing else that we need to do? >>>>>> >>>>>> Sent from my iPhone >>>>>> >>>>>>> On Feb 11, 2015, at 5:08 PM, Mikhail Antonov <[email protected]> >>>>>>> wrote: >>>>>>> >>>>>>> Does your java app has JCE installed with unlimited encryption strength? >>>>>>> >>>>>>> -Mikhail >>>>>>> >>>>>>>> On Wed, Feb 11, 2015 at 4:52 PM, Jiten Gore <[email protected]> wrote: >>>>>>>> Hi Dima, >>>>>>>> >>>>>>>> Thanks for the prompt response. >>>>>>>> >>>>>>>> Here's what we are doing and the error we are seeing: >>>>>>>> >>>>>>>> Code: >>>>>>>> System.setProperty("javax.security.auth.useSubjectCredsOnly", "false"); >>>>>>>> final Configuration hBaseConfig = HBaseConfiguration.create(); >>>>>>>> hBaseConfig.setInt("timeout", 120000); >>>>>>>> hBaseConfig.set("hbase.zookeeper.quorum", "*************"); >>>>>>>> hBaseConfig.set("hbase.zookeeper.property.clientPort", "2181"); >>>>>>>> hBaseConfig.set("hadoop.security.authentication", "kerberos"); >>>>>>>> hBaseConfig.set("hbase.security.authentication", "kerberos"); >>>>>>>> hBaseConfig.set("hbase.master.kerberos.principal", >>>>>>>> "*****************"); >>>>>>>> hBaseConfig.set("hbase.regionserver.kerberos.principal", >>>>>>>> "*******************"); >>>>>>>> hBaseConfig.set("hbase.master.keytab.file", "hbase.keytab"); >>>>>>>> hBaseConfig.set("hbase.regionserver.keytab.file", "hbase.keytab"); >>>>>>>> UserGroupInformation.setConfiguration(hBaseConfig); >>>>>>>> >>>>>>>> UserGroupInformation ugi = >>>>>>>> UserGroupInformation.loginUserFromKeytabAndReturnUGI("principle_name", >>>>>>>> "user.keytab"); >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Error: >>>>>>>> >>>>>>>> Exception in thread "main" java.io.IOException: Login failure for >>>>>>>> <PRINCIPAL_NAME> from keytab >>>>>>>> at >>>>>>>> org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1008) >>>>>>>> at Kerberos.KerberosAuthentication.App.hbase(App.java:32) >>>>>>>> at Kerberos.KerberosAuthentication.App.main(App.java:15) >>>>>>>> Caused by: javax.security.auth.login.LoginException: null (68) >>>>>>>> at >>>>>>>> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:763) >>>>>>>> at >>>>>>>> com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584) >>>>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >>>>>>>> at >>>>>>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) >>>>>>>> at >>>>>>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >>>>>>>> at java.lang.reflect.Method.invoke(Method.java:606) >>>>>>>> at >>>>>>>> javax.security.auth.login.LoginContext.invoke(LoginContext.java:762) >>>>>>>> at >>>>>>>> javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) >>>>>>>> at >>>>>>>> javax.security.auth.login.LoginContext$4.run(LoginContext.java:690) >>>>>>>> at >>>>>>>> javax.security.auth.login.LoginContext$4.run(LoginContext.java:688) >>>>>>>> at java.security.AccessController.doPrivileged(Native Method) >>>>>>>> at >>>>>>>> javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687) >>>>>>>> at >>>>>>>> javax.security.auth.login.LoginContext.login(LoginContext.java:595) >>>>>>>> at >>>>>>>> org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:997) >>>>>>>> ... 2 more >>>>>>>> Caused by: KrbException: null (68) >>>>>>>> at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76) >>>>>>>> at >>>>>>>> sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:319) >>>>>>>> at >>>>>>>> sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364) >>>>>>>> at >>>>>>>> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:735) >>>>>>>> ... 15 more >>>>>>>> Caused by: KrbException: Identifier doesn't match expected value (906) >>>>>>>> at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143) >>>>>>>> at sun.security.krb5.internal.ASRep.init(ASRep.java:65) >>>>>>>> at sun.security.krb5.internal.ASRep.<init>(ASRep.java:60) >>>>>>>> at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60) >>>>>>>> Sent from my iPhone >>>>>>>> >>>>>>>>> On Feb 11, 2015, at 10:56 AM, Dima Spivak <[email protected]> >>>>>>>>> wrote: >>>>>>>>> >>>>>>>>> Hey Jiten, >>>>>>>>> >>>>>>>>> Have you followed the steps outlined in >>>>>>>>> http://hbase.apache.org/book.html#hbase.secure.configuration ? What >>>>>>>>> issues >>>>>>>>> are you seeing? >>>>>>>>> >>>>>>>>> -Dima >>>>>>>>> >>>>>>>>>> On Wed, Feb 11, 2015 at 12:49 PM, Jiten Gore <[email protected]> wrote: >>>>>>>>>> >>>>>>>>>> We are having difficulties connecting with our Java application to >>>>>>>>>> our >>>>>>>>>> Kerberized HBase cluster. We are using a keytab file to authenticate. >>>>>>>>>> >>>>>>>>>> Has anyone successfully connected this way? If you have and can help, >>>>>>>>>> please let me know. I can share details about the issue. >>>>>>>>>> >>>>>>>>>> Best Regards, >>>>>>>>>> Jiten >>>>>>>>>> >>>>>>>>>> Sent from my iPhone >>>>>>> >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Thanks, >>>>>>> Michael Antonov >>>>> >>>>> >>>>> >>>>> -- >>>>> Thanks, >>>>> Michael Antonov >>> >>> >>> >>> -- >>> Thanks, >>> Michael Antonov >>> > > > > -- > Thanks, > Michael Antonov -- Thanks, Michael Antonov
