at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:856)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:719)
Krb5LoginModule falls back to asking user for password when it's either not
configured to use keytabs, or can't find/read one. Do you have a JAAS conf file
set up? You'd need to set useKeyTab=true and keyTab=<path> there.

-Mikhail

On Wed, Feb 11, 2015 at 6:50 PM, Jiten Gore <[email protected]> wrote:
> Currently, running from a Windows computer from within Eclipse. So
> permissions should not be an issue.
>
> Just set the property:
> System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
>
> And got this output:
> Java config name: null
> Native config name: C:\Windows\krb5.ini
> getRealmFromDNS: trying <realm>
> getRealmFromDNS: trying <realm>
> Java config name: null
> Native config name: C:\Windows\krb5.ini
>>>> KdcAccessibility: reset
>>>> KdcAccessibility: reset
>>>> KeyTabInputStream, readName(): <REALM>
>>>> KeyTabInputStream, readName(): <username>
>>>> KeyTab: load() entry length: 53; type: 23
>>>> KeyTabInputStream, readName(): <REALM>
>>>> KeyTabInputStream, readName(): <username>
>>>> KeyTab: load() entry length: 69; type: 18
>>>> KeyTabInputStream, readName(): <REALM>
>>>> KeyTabInputStream, readName(): <username>
>>>> KeyTab: load() entry length: 53; type: 17
> Ordering keys wrt default_tkt_enctypes list
> Using builtin default etypes for default_tkt_enctypes
> default etypes for default_tkt_enctypes: 17 16 23 1 3.
> Exception in thread "main" java.io.IOException: Login failure for <username>/<hostname>@<REALM> from keytab <path_to_keytab_file>
>     at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1008)
>     at Kerberos.KerberosAuthentication.App.hbase(App.java:44)
>     at Kerberos.KerberosAuthentication.App.main(App.java:17)
> Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user
>
>     at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:856)
>     at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:719)
>     at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:606)
>     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
>     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
>     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
>     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
>     at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
>     at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:997)
>     ... 2 more
> LSA: Found Ticket
> LSA: Made NewWeakGlobalRef
> LSA: Found PrincipalName
> LSA: Made NewWeakGlobalRef
> LSA: Found DerValue
> LSA: Made NewWeakGlobalRef
> LSA: Found EncryptionKey
> LSA: Made NewWeakGlobalRef
> LSA: Found TicketFlags
> LSA: Made NewWeakGlobalRef
> LSA: Found KerberosTime
> LSA: Made NewWeakGlobalRef
> LSA: Found String
> LSA: Made NewWeakGlobalRef
> LSA: Found DerValue constructor
> LSA: Found Ticket constructor
> LSA: Found PrincipalName constructor
> LSA: Found EncryptionKey constructor
> LSA: Found TicketFlags constructor
> LSA: Found KerberosTime constructor
> LSA: Finished OnLoad processing
>
> Sent from my iPhone
>
>> On Feb 11, 2015, at 6:29 PM, Mikhail Antonov <[email protected]> wrote:
>>
>> Interesting.
>>
>> Your Java program runs under the same user, as shall for kinit?
>> Anything in /var/log/krb5kdc.log (with debug logging on)?
>>
>>> On Wed, Feb 11, 2015 at 6:17 PM, Jiten Gore <[email protected]> wrote:
>>> The host names in libdefaults and realms in krb5.conf exactly match the
>>> host name used in the principal name.
>>>
>>> From command line, we are able to get the TGT using the following command:
>>> kinit -k -t <keytab> -p <username>
>>>
>>> Sent from my iPhone
>>>
>>>> On Feb 11, 2015, at 6:01 PM, Mikhail Antonov <[email protected]> wrote:
>>>>
>>>> Another thing to check are [libdefaults] and [realms] sections in
>>>> krb5.conf, in case there's any typo or wrong case in there.
>>>>
>>>> You can get the TGT from the kinit command using this keytab, right?
>>>>
>>>> -Mikhail
>>>>
>>>>> On Wed, Feb 11, 2015 at 5:58 PM, Mikhail Antonov <[email protected]> wrote:
>>>>> Just checking.. is that full log? Does the principal name have the
>>>>> _HOST portion in it?
>>>>>
>>>>>> On Wed, Feb 11, 2015 at 5:24 PM, Jiten Gore <[email protected]> wrote:
>>>>>> Thanks Mikhail. Yes it has been so installed.
>>>>>>
>>>>>> We downloaded the JCE unlimited encryption jar files and replaced the
>>>>>> existing jre jar files. Is there anything else that we need to do?
>>>>>>
>>>>>> Sent from my iPhone
>>>>>>
>>>>>>> On Feb 11, 2015, at 5:08 PM, Mikhail Antonov <[email protected]> wrote:
>>>>>>>
>>>>>>> Does your Java app have JCE installed with unlimited encryption strength?
>>>>>>>
>>>>>>> -Mikhail
>>>>>>>
>>>>>>>> On Wed, Feb 11, 2015 at 4:52 PM, Jiten Gore <[email protected]> wrote:
>>>>>>>> Hi Dima,
>>>>>>>>
>>>>>>>> Thanks for the prompt response.
>>>>>>>>
>>>>>>>> Here's what we are doing and the error we are seeing:
>>>>>>>>
>>>>>>>> Code:
>>>>>>>> System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
>>>>>>>> final Configuration hBaseConfig = HBaseConfiguration.create();
>>>>>>>> hBaseConfig.setInt("timeout", 120000);
>>>>>>>> hBaseConfig.set("hbase.zookeeper.quorum", "*************");
>>>>>>>> hBaseConfig.set("hbase.zookeeper.property.clientPort", "2181");
>>>>>>>> hBaseConfig.set("hadoop.security.authentication", "kerberos");
>>>>>>>> hBaseConfig.set("hbase.security.authentication", "kerberos");
>>>>>>>> hBaseConfig.set("hbase.master.kerberos.principal", "*****************");
>>>>>>>> hBaseConfig.set("hbase.regionserver.kerberos.principal", "*******************");
>>>>>>>> hBaseConfig.set("hbase.master.keytab.file", "hbase.keytab");
>>>>>>>> hBaseConfig.set("hbase.regionserver.keytab.file", "hbase.keytab");
>>>>>>>> UserGroupInformation.setConfiguration(hBaseConfig);
>>>>>>>>
>>>>>>>> UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI("principle_name", "user.keytab");
>>>>>>>>
>>>>>>>> Error:
>>>>>>>>
>>>>>>>> Exception in thread "main" java.io.IOException: Login failure for <PRINCIPAL_NAME> from keytab
>>>>>>>>     at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1008)
>>>>>>>>     at Kerberos.KerberosAuthentication.App.hbase(App.java:32)
>>>>>>>>     at Kerberos.KerberosAuthentication.App.main(App.java:15)
>>>>>>>> Caused by: javax.security.auth.login.LoginException: null (68)
>>>>>>>>     at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:763)
>>>>>>>>     at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584)
>>>>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>>>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>>>>     at java.lang.reflect.Method.invoke(Method.java:606)
>>>>>>>>     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
>>>>>>>>     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
>>>>>>>>     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
>>>>>>>>     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
>>>>>>>>     at java.security.AccessController.doPrivileged(Native Method)
>>>>>>>>     at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
>>>>>>>>     at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
>>>>>>>>     at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:997)
>>>>>>>>     ... 2 more
>>>>>>>> Caused by: KrbException: null (68)
>>>>>>>>     at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
>>>>>>>>     at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:319)
>>>>>>>>     at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364)
>>>>>>>>     at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:735)
>>>>>>>>     ... 15 more
>>>>>>>> Caused by: KrbException: Identifier doesn't match expected value (906)
>>>>>>>>     at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
>>>>>>>>     at sun.security.krb5.internal.ASRep.init(ASRep.java:65)
>>>>>>>>     at sun.security.krb5.internal.ASRep.<init>(ASRep.java:60)
>>>>>>>>     at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
>>>>>>>> Sent from my iPhone
>>>>>>>>
>>>>>>>>> On Feb 11, 2015, at 10:56 AM, Dima Spivak <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>> Hey Jiten,
>>>>>>>>>
>>>>>>>>> Have you followed the steps outlined in
>>>>>>>>> http://hbase.apache.org/book.html#hbase.secure.configuration ? What
>>>>>>>>> issues are you seeing?
>>>>>>>>>
>>>>>>>>> -Dima
>>>>>>>>>
>>>>>>>>>> On Wed, Feb 11, 2015 at 12:49 PM, Jiten Gore <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>> We are having difficulties connecting with our Java application to
>>>>>>>>>> our Kerberized HBase cluster. We are using a keytab file to authenticate.
>>>>>>>>>>
>>>>>>>>>> Has anyone successfully connected this way? If you have and can help,
>>>>>>>>>> please let me know. I can share details about the issue.
>>>>>>>>>>
>>>>>>>>>> Best Regards,
>>>>>>>>>> Jiten
>>>>>>>>>>
>>>>>>>>>> Sent from my iPhone
>>>>>>>
>>>>>>> --
>>>>>>> Thanks,
>>>>>>> Michael Antonov
>>>>>
>>>>> --
>>>>> Thanks,
>>>>> Michael Antonov
>>>>
>>>> --
>>>> Thanks,
>>>> Michael Antonov
>>
>> --
>> Thanks,
>> Michael Antonov
>>

--
Thanks,
Michael Antonov
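
The useKeyTab and keyTab settings named in the reply at the top of this thread, as an added example that is not part of the original messages: a stand-alone Java check that builds the equivalent Krb5LoginModule entry in memory, verifies the keytab is readable first, and sets doNotPrompt so the module fails rather than asking for a password. The class name KeytabLoginCheck and the entry name KeytabLogin are hypothetical; the principal and keytab path are taken from the command line.

```java
import java.nio.file.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.login.*;

/** Hypothetical helper (added example): keytab-only JAAS login with no password prompt. */
public class KeytabLoginCheck {

    /** In-memory equivalent of a JAAS conf entry for Krb5LoginModule. */
    static Configuration keytabConfig(String principal, Path keytab) {
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");          // take the key from a keytab
        opts.put("keyTab", keytab.toString());  // absolute path, independent of the working directory
        opts.put("principal", principal);       // must match an entry in the keytab
        opts.put("doNotPrompt", "true");        // fail instead of asking for a password
        opts.put("storeKey", "true");           // keep the key in the Subject's private credentials
        opts.put("debug", "true");              // print the module's decisions to stdout
        AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    static Subject login(String principal, String keytabPath) throws LoginException {
        Path keytab = Paths.get(keytabPath).toAbsolutePath().normalize();
        // Catch the "can't find/read one" case before the login module does.
        if (!Files.isRegularFile(keytab) || !Files.isReadable(keytab)) {
            throw new LoginException("Keytab missing or unreadable: " + keytab);
        }
        LoginContext ctx = new LoginContext("KeytabLogin", null, null,
                keytabConfig(principal, keytab));
        ctx.login(); // throws LoginException if no usable key is found for the principal
        return ctx.getSubject();
    }

    public static void main(String[] args) throws LoginException {
        if (args.length != 2) {
            System.err.println("usage: KeytabLoginCheck <principal> <keytab>");
            return;
        }
        System.out.println("Principals: " + login(args[0], args[1]).getPrincipals());
    }
}
```

Running it with the same principal and keytab that work for kinit separates a keytab or path problem from a Hadoop or HBase configuration problem.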
