We have two domain forests in our environment, ABC and XYZ, and we were not able to authenticate normal users from either domain. Most of the relevant information is on the Cloudera website, so you might want to check there first to see if anything matches your issue.
- CDH5-Security-Guide/cdh5sg_troubleshooting
- CDH5-Security-Guide/cdh5sg_debug_sun_kerberos_enable
- CDH5-Security-Guide/cdh5sg_ldap_mapping
Since none of them fit our issue, we had to slog it out.
Even after successfully getting a TGT from Active Directory, we get an error when we try to execute hadoop fs -ls /.
- We have added the Trusted Kerberos Realms ABC.MYDOMAIN.COM and XYZ.MYDOMAIN.COM in Cloudera Manager, and restarted the cluster.
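On the client side, both realms also have to be resolvable through /etc/krb5.conf. A minimal sketch of the relevant sections (the KDC hostnames below are placeholders, not our actual domain controllers):

```ini
[realms]
  ABC.MYDOMAIN.COM = {
    kdc = abc-dc.abc.mydomain.com
    admin_server = abc-dc.abc.mydomain.com
  }
  XYZ.MYDOMAIN.COM = {
    kdc = xyz-dc.xyz.mydomain.com
    admin_server = xyz-dc.xyz.mydomain.com
  }

[domain_realm]
  .abc.mydomain.com = ABC.MYDOMAIN.COM
  .xyz.mydomain.com = XYZ.MYDOMAIN.COM
```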
- When we use the keytab (auto-generated by Cloudera Manager), we are able to execute hadoop fs -ls /.
Here is how the hdfs user is working.
[root@my-edge-server ~]# su - hdfs
[hdfs@my-edge-server ~]$ kinit -kt hdfs.keytab \
hdfs/my-edge-server.subdomain.in.mydomain.com@XYZ.MYDOMAIN.COM
[hdfs@my-edge-server ~]$ klist -e
Ticket cache: FILE:/tmp/krb5cc_496
Default principal: hdfs/my-edge-server.subdomain.in.mydomain.com@XYZ.MYDOMAIN.COM
Valid starting Expires Service principal
09/11/15 10:44:31 09/11/15 20:44:31 krbtgt/XYZ.MYDOMAIN.COM@XYZ.MYDOMAIN.COM
renew until 09/18/15 10:44:31, Etype (skey, tkt): arcfour-hmac, aes256-cts-hmac-sha1-96
[hdfs@my-edge-server ~]$ hadoop fs -ls /
Found 6 items
drwxr-xr-x - hdfs supergroup 0 2015-05-29 15:32 /benchmarks
drwxr-xr-x - hbase hbase 0 2015-09-11 09:11 /hbase
drwxrwxr-x - solr solr 0 2015-05-29 11:49 /solr
drwxrwxrwx - hdfs supergroup 0 2015-09-10 10:29 /tmp
drwxr-xr-x - hdfs supergroup 0 2015-05-29 16:22 /use
drwxrwxr-x - hdfs supergroup 0 2015-09-10 11:36 /user
[hdfs@my-edge-server ~]$
Here is the complete error for a user in ABC.MYDOMAIN.COM; we get a similar error from the XYZ domain as well.
[root@my-edge-server ~]# kinit ahmed-user@ABC.MYDOMAIN.COM
Password for ahmed-user@ABC.MYDOMAIN.COM:
[root@my-edge-server ~]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ahmed-user@ABC.MYDOMAIN.COM
Valid starting Expires Service principal
09/11/15 10:31:16 09/11/15 20:31:22 krbtgt/ABC.MYDOMAIN.COM@ABC.MYDOMAIN.COM
renew until 09/18/15 10:31:16, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
Before you execute the command below, set HADOOP_OPTS to get more verbose output for debugging.
[root@my-edge-server ~]# export HADOOP_OPTS="-Dsun.security.krb5.debug=true"
Then we execute the command.
[root@my-edge-server ~]# hadoop fs -ls /
Java config name: null
Native config name: /etc/krb5.conf
Loaded from native config
KinitOptions cache name is /tmp/krb5cc_0
DEBUG CCacheInputStream client principal is ahmed-user@ABC.MYDOMAIN.COM
DEBUG CCacheInputStream server principal is krbtgt/ABC.MYDOMAIN.COM@ABC.MYDOMAIN.COM
DEBUG CCacheInputStream key type: 18
DEBUG CCacheInputStream auth time: Fri Sep 11 10:31:22 BST 2015
DEBUG CCacheInputStream start time: Fri Sep 11 10:31:16 BST 2015
DEBUG CCacheInputStream end time: Fri Sep 11 20:31:22 BST 2015
DEBUG CCacheInputStream renew_till time: Fri Sep 18 10:31:16 BST 2015
CCacheInputStream: readFlags() FORWARDABLE; RENEWABLE; INITIAL; PRE_AUTH;
unsupported key type found the default TGT: 18
15/09/11 10:31:39 WARN security.UserGroupInformation:
PriviledgedActionException as:root (auth:KERBEROS)
cause:javax.security.sasl.SaslException:
GSS initiate failed [Caused by GSSException: No valid credentials provided
(Mechanism level: Failed to find any Kerberos tgt)]
15/09/11 10:31:39 WARN ipc.Client: Exception encountered while connecting to the server :
javax.security.sasl.SaslException:
GSS initiate failed [Caused by GSSException: No valid credentials provided
(Mechanism level: Failed to find any Kerberos tgt)]
15/09/11 10:31:39 WARN security.UserGroupInformation:
PriviledgedActionException as:root (auth:KERBEROS)
cause:java.io.IOException: javax.security.sasl.SaslException:
GSS initiate failed [Caused by GSSException: No valid credentials provided
(Mechanism level: Failed to find any Kerberos tgt)]
15/09/11 10:31:39 WARN security.UserGroupInformation:
PriviledgedActionException as:root (auth:KERBEROS)
cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException:
No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
15/09/11 10:31:39 WARN ipc.Client: Exception encountered while connecting to the server :
javax.security.sasl.SaslException: GSS initiate failed
[Caused by GSSException: No valid credentials provided
(Mechanism level: Failed to find any Kerberos tgt)]
15/09/11 10:31:39 WARN security.UserGroupInformation:
PriviledgedActionException as:root (auth:KERBEROS)
cause:java.io.IOException: javax.security.sasl.SaslException:
GSS initiate failed [Caused by GSSException: No valid credentials provided
(Mechanism level: Failed to find any Kerberos tgt)]
15/09/11 10:31:39 INFO retry.RetryInvocationHandler:
Exception while invoking getFileInfo of class ClientNamenodeProtocolTranslatorPB
over master-node.subdomain.in.mydomain.com/172.14.14.11:8020 after 1 fail over attempts.
Trying to fail over immediately.
java.io.IOException: Failed on local exception: java.io.IOException:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException:
No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)];
Host Details : local host is: "my-edge-server.subdomain.in.mydomain.com/172.14.14.8";
destination host is: "master-node.subdomain.in.mydomain.com":8020;
at org.apache.hadoop.net.NetUtils.wrapException(NetUtils.java:772)
at org.apache.hadoop.ipc.Client.call(Client.java:1472)
at org.apache.hadoop.ipc.Client.call(Client.java:1399)
at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:232)
at com.sun.proxy.$Proxy9.getFileInfo(Unknown Source)
at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.getFileInfo
(ClientNamenodeProtocolTranslatorPB.java:752)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:187)
at org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:102)
at com.sun.proxy.$Proxy10.getFileInfo(Unknown Source)
at org.apache.hadoop.hdfs.DFSClient.getFileInfo(DFSClient.java:1982)
at org.apache.hadoop.hdfs.DistributedFileSystem$18.doCall(DistributedFileSystem.java:1128)
at org.apache.hadoop.hdfs.DistributedFileSystem$18.doCall(DistributedFileSystem.java:1124)
at org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkResolver.java:81)
at org.apache.hadoop.hdfs.DistributedFileSystem.getFileStatus(DistributedFileSystem.java:1124)
at org.apache.hadoop.fs.Globber.getFileStatus(Globber.java:57)
at org.apache.hadoop.fs.Globber.glob(Globber.java:265)
at org.apache.hadoop.fs.FileSystem.globStatus(FileSystem.java:1625)
at org.apache.hadoop.fs.shell.PathData.expandAsGlob(PathData.java:326)
at org.apache.hadoop.fs.shell.Command.expandArgument(Command.java:224)
at org.apache.hadoop.fs.shell.Command.expandArguments(Command.java:207)
at org.apache.hadoop.fs.shell.Command.processRawArguments(Command.java:190)
at org.apache.hadoop.fs.shell.Command.run(Command.java:154)
at org.apache.hadoop.fs.FsShell.run(FsShell.java:287)
at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:70)
at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:84)
at org.apache.hadoop.fs.FsShell.main(FsShell.java:340)
Caused by: java.io.IOException: javax.security.sasl.SaslException:
GSS initiate failed [Caused by GSSException: No valid credentials provided
(Mechanism level: Failed to find any Kerberos tgt)]
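The key line in the debug output above is "unsupported key type found the default TGT: 18". The number is a Kerberos encryption-type ID; 18 is AES-256, which a stock Oracle JDK cannot use without the unlimited-strength JCE policy (Solution 2 below). A small shell sketch of the common IDs, taken from RFC 3961/3962 and RFC 4757 (the helper function name is ours, not part of any Kerberos tool):

```shell
#!/bin/sh
# Map a Kerberos enctype ID (as printed by the sun.security.krb5 debug
# output) to its name. IDs per RFC 3961, RFC 3962 and RFC 4757.
enctype_name() {
  case "$1" in
    1)  echo "des-cbc-crc" ;;
    3)  echo "des-cbc-md5" ;;
    17) echo "aes128-cts-hmac-sha1-96" ;;
    18) echo "aes256-cts-hmac-sha1-96" ;;
    23) echo "arcfour-hmac" ;;
    *)  echo "unknown ($1)" ;;
  esac
}

enctype_name 18   # the "unsupported" type in the debug output above
enctype_name 23   # the type our keytab workaround uses
```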
Solution 1:
[ahmed-user@my-edge-server ~]$ kinit ahmed-user@ABC.MYDOMAIN.COM
Password for ahmed-user@ABC.MYDOMAIN.COM:
[ahmed-user@my-edge-server ~]$ klist -e
Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: ahmed-user@ABC.MYDOMAIN.COM
Valid starting Expires Service principal
09/11/15 11:38:46 09/11/15 21:38:54 krbtgt/ABC.MYDOMAIN.COM@ABC.MYDOMAIN.COM
renew until 09/18/15 11:38:46, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
But the cluster was expecting the session key (skey) to be arcfour-hmac. So, using ktutil, we created a keytab with arcfour-hmac, and then it started working.
[ahmed-user@my-edge-server ~]$ ktutil
addent -password -p ahmed-user@ABC.MYDOMAIN.COM -k 1 -e RC4-HMAC
enter password for ahmed-user
wkt ahmed-user_new.keytab
quit
[ahmed-user@my-edge-server ~]$
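The ktutil session above can also be prepared as a command file instead of being typed interactively. A hedged sketch (the path /tmp/ktutil_script is our choice; when ktutil's stdin is redirected, addent reads the password from the next input line, so you would append it there yourself, which we omit here):

```shell
#!/bin/sh
# Write the ktutil commands to a file; RC4-HMAC is the enctype the
# cluster expects for the session key.
cat > /tmp/ktutil_script <<'EOF'
addent -password -p ahmed-user@ABC.MYDOMAIN.COM -k 1 -e RC4-HMAC
wkt ahmed-user_new.keytab
quit
EOF

# On a host with the krb5 workstation tools installed, feed it to ktutil
# (after adding the password line below addent):
# ktutil < /tmp/ktutil_script
cat /tmp/ktutil_script
```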
[ahmed-user@my-edge-server ~]$ kinit -kt ahmed-user_new.keytab ahmed-user@ABC.MYDOMAIN.COM
[ahmed-user@my-edge-server ~]$ klist -e
Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: ahmed-user@ABC.MYDOMAIN.COM
Valid starting Expires Service principal
09/11/15 11:45:29 09/11/15 21:45:30 krbtgt/ABC.MYDOMAIN.COM@ABC.MYDOMAIN.COM
renew until 09/18/15 11:45:29, Etype (skey, tkt): arcfour-hmac, aes256-cts-hmac-sha1-96
We had already created a home directory for ahmed-user using the hdfs superuser.
[ahmed-user@my-edge-server ~]$ hadoop fs -ls /
Found 6 items
drwxr-xr-x - hdfs supergroup 0 2015-05-29 15:32 /benchmarks
drwxr-xr-x - hbase hbase 0 2015-09-11 09:11 /hbase
drwxrwxr-x - solr solr 0 2015-05-29 11:49 /solr
drwxrwxrwx - hdfs supergroup 0 2015-09-10 10:29 /tmp
drwxr-xr-x - hdfs supergroup 0 2015-05-29 16:22 /use
drwxrwxr-x - hdfs supergroup 0 2015-09-10 11:36 /user
[ahmed-user@my-edge-server ~]$ hadoop fs -mkdir /user/ahmed-user/test_directory
[ahmed-user@my-edge-server ~]$ hadoop fs -ls /user/ahmed-user
Found 2 items
drwx------ - ahmed-user ahmed-user 0 2015-09-11 11:17 /user/ahmed-user/.staging
drwxr-xr-x - ahmed-user ahmed-user 0 2015-09-11 11:45 /user/ahmed-user/test_directory
[ahmed-user@my-edge-server ~]$
Solution 2:
Add the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files to the JDK on all the nodes, and make sure the policy file version matches the installed Java version.
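A sketch of where the policy jars go (the JAVA_HOME fallback and the JDK 7/8 jre/lib/security layout are assumptions; the actual path depends on how the JDK was installed on your nodes):

```shell
#!/bin/sh
# Locate the security directory that should receive the JCE
# local_policy.jar and US_export_policy.jar on every node.
JAVA_SECURITY="${JAVA_HOME:-/usr/java/default}/jre/lib/security"
echo "Install the unlimited-strength policy jars into: $JAVA_SECURITY"

# After downloading the JCE zip matching your JDK major version:
# unzip UnlimitedJCEPolicyJDK7.zip
# cp UnlimitedJCEPolicy/local_policy.jar \
#    UnlimitedJCEPolicy/US_export_policy.jar \
#    "$JAVA_SECURITY/"
```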