Contributor
Posts: 42
Registered: ‎05-12-2016

Re: impala - kerberosed - jdbc connection from SQL Workbench on Windows

Do you have KRB5CCNAME in your system right now or not?
Explorer
Posts: 15
Registered: ‎09-18-2017

Re: impala - kerberosed - jdbc connection from SQL Workbench on Windows

Yes we have the environment variable set:

KRB5CCNAME: C:\KerberosTickets.txt

 

We also tried removing it for the JAAS conf requirement.

We have the env variable set currently

Explorer
Posts: 15
Registered: ‎09-18-2017

Re: impala - kerberosed - jdbc connection from SQL Workbench on Windows

Hi,

 

We added the path of CacheCredential in the JAAS file and then re-ran the R script, setting the environment variable for the JAAS file in R.

Now we're running into the following error:

Error in .jcall(drv@jdrv, "Ljava/sql/Connection;", "connect", as.character(url)[1], : 
  java.sql.SQLException: [Cloudera][HiveJDBCDriver](500164) Error initialized or created transport for authentication: [Cloudera][HiveJDBCDriver](500169) Unable to connect to server: GSS initiate failed.

 

GSS initiate failed. I have JCE installed.

Explorer
Posts: 15
Registered: ‎09-18-2017

Re: impala - kerberosed - jdbc connection from SQL Workbench on Windows

Hi,

 

We're getting the following error in java:

 

null credentials from Ticket Cache
            [Krb5LoginModule] authentication failed
Unable to obtain password from user

Exception in thread "main" java.sql.SQLException: [Cloudera][HiveJDBCDriver](500166) Error creating login context using JAAS configuration: Unable to obtain password from user
.
      at com.cloudera.hiveserver2.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
      at com.cloudera.hiveserver2.hivecommon.api.ZooKeeperEnabledExtendedHS2Factory.createClient(Unknown Source)
      at com.cloudera.hiveserver2.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
      at com.cloudera.hiveserver2.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
      at com.cloudera.hiveserver2.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
      at com.cloudera.hiveserver2.jdbc.common.AbstractDriver.connect(Unknown Source)
      at java.sql.DriverManager.getConnection(Unknown Source)
      at java.sql.DriverManager.getConnection(Unknown Source)
Caused by: com.cloudera.hiveserver2.support.exceptions.GeneralException: [Cloudera][HiveJDBCDriver](500166) Error creating login context using JAAS configuration: Unable to obtain password from user
.
      ... 8 more
Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user

      at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown Source)
      at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
      at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
      at java.lang.reflect.Method.invoke(Unknown Source)
      at javax.security.auth.login.LoginContext.invoke(Unknown Source)
      at javax.security.auth.login.LoginContext.access$000(Unknown Source)
      at javax.security.auth.login.LoginContext$4.run(Unknown Source)
      at javax.security.auth.login.LoginContext$4.run(Unknown Source)
      at java.security.AccessController.doPrivileged(Native Method)
      at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
      at javax.security.auth.login.LoginContext.login(Unknown Source)
      at com.cloudera.hiveserver2.jdbc.kerberos.Kerberos.getSubjectViaJAASConfig(Unknown Source)
      at com.cloudera.hiveserver2.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
      at com.cloudera.hiveserver2.hivecommon.api.ZooKeeperEnabledExtendedHS2Factory.createClient(Unknown Source)
      at com.cloudera.hiveserver2.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
      at com.cloudera.hiveserver2.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
      at com.cloudera.hiveserver2.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
      at com.cloudera.hiveserver2.jdbc.common.AbstractDriver.connect(Unknown Source)
      at java.sql.DriverManager.getConnection(Unknown Source)
      at java.sql.DriverManager.getConnection(Unknown Source)
      at HiveConnection.main(HiveConnection.java:26)

Explorer
Posts: 15
Registered: ‎09-18-2017

Re: impala - kerberosed - jdbc connection from SQL Workbench on Windows

Hi,

 

It seems I installed the 64-bit JCE, but the 32-bit one was required. That solved my issue in Java, but I'm still facing an issue running it in R. Can you please help me resolve this issue?

I guess that R is not able to use the JCE policy files.

Explorer
Posts: 15
Registered: ‎09-18-2017

Re: impala - kerberosed - jdbc connection from SQL Workbench on Windows

Note we're getting the following error: 

Error in .jcall(drv@jdrv, "Ljava/sql/Connection;", "connect", as.character(url)[1], : 
  java.sql.SQLException: [Cloudera][HiveJDBCDriver](500164) Error initialized or created transport for authentication: [Cloudera][HiveJDBCDriver](500169) Unable to connect to server: GSS initiate failed.
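
Added example, not part of the thread and not Cloudera's code: the driver's "GSS initiate failed" message hides the Kerberos error underneath, so this script triages JVM output produced with `-Dsun.security.krb5.debug=true`, extracting the realms tried, each KRBError, and whether a krb5 config was reported as loaded. The sample log lines, the EXAMPLE.COM realms and all function names are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed samples shaped like JVM output with -Dsun.security.krb5.debug=true.
# Realms and hosts are placeholders, not values from the thread.
FAILING_LOG = r"""
Native config name: C:\WINDOWS\krb5.ini
>>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/example.CO.IN@EXAMPLE.COM
>>>KRBError:
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/example.CO.IN@EXAMPLE.COM
msgType is 30
>>> Credentials acquireServiceCreds: inner loop: [1] tempService=krbtgt/CO.IN@EXAMPLE.COM
>>>KRBError:
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/CO.IN@EXAMPLE.COM
msgType is 30
>>> Credentials acquireServiceCreds: no tgt; cannot get creds
KrbException: Fail to create credential. (63) - No service creds
"""

WORKING_LOG = r"""
Native config name: C:\WINDOWS\krb5.ini
Loaded from native config
>>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/CORP.EXAMPLE.COM@EXAMPLE.COM
>>> Credentials acquireServiceCreds: got tgt
>>> Credentials acquireServiceCreds: got right tgt
>>> Credentials acquireServiceCreds: obtaining service creds for impala/host1@CORP.EXAMPLE.COM
"""

TEMP_SERVICE = re.compile(r"tempService=(\S+)")
OBTAINING = re.compile(r"obtaining service creds for (\S+)")
ERR_FIELD = re.compile(r"^(error code|sname) is (.+)$")
KRBTGT = re.compile(r"^krbtgt/([^@]+)@")


@dataclass
class Triage:
    config_loaded: bool = False                   # saw a "Loaded from ..." line
    attempts: list = field(default_factory=list)  # tempService principals tried
    errors: list = field(default_factory=list)    # (error code, sname) per KRBError
    service_principal: str = ""                   # principal a ticket was requested for
    failed: bool = False                          # "cannot get creds" was reached


def triage(log):
    t = Triage()
    block = None                                  # fields of the KRBError being read
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("Loaded from "):
            t.config_loaded = True
        elif line.startswith(">>>KRBError"):
            block = {}
        elif block is not None and (m := ERR_FIELD.match(line)):
            block[m.group(1)] = m.group(2)
        elif block is not None and line.startswith("msgType is"):
            t.errors.append((int(block.get("error code", "-1")), block.get("sname", "")))
            block = None
        elif "cannot get creds" in line:
            t.failed = True
        elif m := TEMP_SERVICE.search(line):
            t.attempts.append(m.group(1))
        elif m := OBTAINING.search(line):
            t.service_principal = m.group(1)
    return t


def unknown_realms(t):
    """Target realms the KDC rejected with error 7 (KDC_ERR_S_PRINCIPAL_UNKNOWN)."""
    realms = []
    for code, sname in t.errors:
        m = KRBTGT.match(sname)
        if code == 7 and m and m.group(1) not in realms:
            realms.append(m.group(1))
    return realms


def diagnose(t):
    findings = []
    if not t.config_loaded:
        findings.append("no 'Loaded from' line: the JVM did not report reading a "
                        "krb5 config ([domain_realm] mappings unavailable)")
    realms = unknown_realms(t)
    if realms:
        findings.append("KDC has no cross-realm krbtgt for: " + ", ".join(realms))
    if t.failed:
        findings.append("no service ticket obtained (surfaces as 'GSS initiate failed')")
    elif t.service_principal:
        findings.append("service ticket requested for " + t.service_principal)
    return findings


if __name__ == "__main__":
    for name, log in (("failing", FAILING_LOG), ("working", WORKING_LOG)):
        print(name, *diagnose(triage(log)), sep="\n  - ")
```
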

 

Explorer
Posts: 15
Registered: ‎09-18-2017

Re: impala - kerberosed - jdbc connection from SQL Workbench on Windows

Hi,

I've looked into the Kerberos logs of the code. Below are my debug results:

1) In R, where we get the GSS initiate failed error:

> library(rJava)
> .jinit(,"-Dsun.security.krb5.debug=true")
> #.jaddClassPath("C:/Program Files/Java/jdk1.8.0_101/jre/lib/security/local_policy.jar")
> #.jaddClassPath("C:/Program Files/Java/jdk1.8.0_101/jre/lib/security/US_export_policy.jar")
> #.jaddClassPath("D:/KerberosConfigrationFile/gss-jaas.conf")
> .jaddClassPath("D:/Project/FAM/Workspace/TestImpala/bin")
> v<-.jnew("TestClassPath")
> impala_conn <-.jcall(v,returnSig = "S","getImpalaConnection")
Test Impala start-----****
>>>KinitOptions cache name is C:\Users\user\krb5cc_user
>>>DEBUG <CCacheInputStream> client principal is user1@COMPANY.COM
>>>DEBUG <CCacheInputStream> server principal is krbtgt/COMPANY.COM@COMPANY.COM
>>>DEBUG <CCacheInputStream> key type: 18
>>>DEBUG <CCacheInputStream> auth time: Thu Sep 28 11:29:07 IST 2017
>>>DEBUG <CCacheInputStream> start time: Thu Sep 28 11:29:07 IST 2017
>>>DEBUG <CCacheInputStream> end time: Thu Sep 28 21:29:07 IST 2017
>>>DEBUG <CCacheInputStream> renew_till time: null
>>> CCacheInputStream: readFlags() INITIAL; PRE_AUTH;
Host address is /xx.xxx.xx.xx
...
>>> KrbCreds found the default ticket granting ticket in credential cache.
Java config name: null
Native config name: C:\WINDOWS\krb5.ini
>>> Obtained TGT from LSA: Credentials:
client=user@COMPANY.COM
server=krbtgt/COMPANY.COM@COMPANY.COM
flags=INITIAL;PRE-AUTHENT
EType (skey)=18
(tkt key)=18
log4j:WARN No appenders could be found for logger (org.apache.thrift.transport.TSaslTransport).
log4j:WARN Please initialize the log4j system properly.
Found ticket for user@COMPANY.COM to go to krbtgt/COMPANY.COM@COMPANY.COM expiring on Thu Sep 28 21:29:07 IST 2017
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for user@COMPANY.COM to go to krbtgt/COMPANY.COM@COMPANY.COM expiring on Thu Sep 28 21:29:07 IST 2017
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/company.CO.IN@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KdcAccessibility: reset
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=blopedcgintl001.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1622
>>> KDCCommunication: kdc=blopedcgintl001.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1622
>>>DEBUG: TCPClient reading 109 bytes
>>> KrbKdcReq send: #bytes read=109
>>> KdcAccessibility: remove blopedcgintl001.company.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu Sep 28 15:45:34 IST 2017 1506593734000
suSec is 469828
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/company.CO.IN@COMPANY.COM
msgType is 30
>>> Credentials acquireServiceCreds: no tgt; searching thru capath
>>> Credentials acquireServiceCreds: inner loop: [1] tempService=krbtgt/COMPANY.COM@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=blropicgintl002.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1622
>>> KDCCommunication: kdc=blropicgintl002.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1622
>>>DEBUG: TCPClient reading 1573 bytes
>>> KrbKdcReq send: #bytes read=1573
>>> KdcAccessibility: remove blropicgintl002.company.com.:88
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> Credentials acquireServiceCreds: got tgt
>>> Credentials acquireServiceCreds: continuing with main loop counter reset to 1
>>> Credentials acquireServiceCreds: main loop: [1] tempService=krbtgt/company.CO.IN@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=phxgggcgcorp001.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1597
>>> KDCCommunication: kdc=phxgggcgcorp001.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1597
>>>DEBUG: TCPClient reading 104 bytes
>>> KrbKdcReq send: #bytes read=104
>>> KdcAccessibility: remove phxgggcgcorp001.company.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu Sep 28 15:45:37 IST 2017 1506593737000
suSec is 579366
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/company.CO.IN@COMPANY.COM
msgType is 30
>>> Credentials acquireServiceCreds: no tgt; searching thru capath
>>> Credentials acquireServiceCreds: inner loop: [2] tempService=krbtgt/COMPANY.COM@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=tisgtgl01sdcg02.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1592
>>> KDCCommunication: kdc=tisgtgl01sdcg02.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1592
>>>DEBUG: TCPClient reading 99 bytes
>>> KrbKdcReq send: #bytes read=99
>>> KdcAccessibility: remove tisgtgl01sdcg02.company.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu Sep 28 15:45:39 IST 2017 1506593739000
suSec is 369350
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/COMPANY.COM@CORP.FIRSTAM.COM
msgType is 30
>>> Credentials acquireServiceCreds: inner loop: [3] tempService=krbtgt/COM@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=snatytcgcorp102.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1583
>>> KDCCommunication: kdc=snatytcgcorp102.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1583
>>>DEBUG: TCPClient reading 91 bytes
>>> KrbKdcReq send: #bytes read=91
>>> KdcAccessibility: remove snatytcgcorp102.company.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu Sep 28 15:45:41 IST 2017 1506593741000
suSec is 179778
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/COM@CORP.COMPANY.COM
msgType is 30
>>> Credentials acquireServiceCreds: inner loop: [4] tempService=krbtgt/IN@CORP.COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=jfkvpdfrforp001.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1583
>>> KDCCommunication: kdc=jfkvpdfrforp001.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1583
>>>DEBUG: TCPClient reading 90 bytes
>>> KrbKdcReq send: #bytes read=90
>>> KdcAccessibility: remove jfkvpdfrforp001.company.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/IN@CORP.COMPANY.COM
msgType is 30
>>> Credentials acquireServiceCreds: inner loop: [5] tempService=krbtgt/CO.IN@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=tinfrfc01sdcg01.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1586
>>> KDCCommunication: kdc=tinfrfc01sdcg01.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1586
>>>DEBUG: TCPClient reading 93 bytes
>>> KrbKdcReq send: #bytes read=93
>>> KdcAccessibility: remove tinfrfc01sdcg01.company.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu Sep 28 15:45:44 IST 2017 1506593744000
suSec is 422560
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/CO.IN@CORP.COMPANY.COM
msgType is 30
>>> Credentials acquireServiceCreds: no tgt; cannot get creds
KrbException: Fail to create credential. (63) - No service creds
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:156)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:458)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:693)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192)
at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94)
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:253)
at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
at com.cloudera.hivecommon.api.HiveServerPrivilegedAction.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:360)
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createClient(Unknown Source)
at com.cloudera.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
at com.cloudera.impala.core.ImpalaJDBCConnection.establishConnection(Unknown Source)
at com.cloudera.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
at com.cloudera.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
at com.cloudera.jdbc.common.AbstractDriver.connect(Unknown Source)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:270)
at TestClassPath.getImpalaConnection(TestClassPath.java:20)
java.sql.SQLException: [Simba][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed.
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createClient(Unknown Source)
at com.cloudera.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
at com.cloudera.impala.core.ImpalaJDBCConnection.establishConnection(Unknown Source)
at com.cloudera.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
at com.cloudera.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
at com.cloudera.jdbc.common.AbstractDriver.connect(Unknown Source)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:270)
Caused by: com.cloudera.support.exceptions.GeneralException: [Simba][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed.
... 9 more
Caused by: java.lang.RuntimeException: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed
at com.cloudera.hivecommon.api.HiveServerPrivilegedAction.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:360)
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createClient(Unknown Source)
at com.cloudera.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
at com.cloudera.impala.core.ImpalaJDBCConnection.establishConnection(Unknown Source)
at com.cloudera.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
at com.cloudera.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
at com.cloudera.jdbc.common.AbstractDriver.connect(Unknown Source)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:270)
at TestClassPath.getImpalaConnection(TestClassPath.java:20)
Caused by: org.apache.thrift.transport.TTransportException: GSS initiate failed
at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:221)
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:297)
at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
... 13 more
Test Impala End
> impala_conn
[1] "Test Impala"

 

2) In Java, when the krb5.ini file was not in place, we got the error:

Test Impala start-----****
>>>KinitOptions cache name is C:\Users\user1\krb5cc_user
>>>DEBUG <CCacheInputStream> client principal is user1@COMPANY.COM
>>>DEBUG <CCacheInputStream> server principal is krbtgt/COMPANY.COM
>>>DEBUG <CCacheInputStream> key type: 18
>>>DEBUG <CCacheInputStream> auth time: Thu Sep 28 11:29:07 IST 2017
>>>DEBUG <CCacheInputStream> start time: Thu Sep 28 11:29:07 IST 2017
>>>DEBUG <CCacheInputStream> end time: Thu Sep 28 21:29:07 IST 2017
>>>DEBUG <CCacheInputStream> renew_till time: null
>>> CCacheInputStream: readFlags() INITIAL; PRE_AUTH;
Host address is /xx.xxx.xx.xx
...
>>> KrbCreds found the default ticket granting ticket in credential cache.
Java config name: null
Native config name: C:\WINDOWS\krb5.ini
>>> Obtained TGT from LSA: Credentials:
client=user1@COMPANY.COM
server=krbtgt/COMPANY.COM
flags=INITIAL;PRE-AUTHENT
EType (skey)=18
(tkt key)=18
log4j:WARN No appenders could be found for logger (org.apache.thrift.transport.TSaslTransport).
log4j:WARN Please initialize the log4j system properly.
Found ticket for user1@COMPANY.COM to go to krbtgt/COMPANY.COM expiring on Thu Sep 28 21:29:07 IST 2017
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for user1@COMPANY.COM to go to krbtgt/COMPANY.COM expiring on Thu Sep 28 21:29:07 IST 2017
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/company1.co.in@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KdcAccessibility: reset
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=blrppdcgintl002.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1622
>>> KDCCommunication: kdc=blrppdcgintl002.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1622
>>>DEBUG: TCPClient reading 109 bytes
>>> KrbKdcReq send: #bytes read=109
>>> KdcAccessibility: remove blrppdcgintl002.company.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu Sep 28 16:11:03 IST 2017 1506595263000
suSec is 629484
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/company1.co.in@COMPANY.COM
msgType is 30
>>> Credentials acquireServiceCreds: no tgt; searching thru capath
>>> Credentials acquireServiceCreds: inner loop: [1] tempService=krbtgt/CORP.COM@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=blrppdcgintl002.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1622
>>> KDCCommunication: kdc=blrppdcgintl002.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1622
>>>DEBUG: TCPClient reading 1573 bytes
>>> KrbKdcReq send: #bytes read=1573
>>> KdcAccessibility: remove blrppdcgintl002.company.com.:88
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> Credentials acquireServiceCreds: got tgt
>>> Credentials acquireServiceCreds: continuing with main loop counter reset to 1
>>> Credentials acquireServiceCreds: main loop: [1] tempService=krbtgt/company1.co.in@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=tincfdc01sdcg01.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1597
>>> KDCCommunication: kdc=tincfdc01sdcg01.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1597
>>>DEBUG: TCPClient reading 104 bytes
>>> KrbKdcReq send: #bytes read=104
>>> KdcAccessibility: remove tincfdc01sdcg01.company.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu Sep 28 16:11:06 IST 2017 1506595266000
suSec is 385440
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/company1.co.in@COMPANY.COM
msgType is 30
>>> Credentials acquireServiceCreds: no tgt; searching thru capath
>>> Credentials acquireServiceCreds: inner loop: [2] tempService=krbtgt/COMPANY@CORP.COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=snapascgcorp102.comapny.com. TCP:88, timeout=30000, number of retries =3, #bytes=1592
>>> KDCCommunication: kdc=snapascgcorp102.comapny.com. TCP:88, timeout=30000,Attempt =1, #bytes=1592
>>>DEBUG: TCPClient reading 99 bytes
>>> KrbKdcReq send: #bytes read=99
>>> KdcAccessibility: remove snapascgcorp102.comapny.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu Sep 28 16:11:08 IST 2017 1506595268000
suSec is 888723
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/COMPANY@CORP.COMPANY.COM
msgType is 30
>>> Credentials acquireServiceCreds: inner loop: [3] tempService=krbtgt/COM@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=fahwerl01vdcg02.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1584
>>> KDCCommunication: kdc=fahwerl01vdcg02.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1584
>>>DEBUG: TCPClient reading 91 bytes
>>> KrbKdcReq send: #bytes read=91
>>> KdcAccessibility: remove fahwerl01vdcg02.company.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu Sep 28 16:11:09 IST 2017 1506595269000
suSec is 350172
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/COM@CORP.FIRSTAM.COM
msgType is 30
>>> Credentials acquireServiceCreds: inner loop: [4] tempService=krbtgt/IN@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=snprrdcgcorp101.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1583
>>> KDCCommunication: kdc=snprrdcgcorp101.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1583
>>>DEBUG: TCPClient reading 90 bytes
>>> KrbKdcReq send: #bytes read=90
>>> KdcAccessibility: remove snprrdcgcorp101.company.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu Sep 28 16:11:11 IST 2017 1506595271000
suSec is 821544
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/IN@COMPANY.COM
msgType is 30
>>> Credentials acquireServiceCreds: inner loop: [5] tempService=krbtgt/CO.IN@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=snareecgcorp003.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1586
>>> KDCCommunication: kdc=snareecgcorp003.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1586
>>>DEBUG: TCPClient reading 93 bytes
>>> KrbKdcReq send: #bytes read=93
>>> KdcAccessibility: remove snareecgcorp003.company.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu Sep 28 16:11:12 IST 2017 1506595272000
suSec is 316872
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/CO.IN@COMPANY.COM
msgType is 30
>>> Credentials acquireServiceCreds: no tgt; cannot get creds
KrbException: Fail to create credential. (63) - No service creds
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94)
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:253)
at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
at com.cloudera.hivecommon.api.HiveServerPrivilegedAction.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createClient(Unknown Source)
at com.cloudera.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
at com.cloudera.impala.core.ImpalaJDBCConnection.establishConnection(Unknown Source)
at com.cloudera.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
at com.cloudera.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
at com.cloudera.jdbc.common.AbstractDriver.connect(Unknown Source)
at java.sql.DriverManager.getConnection(Unknown Source)
at java.sql.DriverManager.getConnection(Unknown Source)
at TestClassPath.getImpalaConnection(TestClassPath.java:21)
at TestClassPath.main(TestClassPath.java:41)
java.sql.SQLException: [Simba][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed.
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createClient(Unknown Source)
at com.cloudera.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
at com.cloudera.impala.core.ImpalaJDBCConnection.establishConnection(Unknown Source)
at com.cloudera.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
at com.cloudera.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
at com.cloudera.jdbc.common.AbstractDriver.connect(Unknown Source)
at java.sql.DriverManager.getConnection(Unknown Source)
at java.sql.DriverManager.getConnection(Unknown Source)
at TestClassPath.getImpalaConnection(TestClassPath.java:21)
Caused by: com.cloudera.support.exceptions.GeneralException: [Simba][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed.
... 10 more
Caused by: java.lang.RuntimeException: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed
at com.cloudera.hivecommon.api.HiveServerPrivilegedAction.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createClient(Unknown Source)
at com.cloudera.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
at com.cloudera.impala.core.ImpalaJDBCConnection.establishConnection(Unknown Source)
at com.cloudera.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
at com.cloudera.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
at com.cloudera.jdbc.common.AbstractDriver.connect(Unknown Source)
at java.sql.DriverManager.getConnection(Unknown Source)
at java.sql.DriverManager.getConnection(Unknown Source)
at TestClassPath.getImpalaConnection(TestClassPath.java:21)
at TestClassPath.main(TestClassPath.java:41)
Caused by: org.apache.thrift.transport.TTransportException: GSS initiate failed
at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:221)
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:297)
at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
... 14 more
Test Impala End

  

3) In Java, the working code.

Test Impala start-----****
>>>KinitOptions cache name is C:\Users\user1\krb5cc_user
>>>DEBUG <CCacheInputStream> client principal is user1@COMPANY.COM
>>>DEBUG <CCacheInputStream> server principal is krbtgt/COMPANY.COM
>>>DEBUG <CCacheInputStream> key type: 18
>>>DEBUG <CCacheInputStream> auth time: Thu Sep 28 11:29:07 IST 2017
>>>DEBUG <CCacheInputStream> start time: Thu Sep 28 11:29:07 IST 2017
>>>DEBUG <CCacheInputStream> end time: Thu Sep 28 21:29:07 IST 2017
>>>DEBUG <CCacheInputStream> renew_till time: null
>>> CCacheInputStream: readFlags() INITIAL; PRE_AUTH;
Host address is /xx.xxx.xx.xx
...
>>> KrbCreds found the default ticket granting ticket in credential cache.
Java config name: null
Native config name: C:\WINDOWS\krb5.ini
Loaded from native config
>>> Obtained TGT from LSA: Credentials:
client=user@COMPANY.COM
server=krbtgt/COMPANY@COMPANY.COM
flags=INITIAL;PRE-AUTHENT
EType (skey)=18
(tkt key)=18
Found ticket for user@COMPANY.COM to go to krbtgt/COMPANY.COM@COMPANY.COM expiring on Thu Sep 28 21:29:07 IST 2017
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for user@COMPANY.COM to go to krbtgt/COMPANY.COM@COMPANY.COM expiring on Thu Sep 28 21:29:07 IST 2017
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/COMPANY.COM@COMPANY.COM
default etypes for default_tgs_enctypes: 18 17 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KdcAccessibility: reset
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=inttyna09vdcg01.company.com.. TCP:88, timeout=30000, number of retries =3, #bytes=1619
>>> KDCCommunication: kdc=inttyna09vdcg01.company.com.. TCP:88, timeout=30000,Attempt =1, #bytes=1619
>>>DEBUG: TCPClient reading 1573 bytes
>>> KrbKdcReq send: #bytes read=1573
>>> KdcAccessibility: remove inttyna09vdcg01.company.com.:88
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> Credentials acquireServiceCreds: got tgt
>>> Credentials acquireServiceCreds: got right tgt
>>> Credentials acquireServiceCreds: obtaining service creds for impala/hostname@CORP.COMPANY.COM
default etypes for default_tgs_enctypes: 18 17 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=snappfrgcorp101.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1610
>>> KDCCommunication: kdc=snappfrgcorp101.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1610
>>>DEBUG: TCPClient reading 1630 bytes
>>> KrbKdcReq send: #bytes read=1630
>>> KdcAccessibility: remove snappfrgcorp101.company.com.:88
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> Credentials acquireServiceCreds: returning creds:
>>> DEBUG: ----Credentials----
client: user@COMPANY.COM
server: impala/hostname@CORP.COMPANY.COM
ticket: sname: impala/hostname@CORP.COMPANY.COM
startTime: 1506595126000
endTime: 1506614347000
----Credentials end----
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 293786502
Created InitSecContextToken:
0000: 01 00 6E 82 05 FE 30 82 05 FA A0 03 02 01 05 A1 ..n...0.........
0010: 03 02 01 0E A2 07 03 05 00 20 00 00 00 A3 82 05 ......... ......

Krb5Context.wrap: data=[01 01 00 00 ]
Krb5Context.wrap: token=[60 30 06 09 2a 86 48 86 f7 12 01 02 02 02 01 11 00 ff ff ff ff 71 1a 06 60 97 6b e4 e7 35 7d 2a d4 a7 53 4a d5 5e ce 9f 9b 87 7c 18 a3 01 01 00 00 01 ]

Connecting with jdbc:impala://connectionstring:21050/db;AuthMech=1;KrbRealm=_HOST@COMPANY.COM;KrbHostFQDN=host;KrbServiceName=impala;KrbAuthType=2

document
epr_lineage
infa_hstg_lookup_name_785113698026062326
infa_hstg_lookup_property_785113698026062326
infa_hstg_lookup_reference_785113698026062326
infa_hstg_read_document_4045257916572541191
infa_hstg_read_document_5426399195748447698
infa_hstg_read_document_785113698026062326

 ....

 

Please see the logs above and help me resolve the issue.

I've changed the company and domain names

Note: I'm trying to run the code from a Windows environment, and the complete setup of all applications is on CentOS. I have R and RStudio on Windows in the same network.
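An added example, not part of the original post: a small parser that summarizes which Kerberos encryption type each ticket request used in JDK debug output like the log above, and flags single-DES or RC4-HMAC legs. Attributing each `>>> EType:` line to the most recent "obtaining service creds for" line is an assumption of this sketch, and the function names are hypothetical.

```python
import re

# Kerberos etype numbers (RFC 3961/3962/4757) for the JDK class names that
# appear on ">>> EType:" lines of the Kerberos debug output.
ETYPE_BY_CLASS = {
    "Aes256CtsHmacSha1EType": 18, "Aes128CtsHmacSha1EType": 17,
    "ArcFourHmacEType": 23, "Des3CbcHmacSha1KdEType": 16,
    "DesCbcMd5EType": 3, "DesCbcCrcEType": 1,
}
WEAK_ETYPES = {1, 3, 23}  # single DES and RC4-HMAC

# Lines copied from the log in the post above (names were already anonymized there).
SAMPLE_LOG = """\
>>>DEBUG <CCacheInputStream> key type: 18
default etypes for default_tgs_enctypes: 18 17 23.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> Credentials acquireServiceCreds: got right tgt
>>> Credentials acquireServiceCreds: obtaining service creds for impala/hostname@CORP.COMPANY.COM
default etypes for default_tgs_enctypes: 18 17 23.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> Credentials acquireServiceCreds: returning creds:
"""

def summarize(log_text):
    """Return the cached TGT key type, the client's permitted etypes and the etypes seen per leg."""
    summary = {"cache_key_type": None, "permitted": [], "legs": {}}
    leg = "tgt"  # assumption: EType lines before any service request belong to the TGT leg
    for line in log_text.splitlines():
        if m := re.search(r"key type: (\d+)", line):
            summary["cache_key_type"] = int(m.group(1))
        elif m := re.search(r"default etypes for \w+: ([\d ]+)\.", line):
            summary["permitted"] = [int(n) for n in m.group(1).split()]
        elif m := re.search(r"obtaining service creds for (\S+)", line):
            leg = m.group(1)
        elif m := re.search(r"EType: \S+\.(\w+)\s*$", line):
            etype = ETYPE_BY_CLASS.get(m.group(1))  # None when the class is not in the table
            summary["legs"].setdefault(leg, set()).add(etype)
    return summary

def weak_legs(summary):
    """Ticket legs that used an etype listed in WEAK_ETYPES."""
    return sorted(leg for leg, used in summary["legs"].items() if used & WEAK_ETYPES)

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(result, "weak legs:", weak_legs(result))
```

On the sample lines it reports etype 18 (AES256) for the TGT leg and etype 23 (RC4-HMAC) for the cross-realm `impala/hostname@CORP.COMPANY.COM` service ticket.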

Explorer
Posts: 15
Registered: ‎09-18-2017

Re: impala - kerberosed - jdbc connection from SQL Workbench on Windows

Hi,

 

I installed CDSW workbench on a CentOS machine and also installed R there. The code worked there without any error. The encryption method of the ticket was not the problem there.

 

But on the Windows machine, the code worked for Java but not R. Probably R is not able to decrypt the content of the ticket, which Java is able to do. Has anyone come across a similar problem? What encryption code/process does R use, and how is it different from Java on Windows?

 

Thanks

Contributor
Posts: 42
Registered: ‎05-12-2016

Re: impala - kerberosed - jdbc connection from SQL Workbench on Windows

Can you try to kinit at the beginning of your script, in R e.g.
system("kinit username@REALM.COM -k -t username.keytab")

Have you generated keytab on your own or got it from admin?