https://community.cloudera.com/t5/Support-Questions/Kerberos-Ticket-issue-when-using-cache-type-DIR/m-p/239892#M201698 <P>Hi All,</P><P>We came across a requirement to maintain kerberos ticket for 2 different realms on a single node, at the same time.</P><P>We found that Kerberos supports collection cache types, as on v1.12. We implemented DIR cache type, upon which we are able to generate and maintain tickets for 2 realms at the same time. Klist -A successfully lists both the tickets.</P><P>However, none of the Hadoop clients (hdfs,beeline) are able to find tickets from the DIR cache directory.</P><P>Below is the [libdefaults] cache name config from krb5.conf,</P><PRE>default_ccache_name = DIR:/tmp/tickets</PRE><P>Along with this, we are also setting KRB5CCNAME, KRB5RCACHEDIR, although it shouldn't matter when we already have the same setting in krb5.conf.</P><P>The hadoop clients throw the below error,</P><PRE>javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]</PRE><P>Upon some investigation found that Java Kerberos implementation specifically looks for FILE: type cache, and hadoop is dependent on it.</P><P>However, I am interested to know if there is any workaround to force them to use collection cache types (DIR/API/KEYRING).</P> Tue, 07 May 2019 22:27:20 GMT swathi_desai6 2019-05-07T22:27:20Z