https://community.cloudera.com/t5/Support-Questions/How-One-way-Trust-works-MIT-KDC-to-Active-Directory/m-p/382820#M244706 <P><SPAN>traffic analysis shows an error </SPAN></P><P><SPAN>KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN </SPAN></P><P><SPAN>requests to dfs from a user in MIT KDC are successfully executed </SPAN></P><P><SPAN>Checking</SPAN></P><P><SPAN>./</SPAN><SPAN>hdfs groups </SPAN></P><P><SPAN>returns the correct set of groups </SPAN></P><P><SPAN>but the AD user's requests after kinit return the above error</SPAN></P> Mon, 29 Jan 2024 11:26:49 GMT avs2211 2024-01-29T11:26:49Z https://community.cloudera.com/t5/Support-Questions/How-One-way-Trust-works-MIT-KDC-to-Active-Directory/m-p/382788#M244692 <P>I read the <A href="https://community.cloudera.com/t5/Community-Articles/One-Way-Trust-MIT-KDC-to-Active-Directory/ta-p/247638" target="_self">article&nbsp;</A></P><P>But I can't understand a few things</P><P>1. I have<BR />a Hadoop (3.1.3)<BR />MIT KDC cluster on a separate server<BR />Active Directory for<BR />server users with hadoop is not included in the domain</P><P>2. All hadoop NN, DN, JN, etc. services are launched using the keytabs created for them and are working successfully</P><P>3. any requests from the user from AD fall with an error</P><P>2024-01-27 15:56:07,949 DEBUG security.SaslRpcClient: Sending sasl message state: NEGOTIATE</P><P>2024-01-27 15:56:07,950 DEBUG security.SaslRpcClient: Get token info proto:interface org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolPB info:@org.apache.hadoop.security.token.TokenInfo(value=class org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenSelector)<BR />2024-01-27 15:56:07,951 DEBUG security.SaslRpcClient: tokens aren't supported for this protocol or user doesn't have one<BR />2024-01-27 15:56:07,951 DEBUG security.SaslRpcClient: Get kerberos info proto:interface org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolPB info:@org.apache.hadoop.security.KerberosInfo(clientPrincipal=, serverPrincipal=dfs.namenode.kerberos.principal)<BR />2024-01-27 15:56:07,953 DEBUG security.SaslRpcClient: RPC Server's Kerberos principal name for protocol=org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolPB is hdfs/hadoop01dev.local@HADOOP.LOCAL<BR />2024-01-27 15:56:07,953 DEBUG security.SaslRpcClient: Creating SASL GSSAPI(KERBEROS) client to authenticate to service at hadoop01dev.local<BR />2024-01-27 15:56:07,955 DEBUG security.SaslRpcClient: Use KERBEROS authentication for protocol ClientNamenodeProtocolPB<BR />2024-01-27 15:56:07,987 DEBUG security.UserGroupInformation: PrivilegedActionException as:user1@AD.LOCAL (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]</P><P>single-party trust between AD and MIT KDC is set up<BR />I can't understand what algorithm works in this scheme for users in AD&nbsp;through kinit they get a ticket to AD, but how do they get into hadoop, which works with MIT KDC tickets?<BR />It turns out that after authentication via kinit in AD, they should receive a ticket to MIT KDC somehow? or does this ticket get a NameNode for them , for example?<BR />Can someone explain how this mechanism works?</P><P>&nbsp;</P> Sat, 27 Jan 2024 13:17:24 GMT https://community.cloudera.com/t5/Support-Questions/How-One-way-Trust-works-MIT-KDC-to-Active-Directory/m-p/382788#M244692 avs2211 2024-01-27T13:17:24Z https://community.cloudera.com/t5/Support-Questions/How-One-way-Trust-works-MIT-KDC-to-Active-Directory/m-p/382818#M244704 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/108949">@avs2211</a>,&nbsp;Welcome to our community! To help you get the best possible answer, I have tagged in our HDFS experts&nbsp;<a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/33734">@Asok</a>&nbsp;<a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/82089">@willx</a>&nbsp;<a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/12885">@mszurap</a>&nbsp;<a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/80393">@rki_</a>&nbsp;&nbsp;who may be able to assist you further.<BR /><BR />Please feel free to provide any additional information or details about your query, and we hope that you will find a satisfactory solution to your question.</P> Mon, 29 Jan 2024 10:40:38 GMT https://community.cloudera.com/t5/Support-Questions/How-One-way-Trust-works-MIT-KDC-to-Active-Directory/m-p/382818#M244704 VidyaSargur 2024-01-29T10:40:38Z https://community.cloudera.com/t5/Support-Questions/How-One-way-Trust-works-MIT-KDC-to-Active-Directory/m-p/382820#M244706 <P><SPAN>traffic analysis shows an error </SPAN></P><P><SPAN>KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN </SPAN></P><P><SPAN>requests to dfs from a user in MIT KDC are successfully executed </SPAN></P><P><SPAN>Checking</SPAN></P><P><SPAN>./</SPAN><SPAN>hdfs groups </SPAN></P><P><SPAN>returns the correct set of groups </SPAN></P><P><SPAN>but the AD user's requests after kinit return the above error</SPAN></P> Mon, 29 Jan 2024 11:26:49 GMT https://community.cloudera.com/t5/Support-Questions/How-One-way-Trust-works-MIT-KDC-to-Active-Directory/m-p/382820#M244706 avs2211 2024-01-29T11:26:49Z https://community.cloudera.com/t5/Support-Questions/How-One-way-Trust-works-MIT-KDC-to-Active-Directory/m-p/383049#M244806 <P>the problem was in trust - the password was incorrectly set in the MIT KDC when creating the trust</P> Fri, 02 Feb 2024 12:44:37 GMT https://community.cloudera.com/t5/Support-Questions/How-One-way-Trust-works-MIT-KDC-to-Active-Directory/m-p/383049#M244806 avs2211 2024-02-02T12:44:37Z https://community.cloudera.com/t5/Support-Questions/How-One-way-Trust-works-MIT-KDC-to-Active-Directory/m-p/386672#M246111 <P>The password is correct but the same problem occurs</P> Wed, 17 Apr 2024 03:08:37 GMT https://community.cloudera.com/t5/Support-Questions/How-One-way-Trust-works-MIT-KDC-to-Active-Directory/m-p/386672#M246111 lslzz 2024-04-17T03:08:37Z