Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Microsoft Kerberos Hive ODBC Error: "No authority could be contacted for authentication"

avatar
Contributor

I encountered below error in my laptop while using the ODBC to Get Data in Power BI Desktop. 

 

My environment:

Hadoop

  • Cloudera quickstart VM 5.13
  • Kerberized with MIT

Laptop

  • Windows 10 64 Bit:
  • Microsoft Hive ODBC 64 bit 2.1
  • MIT Kerberos Ticket Manager installed

 

/etc/krb5.conf
[libdefaults]
default_realm = CLOUDERA
dns_lookup_kdc = false
dns_lookup_realm = false
ticket_lifetime = 86400
renew_lifetime = 604800
forwardable = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
udp_preference_limit = 1
kdc_timeout = 3000
[realms]
CLOUDERA = {
kdc = quickstart.cloudera
admin_server = quickstart.cloudera
}
[domain_realm]

 

Connect to Kerberized Hive thru Microsoft Hive ODBC:

From Power BI, Get Data -> ODBC -> select my ODBC

I entered username and password in Database tab:

username: cloudera

password: cloudera

 

Error in Power BI while connecting to Hive through the ODBC:

Details: "ODBC: ERROR [HY000] [Microsoft][Hardy] (34) Error from server: SASL(-1): generic failure: Failed to initialize security context: No authority could be contacted for authentication.
.
ERROR [HY000] [Microsoft][Hardy] (34) Error from server: SASL(-1): generic failure: Failed to initialize security context: No authority could be contacted for authentication.

 

I tested the ODBC in 64 Bit ODBC Admin without any errors. In addition, I am able to use the ODBC in DBeaver. 

 

Please shed some light on this error. 

 

Thank you.

10 REPLIES 10

avatar
Super Guru
It sounds like your Windows is not able to communicate with KDC server. Your KDC is set as "quickstart.cloudera", can you ping quickstart.cloudera from your Windows laptop to see if you can response?

avatar
Contributor

Yes, no problems. "quickstart.cloudera" is in the hosts file. 

avatar
Super Guru
I realise that the krb5.conf file is under /etc/krb5.conf, which is on Linux host, not Windows. What's the content of your krb5.conf on your Windows machine?

avatar
Contributor

C:\ProgramData\MIT\Kerberos5\krb5.ini

 

[libdefaults]
default_realm = CLOUDERA
dns_lookup_kdc = false
dns_lookup_realm = false
ticket_lifetime = 86400
renew_lifetime = 604800
forwardable = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
udp_preference_limit = 1
kdc_timeout = 3000
[realms]
CLOUDERA = {
kdc = quickstart.cloudera
admin_server = quickstart.cloudera
}

 

Thank you.

avatar
Super Guru
This looks OK.

However, I have noticed before that sometimes Windows machine can have different types of kerberos client installed and their configuration can be stored on different locations. So another thing to check is scan how many krb5.ini or krb5.conf files you have in your Windows machine and confirm which one is being used.

avatar
Contributor

See below.

 

 Volume in drive C is OS
 Volume Serial Number is 2261-6617

 Directory of C:\ProgramData\Anaconda3\Library\bin

10/26/2018  02:44 PM            75,264 krb5.exe
               1 File(s)         75,264 bytes

 Directory of C:\ProgramData\Anaconda3\Library\include

12/20/2018  04:30 PM    <DIR>          krb5
05/03/2018  07:33 AM               402 krb5.h
               1 File(s)            402 bytes

 Directory of C:\ProgramData\Anaconda3\Library\include\krb5

10/26/2018  02:40 PM           342,049 krb5.h
               1 File(s)        342,049 bytes

 Directory of C:\ProgramData\MIT\Kerberos5

09/13/2018  09:44 PM               394 krb5.ini
               1 File(s)            394 bytes

 Directory of C:\Users\All Users\Anaconda3\Library\bin

10/26/2018  02:44 PM            75,264 krb5.exe
               1 File(s)         75,264 bytes

 Directory of C:\Users\All Users\Anaconda3\Library\include

12/20/2018  04:30 PM    <DIR>          krb5
05/03/2018  07:33 AM               402 krb5.h
               1 File(s)            402 bytes

 Directory of C:\Users\All Users\Anaconda3\Library\include\krb5

10/26/2018  02:40 PM           342,049 krb5.h
               1 File(s)        342,049 bytes

 Directory of C:\Users\All Users\MIT\Kerberos5

09/13/2018  09:44 PM               394 krb5.ini
               1 File(s)            394 bytes

 Directory of C:\Users\chenc5\AppData\Local\conda\conda\pkgs\krb5-1.16.1-hc04afaa_7\Library\bin

10/26/2018  02:44 PM            75,264 krb5.exe
               1 File(s)         75,264 bytes

 Directory of C:\Users\chenc5\AppData\Local\conda\conda\pkgs\krb5-1.16.1-hc04afaa_7\Library\include

12/20/2018  04:21 PM    <DIR>          krb5
05/03/2018  07:33 AM               402 krb5.h
               1 File(s)            402 bytes

 Directory of C:\Users\chenc5\AppData\Local\conda\conda\pkgs\krb5-1.16.1-hc04afaa_7\Library\include\krb5

10/26/2018  02:40 PM           342,049 krb5.h
               1 File(s)        342,049 bytes

     Total Files Listed:
              11 File(s)      1,253,933 bytes
               3 Dir(s)  273,797,316,608 bytes free

 

 

avatar
Super Guru
So we have two krb5.ini files, from the timestamp and file size, I assume that they are the same file?

avatar
Contributor

See below.

 

cat "C:\ProgramData\MIT\Kerberos5\krb5.ini"
[libdefaults]
default_realm = CLOUDERA
dns_lookup_kdc = false
dns_lookup_realm = false
ticket_lifetime = 86400
renew_lifetime = 604800
forwardable = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
udp_preference_limit = 1
kdc_timeout = 3000
[realms]
CLOUDERA = {
kdc = quickstart.cloudera
admin_server = quickstart.cloudera
}

cat "C:\Users\All Users\MIT\Kerberos5\krb5.ini"
[libdefaults]
default_realm = CLOUDERA
dns_lookup_kdc = false
dns_lookup_realm = false
ticket_lifetime = 86400
renew_lifetime = 604800
forwardable = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
udp_preference_limit = 1
kdc_timeout = 3000
[realms]
CLOUDERA = {
kdc = quickstart.cloudera
admin_server = quickstart.cloudera
}

avatar
Super Guru
I was thinking about UDP vs TCP, but looks like you already have udp_preference_limit=1, so TCP always being used.

You mentioned that ""quickstart.cloudera" is in the hosts file. ", can you confirm if you have tested to ping quickstart.cloudera or telnet to port 88 of host quickstart.cloudera?

Have you also check your firewall rules to see if it is blocking port 88 that is used by KDC?