
kerberos Not working in Windows Client (GSSException: Defective token detected (Mechanism level: GSS

Hi,

We have implemented Kerberos for our Hadoop setup.
Please note that we are using MIT KDC 5 and we are not using AD/LDAP authentication. All the users are Unix users.
Everything works fine, but we face a problem while using a browser to open the SOLR Admin UI and the httpfs UI.

Here are our settings

Browser
1. Prompt for username and password in Security->Intranet section
2. Added http://*.intra.testlab.se & https://*.intra.testlab.se in local intranet section
3. "Enable Integrated Windows Authentication" in Advanced settings.

Windows OS
1. Windows 2008
2. We log in to the Windows machine as follows
Username: sadeek123
Password: password provided by AD
Domain: FOXNET.INTRA.TESTLAB.SE
3. Ran the following command (one time)
ksetup /addkdc INTRA.TESTLAB.SE unixs49.intra.testlab.se
4. After running this command we could see a registry entry as KDC names = unixs49.intra.testlab.se under HKEY_LOCAL_MACHINE->SYSTEM->CURRENTCONTROLSET->LSA->KERBEROS->DOMAINS

Here is our procedure to access SOLR UI.

1. Log in to the Windows machine using AD username and password
2. Hit the URL http://unixs50.intra.testlab.se:8983/solr
3. A username and password window pops up. We provide credentials like sadeek@INTRA.TESTLAB.SE & password
4. We get the following error on SOLR.
2016-02-18 08:38:18,035 WARN org.apache.hadoop.security.authentication.server.AuthenticationFilter: Authentication exception: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:399)
at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler.authenticate(DelegationTokenAuthenticationHandler.java:347)
at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:517)
at org.apache.solr.servlet.SolrHadoopAuthenticationFilter.doFilter(SolrHadoopAuthenticationFilter.java:399)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.solr.servlet.HostnameFilter.doFilter(HostnameFilter.java:86)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:620)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:366)
at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:348)
at java.security.AccessController.doPrivileged(Native Method)
5. The same is happening with httpfs.

Additional notes

1. On the Unix machine we do kinit for the sadeek user by running kinit sadeek@INTRA.TESTLAB.SE and providing the password
2. We try to access the SOLR UI using curl by issuing the following command
curl --negotiate -u : -b ~/cookiejar.txt -c ~/cookiejar.txt http://unixs50.intra.testlab.se:8983/solr
3. We are able to see SOLR admin UI html page successfully.


BR,
SM
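
Added example, not part of the original post: JGSS raises "GSSHeader did not find the right tag" when the token in the `Authorization: Negotiate` header does not begin with the GSS-API tag 0x60, so a useful check is to classify the token the browser actually sent. The function and sample headers below are constructed for illustration; paste in a header value captured from the failing request.

```python
import base64

SPNEGO_OID = bytes.fromhex("06062b0601050502")      # DER OID 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER OID 1.2.840.113554.1.2.2

def _after_der_length(buf, pos):
    """Index of the first byte after the DER length field at buf[pos]."""
    first = buf[pos]
    return pos + 1 if first < 0x80 else pos + 1 + (first & 0x7F)

def classify_negotiate(header_value):
    """Classify the token of an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                      # binascii.Error subclasses ValueError
        return "bad-base64"
    if token.startswith(b"NTLMSSP\x00"):    # NTLM message signature
        return "ntlm"
    if len(token) < 4 or token[0] != 0x60:  # 0x60 = GSS-API initial token tag
        return "unknown"
    body = _after_der_length(token, 1)
    if token[body:body + len(SPNEGO_OID)] == SPNEGO_OID:
        return "spnego"
    if token[body:body + len(KRB5_OID)] == KRB5_OID:
        return "kerberos"
    return "gss-other"

def _header(raw):
    return "Negotiate " + base64.b64encode(raw).decode("ascii")

def _gss(oid):
    inner = oid + b"\xa0\x02\x30\x00"       # constructed filler, not a real ticket
    return b"\x60" + bytes([len(inner)]) + inner

# Constructed sample headers (no real credentials or tickets).
SAMPLES = {
    "ntlm": _header(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 8),
    "spnego": _header(_gss(SPNEGO_OID)),
    "kerberos": _header(_gss(KRB5_OID)),
}

if __name__ == "__main__":
    for expected, value in SAMPLES.items():
        print(expected, "->", classify_negotiate(value))
```

A result of `ntlm` means the client sent an NTLM message inside Negotiate instead of a Kerberos ticket, which is exactly the kind of token GSSHeader rejects; `spnego` or `kerberos` means the token is well-formed at this level and the fault lies elsewhere.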