Impala - Kerberized - JDBC connection from SQL Workbench on Windows

Rising Star

We have a 15-node Kerberized Impala cluster with an HAProxy. We have no issue using HUE to run queries.

We are also able to use the ODBC driver on a Windows machine, authenticate with Kerberos and connect to Impala via HAProxy.

However, when we try to connect to the Impala HAProxy using SQL Workbench via the JDBC driver, we get the following error message:

[Simba][ImpalaJDBCDriver](500310) Invalid operation: Unable to obtain Principal Name for authentication ;

The connection string is:

jdbc:impala://<PUBLIC IP ADDRESS>:21051;AuthMech=1;KrbRealm=<REALM>;KrbHostFQDN=<fqdn>;KrbServiceName=impala;

We tried adding the Principal parameter, but it doesn't help. Any ideas on how to get Impala JDBC to work from a Windows machine using Kerberos?

28 REPLIES

Explorer

Hi,

We added the path of CacheCredential in the JAAS file and then re-ran the R script by setting the environment variable of the JAAS file in R.

Now we're running into the following error:

Error in .jcall(drv@jdrv, "Ljava/sql/Connection;", "connect", as.character(url)[1], :
  java.sql.SQLException: [Cloudera][HiveJDBCDriver](500164) Error initialized or created transport for authentication: [Cloudera][HiveJDBCDriver](500169) Unable to connect to server: GSS initiate failed.

GSS initiate failed. I have JCE installed.

Explorer

Hi,

We're getting the following error in Java:

null credentials from Ticket Cache
            [Krb5LoginModule] authentication failed
Unable to obtain password from user

Exception in thread "main" java.sql.SQLException: [Cloudera][HiveJDBCDriver](500166) Error creating login context using JAAS configuration: Unable to obtain password from user
.
      at com.cloudera.hiveserver2.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
      at com.cloudera.hiveserver2.hivecommon.api.ZooKeeperEnabledExtendedHS2Factory.createClient(Unknown Source)
      at com.cloudera.hiveserver2.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
      at com.cloudera.hiveserver2.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
      at com.cloudera.hiveserver2.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
      at com.cloudera.hiveserver2.jdbc.common.AbstractDriver.connect(Unknown Source)
      at java.sql.DriverManager.getConnection(Unknown Source)
      at java.sql.DriverManager.getConnection(Unknown Source)
Caused by: com.cloudera.hiveserver2.support.exceptions.GeneralException: [Cloudera][HiveJDBCDriver](500166) Error creating login context using JAAS configuration: Unable to obtain password from user
.
      ... 8 more
Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user

      at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown Source)
      at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
      at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
      at java.lang.reflect.Method.invoke(Unknown Source)
      at javax.security.auth.login.LoginContext.invoke(Unknown Source)
      at javax.security.auth.login.LoginContext.access$000(Unknown Source)
      at javax.security.auth.login.LoginContext$4.run(Unknown Source)
      at javax.security.auth.login.LoginContext$4.run(Unknown Source)
      at java.security.AccessController.doPrivileged(Native Method)
      at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
      at javax.security.auth.login.LoginContext.login(Unknown Source)
      at com.cloudera.hiveserver2.jdbc.kerberos.Kerberos.getSubjectViaJAASConfig(Unknown Source)
      at com.cloudera.hiveserver2.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
      at com.cloudera.hiveserver2.hivecommon.api.ZooKeeperEnabledExtendedHS2Factory.createClient(Unknown Source)
      at com.cloudera.hiveserver2.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
      at com.cloudera.hiveserver2.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
      at com.cloudera.hiveserver2.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
      at com.cloudera.hiveserver2.jdbc.common.AbstractDriver.connect(Unknown Source)
      at java.sql.DriverManager.getConnection(Unknown Source)
      at java.sql.DriverManager.getConnection(Unknown Source)
      at HiveConnection.main(HiveConnection.java:26)

Explorer

Hi,

It seems I installed the 64-bit JCE but the 32-bit one was required. That solved my issue in Java, but I'm still facing the issue when running it in R. Can you please help me resolve this issue?

I guess that R is not able to use the JCE policy files.

Explorer

Note we're getting the following error: 

Error in .jcall(drv@jdrv, "Ljava/sql/Connection;", "connect", as.character(url)[1], : 
  java.sql.SQLException: [Cloudera][HiveJDBCDriver](500164) Error initialized or created transport for authentication: [Cloudera][HiveJDBCDriver](500169) Unable to connect to server: GSS initiate failed.
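
`GSS initiate failed` only reports that the GSS-API handshake did not complete; the KDC's actual answer appears when the JVM runs with `-Dsun.security.krb5.debug=true`. The following is an added example, not part of the thread and not Cloudera's code: a Python parser for that trace format which lists the cross-realm lookups the client attempted and the KDC errors it received. The two traces are constructed samples with placeholder realms and hosts, and all function names are hypothetical.

```python
import re

KDC_ERR_S_PRINCIPAL_UNKNOWN = 7  # RFC 4120: "Server not found in Kerberos database"

# Constructed sample traces (placeholder realms/hosts) in the line format that
# -Dsun.security.krb5.debug=true prints. The second KRBError has no sTime line.
FAILING_TRACE = """\
>>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/example.co.in@EXAMPLE.COM
>>>KRBError:
sTime is Mon Jan 01 10:00:00 UTC 2024 1704103200000
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/example.co.in@EXAMPLE.COM
msgType is 30
>>> Credentials acquireServiceCreds: no tgt; searching thru capath
>>> Credentials acquireServiceCreds: inner loop: [1] tempService=krbtgt/CO.IN@EXAMPLE.COM
>>>KRBError:
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/CO.IN@EXAMPLE.COM
msgType is 30
>>> Credentials acquireServiceCreds: no tgt; cannot get creds
KrbException: Fail to create credential. (63) - No service creds
"""

WORKING_TRACE = """\
>>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/CORP.EXAMPLE.COM@EXAMPLE.COM
>>> Credentials acquireServiceCreds: got tgt
>>> Credentials acquireServiceCreds: got right tgt
>>> Credentials acquireServiceCreds: obtaining service creds for impala/node1.corp.example.com@CORP.EXAMPLE.COM
"""

FIELD = re.compile(r"^\s*(sTime|suSec|error code|error Message|sname|msgType) is (.*)$")
ATTEMPT = re.compile(r"acquireServiceCreds: (?:main|inner) loop: \[\d+\] tempService=(\S+)")
SERVICE = re.compile(r"obtaining service creds for (\S+)")


def split_principal(name):
    """Split 'service/instance@REALM' into its three parts (realm may be empty)."""
    body, _, realm = name.rpartition("@")
    if not body:  # no '@' present, so the whole string is the name
        body, realm = name, ""
    service, _, instance = body.partition("/")
    return service, instance, realm


def parse_krb_errors(trace):
    """Return one dict per '>>>KRBError:' block, keyed by the printed field names."""
    errors, current = [], None
    for line in trace.splitlines():
        if line.strip().startswith(">>>KRBError"):
            current = {}
            errors.append(current)
            continue
        match = FIELD.match(line) if current is not None else None
        if match:
            current[match.group(1)] = match.group(2).strip()
        else:
            current = None  # any other line ends the block
    return errors


def summarize(trace):
    """Collect the ticket requests, the KDC errors and the final outcome."""
    errors = parse_krb_errors(trace)
    kdc_errors = [(int(e.get("error code", -1)), e.get("sname", "")) for e in errors]
    unknown_realms = []
    for code, sname in kdc_errors:
        service, target_realm, _ = split_principal(sname)
        # krbtgt/TARGET@SOURCE is the cross-realm TGT the SOURCE KDC was asked for.
        if (code == KDC_ERR_S_PRINCIPAL_UNKNOWN and service == "krbtgt"
                and target_realm not in unknown_realms):
            unknown_realms.append(target_realm)
    service = SERVICE.search(trace)
    return {
        "attempts": ATTEMPT.findall(trace),
        "kdc_errors": kdc_errors,
        "unknown_realms": unknown_realms,
        "service_principal": service.group(1) if service else None,
        "no_service_creds": "cannot get creds" in trace or "No service creds" in trace,
    }


def diagnose(summary):
    """Turn a summary into a one-line finding for the person debugging the client."""
    if summary["no_service_creds"] and summary["unknown_realms"]:
        realms = ", ".join(summary["unknown_realms"])
        return ("KDC has no cross-realm krbtgt for: " + realms + ". Check the "
                "[domain_realm] mapping in krb5.ini and the KrbRealm/KrbHostFQDN "
                "values in the JDBC URL.")
    if summary["no_service_creds"]:
        return "Service ticket request failed; inspect the KRBError entries."
    return "No ticket-acquisition failure in this trace."


if __name__ == "__main__":
    for label, trace in (("failing", FAILING_TRACE), ("working", WORKING_TRACE)):
        print(label, "->", diagnose(summarize(trace)))
```

A run of error code 7 against `krbtgt/<something>@<client realm>` names means the client is walking realm names derived from the server's host name rather than asking for the `impala/...` service ticket directly.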

 

Explorer

Hi,

I've looked into the Kerberos logs of the code. Below are my debug results:

1) In R, where we get the GSS initiate failed error:

> library(rJava)
> .jinit(,"-Dsun.security.krb5.debug=true")
> #.jaddClassPath("C:/Program Files/Java/jdk1.8.0_101/jre/lib/security/local_policy.jar")
> #.jaddClassPath("C:/Program Files/Java/jdk1.8.0_101/jre/lib/security/US_export_policy.jar")
> #.jaddClassPath("D:/KerberosConfigrationFile/gss-jaas.conf")
> .jaddClassPath("D:/Project/FAM/Workspace/TestImpala/bin")
> v<-.jnew("TestClassPath")
> impala_conn <-.jcall(v,returnSig = "S","getImpalaConnection")
Test Impala start-----****
>>>KinitOptions cache name is C:\Users\user\krb5cc_user
>>>DEBUG <CCacheInputStream> client principal is user1@COMPANY.COM
>>>DEBUG <CCacheInputStream> server principal is krbtgt/COMPANY.COM@COMPANY.COM
>>>DEBUG <CCacheInputStream> key type: 18
>>>DEBUG <CCacheInputStream> auth time: Thu Sep 28 11:29:07 IST 2017
>>>DEBUG <CCacheInputStream> start time: Thu Sep 28 11:29:07 IST 2017
>>>DEBUG <CCacheInputStream> end time: Thu Sep 28 21:29:07 IST 2017
>>>DEBUG <CCacheInputStream> renew_till time: null
>>> CCacheInputStream: readFlags() INITIAL; PRE_AUTH;
Host address is /xx.xxx.xx.xx
...
>>> KrbCreds found the default ticket granting ticket in credential cache.
Java config name: null
Native config name: C:\WINDOWS\krb5.ini
>>> Obtained TGT from LSA: Credentials:
client=user@COMPANY.COM
server=krbtgt/COMPANY.COM@COMPANY.COM
flags=INITIAL;PRE-AUTHENT
EType (skey)=18
(tkt key)=18
log4j:WARN No appenders could be found for logger (org.apache.thrift.transport.TSaslTransport).
log4j:WARN Please initialize the log4j system properly.
Found ticket for user@COMPANY.COM to go to krbtgt/COMPANY.COM@COMPANY.COM expiring on Thu Sep 28 21:29:07 IST 2017
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for user@COMPANY.COM to go to krbtgt/COMPANY.COM@COMPANY.COM expiring on Thu Sep 28 21:29:07 IST 2017
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/company.CO.IN@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KdcAccessibility: reset
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=blopedcgintl001.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1622
>>> KDCCommunication: kdc=blopedcgintl001.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1622
>>>DEBUG: TCPClient reading 109 bytes
>>> KrbKdcReq send: #bytes read=109
>>> KdcAccessibility: remove blopedcgintl001.company.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu Sep 28 15:45:34 IST 2017 1506593734000
suSec is 469828
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/company.CO.IN@COMPANY.COM
msgType is 30
>>> Credentials acquireServiceCreds: no tgt; searching thru capath
>>> Credentials acquireServiceCreds: inner loop: [1] tempService=krbtgt/COMPANY.COM@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=blropicgintl002.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1622
>>> KDCCommunication: kdc=blropicgintl002.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1622
>>>DEBUG: TCPClient reading 1573 bytes
>>> KrbKdcReq send: #bytes read=1573
>>> KdcAccessibility: remove blropicgintl002.company.com.:88
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> Credentials acquireServiceCreds: got tgt
>>> Credentials acquireServiceCreds: continuing with main loop counter reset to 1
>>> Credentials acquireServiceCreds: main loop: [1] tempService=krbtgt/company.CO.IN@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=phxgggcgcorp001.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1597
>>> KDCCommunication: kdc=phxgggcgcorp001.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1597
>>>DEBUG: TCPClient reading 104 bytes
>>> KrbKdcReq send: #bytes read=104
>>> KdcAccessibility: remove phxgggcgcorp001.company.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu Sep 28 15:45:37 IST 2017 1506593737000
suSec is 579366
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/company.CO.IN@COMPANY.COM
msgType is 30
>>> Credentials acquireServiceCreds: no tgt; searching thru capath
>>> Credentials acquireServiceCreds: inner loop: [2] tempService=krbtgt/COMPANY.COM@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=tisgtgl01sdcg02.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1592
>>> KDCCommunication: kdc=tisgtgl01sdcg02.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1592
>>>DEBUG: TCPClient reading 99 bytes
>>> KrbKdcReq send: #bytes read=99
>>> KdcAccessibility: remove tisgtgl01sdcg02.company.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu Sep 28 15:45:39 IST 2017 1506593739000
suSec is 369350
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/COMPANY.COM@CORP.FIRSTAM.COM
msgType is 30
>>> Credentials acquireServiceCreds: inner loop: [3] tempService=krbtgt/COM@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=snatytcgcorp102.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1583
>>> KDCCommunication: kdc=snatytcgcorp102.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1583
>>>DEBUG: TCPClient reading 91 bytes
>>> KrbKdcReq send: #bytes read=91
>>> KdcAccessibility: remove snatytcgcorp102.company.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu Sep 28 15:45:41 IST 2017 1506593741000
suSec is 179778
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/COM@CORP.COMPANY.COM
msgType is 30
>>> Credentials acquireServiceCreds: inner loop: [4] tempService=krbtgt/IN@CORP.COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=jfkvpdfrforp001.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1583
>>> KDCCommunication: kdc=jfkvpdfrforp001.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1583
>>>DEBUG: TCPClient reading 90 bytes
>>> KrbKdcReq send: #bytes read=90
>>> KdcAccessibility: remove jfkvpdfrforp001.company.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/IN@CORP.COMPANY.COM
msgType is 30
>>> Credentials acquireServiceCreds: inner loop: [5] tempService=krbtgt/CO.IN@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=tinfrfc01sdcg01.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1586
>>> KDCCommunication: kdc=tinfrfc01sdcg01.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1586
>>>DEBUG: TCPClient reading 93 bytes
>>> KrbKdcReq send: #bytes read=93
>>> KdcAccessibility: remove tinfrfc01sdcg01.company.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu Sep 28 15:45:44 IST 2017 1506593744000
suSec is 422560
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/CO.IN@CORP.COMPANY.COM
msgType is 30
>>> Credentials acquireServiceCreds: no tgt; cannot get creds
KrbException: Fail to create credential. (63) - No service creds
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:156)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:458)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:693)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192)
at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94)
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:253)
at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
at com.cloudera.hivecommon.api.HiveServerPrivilegedAction.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:360)
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createClient(Unknown Source)
at com.cloudera.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
at com.cloudera.impala.core.ImpalaJDBCConnection.establishConnection(Unknown Source)
at com.cloudera.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
at com.cloudera.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
at com.cloudera.jdbc.common.AbstractDriver.connect(Unknown Source)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:270)
at TestClassPath.getImpalaConnection(TestClassPath.java:20)
java.sql.SQLException: [Simba][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed.
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createClient(Unknown Source)
at com.cloudera.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
at com.cloudera.impala.core.ImpalaJDBCConnection.establishConnection(Unknown Source)
at com.cloudera.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
at com.cloudera.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
at com.cloudera.jdbc.common.AbstractDriver.connect(Unknown Source)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:270)
Caused by: com.cloudera.support.exceptions.GeneralException: [Simba][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed.
... 9 more
Caused by: java.lang.RuntimeException: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed
at com.cloudera.hivecommon.api.HiveServerPrivilegedAction.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:360)
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createClient(Unknown Source)
at com.cloudera.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
at com.cloudera.impala.core.ImpalaJDBCConnection.establishConnection(Unknown Source)
at com.cloudera.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
at com.cloudera.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
at com.cloudera.jdbc.common.AbstractDriver.connect(Unknown Source)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:270)
at TestClassPath.getImpalaConnection(TestClassPath.java:20)
Caused by: org.apache.thrift.transport.TTransportException: GSS initiate failed
at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:221)
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:297)
at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
... 13 more
Test Impala End
> impala_conn
[1] "Test Impala"

 

2) In Java, when the krb5.ini file was not in place, we got this error:

Test Impala start-----****
>>>KinitOptions cache name is C:\Users\user1\krb5cc_user
>>>DEBUG <CCacheInputStream> client principal is user1@COMPANY.COM
>>>DEBUG <CCacheInputStream> server principal is krbtgt/COMPANY.COM
>>>DEBUG <CCacheInputStream> key type: 18
>>>DEBUG <CCacheInputStream> auth time: Thu Sep 28 11:29:07 IST 2017
>>>DEBUG <CCacheInputStream> start time: Thu Sep 28 11:29:07 IST 2017
>>>DEBUG <CCacheInputStream> end time: Thu Sep 28 21:29:07 IST 2017
>>>DEBUG <CCacheInputStream> renew_till time: null
>>> CCacheInputStream: readFlags() INITIAL; PRE_AUTH;
Host address is /xx.xxx.xx.xx
...
>>> KrbCreds found the default ticket granting ticket in credential cache.
Java config name: null
Native config name: C:\WINDOWS\krb5.ini
>>> Obtained TGT from LSA: Credentials:
client=user1@COMPANY.COM
server=krbtgt/COMPANY.COM
flags=INITIAL;PRE-AUTHENT
EType (skey)=18
(tkt key)=18
log4j:WARN No appenders could be found for logger (org.apache.thrift.transport.TSaslTransport).
log4j:WARN Please initialize the log4j system properly.
Found ticket for user1@COMPANY.COM to go to krbtgt/COMPANY.COM expiring on Thu Sep 28 21:29:07 IST 2017
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for user1@COMPANY.COM to go to krbtgt/COMPANY.COM expiring on Thu Sep 28 21:29:07 IST 2017
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/company1.co.in@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KdcAccessibility: reset
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=blrppdcgintl002.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1622
>>> KDCCommunication: kdc=blrppdcgintl002.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1622
>>>DEBUG: TCPClient reading 109 bytes
>>> KrbKdcReq send: #bytes read=109
>>> KdcAccessibility: remove blrppdcgintl002.company.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu Sep 28 16:11:03 IST 2017 1506595263000
suSec is 629484
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/company1.co.in@COMPANY.COM
msgType is 30
>>> Credentials acquireServiceCreds: no tgt; searching thru capath
>>> Credentials acquireServiceCreds: inner loop: [1] tempService=krbtgt/CORP.COM@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=blrppdcgintl002.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1622
>>> KDCCommunication: kdc=blrppdcgintl002.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1622
>>>DEBUG: TCPClient reading 1573 bytes
>>> KrbKdcReq send: #bytes read=1573
>>> KdcAccessibility: remove blrppdcgintl002.company.com.:88
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> Credentials acquireServiceCreds: got tgt
>>> Credentials acquireServiceCreds: continuing with main loop counter reset to 1
>>> Credentials acquireServiceCreds: main loop: [1] tempService=krbtgt/company1.co.in@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=tincfdc01sdcg01.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1597
>>> KDCCommunication: kdc=tincfdc01sdcg01.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1597
>>>DEBUG: TCPClient reading 104 bytes
>>> KrbKdcReq send: #bytes read=104
>>> KdcAccessibility: remove tincfdc01sdcg01.company.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu Sep 28 16:11:06 IST 2017 1506595266000
suSec is 385440
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/company1.co.in@COMPANY.COM
msgType is 30
>>> Credentials acquireServiceCreds: no tgt; searching thru capath
>>> Credentials acquireServiceCreds: inner loop: [2] tempService=krbtgt/COMPANY@CORP.COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=snapascgcorp102.comapny.com. TCP:88, timeout=30000, number of retries =3, #bytes=1592
>>> KDCCommunication: kdc=snapascgcorp102.comapny.com. TCP:88, timeout=30000,Attempt =1, #bytes=1592
>>>DEBUG: TCPClient reading 99 bytes
>>> KrbKdcReq send: #bytes read=99
>>> KdcAccessibility: remove snapascgcorp102.comapny.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu Sep 28 16:11:08 IST 2017 1506595268000
suSec is 888723
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/COMPANY@CORP.COMPANY.COM
msgType is 30
>>> Credentials acquireServiceCreds: inner loop: [3] tempService=krbtgt/COM@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=fahwerl01vdcg02.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1584
>>> KDCCommunication: kdc=fahwerl01vdcg02.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1584
>>>DEBUG: TCPClient reading 91 bytes
>>> KrbKdcReq send: #bytes read=91
>>> KdcAccessibility: remove fahwerl01vdcg02.company.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu Sep 28 16:11:09 IST 2017 1506595269000
suSec is 350172
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/COM@CORP.FIRSTAM.COM
msgType is 30
>>> Credentials acquireServiceCreds: inner loop: [4] tempService=krbtgt/IN@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=snprrdcgcorp101.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1583
>>> KDCCommunication: kdc=snprrdcgcorp101.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1583
>>>DEBUG: TCPClient reading 90 bytes
>>> KrbKdcReq send: #bytes read=90
>>> KdcAccessibility: remove snprrdcgcorp101.company.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu Sep 28 16:11:11 IST 2017 1506595271000
suSec is 821544
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/IN@COMPANY.COM
msgType is 30
>>> Credentials acquireServiceCreds: inner loop: [5] tempService=krbtgt/CO.IN@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=snareecgcorp003.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1586
>>> KDCCommunication: kdc=snareecgcorp003.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1586
>>>DEBUG: TCPClient reading 93 bytes
>>> KrbKdcReq send: #bytes read=93
>>> KdcAccessibility: remove snareecgcorp003.company.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu Sep 28 16:11:12 IST 2017 1506595272000
suSec is 316872
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/CO.IN@COMPANY.COM
msgType is 30
>>> Credentials acquireServiceCreds: no tgt; cannot get creds
KrbException: Fail to create credential. (63) - No service creds
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94)
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:253)
at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
at com.cloudera.hivecommon.api.HiveServerPrivilegedAction.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createClient(Unknown Source)
at com.cloudera.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
at com.cloudera.impala.core.ImpalaJDBCConnection.establishConnection(Unknown Source)
at com.cloudera.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
at com.cloudera.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
at com.cloudera.jdbc.common.AbstractDriver.connect(Unknown Source)
at java.sql.DriverManager.getConnection(Unknown Source)
at java.sql.DriverManager.getConnection(Unknown Source)
at TestClassPath.getImpalaConnection(TestClassPath.java:21)
at TestClassPath.main(TestClassPath.java:41)
java.sql.SQLException: [Simba][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed.
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createClient(Unknown Source)
at com.cloudera.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
at com.cloudera.impala.core.ImpalaJDBCConnection.establishConnection(Unknown Source)
at com.cloudera.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
at com.cloudera.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
at com.cloudera.jdbc.common.AbstractDriver.connect(Unknown Source)
at java.sql.DriverManager.getConnection(Unknown Source)
at java.sql.DriverManager.getConnection(Unknown Source)
at TestClassPath.getImpalaConnection(TestClassPath.java:21)
Caused by: com.cloudera.support.exceptions.GeneralException: [Simba][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed.
... 10 more
Caused by: java.lang.RuntimeException: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed
at com.cloudera.hivecommon.api.HiveServerPrivilegedAction.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createClient(Unknown Source)
at com.cloudera.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
at com.cloudera.impala.core.ImpalaJDBCConnection.establishConnection(Unknown Source)
at com.cloudera.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
at com.cloudera.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
at com.cloudera.jdbc.common.AbstractDriver.connect(Unknown Source)
at java.sql.DriverManager.getConnection(Unknown Source)
at java.sql.DriverManager.getConnection(Unknown Source)
at TestClassPath.getImpalaConnection(TestClassPath.java:21)
at TestClassPath.main(TestClassPath.java:41)
Caused by: org.apache.thrift.transport.TTransportException: GSS initiate failed
at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:221)
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:297)
at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
... 14 more
Test Impala End

  

3) In Java, the working code.

Test Impala start-----****
>>>KinitOptions cache name is C:\Users\user1\krb5cc_user
>>>DEBUG <CCacheInputStream> client principal is user1@COMPANY.COM
>>>DEBUG <CCacheInputStream> server principal is krbtgt/COMPANY.COM
>>>DEBUG <CCacheInputStream> key type: 18
>>>DEBUG <CCacheInputStream> auth time: Thu Sep 28 11:29:07 IST 2017
>>>DEBUG <CCacheInputStream> start time: Thu Sep 28 11:29:07 IST 2017
>>>DEBUG <CCacheInputStream> end time: Thu Sep 28 21:29:07 IST 2017
>>>DEBUG <CCacheInputStream> renew_till time: null
>>> CCacheInputStream: readFlags() INITIAL; PRE_AUTH;
Host address is /xx.xxx.xx.xx
...
>>> KrbCreds found the default ticket granting ticket in credential cache.
Java config name: null
Native config name: C:\WINDOWS\krb5.ini
Loaded from native config
>>> Obtained TGT from LSA: Credentials:
client=user@COMPANY.COM
server=krbtgt/COMPANY@COMPANY.COM
flags=INITIAL;PRE-AUTHENT
EType (skey)=18
(tkt key)=18
Found ticket for user@COMPANY.COM to go to krbtgt/COMPANY.COM@COMPANY.COM expiring on Thu Sep 28 21:29:07 IST 2017
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for user@COMPANY.COM to go to krbtgt/COMPANY.COM@COMPANY.COM expiring on Thu Sep 28 21:29:07 IST 2017
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/COMPANY.COM@COMPANY.COM
default etypes for default_tgs_enctypes: 18 17 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KdcAccessibility: reset
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=inttyna09vdcg01.company.com.. TCP:88, timeout=30000, number of retries =3, #bytes=1619
>>> KDCCommunication: kdc=inttyna09vdcg01.company.com.. TCP:88, timeout=30000,Attempt =1, #bytes=1619
>>>DEBUG: TCPClient reading 1573 bytes
>>> KrbKdcReq send: #bytes read=1573
>>> KdcAccessibility: remove inttyna09vdcg01.company.com.:88
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> Credentials acquireServiceCreds: got tgt
>>> Credentials acquireServiceCreds: got right tgt
>>> Credentials acquireServiceCreds: obtaining service creds for impala/hostname@CORP.COMPANY.COM
default etypes for default_tgs_enctypes: 18 17 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=snappfrgcorp101.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1610
>>> KDCCommunication: kdc=snappfrgcorp101.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1610
>>>DEBUG: TCPClient reading 1630 bytes
>>> KrbKdcReq send: #bytes read=1630
>>> KdcAccessibility: remove snappfrgcorp101.company.com.:88
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> Credentials acquireServiceCreds: returning creds:
>>> DEBUG: ----Credentials----
client: user@COMPANY.COM
server: impala/hostname@CORP.COMPANY.COM
ticket: sname: impala/hostname@CORP.COMPANY.COM
startTime: 1506595126000
endTime: 1506614347000
----Credentials end----
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 293786502
Created InitSecContextToken:
0000: 01 00 6E 82 05 FE 30 82 05 FA A0 03 02 01 05 A1 ..n...0.........
0010: 03 02 01 0E A2 07 03 05 00 20 00 00 00 A3 82 05 ......... ......

Krb5Context.wrap: data=[01 01 00 00 ]
Krb5Context.wrap: token=[60 30 06 09 2a 86 48 86 f7 12 01 02 02 02 01 11 00 ff ff ff ff 71 1a 06 60 97 6b e4 e7 35 7d 2a d4 a7 53 4a d5 5e ce 9f 9b 87 7c 18 a3 01 01 00 00 01 ]

Connecting with jdbc:impala://connectionstring:21050/db;AuthMech=1;KrbRealm=_HOST@COMPANY.COM;KrbHostFQDN=host;KrbServiceName=impala;KrbAuthType=2

document
epr_lineage
infa_hstg_lookup_name_785113698026062326
infa_hstg_lookup_property_785113698026062326
infa_hstg_lookup_reference_785113698026062326
infa_hstg_read_document_4045257916572541191
infa_hstg_read_document_5426399195748447698
infa_hstg_read_document_785113698026062326

 ....

 

Please see the logs above and help me resolve the issue.

I've changed the company and domain names

Note: I'm trying to run the code from a Windows env, and the complete setup of all applications is on CentOS. I have R and RStudio on Windows in the same network.

Explorer

Hi,

 

I installed CDSW workbench on a CentOS machine and also installed R there. The code worked there without any error. The encryption method of the ticket was not the problem there.

 

But on the Windows machine, the code worked for Java but not R. Probably R is not able to decrypt the content of the ticket, which Java is able to do. Has anyone come across a similar problem? What encryption code/process does R use, and how is it different from Java on Windows?

 

Thanks

Expert Contributor
Can you try to kinit at the beginning of your script, in R e.g.
system("kinit username@REALM.COM -k -t username.keytab")

Have you generated keytab on your own or got it from admin?

New Contributor

hi @Diegolotr99
Did you fix this issue? I'm facing the same issue and I can't find any solution. Please help me.

Expert Contributor

Install JCE.
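
The Kerberos debug output earlier in this thread reports key type 18 in the ticket cache and ArcFourHmacEType later in the exchange, and the reply above points at JCE. As an added example (not code from any poster or from the driver), this Python script summarizes which encryption types a JDK Kerberos debug log reports under each principal and flags the two that matter for this kind of failure; the sample log, function names and finding labels are constructed for illustration.

```python
import re

# JDK etype class names -> Kerberos etype numbers (18/17 = AES-256/128, 23 = RC4)
ETYPES = {"Aes256CtsHmacSha1EType": 18, "Aes128CtsHmacSha1EType": 17,
          "ArcFourHmacEType": 23}

# Constructed sample in the format of the JDK Kerberos debug output in this thread
SAMPLE_LOG = """\
>>>DEBUG <CCacheInputStream> server principal is krbtgt/EXAMPLE.COM
>>>DEBUG <CCacheInputStream> key type: 18
>>> Credentials acquireServiceCreds: obtaining service creds for impala/host.example.com@EXAMPLE.COM
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbKdcReq send: #bytes read=1630
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
"""

PRINCIPAL = re.compile(
    r"(?:server principal is|obtaining service creds for|tempService=)\s*(\S+)")
KEYTYPE = re.compile(r"key type:\s*(\d+)")
ETYPE = re.compile(r"EType: sun\.security\.krb5\.internal\.crypto\.(\w+)")

def etypes_by_principal(log):
    """Map each principal named in the log to the etype numbers reported after it."""
    seen, current = {}, None
    for line in log.splitlines():
        m = PRINCIPAL.search(line)
        if m:  # a new target principal starts a new phase of the exchange
            current = m.group(1)
            seen.setdefault(current, set())
            continue
        m = KEYTYPE.search(line)
        num = int(m.group(1)) if m else None
        if num is None:
            m = ETYPE.search(line)
            num = ETYPES.get(m.group(1)) if m else None  # unknown classes skipped
        if num is not None and current is not None:
            seen[current].add(num)
    return seen

def findings(seen):
    """Return (principal, label, note) tuples for etypes worth checking."""
    out = []
    for principal, nums in sorted(seen.items()):
        if 18 in nums:
            out.append((principal, "aes256", "client JRE must allow 256-bit AES "
                        "(JCE unlimited-strength policy on older Java releases)"))
        if 23 in nums:
            out.append((principal, "rc4", "rc4-hmac is a weak legacy etype; "
                        "review KDC and service key configuration"))
    return out

if __name__ == "__main__":
    for finding in findings(etypes_by_principal(SAMPLE_LOG)):
        print(" | ".join(finding))
```

The etype lines are grouped under the most recently named principal, so the result shows which crypto classes the JVM needed at each phase of the exchange rather than the encryption of one specific ticket.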