Trying to assist a client with the following Kerberos configuration error.

We have configured automatically Kerberos on Sandbox HDP 2.6.4as described in below how-to:

https://community.hortonworks.com/articles/29203/automated-kerberos-installation-and-configuration.h...

We created the Kerberos ticket using thehive.service.keytab(one of the keytabs automatically generated by HDP):

kinit –kt hive.service.keytabhive/sandbox-hdp.hortonworks.com@HWX.COM

In order to connect to Kerberos Hive in JDBC from Windows machine, we used the following code snippet:

System.setProperty("hadoop.home.dir","C:\\Users\\Emilio\\Desktop\\test");

try{

org.apache.hadoop.conf.Configurationconf=neworg.apache.hadoop.conf.Configuration();

conf.set("hadoop.security.authentication","Kerberos");

org.apache.hadoop.security.UserGroupInformation.setConfiguration(conf);

org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab("hive/sandbox-hdp.hortonworks.com@HWX.COM","C:/Users/Emilio/Desktop/keytabs/hive.service.keytab");

Class.forName("org.apache.hive.jdbc.HiveDriver");

Connection con = DriverManager.getConnection("jdbc:hive2://localhost:10000/foodmart;principal=hive/sandbox-hdp.hortonworks.com@HWX.COM");

con.close();

}catch(Exceptione) {

e.printStackTrace();

}

In this case we obtain the following error:

java.io.IOException: Login failure forhive/sandbox-hdp.hortonworks.com@HWX.COMfrom keytab C:/Users/Emilio/Desktop/keytabs/hive.service.keytab:javax.security.auth.login.LoginException: ICMP Port Unreachable

Then we tried to replace the path value specified into theloginUserFromKeytabmethod with the one of the server:

org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab("hive/sandbox-hdp.hortonworks.com@HWX.COM","/etc/security/keytabs/hive.service.keytab");

In this case we obtain the following error:

java.io.IOException:Login failure forhive/sandbox-hdp.hortonworks.com@HWX.COMfrom keytab /etc/security/keytabs/hive.service.keytab:javax.security.auth.login.LoginException: Unable to obtain password from user

We also tried to perform the same tests explained above using a new user. To create the new user we used thekadmintool with the command below:

add_principalhive-user/sandbox-hdp.hortonworks.com@HWX.COM

After the principal creation, we added encryption to the user and then we generated a keytab file:

ktutil:

add_entry -password -phive-user/sandbox-hdp.hortonworks.com@HWX.COM-k 1 -e aes256-cts

add_entry -password -phive-user/sandbox-hdp.hortonworks.com@HWX.COM-k 1 -e aes128-cts

add_entry -password -phive-user/sandbox-hdp.hortonworks.com@HWX.COM-k 1 -e des3-hmac-sha1

add_entry -password -phive-user/sandbox-hdp.hortonworks.com@HWX.COM-k 1 -e arcfour-hmac

add_entry -password -phive-user/sandbox-hdp.hortonworks.com@HWX.COM-k 1 -e des-hmac-sha1

add_entry -password -phive-user/sandbox-hdp.hortonworks.com@HWX.COM-k 1 -e des-cbc-md5

add_entry -password -phive-user/sandbox-hdp.hortonworks.com@HWX.COM-k 1 -e des-cbc-crc

wkt /etc/security/keytabs/hive-user.service.keytab

Finally we created the Kerberos ticket using the newly generated keytabhive-user.service.keytab:

kinit -kt hive-user.service.keytabhive-user/sandbox-hdp.hortonworks.com@HWX.COM

The same errors of the previous tests occur.

The last try we did was performed enabling Kerberos security manually on HDP, according to the official documentation available at the following link:

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.1/bk_security/content/configuring_amb_hdp_for...

Unfortunately, the above tests behave the same way in this case too.