Getting "Server not found in Kerberos database" while trying to get API access token with SPNEGO on NiFi

Hi,

First, a couple of things that work:
-NiFi cluster running on 3 nodes (running Apache upstream V1.1.2) on CentOS 6
-Login identity provider is Kerberos and works A1 using the username & password fields in the UI or through the API.
-Once I get an API token using username & password, I can query the API without any issues.
-KDC is Active Directory
-Service is using nifi.kerberos.service.principal as "serviceaccount@DOMAIN.ORG" with the corresponding keytab.

Now I'm trying a little POC where I want a script to use the API to interact with some of my flows. Because I don't want to store a username & password for the script to use, I wanted to set up SPNEGO and just use a plain "kinit" with a keytab and fetch the API access token using something like: "curl --negotiate -X POST -v -u : https://myhost.mydomain.org:8989/nifi-api/access/kerberos"

Steps I've taken:
1-Created 3 new accounts in AD with the logon name (principal) named "HTTP/myhost.mydomain.org", one for each of my machines.
2-Created a keytab for each of those machines by using ktutil. Tested this with a "kinit HTTP/myhost.mydomain.org@DOMAIN.ORG" and they work.
3-Set up the 3 SPNEGO properties in nifi.properties:
-nifi.kerberos.spnego.principal=HTTP/myhost.mydomain.org@DOMAIN.ORG
-nifi.kerberos.spnego.keytab.location=[the_location_of_the_key_tab]
-nifi.kerberos.spnego.authentication.expiration=12 hours

After a service restart, I try to run the curl command mentioned above and I get the following error:

curl --negotiate -X POST -v  -u : https://myhost.mydomain.org:8989/nifi-api/access/kerberos
* About to connect() to myhost.mydomain.org port 8989 (#0)
*   Trying [ip address]... connected
* Connected to myhost.mydomain.org ([ip address]) port 8989 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: [redacted]
  CApath: none
* NSS: client certificate not found (nickname not specified)
* SSL connection using [redacted]
* Server certificate:
*       [redacted]
> POST /nifi-api/access/kerberos HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: myhost.mydomain.org:8989
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Date: Thu, 10 Aug 2017 17:10:41 GMT
* gss_init_sec_context() failed: : Server not found in Kerberos database
< WWW-Authenticate: Negotiate
< Content-Type: text/plain
< Content-Length: 0
< Server: Jetty(9.3.9.v20160517)
<
* Connection #0 to host myhost.mydomain.org left intact
* Closing connection #0

I was wondering what's missing. DNS and reverse DNS are set up properly and everything else is working fine (like HUE, also using SPNEGO with the same method).

Any idea?

1 ACCEPTED SOLUTION


Was about to delete my question (if that's even possible) but I managed to isolate the issue after triple-checking everything, so I figured I'd post it here.

Turns out the 3 accounts in AD did not have the SPN set (servicePrincipalName) correctly. Changed them to "HTTP/myhost.mydomain.org" and everything works great now.

Lessons learned: don't eyeball the correctness of properties; copy-paste them into an editor and check them there.
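
The following is an added example, not code from the original post or from NiFi: a pre-flight consistency check for the three things that must agree before `curl --negotiate` against /nifi-api/access/kerberos can succeed, covering both the setup steps in the question and the servicePrincipalName fix in the answer. The SPN the client requests is HTTP/<URL host> (the Kerberos library may canonicalise the host via DNS first, which is why DNS and reverse DNS matter); that must equal nifi.kerberos.spnego.principal, must be present in the keytab, and must be set as servicePrincipalName on exactly one AD account. The keytab path is hypothetical, and the `klist -kt` and `ldapsearch` outputs are constructed inline so the script runs offline; in real use you would substitute the live command output.

```shell
#!/bin/sh
# Added example, not code from the original post or from NiFi: a pre-flight
# consistency check for NiFi SPNEGO. Three things must agree before
# `curl --negotiate` can work:
#   1. the SPN the client asks for: HTTP/<URL host> (the Kerberos library may
#      canonicalise the host via DNS first, which is why DNS/rDNS must be right),
#   2. nifi.kerberos.spnego.principal and the keytab it points at,
#   3. the servicePrincipalName attribute on the AD account.
# All inputs are constructed inline so the script runs offline. In real use,
# feed it `klist -kt "$keytab"` and an `ldapsearch ... servicePrincipalName`
# result instead.

API_URL="https://myhost.mydomain.org:8989/nifi-api/access/kerberos"
REALM="DOMAIN.ORG"

# Constructed nifi.properties fragment; the keytab path is hypothetical.
NIFI_PROPERTIES='nifi.kerberos.spnego.principal=HTTP/myhost.mydomain.org@DOMAIN.ORG
nifi.kerberos.spnego.keytab.location=/etc/security/keytabs/nifi-spnego.keytab
nifi.kerberos.spnego.authentication.expiration=12 hours'

# Constructed `klist -kt` output for that keytab.
KEYTAB_LISTING='KVNO Timestamp           Principal
---- ------------------- ------------------------------------------
   2 08/10/2017 12:00:00 HTTP/myhost.mydomain.org@DOMAIN.ORG
   2 08/10/2017 12:00:00 HTTP/myhost.mydomain.org@DOMAIN.ORG'

# Constructed servicePrincipalName lines as ldapsearch prints them: a mistyped
# SPN that produces "Server not found in Kerberos database", and the fix.
SPN_BROKEN='servicePrincipalName: HTTP/myhost.mydomain'
SPN_FIXED='servicePrincipalName: HTTP/myhost.mydomain.org'

# Host part of a URL: strip the scheme, then anything from the first ':' or '/'.
url_host() {
    h=${1#*://}
    printf '%s\n' "${h%%[:/]*}"
}

# The principal curl will request for this URL: HTTP/<host>@<realm>.
expected_principal() {
    printf 'HTTP/%s@%s\n' "$(url_host "$1")" "$2"
}

# Value of a key in a properties blob (exact key match, surrounding blanks dropped).
prop() {
    printf '%s\n' "$1" | awk -v k="$2=" \
        'index($0, k) == 1 { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }'
}

# Succeeds if the keytab listing carries the principal in its last column.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit !found }'
}

# Number of accounts in the LDAP result holding the SPN (service part, no realm).
# Must be exactly 1: 0 yields "Server not found in Kerberos database",
# more than 1 is a duplicate SPN, which the AD KDC also rejects.
spn_count() {
    printf '%s\n' "$1" | awk -v s="servicePrincipalName: $2" '$0 == s { n++ } END { print n + 0 }'
}

# Run all three checks, print one PASS/FAIL line each, return non-zero on any FAIL.
precheck() {
    url=$1 realm=$2 props=$3 keytab=$4 ldap=$5 rc=0
    want=$(expected_principal "$url" "$realm")
    have=$(prop "$props" nifi.kerberos.spnego.principal)
    if [ "$want" = "$have" ]; then
        echo "PASS spnego.principal = $have"
    else
        echo "FAIL spnego.principal: want $want, have $have"; rc=1
    fi
    if keytab_has_principal "$keytab" "$want"; then
        echo "PASS keytab contains $want"
    else
        echo "FAIL keytab lacks $want"; rc=1
    fi
    n=$(spn_count "$ldap" "${want%@*}")
    if [ "$n" -eq 1 ]; then
        echo "PASS exactly one AD account has SPN ${want%@*}"
    else
        echo "FAIL $n AD accounts have SPN ${want%@*}"; rc=1
    fi
    return "$rc"
}

echo "== servicePrincipalName as it was before the fix =="
precheck "$API_URL" "$REALM" "$NIFI_PROPERTIES" "$KEYTAB_LISTING" "$SPN_BROKEN" || true
echo "== servicePrincipalName corrected =="
precheck "$API_URL" "$REALM" "$NIFI_PROPERTIES" "$KEYTAB_LISTING" "$SPN_FIXED"
```

The SPN count check is the one that would have caught this thread's problem: with the attribute mistyped, the keytab and nifi.properties agree with each other and with the URL, yet the KDC has no account to map HTTP/myhost.mydomain.org to, which is exactly what "Server not found in Kerberos database" reports.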
