First, a couple of things that work:
- NiFi cluster running on 3 nodes (running Apache upstream v1.1.2) on CentOS 6
- Login identity provider is Kerberos and works A1 using the username & password fields in the UI or through the API.
- Once I get an API token using username & password, I can query the API without any issues.
- KDC is Active Directory
- Service is using nifi.kerberos.service.principal as "serviceaccount@DOMAIN.ORG" with the corresponding keytab.
Now I'm trying a little POC where I want a script to use the API to interact with some of my flows. Because I don't want to store a username & password for the script to use, I wanted to set up SPNEGO and just use a plain "kinit" with a keytab and fetch the API access token using something like: "curl --negotiate -X POST -v -u : https://myhost.mydomain.org:8989/nifi-api/access/kerberos"
Steps I've taken:
1- Created 3 new accounts in AD with the logon name (principal) named "HTTP/myhost.mydomain.org", one for each of my machines.
2- Created a keytab for each of those machines by using ktutil. Tested this with a "kinit HTTP/myhost.mydomain.org@DOMAIN.ORG" and they work.
3- Set up the 3 SPNEGO properties in nifi.properties :
After a service restart, I try to run the curl command mentioned above and I get the following error:
curl --negotiate -X POST -v -u : https://myhost.mydomain.org:8989/nifi-api/access/kerberos
* About to connect() to myhost.mydomain.org port 8989 (#0)
* Trying [ip address]... connected
* Connected to myhost.mydomain.org ([ip address]) port 8989 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: [redacted]
* NSS: client certificate not found (nickname not specified)
* SSL connection using [redacted]
* Server certificate:
> POST /nifi-api/access/kerberos HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: myhost.mydomain.org:8989
> Accept: */*
< HTTP/1.1 401 Unauthorized
< Date: Thu, 10 Aug 2017 17:10:41 GMT
* gss_init_sec_context() failed: : Server not found in Kerberos databaseWWW-Authenticate: Negotiate
< Content-Type: text/plain
< Content-Length: 0
< Server: Jetty(9.3.9.v20160517)
* Connection #0 to host myhost.mydomain.org left intact
* Closing connection #0
I was wondering what's missing. DNS and reverse DNS are set up properly and everything else is working fine (like HUE, also using SPNEGO with the same method).
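An offline helper for triaging the trace above, added here as an example that is not part of the original post or of NiFi: it derives the SPN that curl --negotiate will request for the URL (HTTP/host@REALM, with the host lowercased and a trailing dot stripped, as MIT krb5 does when rdns=false), parses a "curl -v" trace for the 401 / Negotiate challenge / GSS error, and classifies the "Server not found in Kerberos database" case. SAMPLE_TRACE is constructed from the post; the registered-SPN list is whatever the reader exports from AD.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed from the trace in the post above (addresses redacted as in the post).
SAMPLE_TRACE = """\
> POST /nifi-api/access/kerberos HTTP/1.1
> Host: myhost.mydomain.org:8989
< HTTP/1.1 401 Unauthorized
* gss_init_sec_context() failed: : Server not found in Kerberos databaseWWW-Authenticate: Negotiate
< Content-Length: 0
"""

STATUS_RE = re.compile(r"^< HTTP/1\.[01] (\d{3})")
# curl -v interleaves stderr and stdout, so the GSS error can run straight into the
# next response header (as in the post); cut the message at "WWW-Authenticate:".
GSS_RE = re.compile(r"gss_init_sec_context\(\) failed:[ :]*(?P<msg>.*?)(?:WWW-Authenticate:.*)?$")


def expected_spn(url: str, realm: str) -> str:
    """SPN a GSSAPI client asks the KDC for when talking to `url`: HTTP/<host>@REALM.
    MIT krb5 lowercases the host and strips a trailing dot; with rdns=false in
    krb5.conf [libdefaults] it does not replace the host by its PTR record."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return f"HTTP/{host.rstrip('.').lower()}@{realm.upper()}"


def parse_curl_trace(trace: str) -> Tuple[Optional[int], bool, Optional[str]]:
    """Return (HTTP status, Negotiate challenge seen, GSS error text)."""
    status, challenged, gss_error = None, False, None
    for line in trace.splitlines():
        m = STATUS_RE.match(line)
        if m:
            status = int(m.group(1))
        if "WWW-Authenticate: Negotiate" in line:
            challenged = True
        m = GSS_RE.search(line)
        if m:
            gss_error = m.group("msg").strip()
    return status, challenged, gss_error


def diagnose(trace: str, url: str, realm: str, registered: List[str]) -> str:
    """Classify the trace; `registered` is the list of SPNs known to exist in AD."""
    status, challenged, gss_error = parse_curl_trace(trace)
    spn = expected_spn(url, realm)
    if gss_error and "not found in Kerberos database" in gss_error:
        # KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: the client's KDC has no principal for the
        # SPN curl requested, so the failure happens before NiFi sees any token.
        where = "is" if spn in registered else "is NOT"  # principal names are case-sensitive
        return (f"client side: KDC has no principal for the requested SPN; {spn} {where} in "
                f"the registered list, so check which name krb5 canonicalised "
                f"{urlsplit(url).hostname} to (rdns/CNAME) and that the SPN exists in AD")
    return f"unclassified: status={status} challenge={challenged} error={gss_error!r}"
```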