Support Questions

Find answers, ask questions, and share your expertise

Identifier doesn't match expected value (906)

avatar
Contributor

KrbException: Server not found in Kerberos database (7) - LOOKING_UP_SERVER at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:73) at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:251) at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:262) at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:308) at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:126) at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:458) at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:693) at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248) at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179) at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192) at org.apache.zookeeper.client.ZooKeeperSaslClient$2.run(ZooKeeperSaslClient.java:366) at org.apache.zookeeper.client.ZooKeeperSaslClient$2.run(ZooKeeperSaslClient.java:363) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Subject.java:422) at org.apache.zookeeper.client.ZooKeeperSaslClient.createSaslToken(ZooKeeperSaslClient.java:362) at org.apache.zookeeper.client.ZooKeeperSaslClient.createSaslToken(ZooKeeperSaslClient.java:348) at org.apache.zookeeper.client.ZooKeeperSaslClient.sendSaslPacket(ZooKeeperSaslClient.java:420) at org.apache.zookeeper.client.ZooKeeperSaslClient.initialize(ZooKeeperSaslClient.java:458) at org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1013) Caused by: KrbException: Identifier doesn't match expected value (906) at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140) at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65) at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60) at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)

5 REPLIES 5

avatar
Expert Contributor

Did you ever figure it out. i"m facing the same issue.

avatar
Contributor

Am seeing the same issue? Did you find a way to workaround this issue?

avatar
Explorer

Hi.

Has your client machine a valid kerberos client setup?
Is it's krb5.ini, or krb5.conf for windows machines, coherent with underlying kerberos server setup?

 

Stefano

avatar
New Contributor

Make sure username is in lower case and domain name is in upper case when generating keytab using ktpass command.

This is right: ktpass .... -mapUser user@EXAMPLE.COM

This is wrong: ktpass .... -mapUser USER@EXAMPLE.COM or user@example.com

avatar
Cloudera Employee

Saw the same issue and debug it by adding Java option 

-Dsun.security.krb5.debug=true

In the logs, I found the IP address of KDC is shown instead of the hostname. That's suspicious. So I tried adding the IP -> hostname mapping of the KDC server in /etc/hosts. It resolved the issue.

There could be other causes for your issue. The debug logs can show you more clues.