Support Questions

Find answers, ask questions, and share your expertise

Impala3.4 with kerberos auth, impala-shell get wrong principal

avatar
Explorer

Impala 3.4

 

When impala-shell is started, impalad.ERROR:

authentication.cc:177] SASL message (Kerberos (external)): GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No key table entry found for impala@node1)

 

I don't understand why it got the wrong principal. I passed in the correct principal and keytab in the startup file.

 

Can someone help me? Thank you very much.

 

4 REPLIES 4

avatar
Master Collaborator

Hi,

 

Can you regenerate the kerberos credentials for impala from CM and see if it helps?

 

Regards,

Chethan YM

avatar
Explorer

Thank you for the attention, I try to regenerate the Kerberos credentials but get the same result. Enable impala in Ambari

avatar
Super Guru

@ken_zz ,

 

Please run the following command to list the principals contained in your keytab:

klist -kt <keytab_file>

 

The full principal name is the long form: either username@REALM or username/fqdn@REALM.

Try specifying the full principal name when starting impala-shell.

 

Cheers,

André

 

--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.

avatar
Explorer

Thank you for the attention, the Principal name is complete and correct.

Impala Catalog and Impala Server will report an error:

 

9236 authentication.cc:177] SASL message (Kerberos (internal)): GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/statestore_hostname@TEST.COM not found in Kerberos database)

 

When I set "-skip_internal_kerberos_auth=true", only Coordinator gets this error.

When I set "-skip_internal_kerberos_auth=true" and "-skip_external_kerberos_auth=true", all components are fine, but then Kerberos authentication is lost.