
Issue with EMR Kerberos (cross-trust realm) with windows 2016 AD



Hello,

I need some help with configuring NiFi and Kylo with Kerberos on a cross-realm trust. I am able to run hdfs and beeline from my AD testadmin account (after I do the kinit testadmin@TESTAD.LOCAL) on the edge node. I created new keytab files /etc/kylo.keytab and /etc/nifi.keytab with these principals in them.


When I try to import a feed I am getting this:

java.lang.RuntimeException: java.sql.SQLException: Could not open client transport with JDBC Uri: jdbc:hive2://10.1.2.130:10000/;principal=hive/ip-10-1-2-130.ec2.internal@EC2.INTERNAL: GSS initiate failed


Edge node (ip-10-1-2-61): NiFi, ActiveMQ, Kylo installed

Windows 2012 AD (ip-10-1-2-56.ec2.internal)

EMR Cluster: (ip-10-1-2-130)


krb5.conf on the EMR cluster (ip-10-1-2-130); the same configuration is copied to the edge node and core nodes.

[libdefaults]
    default_realm = EC2.INTERNAL
    dns_lookup_realm = false
    dns_lookup_kdc = false
    rdns = false
    ticket_lifetime = 24h
    forwardable = true
    udp_preference_limit = 1000000
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1
[realms]
    EC2.INTERNAL = {
        kdc = ip-10-1-2-130.ec2.internal:88
        admin_server = ip-10-1-2-130.ec2.internal:749
        default_domain = ec2.internal
    }
    TESTAD.LOCAL = {
        kdc = ip-10-1-2-56.ec2.internal
        admin_server = ip-10-1-2-56.ec2.internal
        default_domain = testad.local
    }
[domain_realm]
    .ec2.internal = EC2.INTERNAL
    ec2.internal = EC2.INTERNAL
    .testad.local = TESTAD.LOCAL
    testad.local = TESTAD.LOCAL
[logging]
    kdc = FILE:/var/log/kerberos/krb5kdc.log
    admin_server = FILE:/var/log/kerberos/kadmin.log
    default = FILE:/var/log/kerberos/krb5lib.log

kylo keytab:
# klist -ket /etc/kylo.keytab 
Keytab name: FILE:/etc/kylo.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 07/22/2019 14:42:59 kylo/ip-10-1-2-130.ec2.internal@EC2.INTERNAL (aes256-cts-hmac-sha1-96) 
   2 07/22/2019 14:42:59 kylo/ip-10-1-2-130.ec2.internal@EC2.INTERNAL (aes128-cts-hmac-sha1-96) 
   2 07/22/2019 14:42:59 kylo/ip-10-1-2-130.ec2.internal@EC2.INTERNAL (des3-cbc-sha1) 
   2 07/22/2019 14:43:12 kylo/ip-10-1-2-192.ec2.internal@EC2.INTERNAL (aes256-cts-hmac-sha1-96) 
   2 07/22/2019 14:43:12 kylo/ip-10-1-2-192.ec2.internal@EC2.INTERNAL (aes128-cts-hmac-sha1-96) 
   2 07/22/2019 14:43:12 kylo/ip-10-1-2-192.ec2.internal@EC2.INTERNAL (des3-cbc-sha1) 
   2 07/22/2019 14:43:24 kylo/ip-10-1-2-54.ec2.internal@EC2.INTERNAL (aes256-cts-hmac-sha1-96) 
   2 07/22/2019 14:43:24 kylo/ip-10-1-2-54.ec2.internal@EC2.INTERNAL (aes128-cts-hmac-sha1-96) 
   2 07/22/2019 14:43:24 kylo/ip-10-1-2-54.ec2.internal@EC2.INTERNAL (des3-cbc-sha1) 
   2 07/22/2019 14:43:34 kylo/ip-10-1-2-61.ec2.internal@EC2.INTERNAL (aes256-cts-hmac-sha1-96) 
   2 07/22/2019 14:43:34 kylo/ip-10-1-2-61.ec2.internal@EC2.INTERNAL (aes128-cts-hmac-sha1-96) 
   2 07/22/2019 14:43:34 kylo/ip-10-1-2-61.ec2.internal@EC2.INTERNAL (des3-cbc-sha1) 
   2 07/22/2019 14:43:43 kylo@EC2.INTERNAL (aes256-cts-hmac-sha1-96) 
   2 07/22/2019 14:43:43 kylo@EC2.INTERNAL (aes128-cts-hmac-sha1-96) 
   2 07/22/2019 14:43:43 kylo@EC2.INTERNAL (des3-cbc-sha1) 


keytab file for /etc/nifi.keytab:
# klist -ket /etc/nifi.keytab 
Keytab name: FILE:/etc/nifi.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 07/22/2019 14:10:05 nifi/ip-10-1-2-130.ec2.internal@EC2.INTERNAL (aes256-cts-hmac-sha1-96) 
   2 07/22/2019 14:10:05 nifi/ip-10-1-2-130.ec2.internal@EC2.INTERNAL (aes128-cts-hmac-sha1-96) 
   2 07/22/2019 14:10:05 nifi/ip-10-1-2-130.ec2.internal@EC2.INTERNAL (des3-cbc-sha1) 
   2 07/22/2019 14:10:15 nifi/ip-10-1-2-192.ec2.internal@EC2.INTERNAL (aes256-cts-hmac-sha1-96) 
   2 07/22/2019 14:10:15 nifi/ip-10-1-2-192.ec2.internal@EC2.INTERNAL (aes128-cts-hmac-sha1-96) 
   2 07/22/2019 14:10:15 nifi/ip-10-1-2-192.ec2.internal@EC2.INTERNAL (des3-cbc-sha1) 
   2 07/22/2019 14:10:42 nifi/ip-10-1-2-54.ec2.internal@EC2.INTERNAL (aes256-cts-hmac-sha1-96) 
   2 07/22/2019 14:10:42 nifi/ip-10-1-2-54.ec2.internal@EC2.INTERNAL (aes128-cts-hmac-sha1-96) 
   2 07/22/2019 14:10:42 nifi/ip-10-1-2-54.ec2.internal@EC2.INTERNAL (des3-cbc-sha1) 
   2 07/22/2019 14:10:52 nifi/ip-10-1-2-61.ec2.internal@EC2.INTERNAL (aes256-cts-hmac-sha1-96) 
   2 07/22/2019 14:10:52 nifi/ip-10-1-2-61.ec2.internal@EC2.INTERNAL (aes128-cts-hmac-sha1-96) 
   2 07/22/2019 14:10:52 nifi/ip-10-1-2-61.ec2.internal@EC2.INTERNAL (des3-cbc-sha1) 
   2 07/22/2019 14:15:30 nifi@EC2.INTERNAL (aes256-cts-hmac-sha1-96) 
   2 07/22/2019 14:15:30 nifi@EC2.INTERNAL (aes128-cts-hmac-sha1-96) 
   2 07/22/2019 14:15:30 nifi@EC2.INTERNAL (des3-cbc-sha1) 

Re: Issue with EMR Kerberos (cross-trust realm) with windows 2016 AD


I am following this document:

https://kylo.readthedocs.io/en/v0.9.1/security/KerberosNiFiConfiguration.html


# kadmin.local
Authenticating as principal root/admin@EC2.INTERNAL with password.
kadmin.local: addprinc -randkey nifi@TESTAD.LOCAL


# klist -kte /etc/security/keytabs/nifi.headless.keytab
Keytab name: FILE:/etc/security/keytabs/nifi.headless.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 07/22/2019 17:50:14 nifi@TESTAD.LOCAL (aes256-cts-hmac-sha1-96)
   1 07/22/2019 17:50:14 nifi@TESTAD.LOCAL (aes128-cts-hmac-sha1-96)
   1 07/22/2019 17:50:14 nifi@TESTAD.LOCAL (des3-cbc-sha1)


Error:

# su - nifi
$ kinit -kt /etc/security/keytabs/nifi.headless.keytab nifi
kinit: Keytab contains no suitable keys for nifi@EC2.INTERNAL while getting initial credentials
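An added diagnostic, not from the original thread or the Kylo documentation: kinit qualifies a bare name such as `nifi` with `default_realm` from krb5.conf, so it looks for nifi@EC2.INTERNAL in a keytab whose only entries are nifi@TESTAD.LOCAL, which is exactly the error shown above. The snippet below parses `klist -ket` output and applies that rule; the listing and realm are copied from this page, while `parse_klist`, `qualify` and `check_keytab` are names of my own. Whether the nifi principal belongs in TESTAD.LOCAL or EC2.INTERNAL is a design question the thread does not settle.

```python
import re

# Constructed from the klist -kte listing in the reply above (not a live keytab).
KLIST_OUTPUT = """Keytab name: FILE:/etc/security/keytabs/nifi.headless.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 07/22/2019 17:50:14 nifi@TESTAD.LOCAL (aes256-cts-hmac-sha1-96)
   1 07/22/2019 17:50:14 nifi@TESTAD.LOCAL (aes128-cts-hmac-sha1-96)
   1 07/22/2019 17:50:14 nifi@TESTAD.LOCAL (des3-cbc-sha1)
"""
DEFAULT_REALM = "EC2.INTERNAL"  # [libdefaults] default_realm from the krb5.conf above

# One klist -ket entry: KVNO, date+time, principal, "(enctype)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Return {principal: set(enctypes)} from `klist -ket` output."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.setdefault(m.group(3), set()).add(m.group(4))
    return entries


def qualify(principal, default_realm):
    """Apply the rule kinit uses: a name with no '@' gets default_realm."""
    return principal if "@" in principal else f"{principal}@{default_realm}"


def check_keytab(principal, klist_text, default_realm, permitted_enctypes):
    """Predict whether `kinit -kt <keytab> <principal>` can find a usable key.

    Returns (ok, message). Covers both causes of "Keytab contains no suitable
    keys": the qualified principal is absent, or present only with enctypes
    outside permitted_enctypes.
    """
    entries = parse_klist(klist_text)
    wanted = qualify(principal, default_realm)
    if wanted not in entries:
        same_name = sorted(p for p in entries if p.split("@")[0] == wanted.split("@")[0])
        hint = f"; keytab does have {', '.join(same_name)}" if same_name else ""
        return False, f"no entry for {wanted}{hint}"
    usable = entries[wanted] & set(permitted_enctypes)
    if not usable:
        return False, f"{wanted} present but no permitted enctype ({sorted(entries[wanted])})"
    return True, f"{wanted} usable with {sorted(usable)}"


if __name__ == "__main__":
    permitted = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "des3-cbc-sha1"]
    print(check_keytab("nifi", KLIST_OUTPUT, DEFAULT_REALM, permitted))               # bare name, as in the reply
    print(check_keytab("nifi@TESTAD.LOCAL", KLIST_OUTPUT, DEFAULT_REALM, permitted))  # realm-qualified name
```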
