Created 07-22-2019 08:59 PM
Hello,
I need some help with configuring NiFi and Kylo with Kerberos on a cross-realm trust. I am able to run hdfs and beeline from my AD testadmin account (after I do the kinit testadmin@TESTAD.LOCAL) on the edge node. I created new keytab files /etc/kylo.keytab and /etc/nifi.keytab with these principals in them.
When I try to import a feed I am getting this:
java.lang.RuntimeException: java.sql.SQLException: Could not open client transport with JDBC Uri: jdbc:hive2://10.1.2.130:10000/;principal=hive/ip-10-1-2-130.ec2.internal@EC2.INTERNAL: GSS initiate failed
Edge node (ip-10-1-2-61): NiFi, ActiveMQ and Kylo installed
Windows 2012 AD (ip-10-1-2-56.ec2.internal)
EMR Cluster: (ip-10-1-2-130)
krb5.conf on EMR cluster (ip-10-1-2-130) and same configuration copied to edge nodes & core nodes.
[libdefaults]
    default_realm = EC2.INTERNAL
    dns_lookup_realm = false
    dns_lookup_kdc = false
    rdns = false
    ticket_lifetime = 24h
    forwardable = true
    udp_preference_limit = 1000000
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1

[realms]
    EC2.INTERNAL = {
        kdc = ip-10-1-2-130.ec2.internal:88
        admin_server = ip-10-1-2-130.ec2.internal:749
        default_domain = ec2.internal
    }
    TESTAD.LOCAL = {
        kdc = ip-10-1-2-56.ec2.internal
        admin_server = ip-10-1-2-56.ec2.internal
        default_domain = testad.local
    }

[domain_realm]
    .ec2.internal = EC2.INTERNAL
    ec2.internal = EC2.INTERNAL
    .testad.local = TESTAD.LOCAL
    testad.local = TESTAD.LOCAL

[logging]
    kdc = FILE:/var/log/kerberos/krb5kdc.log
    admin_server = FILE:/var/log/kerberos/kadmin.log
    default = FILE:/var/log/kerberos/krb5lib.log
kylo keytab:
# klist -ket /etc/kylo.keytab
Keytab name: FILE:/etc/kylo.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
2 07/22/2019 14:42:59 kylo/ip-10-1-2-130.ec2.internal@EC2.INTERNAL (aes256-cts-hmac-sha1-96)
2 07/22/2019 14:42:59 kylo/ip-10-1-2-130.ec2.internal@EC2.INTERNAL (aes128-cts-hmac-sha1-96)
2 07/22/2019 14:42:59 kylo/ip-10-1-2-130.ec2.internal@EC2.INTERNAL (des3-cbc-sha1)
2 07/22/2019 14:43:12 kylo/ip-10-1-2-192.ec2.internal@EC2.INTERNAL (aes256-cts-hmac-sha1-96)
2 07/22/2019 14:43:12 kylo/ip-10-1-2-192.ec2.internal@EC2.INTERNAL (aes128-cts-hmac-sha1-96)
2 07/22/2019 14:43:12 kylo/ip-10-1-2-192.ec2.internal@EC2.INTERNAL (des3-cbc-sha1)
2 07/22/2019 14:43:24 kylo/ip-10-1-2-54.ec2.internal@EC2.INTERNAL (aes256-cts-hmac-sha1-96)
2 07/22/2019 14:43:24 kylo/ip-10-1-2-54.ec2.internal@EC2.INTERNAL (aes128-cts-hmac-sha1-96)
2 07/22/2019 14:43:24 kylo/ip-10-1-2-54.ec2.internal@EC2.INTERNAL (des3-cbc-sha1)
2 07/22/2019 14:43:34 kylo/ip-10-1-2-61.ec2.internal@EC2.INTERNAL (aes256-cts-hmac-sha1-96)
2 07/22/2019 14:43:34 kylo/ip-10-1-2-61.ec2.internal@EC2.INTERNAL (aes128-cts-hmac-sha1-96)
2 07/22/2019 14:43:34 kylo/ip-10-1-2-61.ec2.internal@EC2.INTERNAL (des3-cbc-sha1)
2 07/22/2019 14:43:43 kylo@EC2.INTERNAL (aes256-cts-hmac-sha1-96)
2 07/22/2019 14:43:43 kylo@EC2.INTERNAL (aes128-cts-hmac-sha1-96)
2 07/22/2019 14:43:43 kylo@EC2.INTERNAL (des3-cbc-sha1)
keytab file for /etc/nifi.keytab
# klist -ket /etc/nifi.keytab
Keytab name: FILE:/etc/nifi.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
2 07/22/2019 14:10:05 nifi/ip-10-1-2-130.ec2.internal@EC2.INTERNAL (aes256-cts-hmac-sha1-96)
2 07/22/2019 14:10:05 nifi/ip-10-1-2-130.ec2.internal@EC2.INTERNAL (aes128-cts-hmac-sha1-96)
2 07/22/2019 14:10:05 nifi/ip-10-1-2-130.ec2.internal@EC2.INTERNAL (des3-cbc-sha1)
2 07/22/2019 14:10:15 nifi/ip-10-1-2-192.ec2.internal@EC2.INTERNAL (aes256-cts-hmac-sha1-96)
2 07/22/2019 14:10:15 nifi/ip-10-1-2-192.ec2.internal@EC2.INTERNAL (aes128-cts-hmac-sha1-96)
2 07/22/2019 14:10:15 nifi/ip-10-1-2-192.ec2.internal@EC2.INTERNAL (des3-cbc-sha1)
2 07/22/2019 14:10:42 nifi/ip-10-1-2-54.ec2.internal@EC2.INTERNAL (aes256-cts-hmac-sha1-96)
2 07/22/2019 14:10:42 nifi/ip-10-1-2-54.ec2.internal@EC2.INTERNAL (aes128-cts-hmac-sha1-96)
2 07/22/2019 14:10:42 nifi/ip-10-1-2-54.ec2.internal@EC2.INTERNAL (des3-cbc-sha1)
2 07/22/2019 14:10:52 nifi/ip-10-1-2-61.ec2.internal@EC2.INTERNAL (aes256-cts-hmac-sha1-96)
2 07/22/2019 14:10:52 nifi/ip-10-1-2-61.ec2.internal@EC2.INTERNAL (aes128-cts-hmac-sha1-96)
2 07/22/2019 14:10:52 nifi/ip-10-1-2-61.ec2.internal@EC2.INTERNAL (des3-cbc-sha1)
2 07/22/2019 14:15:30 nifi@EC2.INTERNAL (aes256-cts-hmac-sha1-96)
2 07/22/2019 14:15:30 nifi@EC2.INTERNAL (aes128-cts-hmac-sha1-96)
2 07/22/2019 14:15:30 nifi@EC2.INTERNAL (des3-cbc-sha1)
Created 07-22-2019 09:00 PM
I am following this document
https://kylo.readthedocs.io/en/v0.9.1/security/KerberosNiFiConfiguration.html
kadmin.local
Authenticating as principal root/admin@EC2.INTERNAL with password.
kadmin.local: addprinc -randkey nifi@TESTAD.LOCAL
klist -kte /etc/security/keytabs/nifi.headless.keytab
Keytab name: FILE:/etc/security/keytabs/nifi.headless.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
1 07/22/2019 17:50:14 nifi@TESTAD.LOCAL (aes256-cts-hmac-sha1-96)
1 07/22/2019 17:50:14 nifi@TESTAD.LOCAL (aes128-cts-hmac-sha1-96)
1 07/22/2019 17:50:14 nifi@TESTAD.LOCAL (des3-cbc-sha1)
Error:
# su - nifi
$ kinit -kt /etc/security/keytabs/nifi.headless.keytab nifi
kinit: Keytab contains no suitable keys for nifi@EC2.INTERNAL while getting initial credentials
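
The kinit error above can be reproduced offline by comparing the principal kinit will request with the principals listed in the keytab. This is an added example, not part of the original post: the function names are hypothetical, and the sample input is the `klist -kte` listing and `default_realm` quoted in the thread.

```shell
#!/usr/bin/env bash
# Added example: explain "Keytab contains no suitable keys" by comparing the
# principal kinit will request against the principals present in a keytab.

# `klist -kte` output copied from the post above (embedded so this runs offline).
KLIST_OUTPUT='Keytab name: FILE:/etc/security/keytabs/nifi.headless.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
1 07/22/2019 17:50:14 nifi@TESTAD.LOCAL (aes256-cts-hmac-sha1-96)
1 07/22/2019 17:50:14 nifi@TESTAD.LOCAL (aes128-cts-hmac-sha1-96)
1 07/22/2019 17:50:14 nifi@TESTAD.LOCAL (des3-cbc-sha1)'

# default_realm from [libdefaults] in the krb5.conf shown in the post.
DEFAULT_REALM='EC2.INTERNAL'

# kinit appends default_realm when the principal is given without "@REALM".
qualify_principal() {  # args: principal default_realm
  case "$1" in
    *@*) printf '%s\n' "$1" ;;
    *)   printf '%s@%s\n' "$1" "$2" ;;
  esac
}

# Unique principals in klist -kte output; data rows start with a numeric KVNO.
keytab_principals() {  # args: klist_output
  printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && $4 ~ /@/ { print $4 }' | sort -u
}

# Report whether the keytab holds an entry for the principal kinit would request.
check_keytab() {  # args: klist_output principal default_realm
  _wanted=$(qualify_principal "$2" "$3")
  if keytab_principals "$1" | grep -Fxq -- "$_wanted"; then
    printf 'OK %s\n' "$_wanted"
  else
    printf 'MISSING %s (keytab has: %s)\n' "$_wanted" \
      "$(keytab_principals "$1" | paste -sd, -)"
  fi
}

# The failing call from the post: bare "nifi" resolves to nifi@EC2.INTERNAL.
check_keytab "$KLIST_OUTPUT" nifi "$DEFAULT_REALM"
# Fully qualified principal: matches the keytab entry.
check_keytab "$KLIST_OUTPUT" nifi@TESTAD.LOCAL "$DEFAULT_REALM"
```

A match only shows that the keytab has an entry for that name; kinit still needs the KDC of that realm to hold the same key and KVNO for the principal.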