Kerberos Authentication Failure : Catalog Server Unable to Connect to Statestore Port

Explorer

F0303 09:59:04.650674 32117 catalogd-main.cc:87] Couldn't open transport for hostname:11423 (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database))

 

I have used a customized service name for Impala; can we do that? If not, how can we achieve it?

principal - impala_<some text>@hostname@Domain

Super Guru

@pandu2022 ,

 

Have you updated the properties below for *all* the Impala service roles (ID, catalog and statestore)?

 

  • principal: When using a load-balancer this should be of the form impala_test/<LB_fqdn>@<REALM>. If not using a LB, this should be impala_test/<host_fqdn>@<REALM>.
  • be_principal: This is only necessary when a LB is being used and should be of the form impala_test/<host_fqdn>@<REALM>.

 

Cheers,

André

--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.

Explorer

Hi,
Everything works fine for the "impala" service name, but I will try and let you know. Thank you very much.

Thanks,
Panduka.

Explorer

@araujo 
I do not know where else to configure this customized service name for Impala services.

Contributor

@pandu2022 

I have a feeling that your Kerberos principal doesn't exist on the KDC server. On the statestore server, can you try running "kinit impala_test/<host_fqdn>@<REALM>"? If you get a prompt for a password, that indicates your principal exists on the KDC server. If you get an error (not found in Kerberos database) when you kinit, that indicates your principal doesn't exist on the KDC server.

If the kinit works from the catalog server, then most likely on the statestore you are using a different KDC server. In this case, maybe you should check your /etc/krb5.conf to make sure they match.

 

rgds,

Ram.

Explorer

Hi Ram,
kinit works fine on both of the servers as expected, and there is no difference in the krb5.conf files either.

Thanks,
Panduka.

Explorer

@araujo / @ram76 

Should the backend host FQDN be accessible from the KDC server? I am using a custom FQDN for hosts which are accessible within the cluster, but the KDC can access only the LB FQDN. Is this an issue? Any comments?

Super Guru

@pandu2022 ,

 

The KDC does not need to connect to Impala servers.

Do you happen to have multiple realms in your environment with cross-realm trust configured between them?

 

Could you please run the below commands and share the output?

kinit <your_user>
kvno impala/<host_fqdn>@<REALM>
kvno impala_test/<host_fqdn>@<REALM>

 

Cheers,

André

Explorer

@araujo 

OMG!!

kinit <user> - works fine

kvno impala/<host fqdn> - works fine

but,

kvno impala_test/<host fqdn> - not working !!!
kvno: Server not found in Kerberos database while getting credentials for impala_test/<host fqdn>@domain 

Explorer

And additionally,
what does this kvno command do?
When I kinit with the relevant keytab for impala_test/<host fqdn>@domain, it works fine, but the kvno command does not.

Super Guru

@pandu2022 ,

 

Please check the servicePrincipalName (SPN) property of the AD user. It should be impala_test/<host>@realm.

 

André

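
The difference between the two checks used in this thread, as an added example that is not code from any participant: `kinit -kt` asks the KDC for a TGT with the principal acting as a client, while `kvno` asks for a service ticket with the same name acting as a service and prints its key version number. The function names and result labels below are hypothetical; `klist`, `kinit` and `kvno` are assumed to be the MIT Kerberos client tools.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and result labels are
# made up for illustration; klist, kinit and kvno are the MIT Kerberos tools.
#
# kinit -kt : AS exchange, the KDC looks the principal up as a client.
# kvno      : TGS exchange, the KDC looks the same name up as a service and
#             prints the key version number of the ticket it issues.

# classify <kinit_rc> <kvno_rc> <kvno_stderr> -> prints one result label
classify() {
  if [ "$1" -ne 0 ]; then
    echo "CLIENT_LOOKUP_FAILED"          # keytab key or principal rejected
  elif [ "$2" -eq 0 ]; then
    echo "OK"                            # both lookups succeed
  elif printf '%s\n' "$3" | grep -q 'Server not found in Kerberos database'; then
    # The case in this thread: kinit works, kvno does not. The last reply
    # says to check the servicePrincipalName set on the AD account.
    echo "SERVICE_NAME_UNKNOWN_TO_KDC"
  else
    echo "SERVICE_TICKET_FAILED"         # some other TGS error, read stderr
  fi
}

# check_spn <keytab> <principal> -> prints a result label
# Runs in a subshell "( )" so variables and the temp ccache stay local.
check_spn() (
  keytab=$1; princ=$2; kinit_rc=0; kvno_rc=0
  if ! klist -kt "$keytab" 2>/dev/null | grep -qF "$princ"; then
    echo "NOT_IN_KEYTAB"; exit 1
  fi
  cc=$(mktemp) || exit 2
  # Use a throwaway credential cache so the caller's tickets are untouched.
  KRB5CCNAME="FILE:$cc" kinit -kt "$keytab" "$princ" >/dev/null 2>&1 || kinit_rc=$?
  kvno_err=$(KRB5CCNAME="FILE:$cc" kvno "$princ" 2>&1 >/dev/null) || kvno_rc=$?
  rm -f "$cc"
  classify "$kinit_rc" "$kvno_rc" "$kvno_err"
)

# Usage: sh check_spn.sh <keytab> <service/host@REALM>
if [ "$#" -eq 2 ]; then
  check_spn "$1" "$2"
fi
```

Run it on each Impala role host with that host's keytab and principal; a result of `SERVICE_NAME_UNKNOWN_TO_KDC` reproduces the symptom reported above.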