Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Kerberos Cache in IPA /RedHat IDM (KEYRING) SOLVED!!

Labels:
avatar
author-rank mkataria
Expert Contributor

Created on ‎01-22-2016 04:48 PM - edited ‎09-16-2022 02:59 AM

Hi Everyone,

I came across a Kerberos cache issue and wanted to share and possible have more ideas.

One of our clients have RedHat IDM (supported version of freeIpa) and when you install sssd along with krb5 by IDM the default cache setting is 'KEYRING' than 'File'

You will still be able to get the tickets but will have GSSException error on Cluster.

KEYRING persistent cache setting works with many applications however not with HADOOP Cluster, I'm sure HDO engineering team must be looking into this for a solution, since KEYRING is the future for kerberos cache and the stuff you can do with it like keylist and etc.

To solve the errors you can comment out the "default_ccache_name=KEYRING....." on krb.conf or change it to "default_ccache_name = FILE:/tmp/krb5cc_%{uid}"

Logout and log in again - destroy the previous tickets and you should have something like "Ticket cache: FILE:/tmp/krb5cc_" in your klist output.

If you still see KEYRING PERSISTENT, kill all the running sessions of the user having the problem and restart SSSD service.

Thanks

32,898 Views
1 ACCEPTED SOLUTION

avatar
author-rank stevel author-rank
Guru

Created ‎01-23-2016 05:27 AM

@mkataria, thanks for this

"I'm sure HDO engineering team must be looking into this for a solution, since KEYRING is the future for kerberos cache and the stuff you can do with it like keylist and etc."

Hadoop uses the Kerberos libraries that come with the JVM. That's pretty problematic, because we have to delve into the private com.sun. and com.ibm. internal classes to get some stuff done, and that tends to break across major (and sometimes minor) releases. If we stay with the Oracle libraries, we're stuck with whatever they implement, which, as you've noticed, is pretty limited and out of date.

You may be interested to hear of Apache Kerby, an ongoing project to have a pure Java Kerberos Domain Controller and, importantly for production Hadoop —a modern Kerberos client library, with CPU-acceleration of encryption when available (i.e. latest intel parts, as Hadoop already does for HDFS encryption), and broader protocol support. I don't think its ready for production use yet, and nobody has —yet— gone beyond looking at what it would take to switch Hadoop over to it. But be assured: people are looking at it.

Finally, what was the error message you got? Was it the classic "unable to find TGT for user" kind of text, or something new? I'm trying to build a list list of common Kerberos error messages —adding a new message or a new possible cause of an existing message is something else to put in here.

View solution in original post

25,280 Views
8 REPLIES 8

avatar
author-rank abajwa author-rank
Guru

Created ‎01-22-2016 04:54 PM

@mkataria perhaps you would consider posting this as an article instead of a question? It would be a useful article because others have run into this in the past (see here)

25,280 Views
0 Kudos

avatar
author-rank mkataria
Expert Contributor

Created ‎01-22-2016 05:31 PM

Thanks @Ali Bajwa, posted as article

25,280 Views
0 Kudos

avatar
author-rank stevel author-rank
Guru

Created ‎01-23-2016 05:27 AM

@mkataria, thanks for this

"I'm sure HDO engineering team must be looking into this for a solution, since KEYRING is the future for kerberos cache and the stuff you can do with it like keylist and etc."

Hadoop uses the Kerberos libraries that come with the JVM. That's pretty problematic, because we have to delve into the private com.sun. and com.ibm. internal classes to get some stuff done, and that tends to break across major (and sometimes minor) releases. If we stay with the Oracle libraries, we're stuck with whatever they implement, which, as you've noticed, is pretty limited and out of date.

You may be interested to hear of Apache Kerby, an ongoing project to have a pure Java Kerberos Domain Controller and, importantly for production Hadoop —a modern Kerberos client library, with CPU-acceleration of encryption when available (i.e. latest intel parts, as Hadoop already does for HDFS encryption), and broader protocol support. I don't think its ready for production use yet, and nobody has —yet— gone beyond looking at what it would take to switch Hadoop over to it. But be assured: people are looking at it.

Finally, what was the error message you got? Was it the classic "unable to find TGT for user" kind of text, or something new? I'm trying to build a list list of common Kerberos error messages —adding a new message or a new possible cause of an existing message is something else to put in here.

25,281 Views

avatar
author-rank mkataria
Expert Contributor

Created ‎01-25-2016 04:37 PM

@stevel thanks for the explanation upcoming Kerby, we had the same error message which you have already documented however a different cause 'may be unsupported cache type" the error was

No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt

we commented out "default_ccache_name = KEYRING:persistent:%{uid}" and it fixed.

Thanks Mayank

25,280 Views

avatar
author-rank phil1
Explorer

Created ‎06-16-2016 10:06 PM

Looks like that freeipa-client on CentOS6.x is not adding the default_ccache_name entry in the /etc/krb5.conf while it adds it in CentOS7, and the KEYRING: thing makes it all go bonkers indeed.

Thanks a lot for the pointer!!!!

25,280 Views
0 Kudos

avatar
author-rank michael_van_de_
Explorer

Created ‎06-16-2016 10:18 PM

THANK YOU! I barely can imagine how many nights you wasted on this. This vicious issue appeared suddenly when we installed FreeIPA client on centos 7 nodes. Whereas, on CentOS 6.7, the KEYRING was absent...

25,280 Views
0 Kudos

avatar
author-rank michael_van_de_
Explorer

Created ‎06-20-2016 11:06 PM

Please also note the exact same error can be caused by missing Oracle JCE jar files. It turns out openJDK ships JCE policy jar files compatible with HDP, but not the Oracle JVM. Hence, the extensions should be installed (even if the $JAVA_HOME/lib/security folder already contain the jars, they may not be then proper ones). I learnt this the hard way.

25,280 Views
0 Kudos

avatar
author-rank dpal
New Contributor

Created ‎03-07-2017 10:46 PM

Using KEYRING was a state of art at the moment Kerberos was bundled for RHEL7. However moving forward into the world of containers using KEYRING becomes a challenge thus SSSD is building internal ticket cache that will be supported by the system Kerberos libraries. So in general the recommendation nowadays is to use native OS Kerberos libraries, they are most recent and will provide latest functionality and experience.

25,280 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements