Created on 10-17-2016 04:54 AM - edited 09-16-2022 03:44 AM
I have a script that should run in a cron job and should be authenticated as the hdfs user through Kerberos.
To run the script outside the cron job, from the shell, I execute the following commands:
sudo -i
kinit -V -k -t /etc/security/keytabs/hdfs.headless.keytab hdfs
callMyScriptWithParams
The above commands execute as I need them to. However, when I call the same set of commands in a cron job, I get the following error:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
I get the same error if I try to run the same commands from the shell, not through root but using my current user, as below:
sudo kinit -V -k -t /etc/security/keytabs/hdfs.headless.keytab hdfs # works fine
sudo callMyScriptWithParams # throws the error
I tried to create several versions of the cron job; one of them is below (it runs every three minutes for testing purposes):
*/3 * * * * root sudo -i; kinit -V -kt /etc/security/keytabs/hdfs.headless.keytab hdfs; klist; callMyScriptWithParams; klist
I am calling 'klist' to check that I am getting the correct ticket. klist returns the hdfs user ticket before and after calling my script. Since I have a valid ticket, I am not sure why I am getting the above error. Below is the output when I obtain the ticket:
Using default cache: /run/user/krb5cc/krb5cc_0
Using principal: hdfs@MyRealm
Using keytab: /etc/security/keytabs/hdfs.headless.keytab
Authenticated to Kerberos v5
And this is an example of a ticket retrieved by 'klist':
Ticket cache: FILE:/run/user/krb5cc/krb5cc_0
Default principal: hdfs@MyRealm
Valid starting Expires Service principal
10/17/2016 15:12:01 10/18/2016 15:12:01 krbtgt/MyRealm@MyRealm
If I am retrieving a valid ticket before and after calling my script, then why am I getting the 'Failed to find any Kerberos tgt' error when I call the script? Especially since I called the same commands outside the cron job and they worked fine.
P.S. I tried the cron job without the 'sudo -i' as well, but I am still getting the same error.
Created 10-17-2016 06:21 PM
Please check if the user running the cron job has permission to read the keytab file.
Following is a relevant post that can help you further.
Created 10-17-2016 10:32 PM
The user does have permission. When I run klist before and after calling my script, I find a valid ticket, which means that the cron job was able to read the keytab file. I used the link to be able to call multiple commands in the same cron job line. It still does not explain why I am having this error, I am afraid 😞
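
An added example, not part of the thread or of any poster's code: a POSIX shell wrapper for a cron job that pins the credential cache through KRB5CCNAME, so that kinit, klist and the job all use the same private cache whatever environment cron provides. The function name run_with_keytab and the KINIT/KLIST/KDESTROY override variables are assumptions, and the thread does not establish that a cache-location mismatch is the cause of the error reported above.

```shell
#!/bin/sh
# Added example: run a command under a keytab-derived TGT with an explicit cache.
# Assumption: MIT Kerberos client tools on PATH; override the names for testing.
KINIT=${KINIT:-kinit}
KLIST=${KLIST:-klist}
KDESTROY=${KDESTROY:-kdestroy}

# run_with_keytab KEYTAB PRINCIPAL COMMAND [ARGS...]   (hypothetical helper)
# e.g. run_with_keytab /etc/security/keytabs/hdfs.headless.keytab hdfs callMyScriptWithParams
run_with_keytab() {
    keytab=$1; principal=$2; shift 2

    # Fail early, with a clear message, if the calling user cannot read the keytab.
    if [ ! -r "$keytab" ]; then
        echo "keytab not readable by $(id -un): $keytab" >&2
        return 2
    fi

    # Private per-run cache file (mktemp creates it with mode 0600). Exporting
    # KRB5CCNAME makes every child process resolve this same cache.
    cache=$(mktemp "${TMPDIR:-/tmp}/krb5cc_job.XXXXXX") || return 3
    KRB5CCNAME="FILE:$cache"
    export KRB5CCNAME

    rc=0
    # klist -s is silent and exits non-zero when the cache holds no valid ticket.
    if "$KINIT" -k -t "$keytab" "$principal" && "$KLIST" -s; then
        "$@" || rc=$?          # propagate the job's own exit status
    else
        echo "could not obtain a TGT for $principal" >&2
        rc=4
    fi

    # Do not leave the ticket behind once the job has finished.
    "$KDESTROY" -q >/dev/null 2>&1 || true
    rm -f "$cache"
    unset KRB5CCNAME
    return $rc
}
```

Return codes 2, 3 and 4 distinguish an unreadable keytab, a cache that could not be created, and a failed kinit from a failure of the job itself, which keeps the cron mail or log unambiguous.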