Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

LDAP connection issues- Could not start SASL: Error in sasl_client_start

LDAP connection issues- Could not start SASL: Error in sasl_client_start

Explorer

Hi Team,

While we have enabled LDAP authentication for Impala (just for one of the Daemon nodes),and trying to connect to that node from impala shell (impala-shell  -i <hostname> -s <service id> -l -u <userid>, we are getting the following error, but obviously it is not found in kerberos because we disabled kerberos. Looking around for some inputs, I am not sure if I am missing some fundamentals here

 

Starting Impala Shell using LDAP-based authentication
LDAP password for <user>:
Error connecting: TTransportException, TSocket read 0 bytes
Kerberos ticket found in the credentials cache, retrying the connection with a secure transport.
Error connecting: TTransportException, Could not start SASL: Error in sasl_client_start (-1) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server /xxx not foundin Kerberos database)

 

Any inputs appreciated.

 

Regards

Sreeman

 

 

1 REPLY 1

Re: LDAP connection issues- Could not start SASL: Error in sasl_client_start

Rising Star

Hi Sreeman - 

 

You're right, this is unrelated to Kerberos. The Impala shell is able to detect a Kerberos ticket in the cache, and tries to authenticate using that even though Kerberos isn't specified on the remote host. I think this is probably a bug if a separate kind of authentication (i.e. LDAP) is specified.

 

What's probably happening is that the password you are typing is not recognised for the user. The reason for that with LDAP is usually that the userid you're trying isn't actually the userid present in the LDAP database. For example, many deployments require usernames in the form user@DOMAIN.COM.

 

In Impala 1.4, there are options to map short userids onto the longer strings that an LDAP server requires. See http://www.cloudera.com/content/cloudera-content/cloudera-docs/Impala/latest/Installing-and-Using-Im... under "Support for custom bind strings". 

 

Best,

Henry

Don't have an account?
Coming from Hortonworks? Activate your account here