
Metron Rest with Kerberos support


HCP : 1.3.0

HDP : 2.5.0

Kerberos Authentication enabled for Hadoop cluster.

When Metron Rest tries to connect to Storm, an error is thrown: Server not found in Kerberos database (7) - LOOKING_UP_SERVER

    >>>KRBError:
        cTime is Thu Oct 28 12:56:54 AEST 1971 57466614000
        sTime is Wed Jan 03 22:57:12 AEDT 2018 1514980632000
        suSec is 418131
        error code is 7
        error Message is Server not found in Kerberos database
        cname is metron@XXXXX.COM
        sname is HTTPS/cbro-test-ms5.networks.in.xxxxx.com.au@XXXXX.COM
        msgType is 30
    KrbException: Server not found in Kerberos database (7) - LOOKING_UP_SERVER
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:73)
        at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:251)
        at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:262)
        at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:308)
        at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:126)
        at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:458)
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:693)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)

In the KDC there is no principal named HTTPS/cbro-test-ms5.networks.in.xxxxx.com.au@XXXXX.COM

We can see only HTTP/cbro-test-ms5.networks.in.xxxxx.com.au@XXXXX.COM

If we manually add the principal (HTTPS/cbro-test-ms5.networks.in.xxxxx.com.au@XXXXX.COM) using kadmin on the Kerberos server, we get a "Checksum failed" error:

    Jan 03, 2018 10:32:20 PM org.apache.catalina.core.StandardWrapperValve invoke
    SEVERE: Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is org.springframework.web.client.RestClientException: Error running rest call; nested exception is org.springframework.web.client.HttpClientErrorException: 403 GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)] with root cause
    org.springframework.web.client.HttpClientErrorException: 403 GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
        at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:91)
        at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:667)
        at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:620)

Please suggest how to resolve this issue, thanks


Re: Metron Rest with Kerberos support


Are you using keytabs?

Kerberos Checksum failures, in my experience, usually are caused by the principal changing but the Keytab not being re-exported. Or sometimes the keytab may be exported but into the same file and so now there are multiple entries in the keytab file.

When you say you manually added the HTTPS principal, did you generate the keytab? Are the encryption types specified for the principal the same encryption types specified as valid in your krb5.conf and/or kdc.conf?
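
The keytab checks suggested in the reply above, as an added example that is not part of the original thread: a minimal parser for the MIT keytab file format (version 0x0502) that lists each entry's principal, key version number and encryption type number without reading out the key bytes, then flags a principal that has several key versions in one file or lacks the version the KDC currently holds. The principal `HTTP/web1@EXAMPLE.COM`, the sample bytes and the hand-supplied `kdc_kvno` mapping are constructed assumptions.

```python
import struct
from collections import defaultdict

def parse_keytab(data):
    """Yield (principal, kvno, enctype number) for each entry of an MIT keytab (0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                       # negative size marks a deleted entry (hole)
            pos -= size
            continue
        p, end = pos, pos + size
        def counted():                      # 16-bit length, then that many bytes
            nonlocal p
            (n,) = struct.unpack_from(">H", data, p)
            p += 2 + n
            return data[p - n:p]
        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        realm = counted().decode()
        name = "/".join(counted().decode() for _ in range(ncomp))
        p += 8                              # skip name type and timestamp
        kvno, etype = struct.unpack_from(">BH", data, p)
        p += 3
        counted()                           # key material: skipped, never printed
        if end - p >= 4:                    # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        yield f"{name}@{realm}", kvno, etype
        pos = end

def audit(entries, kdc_kvno):               # kdc_kvno: {principal: kvno held by the KDC}
    seen, findings = defaultdict(set), []
    for princ, kvno, _etype in entries:
        seen[princ].add(kvno)
    for princ, kvnos in sorted(seen.items()):
        if len(kvnos) > 1:
            findings.append(f"{princ}: several key versions in one file {sorted(kvnos)}")
        if princ in kdc_kvno and kdc_kvno[princ] not in kvnos:
            findings.append(f"{princ}: KDC is at kvno {kdc_kvno[princ]}, keytab is stale")
    return findings

# Constructed sample: one entry template (enctype 18, all-zero key); %c is the 8-bit kvno.
ENTRY = (b"\x00\x00\x00\x38\x00\x02\x00\x0bEXAMPLE.COM\x00\x04HTTP\x00\x04web1"
         b"\x00\x00\x00\x01\x00\x00\x00\x00%c\x00\x12\x00\x10" + bytes(16))
SAMPLE = b"\x05\x02" + ENTRY % 1 + ENTRY % 2   # same principal exported twice
```

Calling `audit(parse_keytab(SAMPLE), {"HTTP/web1@EXAMPLE.COM": 3})` reports both the duplicate key versions and the stale keytab for the constructed sample.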


Re: Metron Rest with Kerberos support


Hi, Thanks for your analysis.

This is due to a bug in HttpClient, which Metron is using. It is right now being analysed in the Metron user community forum.
