Re: Test cross realm kerberos

New Contributor

My kvno command is failing. Any suggestions?

[root@ip-172-30-0-30 ~]# kvno hdfs/ip-172-30-0-30.ec2.internal@BTVISHAL.COM
[7857] 1532292032.877686: Getting credentials alice@BLUETALON.COM -> hdfs/ip-172-30-0-30.ec2.internal@BTVISHAL.COM using ccache FILE:/tmp/krb5cc_0
[7857] 1532292032.877907: Retrieving alice@BLUETALON.COM -> hdfs/ip-172-30-0-30.ec2.internal@BTVISHAL.COM from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
[7857] 1532292032.878006: Retrieving alice@BLUETALON.COM -> krbtgt/BTVISHAL.COM@BLUETALON.COM from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
[7857] 1532292032.878113: Retrieving alice@BLUETALON.COM -> krbtgt/BLUETALON.COM@BLUETALON.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[7857] 1532292032.878146: Starting with TGT for client realm: alice@BLUETALON.COM -> krbtgt/BLUETALON.COM@BLUETALON.COM
[7857] 1532292032.878263: Retrieving alice@BLUETALON.COM -> krbtgt/BTVISHAL.COM@BLUETALON.COM from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
[7857] 1532292032.878287: Requesting TGT krbtgt/BTVISHAL.COM@BLUETALON.COM using TGT krbtgt/BLUETALON.COM@BLUETALON.COM
[7857] 1532292032.878365: Generated subkey for TGS request: aes256-cts/C7B3
[7857] 1532292032.878392: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
[7857] 1532292032.878669: Sending request (1454 bytes) to BLUETALON.COM
[7857] 1532292032.878960: Resolving hostname WIN-BPOJ9NP3GPQ.bluetalon.com
[7857] 1532292032.879606: Sending initial UDP request to dgram 172.30.1.236:88
[7857] 1532292032.880656: Received answer from dgram 172.30.1.236:88
[7857] 1532292032.880953: Response was not from master KDC
[7857] 1532292032.881080: TGS reply is for alice@BLUETALON.COM -> krbtgt/BTVISHAL.COM@BLUETALON.COM with session key aes256-cts/7165
[7857] 1532292032.881120: TGS request result: 0/Success
[7857] 1532292032.881145: Removing alice@BLUETALON.COM -> krbtgt/BTVISHAL.COM@BLUETALON.COM from FILE:/tmp/krb5cc_0
[7857] 1532292032.881167: Storing alice@BLUETALON.COM -> krbtgt/BTVISHAL.COM@BLUETALON.COM in FILE:/tmp/krb5cc_0
[7857] 1532292032.881489: Received TGT for service realm: krbtgt/BTVISHAL.COM@BLUETALON.COM
[7857] 1532292032.881512: Requesting tickets for hdfs/ip-172-30-0-30.ec2.internal@BTVISHAL.COM, referrals on
[7857] 1532292032.881543: Generated subkey for TGS request: aes256-cts/089A
[7857] 1532292032.881572: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
[7857] 1532292032.881921: Sending request (1460 bytes) to BTVISHAL.COM
[7857] 1532292032.881952: Resolving hostname WIN-AQ8AUJ7CUVK.btvishal.com
[7857] 1532292032.882089: Sending initial UDP request to dgram 172.30.1.252:88
[7857] 1532292032.883450: Received answer from dgram 172.30.1.252:88
[7857] 1532292032.883499: Response was not from master KDC
[7857] 1532292032.883526: TGS request result: -1765328372/KDC policy rejects request
[7857] 1532292032.883548: Requesting tickets for hdfs/ip-172-30-0-30.ec2.internal@BTVISHAL.COM, referrals off
[7857] 1532292032.883579: Generated subkey for TGS request: aes256-cts/A3B9
[7857] 1532292032.883605: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
[7857] 1532292032.883907: Sending request (1460 bytes) to BTVISHAL.COM
[7857] 1532292032.883936: Resolving hostname WIN-AQ8AUJ7CUVK.btvishal.com
[7857] 1532292032.884059: Sending initial UDP request to dgram 172.30.1.252:88
[7857] 1532292032.885094: Received answer from dgram 172.30.1.252:88
[7857] 1532292032.885142: Response was not from master KDC
[7857] 1532292032.885168: TGS request result: -1765328372/KDC policy rejects request
kvno: KDC policy rejects request while getting credentials for hdfs/ip-172-30-0-30.ec2.internal@BTVISHAL.COM

Re: Test cross realm kerberos

Super Guru

@johnty_vishal,

I moved this to a new topic as it is a different problem than the original.

The error you are getting when getting a service ticket is:

kvno: KDC policy rejects request while getting credentials for hdfs/ip-172-30-0-30.ec2.internal@BTVISHAL.COM

Your KDC is rejecting the request for some reason. To debug further, you will need to have a closer look at your KDC logs, I would expect.

How you would troubleshoot this at the server side depends on what brand of KDC you are running.
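
Added example, not part of the original thread: a small parser that walks KRB5_TRACE output like the one posted in the question and reports, for each TGS exchange, which realm and KDC address answered and with what result, so you know which KDC's logs to open. The function names are illustrative, and the sample input is an excerpt of the trace above.

```python
import re

# Excerpt of the KRB5_TRACE output posted in the question above.
TRACE = """\
[7857] 1532292032.878287: Requesting TGT krbtgt/BTVISHAL.COM@BLUETALON.COM using TGT krbtgt/BLUETALON.COM@BLUETALON.COM
[7857] 1532292032.878669: Sending request (1454 bytes) to BLUETALON.COM
[7857] 1532292032.879606: Sending initial UDP request to dgram 172.30.1.236:88
[7857] 1532292032.881120: TGS request result: 0/Success
[7857] 1532292032.881512: Requesting tickets for hdfs/ip-172-30-0-30.ec2.internal@BTVISHAL.COM, referrals on
[7857] 1532292032.881921: Sending request (1460 bytes) to BTVISHAL.COM
[7857] 1532292032.882089: Sending initial UDP request to dgram 172.30.1.252:88
[7857] 1532292032.883526: TGS request result: -1765328372/KDC policy rejects request
"""

KRB5_BASE = -1765328384  # base of the MIT krb5 error table; offset = RFC 4120 error number
LINE = re.compile(r"^\[\d+\] [\d.]+: (.*)$")
PATTERNS = {
    "target": re.compile(r"^Requesting (?:TGT|tickets for) (\S+?),? "),
    "realm": re.compile(r"^Sending request \(\d+ bytes\) to (\S+)$"),
    "kdc": re.compile(r"^Sending initial \w+ request to \w+ (\S+)$"),
    "result": re.compile(r"^TGS request result: (-?\d+)/(.*)$"),
}

def tgs_hops(trace):
    """Return one dict per TGS exchange: target, realm, kdc, code, message, rfc_error."""
    hops, cur = [], {}
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # shell prompt, kvno's final error line, etc.
        for key, pat in PATTERNS.items():
            hit = pat.match(m.group(1))
            if not hit:
                continue
            if key == "result":  # closes the current exchange
                code = int(hit.group(1))
                offset = code - KRB5_BASE
                cur.update(code=code, message=hit.group(2),
                           rfc_error=offset if code and 0 < offset < 128 else None)
                hops.append(cur)
                cur = {}
            else:
                cur[key] = hit.group(1)
    return hops

def first_failure(hops):
    """First exchange whose result code is non-zero, or None if all succeeded."""
    return next((h for h in hops if h["code"] != 0), None)

if __name__ == "__main__":
    print(first_failure(tgs_hops(TRACE)))
```

On the posted trace this shows the cross-realm TGT request to BLUETALON.COM succeeding and the service-ticket request being rejected by the BTVISHAL.COM KDC at 172.30.1.252:88, which is the KDC whose logs need checking.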