Support Questions
Find answers, ask questions, and share your expertise

Two realms in kerberos config

Explorer

I have configured HDP with kerberos for the realm DATA.EXAMPLE.COM

This generated this config at /etc/krb5.conf

[domain_realm]
  .data.example.com = DATA.EXAMPLE.COM


[realms] 
 DATA.EXAMPLE.COM = {
    admin_server = data.example.com     kdc = data.example.com
 }

However I need to allow corp users as well to use kinit, so I've modified this to:

[domain_realm]
  .data.example.com = DATA.EXAMPLE.COM  .corp.example.com = CORP.EXAMPLE.COM

[realms] 
 DATA.EXAMPLE.COM = {
    admin_server = data.example.com     kdc = data.example.com
 }

 CORP.EXAMPLE.COM = {
    admin_server = corp.example.com 
    kdc = corp.example.com
 }

So this works in terms of authenticating using kinit. But...
It does not, when I try to interact with the cluster. Whenever I type hdfs dfs -ls /
I get this message:

18/07/27 11:01:24 INFO util.KerberosName: No auth_to_local rules applied to user@CORP.EXAMPLE.COM
18/07/27 11:01:29 WARN security.UserGroupInformation: Not attempting to re-login since the last re-login was attempted less than 60 seconds before. Last Login=1532689285894
18/07/27 11:01:33 WARN security.UserGroupInformation: Not attempting to re-login since the last re-login was attempted less than 60 seconds before. Last Login=1532689285894
18/07/27 11:01:34 WARN security.UserGroupInformation: Not attempting to re-login since the last re-login was attempted less than 60 seconds before. Last Login=1532689285894
18/07/27 11:01:39 WARN security.UserGroupInformation: Not attempting to re-login since the last re-login was attempted less than 60 seconds before. Last Login=1532689285894
18/07/27 11:01:43 WARN ipc.Client: Couldn't setup connection for user@CORP.EXAMPLE.COM to ds-beta-prod-02-m3.data.example.com/10.251.2.76:8020
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]
	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
	at org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:414)
	at org.apache.hadoop.ipc.Client$Connection.setupSaslConnection(Client.java:595)
	at org.apache.hadoop.ipc.Client$Connection.access$2000(Client.java:397)
	at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:762)
	at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:758)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:422)
	at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1869)
	at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:758)
	at org.apache.hadoop.ipc.Client$Connection.access$3200(Client.java:397)
	at org.apache.hadoop.ipc.Client.getConnection(Client.java:1620)
	at org.apache.hadoop.ipc.Client.call(Client.java:1451)
	at org.apache.hadoop.ipc.Client.call(Client.java:1398)
	at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:233)
	at com.sun.proxy.$Proxy10.getFileInfo(Unknown Source)
	at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.getFileInfo(ClientNamenodeProtocolTranslatorPB.java:823)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:290)
	at org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:202)
	at org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:184)
	at com.sun.proxy.$Proxy11.getFileInfo(Unknown Source)
	at org.apache.hadoop.hdfs.DFSClient.getFileInfo(DFSClient.java:2177)
	at org.apache.hadoop.hdfs.DistributedFileSystem$26.doCall(DistributedFileSystem.java:1442)
	at org.apache.hadoop.hdfs.DistributedFileSystem$26.doCall(DistributedFileSystem.java:1438)
	at org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkResolver.java:81)
	at org.apache.hadoop.hdfs.DistributedFileSystem.getFileStatus(DistributedFileSystem.java:1454)
	at org.apache.hadoop.fs.Globber.getFileStatus(Globber.java:57)
	at org.apache.hadoop.fs.Globber.glob(Globber.java:265)
	at org.apache.hadoop.fs.FileSystem.globStatus(FileSystem.java:1697)
	at org.apache.hadoop.fs.shell.PathData.expandAsGlob(PathData.java:326)
	at org.apache.hadoop.fs.shell.Command.expandArgument(Command.java:235)
	at org.apache.hadoop.fs.shell.Command.expandArguments(Command.java:218)
	at org.apache.hadoop.fs.shell.FsCommand.processRawArguments(FsCommand.java:103)
	at org.apache.hadoop.fs.shell.Command.run(Command.java:165)
	at org.apache.hadoop.fs.FsShell.run(FsShell.java:297)
	at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:76)
	at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:90)
	at org.apache.hadoop.fs.FsShell.main(FsShell.java:356)
Caused by: GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)
	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:770)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192)
	... 41 more
Caused by: KrbException: Fail to create credential. (63) - No service creds
	at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:162)
	at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:458)
	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:693)
	... 44 more
ls: Failed on local exception: java.io.IOException: Couldn't setup connection for user@CORP.EXAMPLE.COM to ds-beta-prod-02-m3.data.example.com/10.251.2.76:8020; Host Details : local host is: "ds-beta-prod-02-m2.data.exmple.com/10.251.2.74"; destination host is: "ds-beta-prod-02-m3.data.example.com":8020;
3 REPLIES 3

New Contributor

Hello,

I have the exact same problem: were you able to fix it?

Thanks

New Contributor

Hello,


Me too, I have this same problem and I didn't found the solution.

Have you found a workaround ?


Thanks

Alain

New Contributor

Hello, have you solved it ?

Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.