Created on 09-30-2016 11:41 AM - edited 09-16-2022 03:42 AM
We have a 15 Node Kerberized Impala Cluster with a HAProxy. We have no issue using HUE to run queries.
We are also able to use the ODBC Driver on a Windows Machine, authenticate with Kerberos and connect to the Impala via HA Proxy.
However, when we try to connect to the Impala HA Proxy using SQL Workbench via JDBC Driver, we get the following error message:
[Simba][ImpalaJDBCDriver](500310) Invalid operation: Unable to obtain Principal Name for authentication ;
The connection string is:
jdbc:impala://<PUBLIC IP ADDRESS>:21051;AuthMech=1;KrbRealm=<REALM>;KrbHostFQDN=<fqdn>;KrbServiceName=impala;
We tried adding the Principal parameter, but it doesn't help. Any ideas on how to get Impala JDBC to work from a Windows machine using Kerberos?
Created 09-26-2017 05:30 AM
Hi,
We added the path of CacheCredential in the JAAS file and then re-ran the R script after setting the environment variable for the JAAS file in R.
Now we're running into following error:
Error in .jcall(drv@jdrv, "Ljava/sql/Connection;", "connect", as.character(url)[1], :
java.sql.SQLException: [Cloudera][HiveJDBCDriver](500164) Error initialized or created transport for authentication: [Cloudera][HiveJDBCDriver](500169) Unable to connect to server: GSS initiate failed.
GSS initiated failed. I've JCE installed
Created 09-27-2017 02:24 AM
Hi,
We're getting the following error in java:
null credentials from Ticket Cache
[Krb5LoginModule] authentication failed
Unable to obtain password from user
Exception in thread "main" java.sql.SQLException: [Cloudera][HiveJDBCDriver](500166) Error creating login context using JAAS configuration: Unable to obtain password from user
.
at com.cloudera.hiveserver2.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
at com.cloudera.hiveserver2.hivecommon.api.ZooKeeperEnabledExtendedHS2Factory.createClient(Unknown Source)
at com.cloudera.hiveserver2.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
at com.cloudera.hiveserver2.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
at com.cloudera.hiveserver2.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
at com.cloudera.hiveserver2.jdbc.common.AbstractDriver.connect(Unknown Source)
at java.sql.DriverManager.getConnection(Unknown Source)
at java.sql.DriverManager.getConnection(Unknown Source)
Caused by: com.cloudera.hiveserver2.support.exceptions.GeneralException: [Cloudera][HiveJDBCDriver](500166) Error creating login context using JAAS configuration: Unable to obtain password from user
.
... 8 more
Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user
at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.access$000(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
at javax.security.auth.login.LoginContext.login(Unknown Source)
at com.cloudera.hiveserver2.jdbc.kerberos.Kerberos.getSubjectViaJAASConfig(Unknown Source)
at com.cloudera.hiveserver2.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
at com.cloudera.hiveserver2.hivecommon.api.ZooKeeperEnabledExtendedHS2Factory.createClient(Unknown Source)
at com.cloudera.hiveserver2.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
at com.cloudera.hiveserver2.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
at com.cloudera.hiveserver2.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
at com.cloudera.hiveserver2.jdbc.common.AbstractDriver.connect(Unknown Source)
at java.sql.DriverManager.getConnection(Unknown Source)
at java.sql.DriverManager.getConnection(Unknown Source)
at HiveConnection.main(HiveConnection.java:26)
Created 09-27-2017 10:39 PM
Hi,
It seems I installed the 64-bit JCE but the 32-bit one was required. That solved my issue in Java, but I'm still facing an issue running it in R. Can you please help me resolve this issue?
I guess that R is not able to use the JCE policy files.
Created 09-28-2017 02:26 AM
Note we're getting the following error:
Error in .jcall(drv@jdrv, "Ljava/sql/Connection;", "connect", as.character(url)[1], :
java.sql.SQLException: [Cloudera][HiveJDBCDriver](500164) Error initialized or created transport for authentication: [Cloudera][HiveJDBCDriver](500169) Unable to connect to server: GSS initiate failed.
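The driver's "GSS initiate failed" (500169) message does not carry the KDC's actual reply; that only appears in the JVM trace printed with `-Dsun.security.krb5.debug=true`. The script below is an added example, not code from the thread or from the driver: it condenses such a trace into whether a krb5 config was loaded, which principals were requested, which KRB errors came back, and the outcome. The two sample traces are constructed, with placeholder realm and host names, and the names `parse_trace` and `diagnose` are illustrative.

```python
import re

# Constructed samples in the sun.security.krb5.debug format.
# Realm and host names are placeholders, not values from the thread.
FAILING_TRACE = """\
Java config name: null
Native config name: C:\\WINDOWS\\krb5.ini
>>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/example.CO.IN@EXAMPLE.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>>KRBError:
sTime is Thu Sep 28 15:45:34 IST 2017 1506593734000
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/example.CO.IN@EXAMPLE.COM
msgType is 30
>>> Credentials acquireServiceCreds: no tgt; searching thru capath
>>> Credentials acquireServiceCreds: inner loop: [1] tempService=krbtgt/CO.IN@EXAMPLE.COM
>>>KRBError:
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/CO.IN@EXAMPLE.COM
msgType is 30
>>> Credentials acquireServiceCreds: no tgt; cannot get creds
KrbException: Fail to create credential. (63) - No service creds
"""

WORKING_TRACE = """\
Native config name: C:\\WINDOWS\\krb5.ini
Loaded from native config
>>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/CORP.EXAMPLE.COM@EXAMPLE.COM
default etypes for default_tgs_enctypes: 18 17 23.
>>> Credentials acquireServiceCreds: got tgt
>>> Credentials acquireServiceCreds: got right tgt
>>> Credentials acquireServiceCreds: obtaining service creds for impala/host.example.com@CORP.EXAMPLE.COM
>>> Credentials acquireServiceCreds: returning creds:
"""

# A few RFC 4120 error codes that commonly sit behind "GSS initiate failed".
KRB_ERRORS = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
              14: "KDC_ERR_ETYPE_NOSUPP", 37: "KRB_AP_ERR_SKEW"}

TEMP_SERVICE = re.compile(r"(?:main|inner) loop: \[\d+\] tempService=(\S+)")
SERVICE_REQ = re.compile(r"obtaining service creds for (\S+)")
ERR_FIELD = re.compile(r"^(error code|error Message|sname) is (.*)$")
FIELD_KEY = {"error code": "code", "error Message": "message", "sname": "sname"}


def parse_trace(text):
    """Reduce a krb5 debug trace to the fields that explain a GSS failure."""
    s = {"config_loaded": False, "builtin_etypes": False, "tgt_requests": [],
         "errors": [], "service_principal": None, "outcome": "unknown"}
    current = None  # KRBError block being filled, if any
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(">>>KRBError"):
            current = {}
            s["errors"].append(current)
            continue
        if current is not None:
            m = ERR_FIELD.match(line)
            if m:
                key, value = FIELD_KEY[m.group(1)], m.group(2).strip()
                current[key] = int(value) if key == "code" else value
                continue
            if line.startswith(">>>"):  # next trace record ends the block
                current = None
        if line.startswith("Loaded from ") and line.endswith(" config"):
            s["config_loaded"] = True
        if line.startswith("Using builtin default etypes"):
            s["builtin_etypes"] = True
        m = TEMP_SERVICE.search(line)
        if m:
            s["tgt_requests"].append(m.group(1))
        m = SERVICE_REQ.search(line)
        if m:
            s["service_principal"] = m.group(1)
        if "acquireServiceCreds: returning creds" in line:
            s["outcome"] = "service ticket issued"
        elif "cannot get creds" in line:
            s["outcome"] = "no service ticket"
    return s


def diagnose(s):
    """Turn a parsed summary into short findings, most fundamental first."""
    findings = []
    if not s["config_loaded"]:
        findings.append("no 'Loaded from ... config' line: krb5.ini/krb5.conf was not read")
    if s["tgt_requests"]:
        realm = s["tgt_requests"][0].split("/", 1)[1].split("@", 1)[0]
        findings.append("first cross-realm TGT requested for realm " + realm)
    for err in s["errors"]:
        name = KRB_ERRORS.get(err.get("code"), "KRB error %s" % err.get("code"))
        findings.append("%s for %s" % (name, err.get("sname", "?")))
    findings.append("outcome: " + s["outcome"])
    return findings


if __name__ == "__main__":
    for label, trace in (("failing", FAILING_TRACE), ("working", WORKING_TRACE)):
        print(label)
        for finding in diagnose(parse_trace(trace)):
            print("  - " + finding)
```

Comparing the first requested realm with the realm of the service principal in a working trace shows quickly whether the client is asking the KDC for a realm that does not exist.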
Created 09-29-2017 03:07 AM
Hi,
I've looked into the Kerberos logs of the code. Below are my debug results:
1) In R, where we get GSS initiate failed error:
> library(rJava)
> .jinit(,"-Dsun.security.krb5.debug=true")
> #.jaddClassPath("C:/Program Files/Java/jdk1.8.0_101/jre/lib/security/local_policy.jar")
> #.jaddClassPath("C:/Program Files/Java/jdk1.8.0_101/jre/lib/security/US_export_policy.jar")
> #.jaddClassPath("D:/KerberosConfigrationFile/gss-jaas.conf")
> .jaddClassPath("D:/Project/FAM/Workspace/TestImpala/bin")
> v<-.jnew("TestClassPath")
> impala_conn <-.jcall(v,returnSig = "S","getImpalaConnection")
Test Impala start-----****
>>>KinitOptions cache name is C:\Users\user\krb5cc_user
>>>DEBUG <CCacheInputStream> client principal is user1@COMPANY.COM
>>>DEBUG <CCacheInputStream> server principal is krbtgt/COMPANY.COM@COMPANY.COM
>>>DEBUG <CCacheInputStream> key type: 18
>>>DEBUG <CCacheInputStream> auth time: Thu Sep 28 11:29:07 IST 2017
>>>DEBUG <CCacheInputStream> start time: Thu Sep 28 11:29:07 IST 2017
>>>DEBUG <CCacheInputStream> end time: Thu Sep 28 21:29:07 IST 2017
>>>DEBUG <CCacheInputStream> renew_till time: null
>>> CCacheInputStream: readFlags() INITIAL; PRE_AUTH;
Host address is /xx.xxx.xx.xx
...
>>> KrbCreds found the default ticket granting ticket in credential cache.
Java config name: null
Native config name: C:\WINDOWS\krb5.ini
>>> Obtained TGT from LSA: Credentials:
client=user@COMPANY.COM
server=krbtgt/COMPANY.COM@COMPANY.COM
flags=INITIAL;PRE-AUTHENT
EType (skey)=18
(tkt key)=18
log4j:WARN No appenders could be found for logger (org.apache.thrift.transport.TSaslTransport).
log4j:WARN Please initialize the log4j system properly.
Found ticket for user@COMPANY.COM to go to krbtgt/COMPANY.COM@COMPANY.COM expiring on Thu Sep 28 21:29:07 IST 2017
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for user@COMPANY.COM to go to krbtgt/COMPANY.COM@COMPANY.COM expiring on Thu Sep 28 21:29:07 IST 2017
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/company.CO.IN@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KdcAccessibility: reset
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=blopedcgintl001.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1622
>>> KDCCommunication: kdc=blopedcgintl001.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1622
>>>DEBUG: TCPClient reading 109 bytes
>>> KrbKdcReq send: #bytes read=109
>>> KdcAccessibility: remove blopedcgintl001.company.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu Sep 28 15:45:34 IST 2017 1506593734000
suSec is 469828
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/company.CO.IN@COMPANY.COM
msgType is 30
>>> Credentials acquireServiceCreds: no tgt; searching thru capath
>>> Credentials acquireServiceCreds: inner loop: [1] tempService=krbtgt/COMPANY.COM@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=blropicgintl002.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1622
>>> KDCCommunication: kdc=blropicgintl002.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1622
>>>DEBUG: TCPClient reading 1573 bytes
>>> KrbKdcReq send: #bytes read=1573
>>> KdcAccessibility: remove blropicgintl002.company.com.:88
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> Credentials acquireServiceCreds: got tgt
>>> Credentials acquireServiceCreds: continuing with main loop counter reset to 1
>>> Credentials acquireServiceCreds: main loop: [1] tempService=krbtgt/company.CO.IN@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=phxgggcgcorp001.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1597
>>> KDCCommunication: kdc=phxgggcgcorp001.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1597
>>>DEBUG: TCPClient reading 104 bytes
>>> KrbKdcReq send: #bytes read=104
>>> KdcAccessibility: remove phxgggcgcorp001.company.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu Sep 28 15:45:37 IST 2017 1506593737000
suSec is 579366
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/company.CO.IN@COMPANY.COM
msgType is 30
>>> Credentials acquireServiceCreds: no tgt; searching thru capath
>>> Credentials acquireServiceCreds: inner loop: [2] tempService=krbtgt/COMPANY.COM@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=tisgtgl01sdcg02.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1592
>>> KDCCommunication: kdc=tisgtgl01sdcg02.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1592
>>>DEBUG: TCPClient reading 99 bytes
>>> KrbKdcReq send: #bytes read=99
>>> KdcAccessibility: remove tisgtgl01sdcg02.company.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu Sep 28 15:45:39 IST 2017 1506593739000
suSec is 369350
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/COMPANY.COM@CORP.FIRSTAM.COM
msgType is 30
>>> Credentials acquireServiceCreds: inner loop: [3] tempService=krbtgt/COM@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=snatytcgcorp102.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1583
>>> KDCCommunication: kdc=snatytcgcorp102.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1583
>>>DEBUG: TCPClient reading 91 bytes
>>> KrbKdcReq send: #bytes read=91
>>> KdcAccessibility: remove snatytcgcorp102.company.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu Sep 28 15:45:41 IST 2017 1506593741000
suSec is 179778
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/COM@CORP.COMPANY.COM
msgType is 30
>>> Credentials acquireServiceCreds: inner loop: [4] tempService=krbtgt/IN@CORP.COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=jfkvpdfrforp001.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1583
>>> KDCCommunication: kdc=jfkvpdfrforp001.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1583
>>>DEBUG: TCPClient reading 90 bytes
>>> KrbKdcReq send: #bytes read=90
>>> KdcAccessibility: remove jfkvpdfrforp001.company.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/IN@CORP.COMPANY.COM
msgType is 30
>>> Credentials acquireServiceCreds: inner loop: [5] tempService=krbtgt/CO.IN@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=tinfrfc01sdcg01.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1586
>>> KDCCommunication: kdc=tinfrfc01sdcg01.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1586
>>>DEBUG: TCPClient reading 93 bytes
>>> KrbKdcReq send: #bytes read=93
>>> KdcAccessibility: remove tinfrfc01sdcg01.company.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu Sep 28 15:45:44 IST 2017 1506593744000
suSec is 422560
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/CO.IN@CORP.COMPANY.COM
msgType is 30
>>> Credentials acquireServiceCreds: no tgt; cannot get creds
KrbException: Fail to create credential. (63) - No service creds
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:156)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:458)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:693)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192)
at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94)
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:253)
at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
at com.cloudera.hivecommon.api.HiveServerPrivilegedAction.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:360)
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createClient(Unknown Source)
at com.cloudera.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
at com.cloudera.impala.core.ImpalaJDBCConnection.establishConnection(Unknown Source)
at com.cloudera.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
at com.cloudera.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
at com.cloudera.jdbc.common.AbstractDriver.connect(Unknown Source)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:270)
at TestClassPath.getImpalaConnection(TestClassPath.java:20)
java.sql.SQLException: [Simba][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed.
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createClient(Unknown Source)
at com.cloudera.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
at com.cloudera.impala.core.ImpalaJDBCConnection.establishConnection(Unknown Source)
at com.cloudera.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
at com.cloudera.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
at com.cloudera.jdbc.common.AbstractDriver.connect(Unknown Source)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:270)
Caused by: com.cloudera.support.exceptions.GeneralException: [Simba][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed.
... 9 more
Caused by: java.lang.RuntimeException: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed
at com.cloudera.hivecommon.api.HiveServerPrivilegedAction.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:360)
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createClient(Unknown Source)
at com.cloudera.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
at com.cloudera.impala.core.ImpalaJDBCConnection.establishConnection(Unknown Source)
at com.cloudera.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
at com.cloudera.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
at com.cloudera.jdbc.common.AbstractDriver.connect(Unknown Source)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:270)
at TestClassPath.getImpalaConnection(TestClassPath.java:20)
Caused by: org.apache.thrift.transport.TTransportException: GSS initiate failed
at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:221)
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:297)
at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
... 13 more
Test Impala End
> impala_conn
[1] "Test Impala"
2) In Java, when the krb5.ini file was not in place, we got error:
Test Impala start-----****
>>>KinitOptions cache name is C:\Users\user1\krb5cc_user
>>>DEBUG <CCacheInputStream> client principal is user1@COMPANY.COM
>>>DEBUG <CCacheInputStream> server principal is krbtgt/COMPANY.COM
>>>DEBUG <CCacheInputStream> key type: 18
>>>DEBUG <CCacheInputStream> auth time: Thu Sep 28 11:29:07 IST 2017
>>>DEBUG <CCacheInputStream> start time: Thu Sep 28 11:29:07 IST 2017
>>>DEBUG <CCacheInputStream> end time: Thu Sep 28 21:29:07 IST 2017
>>>DEBUG <CCacheInputStream> renew_till time: null
>>> CCacheInputStream: readFlags() INITIAL; PRE_AUTH;
Host address is /xx.xxx.xx.xx
...
>>> KrbCreds found the default ticket granting ticket in credential cache.
Java config name: null
Native config name: C:\WINDOWS\krb5.ini
>>> Obtained TGT from LSA: Credentials:
client=user1@COMPANY.COM
server=krbtgt/COMPANY.COM
flags=INITIAL;PRE-AUTHENT
EType (skey)=18
(tkt key)=18
log4j:WARN No appenders could be found for logger (org.apache.thrift.transport.TSaslTransport).
log4j:WARN Please initialize the log4j system properly.
Found ticket for user1@COMPANY.COM to go to krbtgt/COMPANY.COM expiring on Thu Sep 28 21:29:07 IST 2017
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for user1@COMPANY.COM to go to krbtgt/COMPANY.COM expiring on Thu Sep 28 21:29:07 IST 2017
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/company1.co.in@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KdcAccessibility: reset
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=blrppdcgintl002.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1622
>>> KDCCommunication: kdc=blrppdcgintl002.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1622
>>>DEBUG: TCPClient reading 109 bytes
>>> KrbKdcReq send: #bytes read=109
>>> KdcAccessibility: remove blrppdcgintl002.company.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu Sep 28 16:11:03 IST 2017 1506595263000
suSec is 629484
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/company1.co.in@COMPANY.COM
msgType is 30
>>> Credentials acquireServiceCreds: no tgt; searching thru capath
>>> Credentials acquireServiceCreds: inner loop: [1] tempService=krbtgt/CORP.COM@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=blrppdcgintl002.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1622
>>> KDCCommunication: kdc=blrppdcgintl002.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1622
>>>DEBUG: TCPClient reading 1573 bytes
>>> KrbKdcReq send: #bytes read=1573
>>> KdcAccessibility: remove blrppdcgintl002.company.com.:88
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> Credentials acquireServiceCreds: got tgt
>>> Credentials acquireServiceCreds: continuing with main loop counter reset to 1
>>> Credentials acquireServiceCreds: main loop: [1] tempService=krbtgt/company1.co.in@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=tincfdc01sdcg01.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1597
>>> KDCCommunication: kdc=tincfdc01sdcg01.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1597
>>>DEBUG: TCPClient reading 104 bytes
>>> KrbKdcReq send: #bytes read=104
>>> KdcAccessibility: remove tincfdc01sdcg01.company.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu Sep 28 16:11:06 IST 2017 1506595266000
suSec is 385440
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/company1.co.in@COMPANY.COM
msgType is 30
>>> Credentials acquireServiceCreds: no tgt; searching thru capath
>>> Credentials acquireServiceCreds: inner loop: [2] tempService=krbtgt/COMPANY@CORP.COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=snapascgcorp102.comapny.com. TCP:88, timeout=30000, number of retries =3, #bytes=1592
>>> KDCCommunication: kdc=snapascgcorp102.comapny.com. TCP:88, timeout=30000,Attempt =1, #bytes=1592
>>>DEBUG: TCPClient reading 99 bytes
>>> KrbKdcReq send: #bytes read=99
>>> KdcAccessibility: remove snapascgcorp102.comapny.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu Sep 28 16:11:08 IST 2017 1506595268000
suSec is 888723
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/COMPANY@CORP.COMPANY.COM
msgType is 30
>>> Credentials acquireServiceCreds: inner loop: [3] tempService=krbtgt/COM@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=fahwerl01vdcg02.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1584
>>> KDCCommunication: kdc=fahwerl01vdcg02.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1584
>>>DEBUG: TCPClient reading 91 bytes
>>> KrbKdcReq send: #bytes read=91
>>> KdcAccessibility: remove fahwerl01vdcg02.company.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu Sep 28 16:11:09 IST 2017 1506595269000
suSec is 350172
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/COM@CORP.FIRSTAM.COM
msgType is 30
>>> Credentials acquireServiceCreds: inner loop: [4] tempService=krbtgt/IN@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=snprrdcgcorp101.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1583
>>> KDCCommunication: kdc=snprrdcgcorp101.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1583
>>>DEBUG: TCPClient reading 90 bytes
>>> KrbKdcReq send: #bytes read=90
>>> KdcAccessibility: remove snprrdcgcorp101.company.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu Sep 28 16:11:11 IST 2017 1506595271000
suSec is 821544
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/IN@COMPANY.COM
msgType is 30
>>> Credentials acquireServiceCreds: inner loop: [5] tempService=krbtgt/CO.IN@COMPANY.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=snareecgcorp003.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1586
>>> KDCCommunication: kdc=snareecgcorp003.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1586
>>>DEBUG: TCPClient reading 93 bytes
>>> KrbKdcReq send: #bytes read=93
>>> KdcAccessibility: remove snareecgcorp003.company.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Thu Sep 28 16:11:12 IST 2017 1506595272000
suSec is 316872
error code is 7
error Message is Server not found in Kerberos database
sname is krbtgt/CO.IN@COMPANY.COM
msgType is 30
>>> Credentials acquireServiceCreds: no tgt; cannot get creds
KrbException: Fail to create credential. (63) - No service creds
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94)
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:253)
at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
at com.cloudera.hivecommon.api.HiveServerPrivilegedAction.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createClient(Unknown Source)
at com.cloudera.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
at com.cloudera.impala.core.ImpalaJDBCConnection.establishConnection(Unknown Source)
at com.cloudera.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
at com.cloudera.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
at com.cloudera.jdbc.common.AbstractDriver.connect(Unknown Source)
at java.sql.DriverManager.getConnection(Unknown Source)
at java.sql.DriverManager.getConnection(Unknown Source)
at TestClassPath.getImpalaConnection(TestClassPath.java:21)
at TestClassPath.main(TestClassPath.java:41)
java.sql.SQLException: [Simba][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed.
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createClient(Unknown Source)
at com.cloudera.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
at com.cloudera.impala.core.ImpalaJDBCConnection.establishConnection(Unknown Source)
at com.cloudera.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
at com.cloudera.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
at com.cloudera.jdbc.common.AbstractDriver.connect(Unknown Source)
at java.sql.DriverManager.getConnection(Unknown Source)
at java.sql.DriverManager.getConnection(Unknown Source)
at TestClassPath.getImpalaConnection(TestClassPath.java:21)
Caused by: com.cloudera.support.exceptions.GeneralException: [Simba][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed.
... 10 more
Caused by: java.lang.RuntimeException: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed
at com.cloudera.hivecommon.api.HiveServerPrivilegedAction.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createClient(Unknown Source)
at com.cloudera.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
at com.cloudera.impala.core.ImpalaJDBCConnection.establishConnection(Unknown Source)
at com.cloudera.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
at com.cloudera.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
at com.cloudera.jdbc.common.AbstractDriver.connect(Unknown Source)
at java.sql.DriverManager.getConnection(Unknown Source)
at java.sql.DriverManager.getConnection(Unknown Source)
at TestClassPath.getImpalaConnection(TestClassPath.java:21)
at TestClassPath.main(TestClassPath.java:41)
Caused by: org.apache.thrift.transport.TTransportException: GSS initiate failed
at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:221)
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:297)
at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
... 14 more
Test Impala End
3) In Java, the working code.
Test Impala start-----****
>>>KinitOptions cache name is C:\Users\user1\krb5cc_user
>>>DEBUG <CCacheInputStream> client principal is user1@COMPANY.COM
>>>DEBUG <CCacheInputStream> server principal is krbtgt/COMPANY.COM
>>>DEBUG <CCacheInputStream> key type: 18
>>>DEBUG <CCacheInputStream> auth time: Thu Sep 28 11:29:07 IST 2017
>>>DEBUG <CCacheInputStream> start time: Thu Sep 28 11:29:07 IST 2017
>>>DEBUG <CCacheInputStream> end time: Thu Sep 28 21:29:07 IST 2017
>>>DEBUG <CCacheInputStream> renew_till time: null
>>> CCacheInputStream: readFlags() INITIAL; PRE_AUTH;
Host address is /xx.xxx.xx.xx
...
>>> KrbCreds found the default ticket granting ticket in credential cache.
Java config name: null
Native config name: C:\WINDOWS\krb5.ini
Loaded from native config
>>> Obtained TGT from LSA: Credentials:
client=user@COMPANY.COM
server=krbtgt/COMPANY@COMPANY.COM
flags=INITIAL;PRE-AUTHENT
EType (skey)=18
(tkt key)=18
Found ticket for user@COMPANY.COM to go to krbtgt/COMPANY.COM@COMPANY.COM expiring on Thu Sep 28 21:29:07 IST 2017
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for user@COMPANY.COM to go to krbtgt/COMPANY.COM@COMPANY.COM expiring on Thu Sep 28 21:29:07 IST 2017
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/COMPANY.COM@COMPANY.COM
default etypes for default_tgs_enctypes: 18 17 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KdcAccessibility: reset
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=inttyna09vdcg01.company.com.. TCP:88, timeout=30000, number of retries =3, #bytes=1619
>>> KDCCommunication: kdc=inttyna09vdcg01.company.com.. TCP:88, timeout=30000,Attempt =1, #bytes=1619
>>>DEBUG: TCPClient reading 1573 bytes
>>> KrbKdcReq send: #bytes read=1573
>>> KdcAccessibility: remove inttyna09vdcg01.company.com.:88
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> Credentials acquireServiceCreds: got tgt
>>> Credentials acquireServiceCreds: got right tgt
>>> Credentials acquireServiceCreds: obtaining service creds for impala/hostname@CORP.COMPANY.COM
default etypes for default_tgs_enctypes: 18 17 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=snappfrgcorp101.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1610
>>> KDCCommunication: kdc=snappfrgcorp101.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1610
>>>DEBUG: TCPClient reading 1630 bytes
>>> KrbKdcReq send: #bytes read=1630
>>> KdcAccessibility: remove snappfrgcorp101.company.com.:88
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> Credentials acquireServiceCreds: returning creds:
>>> DEBUG: ----Credentials----
client: user@COMPANY.COM
server: impala/hostname@CORP.COMPANY.COM
ticket: sname: impala/hostname@CORP.COMPANY.COM
startTime: 1506595126000
endTime: 1506614347000
----Credentials end----
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 293786502
Created InitSecContextToken:
0000: 01 00 6E 82 05 FE 30 82 05 FA A0 03 02 01 05 A1 ..n...0.........
0010: 03 02 01 0E A2 07 03 05 00 20 00 00 00 A3 82 05 ......... ......
Krb5Context.wrap: data=[01 01 00 00 ]
Krb5Context.wrap: token=[60 30 06 09 2a 86 48 86 f7 12 01 02 02 02 01 11 00 ff ff ff ff 71 1a 06 60 97 6b e4 e7 35 7d 2a d4 a7 53 4a d5 5e ce 9f 9b 87 7c 18 a3 01 01 00 00 01 ]
Connecting with jdbc:impala://connectionstring:21050/db;AuthMech=1;KrbRealm=_HOST@COMPANY.COM;KrbHostFQDN=host;KrbServiceName=impala;KrbAuthType=2
document
epr_lineage
infa_hstg_lookup_name_785113698026062326
infa_hstg_lookup_property_785113698026062326
infa_hstg_lookup_reference_785113698026062326
infa_hstg_read_document_4045257916572541191
infa_hstg_read_document_5426399195748447698
infa_hstg_read_document_785113698026062326
....
Please see the logs above and help me resolve the issue.
I've changed the company and domain names.
Note: I'm trying to run the code from a Windows environment, and the complete setup of all applications is on CentOS. I have R and RStudio on Windows in the same network.
Created 10-04-2017 10:37 PM
Hi,
I installed CDSW workbench on a CentOS machine and also installed R there. The code worked there without any error. The encryption method of the ticket was not the problem there.
But on the Windows machine, the code worked for Java but not R. Probably R is not able to decrypt the content of the ticket, which Java is able to do. Has anyone come across a similar problem? What encryption code/process does R use, and how is it different from Java on Windows?
Thanks
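As an added example (not code from this thread or from Cloudera), the Python sketch below groups the `>>> EType` lines of a JDK Kerberos debug trace, like the one posted above, by the `acquireServiceCreds` step they follow and flags any step where RC4 was used. The sample lines are copied from that trace; the function name `summarize` and the etype table are this example's own.

```python
import re

# Constructed sample: lines copied from the sanitized debug trace posted above.
SAMPLE = """\
>>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/COMPANY.COM@COMPANY.COM
default etypes for default_tgs_enctypes: 18 17 23.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> Credentials acquireServiceCreds: obtaining service creds for impala/hostname@CORP.COMPANY.COM
default etypes for default_tgs_enctypes: 18 17 23.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
"""

# JDK EType class name -> (Kerberos etype number, standard name)
ETYPES = {
    "Aes256CtsHmacSha1EType": (18, "aes256-cts-hmac-sha1-96"),
    "Aes128CtsHmacSha1EType": (17, "aes128-cts-hmac-sha1-96"),
    "ArcFourHmacEType": (23, "rc4-hmac"),
}
DEPRECATED = {23}  # RC4 in Kerberos is deprecated by RFC 8429

TARGET = re.compile(r"acquireServiceCreds: (?:main loop: \[\d+\] tempService="
                    r"|obtaining service creds for )(\S+)")
ETYPE = re.compile(r">>> EType: sun\.security\.krb5\.internal\.crypto\.(\w+)")
ALLOWED = re.compile(r"default etypes for default_tgs_enctypes: ([\d ]+)\.")

def summarize(trace):
    """Return (etypes logged per requested principal, client etype list, flagged principals)."""
    steps, allowed, target = {}, set(), None
    for line in trace.splitlines():
        if m := TARGET.search(line):
            target = m.group(1)              # principal being requested in this step
            steps.setdefault(target, set())
        elif m := ALLOWED.search(line):
            allowed.update(int(n) for n in m.group(1).split())
        elif (m := ETYPE.search(line)) and target is not None:
            # Unknown classes are kept under number 0 with the raw class name.
            steps[target].add(ETYPES.get(m.group(1), (0, m.group(1))))
    flagged = sorted(p for p, seen in steps.items()
                     if any(num in DEPRECATED for num, _ in seen))
    return {p: sorted(s) for p, s in steps.items()}, sorted(allowed), flagged

if __name__ == "__main__":
    steps, allowed, flagged = summarize(SAMPLE)
    for principal, seen in steps.items():
        print(principal, seen)
    print("client default_tgs_enctypes:", allowed)
    print("steps using a deprecated etype:", flagged)
```

The result reports only what the JDK logged during each step; it does not by itself identify which key (session key or ticket key) carried that encryption type.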
Created 10-17-2017 03:41 AM
Created on 06-14-2017 11:20 PM - edited 06-15-2017 02:52 AM
hi @Diegolotr99
Did you fix this issue? I'm facing the same issue and I can't find any solution. Please help me.
Created 06-19-2017 09:07 AM
Install JCE.