Created on 03-12-2017 10:51 AM - edited 09-16-2022 04:14 AM
Hi Team,
I have integrated my Kerberos cluster with AD, but when I execute a hadoop command I get the following error.
security.UserGroupInformation: Not attempting to re-login since the last re-login was attempted less than 600 seconds before
17/03/12 06:32:35 WARN ipc.Client: Couldn't setup connection for sonu@AD.COM to m1.hdp22/192.168.56.41:8020
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
at org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:413)
at org.apache.hadoop.ipc.Client$Connection.setupSaslConnection(Client.java:558)
at org.apache.hadoop.ipc.Client$Connection.access$1800(Client.java:373)
at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:727)
at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:723)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:415)
Created 03-12-2017 11:00 AM
I have the following values in my krb5.conf
[libdefaults]
renew_lifetime = 7d
forwardable = true
default_realm = HADOOPADMIN.COM
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
#default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
#default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
[domain_realm]
m1.hdp22 = HADOOPADMIN.COM
adserver.ad.com = AD.COM
[logging]
default = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log
[realms]
HADOOPADMIN.COM = {
  admin_server = m1.hdp22
  kdc = m1.hdp22
}
AD.COM = {
  kdc = adserver.ad.com:88
  master_kdc = adserver.ad.com:88
  kpasswd = adserver.ad.com:464
  kpasswd_server = adserver.ad.com:464
}
Created 03-14-2017 07:50 AM
Any help?
Created 03-14-2017 10:53 AM
Hello @Saurabh, have you configured a one-way trust relationship between the KDC and the AD?
If you didn't, please check https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.0/bk_security/content/kerb-oneway-trust.html
Created 03-14-2017 04:21 PM
Hello @Saurabh,
If you look at the error message closely, it says 'No service creds'. Since you are running a hadoop command, this most probably means that the NameNode service keytab is either missing or not good. In both cases, please check the NameNode log for any errors during service startup.
To verify the service keytabs, try running these on the NameNode:
su - hdfs
kinit -kt /etc/security/keytabs/nn.service.keytab nn/<nn-host-fqdn>@REALM
The last command should give you a correct TGT for the NN service principal, which would show that the NN service keytab is good.
Lastly, you can try to regenerate the keytabs for all the services.
Hope this helps!
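The two replies above come down to one question: which realm the client principal (sonu@AD.COM) belongs to, which realm the service host (m1.hdp22) maps to through [domain_realm], and whether those realms are the same (then look at the service keytab) or different (then a cross-realm trust must exist). The following Python is an added example, not code from the thread or from Hortonworks: it parses a constructed krb5.conf modelled on the one posted and reports which case applies. The function names and the reduced config are assumptions made for the example.

```python
# Constructed krb5.conf fragment modelled on the one posted above (assumption: only these two sections matter here).
KRB5_CONF = """
[domain_realm]
m1.hdp22 = HADOOPADMIN.COM
adserver.ad.com = AD.COM
[realms]
HADOOPADMIN.COM = {
  kdc = m1.hdp22
}
AD.COM = {
  kdc = adserver.ad.com:88
}
"""

def parse_krb5(text):
    # Returns {section: {key: value}}; realm blocks nest as {realm: {key: value}}. '#' comments are dropped.
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = sections.setdefault(line[1:-1], {}), None
        elif line.endswith("{"):
            block = section.setdefault(line[:-1].strip(" ="), {})
        elif line == "}":
            block = None
        else:
            key, _, value = line.partition("=")
            (block if block is not None else section)[key.strip()] = value.strip()
    return sections

def realm_for_host(conf, host):
    # [domain_realm] lookup as libkrb5 does it: exact host entry, else the longest matching ".suffix" entry.
    mapping = conf.get("domain_realm", {})
    hits = [k for k in mapping if k == host or (k.startswith(".") and host.endswith(k))]
    return mapping[max(hits, key=len)] if hits else None

def diagnose(conf, client_principal, service_host):
    # Classify what the client needs before a KDC can issue it a service ticket for the host.
    client_realm = client_principal.rsplit("@", 1)[1]
    service_realm = realm_for_host(conf, service_host)
    if service_realm is None:
        return "unmapped", f"{service_host} has no [domain_realm] mapping"
    for realm in (client_realm, service_realm):
        if "kdc" not in conf.get("realms", {}).get(realm, {}):
            return "no_kdc", f"no kdc defined for realm {realm}"
    if client_realm == service_realm:
        return "same_realm", f"a TGT for {client_realm} is enough; check the service keytab"
    return "cross_realm", f"{client_realm} -> {service_realm}: trust (krbtgt/{service_realm}@{client_realm}) required"
```

For the thread's own case, `diagnose(parse_krb5(KRB5_CONF), "sonu@AD.COM", "m1.hdp22")` reports the cross-realm case, which is why the first reply asks about the one-way trust before the keytab is examined.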