Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

security.UserGroupInformation: Not attempting to re-login since the last re-login was attempted less than 600 seconds before

Labels:
avatar
author-rank SK1
Guru

Created on ‎03-12-2017 10:51 AM - edited ‎09-16-2022 04:14 AM

Hi Team,

I have integerated my kerberos cluster to AD, but when I am executing hadoop command then getting following error.

security.UserGroupInformation: Not attempting to re-login since the last re-login was attempted less than 600 seconds before

17/03/12 06:32:35 WARN ipc.Client: Couldn't setup connection for sonu@AD.COM to m1.hdp22/192.168.56.41:8020

javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]

at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)

at org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:413)

at org.apache.hadoop.ipc.Client$Connection.setupSaslConnection(Client.java:558)

at org.apache.hadoop.ipc.Client$Connection.access$1800(Client.java:373)

at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:727)

at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:723)

at java.security.AccessController.doPrivileged(Native Method)

at javax.security.auth.Subject.doAs(Subject.java:415)

10,281 Views
0
4 REPLIES 4

avatar
author-rank SK1
Guru

Created ‎03-12-2017 11:00 AM

I have following value in my krb5.conf

[libdefaults]

renew_lifetime = 7d

forwardable = true

default_realm = HADOOPADMIN.COM

ticket_lifetime = 24h

dns_lookup_realm = false

dns_lookup_kdc = false

#default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5

#default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5

[domain_realm]

m1.hdp22 = HADOOPADMIN.COM

adserver.ad.com = AD.COM

[logging]

default = FILE:/var/log/krb5kdc.log

admin_server = FILE:/var/log/kadmind.log

kdc = FILE:/var/log/krb5kdc.log

[realms]

HADOOPADMIN.COM = {

admin_server = m1.hdp22

kdc = m1.hdp22

}

AD.COM = {

kdc = adserver.ad.com:88

master_kdc = adserver.ad.com:88

kpasswd = adserver.ad.com:464

kpasswd_server = adserver.ad.com:464

}

7,775 Views
0 Kudos

avatar
author-rank SK1
Guru

Created ‎03-14-2017 07:50 AM

Any help ?

7,775 Views
0 Kudos

avatar
author-rank juan_manuel_nie
Expert Contributor

Created ‎03-14-2017 10:53 AM

Hello @Saurabh have you configured a one way trust relationship between the kdc and the AD?

If you didn't please check https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.0/bk_security/content/kerb-oneway-trust.html

7,775 Views
0 Kudos

avatar
author-rank VR46 author-rank
Guru

Created ‎03-14-2017 04:21 PM

Hello @Saurabh,

If you look the error message closely, it says 'No service creds'. Since you are running hadoop command, this most probably means that the NameNode service keytab is either missing or not good. For both the cases, please check NameNode log for any error during service startup.

To verify the service keytabs, try running these on NameNode:

su - hdfs
kinit -kt /etc/security/keytabs/nn.service.keytab nn/<nn-host-fqdn>@REALM

The last command should give you a correct TGT for NN service principal, that would show that NN service keytab is good.

Lastly, you can try to regenerate the keytabs for all the services.

Hope this helps !

7,775 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements