spnego+kerberos+firefox

Expert Contributor

The goal is to authenticate to Oozie/NN/RM etc. in the browser.

Currently I'm getting the error below:

HTTP ERROR 403

Problem accessing /solr/. Reason:

    GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
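That particular message comes from the Java GSS-API token parser on the server side: the SPNEGO filter base64-decodes the `Authorization: Negotiate ...` value and hands it to GSS, whose header parser insists on an ASN.1 [APPLICATION 0] tag (0x60) followed by a mechanism OID. A Windows browser that cannot obtain a Kerberos service ticket silently falls back to NTLM, whose tokens start with `NTLMSSP\0`, and that is the classic cause of "GSSHeader did not find the right tag". The following script is an added example, not code from the thread or from Hadoop: it reproduces that decision offline so a header copied from the browser's network tab can be classified. The sample headers are constructed for illustration, not captured from the poster's cluster.

```python
"""Classify the token in an HTTP "Authorization: Negotiate ..." header.

Java GSS rejects anything that does not start with the RFC 2743
InitialContextToken framing (0x60 LEN OID ...), reporting
"Defective token detected (Mechanism level: GSSHeader did not find the right tag)".
An NTLM fallback token ("NTLMSSP\\0...") is the usual culprit.
"""
import base64

# Mechanism OIDs, DER-encoded including the 0x06 tag and length byte.
OID_SPNEGO = bytes.fromhex("06062b0601050502")       # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")   # 1.2.840.113554.1.2.2
OID_NAMES = {OID_SPNEGO: "spnego", OID_KRB5: "krb5"}


def der_length_encode(n):
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_length_decode(buf, pos):
    """Return (length, next_pos) for the DER length starting at buf[pos]."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def build_gss_token(mech_oid, inner_token):
    """Wrap inner_token in the GSS framing: 0x60 LEN mech_oid inner_token."""
    body = mech_oid + inner_token
    return b"\x60" + der_length_encode(len(body)) + body


def classify_negotiate_header(header_value):
    """Return 'krb5', 'spnego', 'ntlm', 'not-gss', 'unknown-mech', 'bad-base64' or 'not-negotiate'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return "bad-base64"
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm"                     # browser fell back to NTLM: Java GSS rejects it
    if not token or token[0] != 0x60:
        return "not-gss"                  # same Java error, some other non-GSS blob
    try:
        length, pos = der_length_decode(token, 1)
    except (ValueError, IndexError):
        return "not-gss"
    if length != len(token) - pos:
        return "not-gss"                  # framing length disagrees with token size
    for oid, name in OID_NAMES.items():
        if token[pos:pos + len(oid)] == oid:
            return name
    return "unknown-mech"


# Constructed sample headers (not captured from any real cluster).
# The NTLM one is a minimal Type 1 message: its base64 starts "TlRMTVNTUAAB",
# which is what you see in the network tab when Windows has fallen back to NTLM.
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + b"\x00" * 16).decode()
SAMPLE_KRB5 = "Negotiate " + base64.b64encode(
    build_gss_token(OID_KRB5, b"\x01\x00" + b"\xaa" * 8)).decode()
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(
    build_gss_token(OID_SPNEGO, b"\xa0\x03\x02\x01\x00")).decode()

if __name__ == "__main__":
    for label, hdr in (("ntlm", SAMPLE_NTLM), ("krb5", SAMPLE_KRB5), ("spnego", SAMPLE_SPNEGO)):
        print(label, "->", classify_negotiate_header(hdr))
```

If the header you captured classifies as `ntlm`, the server-side configuration is not the problem: the Windows client had no Kerberos ticket for the `HTTP/<fqdn>` service and fell back, which is the situation the replies below address (trusted URIs, SSPI versus MIT GSSAPI, realm mapping).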
5 REPLIES

Super Mentor

@Raja Sekhar Chintalapati

Have you done the following?

Open the Firefox "about:config" and then search for the following two properties and set the values to the hostname/domain that are secured:

network.negotiate-auth.delegation-uris=sandbox.hortonworks.com,.hortonworks.com
network.negotiate-auth.trusted-uris=sandbox.hortonworks.com,.hortonworks.com

Here you need to define the hostname/domain that you are using.

Now get the keytab on your local machine (laptop) where browser is running and then do the kinit. Then refresh the browser. Example:

kinit --kdc-hostname=kdc.hortonworks.com  -t /PATH/TO/yarn.service.keytab yarn/sandbox.hortonworks.com@EXAMPLE.COM


Expert Contributor

@Jay SenSharma I've got a 5-node HDP cluster along with a Win2k8 AD.

I'm using the browser on my Windows 10 machine. I do not have any krb5.conf configured on my Windows 10.

Super Mentor

@Raja Sekhar Chintalapati

As you are getting the keytab file from your cluster to your Windows 2k8 machine, in the same way you can get the krb5.conf file as well onto your Windows machine and then do a kinit.

Expert Contributor

@Jay SenSharma I've got an MIT KDC on a Linux host where the SPNs were created by Ambari.

Users will get their ticket from AD. I've set up a one-way trust between AD and the MIT KDC.

I followed the link below, but even this did not help:

https://community.hortonworks.com/articles/28537/user-authentication-from-windows-workstation-to-hd....

You also must set network.auth.use-sspi = false in Firefox about:config to enable Kerberos. But most likely it still won't work, because Windows doesn't know that your Oozie server etc. belong to another realm. Therefore install the MIT Kerberos client for Windows (details on how to install it here), then copy krb5.conf from your cluster to "C:\Program Files\MIT\Kerberos\krb5.ini". Then, unlike in that article, change krb5.ini and set your default realm to your AD realm, and in the domain_realm section list all cluster master node FQDNs and set their realm to your HDP realm. After that restart your PC and try to access the Oozie Web UI. In the Kerberos Ticket Manager you can see which principals have been contacted, and that your cluster masters are in the right domain.
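The krb5.ini layout that reply describes, written out as an added example (not a file from the thread or from any HDP distribution). Every realm and hostname here is an assumption chosen for illustration: CORP.EXAMPLE.COM stands for the AD realm that issues the user's TGT, HDP.EXAMPLE.COM for the MIT realm Ambari created the service principals in, and the master hostnames for the cluster nodes whose web UIs are being opened.

```ini
; Windows MIT Kerberos client config for an AD user reaching an MIT-secured HDP cluster.
; All names are illustrative assumptions; replace them with your own realms and hosts.

[libdefaults]
    ; The user logs in to AD, so the TGT comes from the AD realm.
    default_realm = CORP.EXAMPLE.COM
    dns_lookup_kdc = false
    forwardable = true

[realms]
    CORP.EXAMPLE.COM = {
        kdc = ad-dc1.corp.example.com
        admin_server = ad-dc1.corp.example.com
    }
    HDP.EXAMPLE.COM = {
        kdc = kdc.hdp.example.com
        admin_server = kdc.hdp.example.com
    }

[domain_realm]
    ; Without these lines the client asks AD for HTTP/master1...@CORP.EXAMPLE.COM,
    ; AD has no such SPN, and the browser falls back to NTLM.
    master1.hdp.example.com = HDP.EXAMPLE.COM
    master2.hdp.example.com = HDP.EXAMPLE.COM
    master3.hdp.example.com = HDP.EXAMPLE.COM
    .hdp.example.com = HDP.EXAMPLE.COM
    .corp.example.com = CORP.EXAMPLE.COM

[capaths]
    ; Direct one-way trust: AD clients reach HDP services with no intermediate realm.
    CORP.EXAMPLE.COM = {
        HDP.EXAMPLE.COM = .
    }
```

After the restart, a successful visit to a master's web UI should leave two extra entries in the Ticket Manager (or in `klist` from the MIT client): a cross-realm ticket `krbtgt/HDP.EXAMPLE.COM@CORP.EXAMPLE.COM` and a service ticket `HTTP/master1.hdp.example.com@HDP.EXAMPLE.COM`. If the second one is missing, check that Ambari actually created an `HTTP/<fqdn>` principal for that host and that the name the browser resolves matches it exactly, since Firefox builds the SPN from the URL hostname.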
