Cloudera Community

Welcome to the Cloudera Community

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Who agreed with this topic

kerberos Not working in Windows Client (GSSException: Defective token detected (Mechanism level: GSS

avatar
author-rank SadeekM
New Contributor

Created on ‎02-23-2016 06:16 AM - edited ‎02-23-2016 06:56 AM

Hi,

We have implemented kerberos for our Hadoop setup.
Please note that we are using MIT KDC 5 and we are not using AD/LDAP authentication. All the users are Unix users
Everything works fine but we face problem while using browser to open SOLR Admin UI and httpfs UI.

Here are our settings

Browser
1. Prompt for username and password for in Security->Intranet setction
2. Added http://*.intra.testlab.se & https://*.intra.testlab.se in local intranet section
3. "Enable Integrated windows authentication" in Advance settings.

Windows OS
1. Windows 2008
2. We login to windows machine as follows
Username: sadeek123
Password: password provided by AD
Domain: FOXNET.INTRA.TESTLAB.SE
2. Ran following command (One time)
ksetup /addkdc INTRA.TESTLAB.SE unixs49.intra.testlab.se
3. After running this command we could see registry entry as KDC names = unixs49.intra.testlab.se under HKEY_LOCAL_MACHINE->SYSTEM->CURRENTCONTROLSET->LSA->KERBEROS->DOMIANs

Here is our procedure to access SOLR UI.

1.Login to windows machine using AD username and password
2. hit the URL http://unixs50.intra.testlab.se:8983/solr
3. A username, password window pops up. we provide credentials like sadeek@INTRA.TESTLAB.SE & password
4. We get following error on SOLR.
2016-02-18 08:38:18,035 WARN org.apache.hadoop.security.authentication.server.AuthenticationFilter: Authentication exception: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:399)
at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler.authenticate(DelegationTokenAuthenticationHandler.java:347)
at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:517)
at org.apache.solr.servlet.SolrHadoopAuthenticationFilter.doFilter(SolrHadoopAuthenticationFilter.java:399)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.solr.servlet.HostnameFilter.doFilter(HostnameFilter.java:86)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:620)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:366)
at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:348)
at java.security.AccessController.doPrivileged(Native Method)
5. Same is happening with httpfs.

Additional notes

1. On unix machine we do kinit for sadeek user by doing kinit sadeek@INTRA.TESTLAB.SE and provide password
2. We try to access SOLR UI using curl by issuing following command
curl --negotiate -u : -b ~/cookiejar.txt -c ~/cookiejar.txt http://unixs50.intra.testlab.se:8983/solr
3. We are able to see SOLR admin UI html page successfully.


BR,
SM

2,734
0 Kudos
1
Who agreed with this topic