[Active Directory, realm=ADREALM] | [KDC, realm=LOCALREALM] | [CLOUDERA CLUSTER]
hdfs dfs -ls /
[root@master1 ~]# kdestroy
[root@master1 ~]# kinit TEST_USER@ADREALM
Password for TEST_USER@ADREALM:
[root@master1 ~]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: TEST_USER@ADREALM
Valid starting Expires Service principal
05/02/19 15:27:48 06/02/19 01:27:48 krbtgt/ADREALM@ADREALM
renew until 12/02/19 15:27:43, Etype (skey, tkt): aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
[root@master1 ~]# hdfs dfs -ls /
19/02/05 15:27:59 WARN security.UserGroupInformation: PriviledgedActionException as:TEST_USER@ADREALM (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]
19/02/05 15:28:01 WARN security.UserGroupInformation: PriviledgedActionException as:TEST_USER@ADREALM (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]
19/02/05 15:28:01 WARN security.UserGroupInformation: Not attempting to re-login since the last re-login was attempted less than 60 seconds before. Last Login=1549376879231
19/02/05 15:28:06 WARN security.UserGroupInformation: PriviledgedActionException as:TEST_USER@ADREALM (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]
19/02/05 15:28:06 WARN security.UserGroupInformation: Not attempting to re-login since the last re-login was attempted less than 60 seconds before. Last Login=1549376879231

Related to the error above, we see this message in the file /var/log/krb5kdc.log on master1.clouderacluster.net (the machine running the local KDC):
Feb 05 15:31:49 master1.clouderacluster.net krb5kdc[18098](info): TGS_REQ (3 etypes {17 23 16}) 10.251.188.10: PROCESS_TGS: authtime 0, <unknown client> for hdfs/master1.clouderacluster.net@LOCALREALM, Decrypt integrity check failed
Etype (skey, tkt): aes128-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96
# Kerberos client/KDC configuration as posted (section layout matches krb5.conf;
# the page does not name the file). Comments are on their own lines because
# MIT krb5 only treats lines starting with '#' or ';' as comments.

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# permitted_enctypes is the only list that contains aes256-cts-hmac-sha1-96.
# arcfour-hmac-md5 and rc4-hmac name the same enctype, and des-cbc-md5 appears
# twice, so each list has fewer distinct entries than it seems.
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 rc4-hmac des3-cbc-sha1 des-cbc-md5
# The two request lists below omit aes256-cts-hmac-sha1-96, so clients using
# this file never ask for it as a session-key type.
# NOTE(review): single-DES and RC4 are weak enctypes; once every principal and
# the AD trust have AES keys, these lists can be reduced to the AES entries.
default_tkt_enctypes = aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 rc4-hmac des3-cbc-sha1 des-cbc-md5
default_tgs_enctypes = aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 rc4-hmac des3-cbc-sha1 des-cbc-md5
default_realm = LOCALREALM
# DNS discovery is off: realms and KDCs are resolved only from [realms] and
# [domain_realm] in this file.
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
# NOTE(review): MIT krb5 spells this option allow_weak_crypto (underscores);
# the hyphenated key is presumably ignored, which would leave the des-cbc-*
# entries above inactive. The TGS_REQ in the posted KDC log lists only etypes
# {17 23 16} (aes128, rc4-hmac, des3), which is consistent with that. Confirm
# before relying on it, and prefer not to enable weak crypto at all.
allow-weak-crypto = true
# A limit of 1 byte makes the library try TCP before UDP for KDC traffic.
udp_preference_limit = 1

[realms]
LOCALREALM = {
  kdc = master1.clouderacluster.net
  admin_server = master1.clouderacluster.net
  max_renewable_life = 7d 0h 0m 0s
  default_principal_flags = +renewable
}
# NOTE(review): "Decrypt integrity check failed" on a TGS_REQ from an
# <unknown client> usually means the local KDC could not decrypt the
# cross-realm TGT issued by this realm, i.e. the key of
# krbtgt/LOCALREALM@ADREALM (password, kvno or enctype) differs between AD and
# the local KDC. Verify both sides of the trust.
ADREALM = {
  kdc = ad.domain.net:88
  admin_server = ad.domain.net:749
}

[domain_realm]
# NOTE(review): there is no mapping for clouderacluster.net, the domain of the
# cluster hosts; the posted KDC log shows the hdfs service principal being
# requested in LOCALREALM, presumably via default_realm. Confirm that this is
# intended.
.localrealm = LOCALREALM
localrealm = LOCALREALM
.ad.domain.net = ADREALM
ad.domain.net = ADREALM