About rsheikh

rsheikh · ‎05-08-2024

For doc purpose and if it could be helpful to someone We took krb5.ini that was used at the CDP cluster and saved it to client WIN server We used LogLevel=6 LogPath=<some-path> in our jdbc URI to enable trace level log Based on findings from the trace level logs java.security.auth.login.config was pointing to an incorrect login module. Since we turned on memory based cache, removing pointer to the java.security.auth.login.config forced correct tgt ticket to be picked. We did not opt for a custom jaas.conf either. There were minor tweak of domain & realm value. This resolved our issue.

rsheikh · ‎05-02-2024

update: I have made some progress, placed the krb5.ini file. Currently at: ERROR: Caused by: com.cloudera.hiveserver2.support.exceptions.GeneralException: [Cloudera][HiveJDBCDriver](500168) Error creating login context using ticket cache: Unable to obtain Principal Name for authentication . ERROR: ... 12 more ERROR: Caused by: javax.security.auth.login.LoginException: Unable to obtain Principal Name for authentication May I get an example of a jaas.conf file I did find some using keytab etc while my setup is memory based sharing of tgt tickets. I appreciate your time. Thank you in advance.

rsheikh · ‎05-01-2024

Dear @chethan, much thanks for the reply. I am using Kerberos outbound only setup and I have followed all steps including registry key change to allow TGTSession sharing (WIN Memory). I have not se any jaas.conf. The examples I find use file based cache. Also, below is a debug output of what the session sees: get normal credential >>> KrbCreds found the default ticket granting ticket in credential cache. Java config name: null Native config name: C:\Windows\krb5.ini Loaded from native config >>> Obtained TGT from LSA: Credentials: client=demo@DC1.PW.ORG server=krbtgt/DC1.PW.ORG@DC1.PW.ORG authTime=20240425145720Z startTime=20240425145720Z endTime=20240426005720Z renewTill=null flags=INITIAL;PRE-AUTHENT Question, when I go to C:\Windows\krb5.ini (of demo user) there is no such file, how should I interpret this? #2 all jaas config sample I see are pointing to file-based cache or where IWA is enabled. I have not, what I have done is enabled WIN memory sharing of the TGT ticket, enabled unconstrained delegation, ensure all steps & settings nuances for a WIN are placed. I do appreciate the help!!!

rsheikh · ‎04-30-2024

Hello my client is a WIN server 2019, setup outbound Kerberos only, I have enabled WIN registry keys for TGT Session sharing, environment var pointing to CDP JARS, CONFIG paths and default Java_Home to the bundled Zulu private JRE which these days is using Java 11 and comes with unlimited strength JCE (per provider). I could do kinit and receive klist. SAS is the application. I have setup the CDP JDBC URI provided by CDP team and trustore w credentials. I have not done krb5.ini, nor jaas config, nor pointed the env variable java.security.auth.login.config to jaas config. I get this error: ERROR: java.sql.SQLException: [Cloudera][HiveJDBCDriver](500168) Error creating login context using ticket cache: Unable to obtain Principal Name for authentication . ERROR: Error trying to establish connection: [Cloudera][HiveJDBCDriver](500168) Error creating login context using ticket cache: Unable to obtain Principal Name for authentication . I researched here and some questions are around 2017-18 and community manager responded to another user to start a new question, hence my question here. Thank you in advance for your time and suggestions.

rsheikh · ‎08-01-2018

Hello, I have been stuck with this issue, giving the error, any insight is deeply appreciated. Using HDP 2.6.5 Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/hadoop/hive/thrift/TFilterTransport at java.lang.ClassLoader.defineClass1(Native Method) at java.lang.ClassLoader.defineClass(ClassLoader.java:803) at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142) at java.net.URLClassLoader.defineClass(URLClassLoader.java:442) at java.net.URLClassLoader.access$100(URLClassLoader.java:64) at java.net.URLClassLoader$1.run(URLClassLoader.java:354) at java.net.URLClassLoader$1.run(URLClassLoader.java:348) at java.security.AccessController.doPrivileged(Native Method) at java.net.URLClassLoader.findClass(URLClassLoader.java:347) at java.lang.ClassLoader.loadClass(ClassLoader.java:425) at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:315) at java.lang.ClassLoader.loadClass(ClassLoader.java:358) at org.apache.hive.jdbc.HiveConnection.createBinaryTransport(HiveConnection.java:415) at org.apache.hive.jdbc.HiveConnection.openTransport(HiveConnection.java:192) at org.apache.hive.jdbc.HiveConnection.<init>(HiveConnection.java:156) at org.apache.hive.jdbc.HiveDriver.connect(HiveDriver.java:105) at HiveCheck.main(HiveCheck.java:388) Caused by: java.lang.ClassNotFoundException: org.apache.hadoop.hive.thrift.TFilterTransport at java.net.URLClassLoader$1.run(URLClassLoader.java:359) at java.net.URLClassLoader$1.run(URLClassLoader.java:348) at java.security.AccessController.doPrivileged(Native Method) at java.net.URLClassLoader.findClass(URLClassLoader.java:347) at java.lang.ClassLoader.loadClass(ClassLoader.java:425) at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:315) at java.lang.ClassLoader.loadClass(ClassLoader.java:358) ... 17 more 2018-08-01 11:34:13,942 DEBUG [Thread-0] util.Shell (Shell.java:isSetsidSupported(778)) - setsid exited with exit code 0

rsheikh · ‎07-24-2018

Could not load shims in class org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge23

rsheikh · ‎02-16-2018

@emaxwell Your explanation, specially last paragraph, is the most closest explanation I have come across, of what we are trying to resolve. Indeed (using SAS client on a desktop) that connects to a SAS server (as in a session) and the need is to pass the user's kerberos ticket to HDP from that server. We have turned the registry setting in WIN server so the ticket cache is shareable, but no go. I was wondering if there is any doc or step by step that is available? Also, the steps you showed in code section above, needs to be done for ea. end user on the client (to HDP) server? There is NO direct end-user login to the server (only via clients). Is there anything that could have WIN OS perform kinit on behalf of the end user and pass that ticket to HDP. Any insight is appreciated as we are going in circle. *(Still discovering kerberos not expert level)

rsheikh · ‎02-16-2018

@Ravi MutyalaWill this work where client (desktop) connects to its server (win server) which then acts as a client to the HDP cluster. There is no direct login. We are not finding much info. Any advice?

rsheikh · ‎02-16-2018

Precise pain point we see, if on Linux one could do PAM but zero info on WIN. I would add, how does one have WIN OS to kinit on a user's (session) behalf?

Online	Offline
Last Visited	‎05-23-2024 06:58 PM

Member Since	‎07-16-2017 02:47 PM
Last Visited	‎05-23-2024 06:58 PM
Posts	12
Kudos received	2

Cloudera Community

Re: Error creating login context using ticket cach...

Re: Error creating login context using ticket cach...

Re: Error creating login context using ticket cach...

Re: Error creating login context using ticket cach...

Error creating login context using ticket cache: U...

Re: Could not load shims in class org.apache.hadoo...

Could not load shims in class org.apache.hadoop.hi...

Re: Automation of kinit process without login into...

Re: Automation of kinit process without login into...

Re: Automation of kinit process without login into...