10-04-2017
10:37 PM
Hi, I installed CDSW workbench on a CentOS machine and also installed R there. The code worked there without any error. The encryption method of the ticket was not the problem there. But on the Windows machine, the code worked for Java but not R. Probably R is not able to decrypt the content of the ticket, which Java is able to do. Has anyone come across a similar problem? What encryption code/process does R use and how is it different for Java in Windows? Thanks
09-29-2017
03:07 AM
Hi, I've looked into the Kerberos logs of the code. Below are my debug results:

1) In R, where we get GSS initiate failed error:

    > library(rJava)
    > .jinit(,"-Dsun.security.krb5.debug=true")
    > #.jaddClassPath("C:/Program Files/Java/jdk1.8.0_101/jre/lib/security/local_policy.jar")
    > #.jaddClassPath("C:/Program Files/Java/jdk1.8.0_101/jre/lib/security/US_export_policy.jar")
    > #.jaddClassPath("D:/KerberosConfigrationFile/gss-jaas.conf")
    > .jaddClassPath("D:/Project/FAM/Workspace/TestImpala/bin")
    > v<-.jnew("TestClassPath")
    > impala_conn <-.jcall(v,returnSig = "S","getImpalaConnection")
    Test Impala start-----****
    >>>KinitOptions cache name is C:\Users\user\krb5cc_user
    >>>DEBUG <CCacheInputStream> client principal is user1@COMPANY.COM
    >>>DEBUG <CCacheInputStream> server principal is krbtgt/COMPANY.COM@COMPANY.COM
    >>>DEBUG <CCacheInputStream> key type: 18
    >>>DEBUG <CCacheInputStream> auth time: Thu Sep 28 11:29:07 IST 2017
    >>>DEBUG <CCacheInputStream> start time: Thu Sep 28 11:29:07 IST 2017
    >>>DEBUG <CCacheInputStream> end time: Thu Sep 28 21:29:07 IST 2017
    >>>DEBUG <CCacheInputStream> renew_till time: null
    >>> CCacheInputStream: readFlags() INITIAL; PRE_AUTH;
    Host address is /xx.xxx.xx.xx ...
    >>> KrbCreds found the default ticket granting ticket in credential cache.
    Java config name: null
    Native config name: C:\WINDOWS\krb5.ini
    >>> Obtained TGT from LSA: Credentials: client=user@COMPANY.COM server=krbtgt/COMPANY.COM@COMPANY.COM flags=INITIAL;PRE-AUTHENT EType (skey)=18 (tkt key)=18
    log4j:WARN No appenders could be found for logger (org.apache.thrift.transport.TSaslTransport).
    log4j:WARN Please initialize the log4j system properly.
    Found ticket for user@COMPANY.COM to go to krbtgt/COMPANY.COM@COMPANY.COM expiring on Thu Sep 28 21:29:07 IST 2017
    Entered Krb5Context.initSecContext with state=STATE_NEW
    Found ticket for user@COMPANY.COM to go to krbtgt/COMPANY.COM@COMPANY.COM expiring on Thu Sep 28 21:29:07 IST 2017
    Service ticket not found in the subject
    >>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/company.CO.IN@COMPANY.COM
    Using builtin default etypes for default_tgs_enctypes
    default etypes for default_tgs_enctypes: 18 17 16 23.
    >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
    >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
    >>> KdcAccessibility: reset
    getKDCFromDNS using UDP
    >>> KrbKdcReq send: kdc=blopedcgintl001.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1622
    >>> KDCCommunication: kdc=blopedcgintl001.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1622
    >>>DEBUG: TCPClient reading 109 bytes
    >>> KrbKdcReq send: #bytes read=109
    >>> KdcAccessibility: remove blopedcgintl001.company.com.:88
    >>> KDCRep: init() encoding tag is 126 req type is 13
    >>>KRBError: sTime is Thu Sep 28 15:45:34 IST 2017 1506593734000 suSec is 469828 error code is 7 error Message is Server not found in Kerberos database sname is krbtgt/company.CO.IN@COMPANY.COM msgType is 30
    >>> Credentials acquireServiceCreds: no tgt; searching thru capath
    >>> Credentials acquireServiceCreds: inner loop: [1] tempService=krbtgt/COMPANY.COM@COMPANY.COM
    Using builtin default etypes for default_tgs_enctypes
    default etypes for default_tgs_enctypes: 18 17 16 23.
    >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
    >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
    getKDCFromDNS using UDP
    >>> KrbKdcReq send: kdc=blropicgintl002.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1622
    >>> KDCCommunication: kdc=blropicgintl002.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1622
    >>>DEBUG: TCPClient reading 1573 bytes
    >>> KrbKdcReq send: #bytes read=1573
    >>> KdcAccessibility: remove blropicgintl002.company.com.:88
    >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
    >>> Credentials acquireServiceCreds: got tgt
    >>> Credentials acquireServiceCreds: continuing with main loop counter reset to 1
    >>> Credentials acquireServiceCreds: main loop: [1] tempService=krbtgt/company.CO.IN@COMPANY.COM
    Using builtin default etypes for default_tgs_enctypes
    default etypes for default_tgs_enctypes: 18 17 16 23.
    >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
    >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
    getKDCFromDNS using UDP
    >>> KrbKdcReq send: kdc=phxgggcgcorp001.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1597
    >>> KDCCommunication: kdc=phxgggcgcorp001.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1597
    >>>DEBUG: TCPClient reading 104 bytes
    >>> KrbKdcReq send: #bytes read=104
    >>> KdcAccessibility: remove phxgggcgcorp001.company.com.:88
    >>> KDCRep: init() encoding tag is 126 req type is 13
    >>>KRBError: sTime is Thu Sep 28 15:45:37 IST 2017 1506593737000 suSec is 579366 error code is 7 error Message is Server not found in Kerberos database sname is krbtgt/company.CO.IN@COMPANY.COM msgType is 30
    >>> Credentials acquireServiceCreds: no tgt; searching thru capath
    >>> Credentials acquireServiceCreds: inner loop: [2] tempService=krbtgt/COMPANY.COM@COMPANY.COM
    Using builtin default etypes for default_tgs_enctypes
    default etypes for default_tgs_enctypes: 18 17 16 23.
    >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
    >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
    getKDCFromDNS using UDP
    >>> KrbKdcReq send: kdc=tisgtgl01sdcg02.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1592
    >>> KDCCommunication: kdc=tisgtgl01sdcg02.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1592
    >>>DEBUG: TCPClient reading 99 bytes
    >>> KrbKdcReq send: #bytes read=99
    >>> KdcAccessibility: remove tisgtgl01sdcg02.company.com.:88
    >>> KDCRep: init() encoding tag is 126 req type is 13
    >>>KRBError: sTime is Thu Sep 28 15:45:39 IST 2017 1506593739000 suSec is 369350 error code is 7 error Message is Server not found in Kerberos database sname is krbtgt/COMPANY.COM@CORP.FIRSTAM.COM msgType is 30
    >>> Credentials acquireServiceCreds: inner loop: [3] tempService=krbtgt/COM@COMPANY.COM
    Using builtin default etypes for default_tgs_enctypes
    default etypes for default_tgs_enctypes: 18 17 16 23.
    >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
    >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
    getKDCFromDNS using UDP
    >>> KrbKdcReq send: kdc=snatytcgcorp102.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1583
    >>> KDCCommunication: kdc=snatytcgcorp102.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1583
    >>>DEBUG: TCPClient reading 91 bytes
    >>> KrbKdcReq send: #bytes read=91
    >>> KdcAccessibility: remove snatytcgcorp102.company.com.:88
    >>> KDCRep: init() encoding tag is 126 req type is 13
    >>>KRBError: sTime is Thu Sep 28 15:45:41 IST 2017 1506593741000 suSec is 179778 error code is 7 error Message is Server not found in Kerberos database sname is krbtgt/COM@CORP.COMPANY.COM msgType is 30
    >>> Credentials acquireServiceCreds: inner loop: [4] tempService=krbtgt/IN@CORP.COMPANY.COM
    Using builtin default etypes for default_tgs_enctypes
    default etypes for default_tgs_enctypes: 18 17 16 23.
    >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
    >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
    getKDCFromDNS using UDP
    >>> KrbKdcReq send: kdc=jfkvpdfrforp001.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1583
    >>> KDCCommunication: kdc=jfkvpdfrforp001.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1583
    >>>DEBUG: TCPClient reading 90 bytes
    >>> KrbKdcReq send: #bytes read=90
    >>> KdcAccessibility: remove jfkvpdfrforp001.company.com.:88
    >>> KDCRep: init() encoding tag is 126 req type is 13
    >>>KRBError: error code is 7 error Message is Server not found in Kerberos database sname is krbtgt/IN@CORP.COMPANY.COM msgType is 30
    >>> Credentials acquireServiceCreds: inner loop: [5] tempService=krbtgt/CO.IN@COMPANY.COM
    Using builtin default etypes for default_tgs_enctypes
    default etypes for default_tgs_enctypes: 18 17 16 23.
    >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
    >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
    getKDCFromDNS using UDP
    >>> KrbKdcReq send: kdc=tinfrfc01sdcg01.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1586
    >>> KDCCommunication: kdc=tinfrfc01sdcg01.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1586
    >>>DEBUG: TCPClient reading 93 bytes
    >>> KrbKdcReq send: #bytes read=93
    >>> KdcAccessibility: remove tinfrfc01sdcg01.company.com.:88
    >>> KDCRep: init() encoding tag is 126 req type is 13
    >>>KRBError: sTime is Thu Sep 28 15:45:44 IST 2017 1506593744000 suSec is 422560 error code is 7 error Message is Server not found in Kerberos database sname is krbtgt/CO.IN@CORP.COMPANY.COM msgType is 30
    >>> Credentials acquireServiceCreds: no tgt; cannot get creds
    KrbException: Fail to create credential. (63) - No service creds
        at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:156)
        at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:458)
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:693)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192)
        at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94)
        at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:253)
        at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
        at com.cloudera.hivecommon.api.HiveServerPrivilegedAction.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:360)
        at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
        at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createClient(Unknown Source)
        at com.cloudera.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
        at com.cloudera.impala.core.ImpalaJDBCConnection.establishConnection(Unknown Source)
        at com.cloudera.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
        at com.cloudera.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
        at com.cloudera.jdbc.common.AbstractDriver.connect(Unknown Source)
        at java.sql.DriverManager.getConnection(DriverManager.java:664)
        at java.sql.DriverManager.getConnection(DriverManager.java:270)
        at TestClassPath.getImpalaConnection(TestClassPath.java:20)
    java.sql.SQLException: [Simba][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed.
        at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
        at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createClient(Unknown Source)
        at com.cloudera.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
        at com.cloudera.impala.core.ImpalaJDBCConnection.establishConnection(Unknown Source)
        at com.cloudera.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
        at com.cloudera.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
        at com.cloudera.jdbc.common.AbstractDriver.connect(Unknown Source)
        at java.sql.DriverManager.getConnection(DriverManager.java:664)
        at java.sql.DriverManager.getConnection(DriverManager.java:270)
    Caused by: com.cloudera.support.exceptions.GeneralException: [Simba][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed.
        ... 9 more
    Caused by: java.lang.RuntimeException: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed
        at com.cloudera.hivecommon.api.HiveServerPrivilegedAction.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:360)
        at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
        at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createClient(Unknown Source)
        at com.cloudera.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
        at com.cloudera.impala.core.ImpalaJDBCConnection.establishConnection(Unknown Source)
        at com.cloudera.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
        at com.cloudera.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
        at com.cloudera.jdbc.common.AbstractDriver.connect(Unknown Source)
        at java.sql.DriverManager.getConnection(DriverManager.java:664)
        at java.sql.DriverManager.getConnection(DriverManager.java:270)
        at TestClassPath.getImpalaConnection(TestClassPath.java:20)
    Caused by: org.apache.thrift.transport.TTransportException: GSS initiate failed
        at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:221)
        at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:297)
        at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
        ... 13 more
    Test Impala End
    > impala_conn
    [1] "Test Impala"

2) In Java, when the krb5.ini file was not in place, we got error:

    Test Impala start-----****
    >>>KinitOptions cache name is C:\Users\user1\krb5cc_user
    >>>DEBUG <CCacheInputStream> client principal is user1@COMPANY.COM
    >>>DEBUG <CCacheInputStream> server principal is krbtgt/COMPANY.COM
    >>>DEBUG <CCacheInputStream> key type: 18
    >>>DEBUG <CCacheInputStream> auth time: Thu Sep 28 11:29:07 IST 2017
    >>>DEBUG <CCacheInputStream> start time: Thu Sep 28 11:29:07 IST 2017
    >>>DEBUG <CCacheInputStream> end time: Thu Sep 28 21:29:07 IST 2017
    >>>DEBUG <CCacheInputStream> renew_till time: null
    >>> CCacheInputStream: readFlags() INITIAL; PRE_AUTH;
    Host address is /xx.xxx.xx.xx ...
    >>> KrbCreds found the default ticket granting ticket in credential cache.
    Java config name: null
    Native config name: C:\WINDOWS\krb5.ini
    >>> Obtained TGT from LSA: Credentials: client=user1@COMPANY.COM server=krbtgt/COMPANY.COM flags=INITIAL;PRE-AUTHENT EType (skey)=18 (tkt key)=18
    log4j:WARN No appenders could be found for logger (org.apache.thrift.transport.TSaslTransport).
    log4j:WARN Please initialize the log4j system properly.
    Found ticket for user1@COMPANY.COM to go to krbtgt/COMPANY.COM expiring on Thu Sep 28 21:29:07 IST 2017
    Entered Krb5Context.initSecContext with state=STATE_NEW
    Found ticket for user1@COMPANY.COM to go to krbtgt/COMPANY.COM expiring on Thu Sep 28 21:29:07 IST 2017
    Service ticket not found in the subject
    >>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/company1.co.in@COMPANY.COM
    Using builtin default etypes for default_tgs_enctypes
    default etypes for default_tgs_enctypes: 18 17 16 23.
    >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
    >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
    >>> KdcAccessibility: reset
    getKDCFromDNS using UDP
    >>> KrbKdcReq send: kdc=blrppdcgintl002.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1622
    >>> KDCCommunication: kdc=blrppdcgintl002.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1622
    >>>DEBUG: TCPClient reading 109 bytes
    >>> KrbKdcReq send: #bytes read=109
    >>> KdcAccessibility: remove blrppdcgintl002.company.com.:88
    >>> KDCRep: init() encoding tag is 126 req type is 13
    >>>KRBError: sTime is Thu Sep 28 16:11:03 IST 2017 1506595263000 suSec is 629484 error code is 7 error Message is Server not found in Kerberos database sname is krbtgt/company1.co.in@COMPANY.COM msgType is 30
    >>> Credentials acquireServiceCreds: no tgt; searching thru capath
    >>> Credentials acquireServiceCreds: inner loop: [1] tempService=krbtgt/CORP.COM@COMPANY.COM
    Using builtin default etypes for default_tgs_enctypes
    default etypes for default_tgs_enctypes: 18 17 16 23.
    >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
    >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
    getKDCFromDNS using UDP
    >>> KrbKdcReq send: kdc=blrppdcgintl002.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1622
    >>> KDCCommunication: kdc=blrppdcgintl002.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1622
    >>>DEBUG: TCPClient reading 1573 bytes
    >>> KrbKdcReq send: #bytes read=1573
    >>> KdcAccessibility: remove blrppdcgintl002.company.com.:88
    >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
    >>> Credentials acquireServiceCreds: got tgt
    >>> Credentials acquireServiceCreds: continuing with main loop counter reset to 1
    >>> Credentials acquireServiceCreds: main loop: [1] tempService=krbtgt/company1.co.in@COMPANY.COM
    Using builtin default etypes for default_tgs_enctypes
    default etypes for default_tgs_enctypes: 18 17 16 23.
    >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
    >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
    getKDCFromDNS using UDP
    >>> KrbKdcReq send: kdc=tincfdc01sdcg01.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1597
    >>> KDCCommunication: kdc=tincfdc01sdcg01.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1597
    >>>DEBUG: TCPClient reading 104 bytes
    >>> KrbKdcReq send: #bytes read=104
    >>> KdcAccessibility: remove tincfdc01sdcg01.company.com.:88
    >>> KDCRep: init() encoding tag is 126 req type is 13
    >>>KRBError: sTime is Thu Sep 28 16:11:06 IST 2017 1506595266000 suSec is 385440 error code is 7 error Message is Server not found in Kerberos database sname is krbtgt/company1.co.in@COMPANY.COM msgType is 30
    >>> Credentials acquireServiceCreds: no tgt; searching thru capath
    >>> Credentials acquireServiceCreds: inner loop: [2] tempService=krbtgt/COMPANY@CORP.COMPANY.COM
    Using builtin default etypes for default_tgs_enctypes
    default etypes for default_tgs_enctypes: 18 17 16 23.
    >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
    >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
    getKDCFromDNS using UDP
    >>> KrbKdcReq send: kdc=snapascgcorp102.comapny.com. TCP:88, timeout=30000, number of retries =3, #bytes=1592
    >>> KDCCommunication: kdc=snapascgcorp102.comapny.com. TCP:88, timeout=30000,Attempt =1, #bytes=1592
    >>>DEBUG: TCPClient reading 99 bytes
    >>> KrbKdcReq send: #bytes read=99
    >>> KdcAccessibility: remove snapascgcorp102.comapny.com.:88
    >>> KDCRep: init() encoding tag is 126 req type is 13
    >>>KRBError: sTime is Thu Sep 28 16:11:08 IST 2017 1506595268000 suSec is 888723 error code is 7 error Message is Server not found in Kerberos database sname is krbtgt/COMPANY@CORP.COMPANY.COM msgType is 30
    >>> Credentials acquireServiceCreds: inner loop: [3] tempService=krbtgt/COM@COMPANY.COM
    Using builtin default etypes for default_tgs_enctypes
    default etypes for default_tgs_enctypes: 18 17 16 23.
    >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
    >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
    getKDCFromDNS using UDP
    >>> KrbKdcReq send: kdc=fahwerl01vdcg02.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1584
    >>> KDCCommunication: kdc=fahwerl01vdcg02.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1584
    >>>DEBUG: TCPClient reading 91 bytes
    >>> KrbKdcReq send: #bytes read=91
    >>> KdcAccessibility: remove fahwerl01vdcg02.company.com.:88
    >>> KDCRep: init() encoding tag is 126 req type is 13
    >>>KRBError: sTime is Thu Sep 28 16:11:09 IST 2017 1506595269000 suSec is 350172 error code is 7 error Message is Server not found in Kerberos database sname is krbtgt/COM@CORP.FIRSTAM.COM msgType is 30
    >>> Credentials acquireServiceCreds: inner loop: [4] tempService=krbtgt/IN@COMPANY.COM
    Using builtin default etypes for default_tgs_enctypes
    default etypes for default_tgs_enctypes: 18 17 16 23.
    >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
    >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
    getKDCFromDNS using UDP
    >>> KrbKdcReq send: kdc=snprrdcgcorp101.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1583
    >>> KDCCommunication: kdc=snprrdcgcorp101.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1583
    >>>DEBUG: TCPClient reading 90 bytes
    >>> KrbKdcReq send: #bytes read=90
    >>> KdcAccessibility: remove snprrdcgcorp101.company.com.:88
    >>> KDCRep: init() encoding tag is 126 req type is 13
    >>>KRBError: sTime is Thu Sep 28 16:11:11 IST 2017 1506595271000 suSec is 821544 error code is 7 error Message is Server not found in Kerberos database sname is krbtgt/IN@COMPANY.COM msgType is 30
    >>> Credentials acquireServiceCreds: inner loop: [5] tempService=krbtgt/CO.IN@COMPANY.COM
    Using builtin default etypes for default_tgs_enctypes
    default etypes for default_tgs_enctypes: 18 17 16 23.
    >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
    >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
    getKDCFromDNS using UDP
    >>> KrbKdcReq send: kdc=snareecgcorp003.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1586
    >>> KDCCommunication: kdc=snareecgcorp003.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1586
    >>>DEBUG: TCPClient reading 93 bytes
    >>> KrbKdcReq send: #bytes read=93
    >>> KdcAccessibility: remove snareecgcorp003.company.com.:88
    >>> KDCRep: init() encoding tag is 126 req type is 13
    >>>KRBError: sTime is Thu Sep 28 16:11:12 IST 2017 1506595272000 suSec is 316872 error code is 7 error Message is Server not found in Kerberos database sname is krbtgt/CO.IN@COMPANY.COM msgType is 30
    >>> Credentials acquireServiceCreds: no tgt; cannot get creds
    KrbException: Fail to create credential. (63) - No service creds
        at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
        at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
        at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
        at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
        at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94)
        at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:253)
        at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
        at com.cloudera.hivecommon.api.HiveServerPrivilegedAction.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Unknown Source)
        at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
        at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createClient(Unknown Source)
        at com.cloudera.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
        at com.cloudera.impala.core.ImpalaJDBCConnection.establishConnection(Unknown Source)
        at com.cloudera.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
        at com.cloudera.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
        at com.cloudera.jdbc.common.AbstractDriver.connect(Unknown Source)
        at java.sql.DriverManager.getConnection(Unknown Source)
        at java.sql.DriverManager.getConnection(Unknown Source)
        at TestClassPath.getImpalaConnection(TestClassPath.java:21)
        at TestClassPath.main(TestClassPath.java:41)
    java.sql.SQLException: [Simba][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed.
        at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
        at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createClient(Unknown Source)
        at com.cloudera.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
        at com.cloudera.impala.core.ImpalaJDBCConnection.establishConnection(Unknown Source)
        at com.cloudera.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
        at com.cloudera.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
        at com.cloudera.jdbc.common.AbstractDriver.connect(Unknown Source)
        at java.sql.DriverManager.getConnection(Unknown Source)
        at java.sql.DriverManager.getConnection(Unknown Source)
        at TestClassPath.getImpalaConnection(TestClassPath.java:21)
    Caused by: com.cloudera.support.exceptions.GeneralException: [Simba][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed.
        ... 10 more
    Caused by: java.lang.RuntimeException: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed
        at com.cloudera.hivecommon.api.HiveServerPrivilegedAction.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Unknown Source)
        at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
        at com.cloudera.hivecommon.api.HiveServer2ClientFactory.createClient(Unknown Source)
        at com.cloudera.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
        at com.cloudera.impala.core.ImpalaJDBCConnection.establishConnection(Unknown Source)
        at com.cloudera.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
        at com.cloudera.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
        at com.cloudera.jdbc.common.AbstractDriver.connect(Unknown Source)
        at java.sql.DriverManager.getConnection(Unknown Source)
        at java.sql.DriverManager.getConnection(Unknown Source)
        at TestClassPath.getImpalaConnection(TestClassPath.java:21)
        at TestClassPath.main(TestClassPath.java:41)
    Caused by: org.apache.thrift.transport.TTransportException: GSS initiate failed
        at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:221)
        at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:297)
        at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
        ... 14 more
    Test Impala End

3) In Java, the working code.

    Test Impala start-----****
    >>>KinitOptions cache name is C:\Users\user1\krb5cc_user
    >>>DEBUG <CCacheInputStream> client principal is user1@COMPANY.COM
    >>>DEBUG <CCacheInputStream> server principal is krbtgt/COMPANY.COM
    >>>DEBUG <CCacheInputStream> key type: 18
    >>>DEBUG <CCacheInputStream> auth time: Thu Sep 28 11:29:07 IST 2017
    >>>DEBUG <CCacheInputStream> start time: Thu Sep 28 11:29:07 IST 2017
    >>>DEBUG <CCacheInputStream> end time: Thu Sep 28 21:29:07 IST 2017
    >>>DEBUG <CCacheInputStream> renew_till time: null
    >>> CCacheInputStream: readFlags() INITIAL; PRE_AUTH;
    Host address is /xx.xxx.xx.xx ...
    >>> KrbCreds found the default ticket granting ticket in credential cache.
    Java config name: null
    Native config name: C:\WINDOWS\krb5.ini
    Loaded from native config
    >>> Obtained TGT from LSA: Credentials: client=user@COMPANY.COM server=krbtgt/COMPANY@COMPANY.COM flags=INITIAL;PRE-AUTHENT EType (skey)=18 (tkt key)=18
    Found ticket for user@COMPANY.COM to go to krbtgt/COMPANY.COM@COMPANY.COM expiring on Thu Sep 28 21:29:07 IST 2017
    Entered Krb5Context.initSecContext with state=STATE_NEW
    Found ticket for user@COMPANY.COM to go to krbtgt/COMPANY.COM@COMPANY.COM expiring on Thu Sep 28 21:29:07 IST 2017
    Service ticket not found in the subject
    >>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/COMPANY.COM@COMPANY.COM
    default etypes for default_tgs_enctypes: 18 17 23.
    >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
    >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
    >>> KdcAccessibility: reset
    getKDCFromDNS using UDP
    >>> KrbKdcReq send: kdc=inttyna09vdcg01.company.com.. TCP:88, timeout=30000, number of retries =3, #bytes=1619
    >>> KDCCommunication: kdc=inttyna09vdcg01.company.com.. TCP:88, timeout=30000,Attempt =1, #bytes=1619
    >>>DEBUG: TCPClient reading 1573 bytes
    >>> KrbKdcReq send: #bytes read=1573
    >>> KdcAccessibility: remove inttyna09vdcg01.company.com.:88
    >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
    >>> Credentials acquireServiceCreds: got tgt
    >>> Credentials acquireServiceCreds: got right tgt
    >>> Credentials acquireServiceCreds: obtaining service creds for impala/hostname@CORP.COMPANY.COM
    default etypes for default_tgs_enctypes: 18 17 23.
    >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
    >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
    getKDCFromDNS using UDP
    >>> KrbKdcReq send: kdc=snappfrgcorp101.company.com. TCP:88, timeout=30000, number of retries =3, #bytes=1610
    >>> KDCCommunication: kdc=snappfrgcorp101.company.com. TCP:88, timeout=30000,Attempt =1, #bytes=1610
    >>>DEBUG: TCPClient reading 1630 bytes
    >>> KrbKdcReq send: #bytes read=1630
    >>> KdcAccessibility: remove snappfrgcorp101.company.com.:88
    >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
    >>> Credentials acquireServiceCreds: returning creds:
    >>> DEBUG: ----Credentials----
    client: user@COMPANY.COM
    server: impala/hostname@CORP.COMPANY.COM
    ticket: sname: impala/hostname@CORP.COMPANY.COM
    startTime: 1506595126000
    endTime: 1506614347000
    ----Credentials end----
    >>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
    >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
    Krb5Context setting mySeqNumber to: 293786502
    Created InitSecContextToken:
    0000: 01 00 6E 82 05 FE 30 82 05 FA A0 03 02 01 05 A1 ..n...0.........
    0010: 03 02 01 0E A2 07 03 05 00 20 00 00 00 A3 82 05 ......... ......
    Krb5Context.wrap: data=[01 01 00 00 ]
    Krb5Context.wrap: token=[60 30 06 09 2a 86 48 86 f7 12 01 02 02 02 01 11 00 ff ff ff ff 71 1a 06 60 97 6b e4 e7 35 7d 2a d4 a7 53 4a d5 5e ce 9f 9b 87 7c 18 a3 01 01 00 00 01 ]
    Connecting with jdbc:impala://connectionstring:21050/db;AuthMech=1;KrbRealm=_HOST@COMPANY.COM;KrbHostFQDN=host;KrbServiceName=impala;KrbAuthType=2
    document
    epr_lineage
    infa_hstg_lookup_name_785113698026062326
    infa_hstg_lookup_property_785113698026062326
    infa_hstg_lookup_reference_785113698026062326
    infa_hstg_read_document_4045257916572541191
    infa_hstg_read_document_5426399195748447698
    infa_hstg_read_document_785113698026062326
    ....

Please see the logs above and help me resolve the issue. I've changed the company and domain names.

Note: I'm trying to run the code from a Windows env and the complete setup of all applications is in CentOS. I have R and RStudio on Windows in the same network.
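A way to compare traces like the three in the post above, added here as an example and not part of the original post: the script pulls out of `sun.security.krb5.debug` output the lines that differ between the failing and working runs (a "Loaded from ... config" line, the built-in etype fallback, the `krbtgt/...` principals requested, the KDC errors returned, and whether a service ticket was requested). The two embedded traces are constructed and shortened, and their `EXAMPLE.COM` / `EXAMPLE.NET` names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 4120 names for KDC error codes worth recognising in a trace.
KDC_ERRORS = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
              7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
              14: "KDC_ERR_ETYPE_NOSUPP"}

# Constructed, shortened traces in the shape of the logs in the post.
FAILING_TRACE = r"""
Java config name: null
Native config name: C:\WINDOWS\krb5.ini
>>> Obtained TGT from LSA: Credentials: client=alice@EXAMPLE.COM server=krbtgt/EXAMPLE.COM@EXAMPLE.COM
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/lab.EXAMPLE.NET@EXAMPLE.COM
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>>KRBError: sTime is Thu Sep 28 15:45:34 IST 2017 suSec is 1 error code is 7 error Message is Server not found in Kerberos database sname is krbtgt/lab.EXAMPLE.NET@EXAMPLE.COM msgType is 30
>>> Credentials acquireServiceCreds: no tgt; searching thru capath
>>> Credentials acquireServiceCreds: inner loop: [1] tempService=krbtgt/NET@EXAMPLE.COM
>>>KRBError: error code is 7 error Message is Server not found in Kerberos database sname is krbtgt/NET@EXAMPLE.COM msgType is 30
>>> Credentials acquireServiceCreds: no tgt; cannot get creds
KrbException: Fail to create credential. (63) - No service creds
"""

WORKING_TRACE = r"""
Java config name: null
Native config name: C:\WINDOWS\krb5.ini
Loaded from native config
>>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/CORP.EXAMPLE.COM@EXAMPLE.COM
default etypes for default_tgs_enctypes: 18 17 23.
>>> Credentials acquireServiceCreds: got tgt
>>> Credentials acquireServiceCreds: got right tgt
>>> Credentials acquireServiceCreds: obtaining service creds for impala/node1.corp.example.com@CORP.EXAMPLE.COM
>>> Credentials acquireServiceCreds: returning creds:
"""


@dataclass
class TraceSummary:
    config_loaded: bool                 # a "Loaded from ... config" line was printed
    builtin_etypes: bool                # JVM fell back to its built-in etype list
    etypes: List[int]                   # first default_tgs_enctypes list printed
    tgt_requests: List[str]             # every tempService=krbtgt/... tried, in order
    kdc_errors: List[Tuple[int, str]]   # (error code, sname) per KRBError
    service_principal: Optional[str]    # target of "obtaining service creds for"
    got_service_creds: bool


def summarize(trace: str) -> TraceSummary:
    """Works on line-broken output and on output flattened onto one line."""
    etypes = re.search(r"default etypes for default_tgs_enctypes: ([\d ]+)\.", trace)
    svc = re.search(r"obtaining service creds for (\S+)", trace)
    errors = re.findall(r">>>\s*KRBError:.*?error code is (\d+).*?sname is (\S+)",
                        trace, re.S)
    return TraceSummary(
        config_loaded=bool(re.search(r"Loaded from \w+ config", trace)),
        builtin_etypes="Using builtin default etypes" in trace,
        etypes=[int(e) for e in etypes.group(1).split()] if etypes else [],
        tgt_requests=re.findall(r"tempService=(\S+)", trace),
        kdc_errors=[(int(code), sname) for code, sname in errors],
        service_principal=svc.group(1) if svc else None,
        got_service_creds="acquireServiceCreds: returning creds" in trace,
    )


def diagnose(s: TraceSummary) -> List[str]:
    """Return 'tag: observation' strings; an empty list means nothing stood out."""
    findings = []
    if not s.config_loaded:
        findings.append("no-config: the trace has no 'Loaded from ... config' line")
    if s.builtin_etypes:
        findings.append(f"builtin-etypes: default_tgs_enctypes came from the "
                        f"JVM's built-in list {s.etypes}")
    for code in sorted({c for c, _ in s.kdc_errors}):
        snames = list(dict.fromkeys(n for c, n in s.kdc_errors if c == code))
        findings.append(f"kdc-error-{code}: {KDC_ERRORS.get(code, 'unlisted code')} "
                        f"for " + ", ".join(snames))
    if s.service_principal is None:
        findings.append("no-service-ticket: no service ticket request was reached")
    elif not s.got_service_creds:
        findings.append(f"no-service-ticket: request for {s.service_principal} "
                        f"did not return creds")
    return findings


if __name__ == "__main__":
    for name, trace in (("failing", FAILING_TRACE), ("working", WORKING_TRACE)):
        print(name, diagnose(summarize(trace)) or "nothing flagged")
```
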
09-28-2017
02:26 AM
Note we're getting the following error: Error in .jcall(drv@jdrv, "Ljava/sql/Connection;", "connect", as.character(url)[1], : java.sql.SQLException: [Cloudera][HiveJDBCDriver](500164) Error initialized or created transport for authentication: [Cloudera][HiveJDBCDriver](500169) Unable to connect to server: GSS initiate failed.
09-27-2017
10:39 PM
Hi, it seems I installed the 64-bit JCE but the 32-bit one was required. It solved my issue in Java. But I'm still facing an issue in running it in R. Can you please help me resolve this issue? I guess that R is not able to use the JCE policy files.
09-27-2017
02:24 AM
Hi, we're getting the following error in Java:

    null credentials from Ticket Cache
    [Krb5LoginModule] authentication failed
    Unable to obtain password from user
    Exception in thread "main" java.sql.SQLException: [Cloudera][HiveJDBCDriver](500166) Error creating login context using JAAS configuration: Unable to obtain password from user .
        at com.cloudera.hiveserver2.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
        at com.cloudera.hiveserver2.hivecommon.api.ZooKeeperEnabledExtendedHS2Factory.createClient(Unknown Source)
        at com.cloudera.hiveserver2.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
        at com.cloudera.hiveserver2.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
        at com.cloudera.hiveserver2.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
        at com.cloudera.hiveserver2.jdbc.common.AbstractDriver.connect(Unknown Source)
        at java.sql.DriverManager.getConnection(Unknown Source)
        at java.sql.DriverManager.getConnection(Unknown Source)
    Caused by: com.cloudera.hiveserver2.support.exceptions.GeneralException: [Cloudera][HiveJDBCDriver](500166) Error creating login context using JAAS configuration: Unable to obtain password from user .
        ... 8 more
    Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user
        at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown Source)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
        at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at javax.security.auth.login.LoginContext.invoke(Unknown Source)
        at javax.security.auth.login.LoginContext.access$000(Unknown Source)
        at javax.security.auth.login.LoginContext$4.run(Unknown Source)
        at javax.security.auth.login.LoginContext$4.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
        at javax.security.auth.login.LoginContext.login(Unknown Source)
        at com.cloudera.hiveserver2.jdbc.kerberos.Kerberos.getSubjectViaJAASConfig(Unknown Source)
        at com.cloudera.hiveserver2.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
        at com.cloudera.hiveserver2.hivecommon.api.ZooKeeperEnabledExtendedHS2Factory.createClient(Unknown Source)
        at com.cloudera.hiveserver2.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
        at com.cloudera.hiveserver2.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
        at com.cloudera.hiveserver2.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
        at com.cloudera.hiveserver2.jdbc.common.AbstractDriver.connect(Unknown Source)
        at java.sql.DriverManager.getConnection(Unknown Source)
        at java.sql.DriverManager.getConnection(Unknown Source)
        at HiveConnection.main(HiveConnection.java:26)
09-26-2017
05:30 AM
Hi, We added the path of CacheCredential in the JAAS file and then re-ran the R script by setting the environment variable of the JAAS file in R. Now we're running into the following error:

Error in .jcall(drv@jdrv, "Ljava/sql/Connection;", "connect", as.character(url)[1], : java.sql.SQLException: [Cloudera][HiveJDBCDriver](500164) Error initialized or created transport for authentication: [Cloudera][HiveJDBCDriver](500169) Unable to connect to server: GSS initiate failed.

GSS initiated failed. I have JCE installed.
09-26-2017
02:40 AM
Yes, we have the environment variable set:
KRB5CCNAME: C:\KerberosTickets.txt
We also tried removing it for the JAAS conf requirement. We have the env variable set currently.
09-26-2017
02:21 AM
Hi, Just wanted to add a point: after kinit the ticket is generated successfully. It is shown in the MIT Kerberos Ticket Manager but it is not shown in klist. We're following this link: https://www.cloudera.com/documentation/other/connectors/hive-jdbc/latest/Cloudera-JDBC-Driver-for-Apache-Hive-Install-Guide.pdf

Just a few things:
1) Set an environment variable that points to kerberostickets.txt

After it didn't work:
1) Removed the environment variable and followed the next step of JAAS conf. This led to successful Hive connectivity through Java, but in R we're getting the error.
2) After running kdestroy and then kinit, klist does not give anything. It gives null or empty. Now unable to run it through Java too.
2) Set the environment variable again to point to the CredentialCache file. It again gives an empty klist.

This is on a Windows machine.
09-26-2017
01:54 AM
Hi, I'm not able to klist now. After I run kdestroy -a and then generate a ticket, the ticket is created successfully but the ticket is not displayed through klist and the error happens to be the same.
09-25-2017
05:43 AM
Hi, We're trying to connect from a Windows machine. We have a valid ticket listed from klist. The error we are getting from RStudio is: “Error in .jcall(drv@jdrv, "Ljava/sql/Connection;", "connect", as.character(url)[1], : java.sql.SQLException: [Cloudera][HiveJDBCDriver](500168) Error creating login context using ticket cache: Unable to obtain Principal Name for authentication .”