Member since 07-21-2017 | 16 Posts | 0 Kudos Received | 0 Solutions
07-31-2017 04:46 AM
@Vipin Rathor Thanks for the pointer. The issue was with spnego.service.keytab, but it was a permission issue. Once we made the user oozie part of the hadoop group, the issue was fixed. We run the daemon as the oozie user and thus it was not able to read the keytab file. Thanks
07-31-2017 04:23 AM
mazin.mohammed@oozie1001:~$ klist -eaf
Ticket cache: FILE:/tmp/krb5cc_1993
Default principal: mazin.mohammed@EXAMPLE.COM

Valid starting       Expires              Service principal
07/31/2017 04:03:35  07/31/2017 14:03:35  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 08/07/2017 04:03:31, Flags: FRIA
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
        Addresses: (none)

mazin.mohammed@oozie1001:~$ ls -al /etc/security/keytabs/spnego.service.keytab
-rw-r----- 1 root hadoop 438 Jul 24 04:50 /etc/security/keytabs/spnego.service.keytab

mazin.mohammed@oozie1001:~$ sudo klist -kte /etc/security/keytabs/spnego.service.keytab
Keytab name: FILE:/etc/security/keytabs/spnego.service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 07/24/2017 04:50:27 HTTP/oozie1001.example.com@EXAMPLE.COM (des3-cbc-sha1)
   1 07/24/2017 04:50:27 HTTP/oozie1001.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 07/24/2017 04:50:27 HTTP/oozie1001.example.com@EXAMPLE.COM (arcfour-hmac)
   1 07/24/2017 04:50:27 HTTP/oozie1001.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 07/24/2017 04:50:27 HTTP/oozie1001.example.com@EXAMPLE.COM (des-cbc-md5)

kadmin: getprinc HTTP/oozie1001.example.com@EXAMPLE.COM
Principal: HTTP/oozie1001.example.com@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Jul 24 04:50:25 UTC 2017
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, arcfour-hmac, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, des-cbc-crc, no salt
Key: vno 1, des-cbc-md5, Version 4
Key: vno 1, des-cbc-md5, Version 5 - No Realm
Key: vno 1, des-cbc-md5, Version 5 - Realm Only
Key: vno 1, des-cbc-md5, AFS version 3
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
07-28-2017 06:48 AM
Issue still persists 🙂
Thanks
07-28-2017 06:47 AM
@Vipin Rathor @Geoffrey Shelton Okot
I think by giving too much information I might have caused confusion :). Here is the exact trace of what I do and where I end up with an error.

mazin.mohammed@gateway1005:~$ hadoop fs -ls /
Java config name: null
Native config name: /etc/krb5.conf
Loaded from native config
>>>KinitOptions cache name is /tmp/krb5cc_1993
ls: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "gateway1005.example.com/192.168.141.182"; destination host is: "namenode1002.example.com":8020;

The above error clearly mentions that user mazin.mohammed's TGT is expired. I do a kinit to renew my ticket:

mazin.mohammed@gateway1005:~$ kinit
Password for mazin.mohammed@EXAMPLE.COM:

KDC server log:
Jul 28 05:23:15 kdc1000 krb5kdc[959]: AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.141.182: NEEDED_PREAUTH: mazin.mohammed@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jul 28 05:23:34 kdc1000 krb5kdc[959]: AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.141.182: ISSUE: authtime 123456, etypes {rep=18 tkt=18 ses=18}, mazin.mohammed@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM

mazin.mohammed@gateway1005:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1993
Default principal: mazin.mohammed@EXAMPLE.COM

Valid starting       Expires              Service principal
07/28/2017 05:23:34  07/28/2017 15:23:34  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 08/04/2017 05:23:15

Now I try to access the cluster via the hadoop command, and this is where it ends up in the error even though I have a valid TGT present in my cache.

mazin.mohammed@gateway1005:~$ hadoop fs -ls /
Found ticket for mazin.mohammed@EXAMPLE.COM to go to krbtgt/EXAMPLE.COM@EXAMPLE.COM expiring on Fri Jul 28 15:23:34 UTC 2017
Found ticket for mazin.mohammed@EXAMPLE.COM to go to nn/namenode1001.example.com@EXAMPLE.COM expiring on Fri Jul 28 15:23:34 UTC 2017
ls: Failed on local exception: java.io.IOException: Couldn't setup connection for mazin.mohammed@EXAMPLE.COM to namenode1001.example.com/192.168.140.232:8020; Host Details : local host is: "gateway.example.com/192.168.141.182"; destination host is: "namenode1001.example.com":8020;

KDC server log:
Jul 28 05:24:15 infosec1000 krb5kdc[959]: TGS_REQ (4 etypes {18 17 16 23}) 192.168.141.182: ISSUE: authtime 1501219414, etypes {rep=18 tkt=18 ses=18}, mazin.mohammed@EXAMPLE.COM for nn/namenode1001.example.com@EXAMPLE.COM
Jul 28 05:24:18 infosec1000 krb5kdc[959]: TGS_REQ (4 etypes {18 17 16 23}) 192.168.141.182: ISSUE: authtime 1501219414, etypes {rep=18 tkt=18 ses=18}, mazin.mohammed@EXAMPLE.COM for nn/namenode1001.example.com@EXAMPLE.COM

Namenode log:
2017-07-28 06:20:52,151 WARN SecurityLogger.org.apache.hadoop.ipc.Server: Auth failed for 192.168.141.182:58192:null (Failure to initialize security context)
2017-07-28 06:20:52,151 WARN SecurityLogger.org.apache.hadoop.ipc.Server: Auth failed for 192.168.141.182:58192:null (Failure to initialize security context)
2017-07-28 06:20:52,151 INFO org.apache.hadoop.ipc.Server: Socket Reader #1 for port 8020: readAndProcess from client 192.168.141.182 threw exception [javax.security.sasl.SaslException: Failure to initialize security context [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)]]

In this case I am the client and I do have a TGT and a service ticket issued by the TGS to access the hadoop cluster, but the namenode is refusing by throwing an exception:
[javax.security.sasl.SaslException: Failure to initialize security context [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)]]
As said in the thread, this issue is solved if I restart the namenode. I hope this will give some more insight into the issue we are facing.
07-25-2017 12:28 PM
Hello,
We are setting up a staging cluster with kerberos enabled. After enabling kerberos on oozie, we are able to start the oozie server but not able to connect to the server. In the oozie error log we see the following error:

Authentication exception: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)
org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)

Keytabs are generated via ambari and following are the details of the same.

user1@oozie1001:~$ sudo -u oozie klist -kte /etc/security/keytabs/oozie.service.keytab
Keytab name: FILE:/etc/security/keytabs/oozie.service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 07/24/2017 10:53:19 oozie/oozie1001.example.com@EXAMPLE.COM (des3-cbc-sha1)
   1 07/24/2017 10:53:19 oozie/oozie1001.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 07/24/2017 10:53:19 oozie/oozie1001.example.com@EXAMPLE.COM (arcfour-hmac)
   1 07/24/2017 10:53:19 oozie/oozie1001.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 07/24/2017 10:53:19 oozie/oozie1001.example.com@EXAMPLE.COM (des-cbc-md5)

user1@oozie1001:~$ sudo -u oozie klist -e
Ticket cache: FILE:/tmp/krb5cc_1183
Default principal: oozie/oozie1001.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
07/25/2017 08:27:45  07/25/2017 18:27:45  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 08/01/2017 08:27:45, Etype (skey, tkt): des3-cbc-sha1, aes256-cts-hmac-sha1-96

user1@oozie1001:~$ cat /etc/krb5.conf | grep enctypes
default_tgs_enctypes = des3-cbc-sha1 aes256-cts-hmac-sha1-96 arcfour-hmac aes128-cts-hmac-sha1-96 des-cbc-md5
default_tkt_enctypes = des3-cbc-sha1 aes256-cts-hmac-sha1-96 arcfour-hmac aes128-cts-hmac-sha1-96 des-cbc-md5

While starting the oozie server it is able to get a TGT for the oozie principal:

user1@oozie1001:~$ grep keytab /var/log/oozie/oozie.log
2017-07-25 09:12:18,161 INFO main HadoopAccessorService - SERVER[oozie1001.example.com] Got Kerberos ticket, keytab [/etc/security/keytabs/oozie.service.keytab], Oozie principal principal [oozie/oozie1001.example.com@EXAMPLE.COM]

To test oozie we try the following command and it ends up in Authentication failed.

user1@oozie1001:~$ sudo -u oozie /opt/gridops/oozie/oozie_current/bin/oozie admin -status
Error: IO_ERROR : java.io.IOException: Error while connecting Oozie server. No of retries = 1. Exception = Could not authenticate, Authentication failed, status: 403, message: Forbidden

On the KDC we are able to see that authentication is successful for oozie/oozie1001.example.com@EXAMPLE.COM:

Jul 25 11:50:50 kdcserver1000 krb5kdc[959]: TGS_REQ (4 etypes {16 18 23 17}) 192.168.142.13: ISSUE: authtime 1500971265, etypes {rep=16 tkt=18 ses=16}, oozie/oozie1001.example.com@EXAMPLE.COM for HTTP/oozie1001.example.com@EXAMPLE.COM
Jul 25 11:50:50 kdcserver1000 krb5kdc[959]: TGS_REQ (4 etypes {16 18 23 17}) 192.168.142.13: ISSUE: authtime 1500971265, etypes {rep=16 tkt=18 ses=16}, oozie/oozie1001.example.com@EXAMPLE.COM for HTTP/oozie1001.example.com@EXAMPLE.COM
Jul 25 11:51:18 kdcserver1000 krb5kdc[959]: AS_REQ (4 etypes {16 18 23 17}) 192.168.142.13: NEEDED_PREAUTH: oozie/oozie1001.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jul 25 11:51:18 kdcserver1000 krb5kdc[959]: AS_REQ (4 etypes {16 18 23 17}) 192.168.142.13: ISSUE: authtime 1500983478, etypes {rep=16 tkt=18 ses=16}, oozie/oozie1001.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jul 25 11:51:20 kdcserver1000 krb5kdc[959]: AS_REQ (4 etypes {16 18 23 17}) 192.168.142.13: NEEDED_PREAUTH: oozie/oozie1001.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jul 25 11:51:20 kdcserver1000 krb5kdc[959]: AS_REQ (4 etypes {16 18 23 17}) 192.168.142.13: ISSUE: authtime 1500983480, etypes {rep=16 tkt=18 ses=16}, oozie/oozie1001.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM

Oozie log file:
2017-07-25 09:09:20,173 WARN http-11000-2 AuthenticationFilter - SERVER[oozie1001.example.com] Authentication exception: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)
org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)
        at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:399)

JCE is configured on the server.

user1@oozie1001:~$ zipgrep CryptoAllPermission $JAVA_HOME/jre/lib/security/local_policy.jar
default_local.policy:permission javax.crypto.CryptoAllPermission;

user1@oozie1001:~$ cat Test-JCE.java
import javax.crypto.Cipher;

// Prints the maximum AES key length the installed JCE policy allows;
// 2147483647 (Integer.MAX_VALUE) means the unlimited-strength policy is active.
class Test {
    public static void main(String[] args) {
        try {
            int maxKeyLen = Cipher.getMaxAllowedKeyLength("AES");
            System.out.println(maxKeyLen);
        } catch (Exception e) {
            System.out.println("JCE not enabled :(");
        }
    }
}

user1@oozie1001:~$ java Test
2147483647

The spnego file is set to 640:

user1@oozie001:~$ ls -al /etc/security/keytabs/spnego.service.keytab
-rw-r----- 1 root hadoop 438 Jul 24 09:49 /etc/security/keytabs/spnego.service.keytab

nslookup oozie1001.example.com is resolving. The Kerberos version is the same on both the KDC and the keytab:

kadmin: getprinc oozie/oozie1001.example.com@EXAMPLE.COM
Principal: oozie/oozie1001.example.com@EXAMPLE.COM
Expiration date: [never]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 8
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, arcfour-hmac, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, des-cbc-crc, no salt
Key: vno 1, des-cbc-md5, Version 4
Key: vno 1, des-cbc-md5, Version 5 - No Realm
Key: vno 1, des-cbc-md5, Version 5 - Realm Only
Key: vno 1, des-cbc-md5, AFS version 3
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH

Any help on what else I might have missed? Thanks in advance,
Labels: Apache Oozie
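Added example, not code from the original thread, Ambari or Oozie: a small Python triage script for the two conditions this question and the follow-up at the top of the page turn on. It parses `klist -kte` and `kadmin getprinc` output to check that the keytab's kvno and enctypes match the KDC's keys for the principal and include the enctype the KDC issued the service ticket with (`tkt=18` in the krb5kdc log), and it checks first whether the daemon's uid can read the keytab at all, since an unreadable keytab surfaces in the GSS layer as the same "Cannot find key of appropriate type" error. The listings are constructed from the output posted in this thread; the oozie user's group memberships before and after the fix are assumptions for the demonstration.

```python
"""Keytab triage for 'Cannot find key of appropriate type to decrypt AP REP': check that
the daemon's uid can read the keytab, then that the keytab's kvno/enctypes match the KDC's
keys for the principal and include the enctype the ticket was issued with ('tkt=18').
Added example; sample listings below are constructed from this thread."""
import re
from dataclasses import dataclass

# RFC 3961/3962 enctype numbers as logged by krb5kdc ("etypes {rep=16 tkt=18 ses=16}").
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
# klist -kte line: "   1 07/24/2017 04:50:27 HTTP/host@REALM (aes256-cts-hmac-sha1-96)"
KLIST_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")
# kadmin getprinc line: "Key: vno 1, aes256-cts-hmac-sha1-96, no salt"
GETPRINC_KEY = re.compile(r"^\s*Key:\s+vno\s+(\d+),\s+([^,]+)")

def parse_keytab_listing(text):
    """klist -kte output -> set of (principal, kvno, enctype); header lines do not match."""
    return {(m.group(2), int(m.group(1)), m.group(3))
            for m in map(KLIST_LINE.match, text.splitlines()) if m}

def parse_getprinc(text):
    """kadmin getprinc output -> (principal, set of (kvno, enctype))."""
    principal, keys = None, set()
    for line in text.splitlines():
        if line.startswith("Principal:"):
            principal = line.split(":", 1)[1].strip()
        elif (m := GETPRINC_KEY.match(line)):
            keys.add((int(m.group(1)), m.group(2).strip()))
    return principal, keys

@dataclass
class FileStat:
    mode: int    # permission bits, e.g. 0o640 for -rw-r-----
    owner: str
    group: str

def can_read(st, user, groups):
    """Unix access check for a non-root user: owner bits if the uid matches, else group
    bits if any of the user's gids match, else the other bits."""
    if user == st.owner:
        return bool(st.mode & 0o400)
    if st.group in groups:
        return bool(st.mode & 0o040)
    return bool(st.mode & 0o004)

def check_key_match(keytab_keys, principal, kdc_keys, ticket_etype):
    """Findings that stop the service decrypting a ticket of ticket_etype; [] means OK."""
    wanted = ETYPE_NAMES.get(ticket_etype, str(ticket_etype))
    kt = {(kvno, etype) for p, kvno, etype in keytab_keys if p == principal}
    if not kt:
        return [f"keytab holds no keys for {principal}"]
    findings = []
    kt_vnos, kdc_vnos = {k for k, _ in kt}, {k for k, _ in kdc_keys}
    if not kt_vnos & kdc_vnos:
        findings.append(f"kvno mismatch: keytab {sorted(kt_vnos)} vs KDC {sorted(kdc_vnos)}"
                        " (stale keytab, regenerate it)")
    if wanted not in {etype for _, etype in kt}:
        findings.append(f"keytab lacks {wanted} (tkt={ticket_etype}); add that key or"
                        " restrict permitted_enctypes on the KDC")
    return findings

def triage(keytab_listing, getprinc_output, ticket_etype, st, daemon_user, daemon_groups):
    """Permission check first: a keytab the daemon cannot open looks, from the GSS layer,
    exactly like a keytab that lacks the right key."""
    findings = []
    if not can_read(st, daemon_user, daemon_groups):
        findings.append(f"{daemon_user} cannot read keytab (mode {st.mode:o}, {st.owner}:{st.group});"
                        f" add {daemon_user} to group {st.group} or chown the file")
    principal, kdc_keys = parse_getprinc(getprinc_output)
    return findings + check_key_match(parse_keytab_listing(keytab_listing), principal, kdc_keys, ticket_etype)

# Constructed from the spnego.service.keytab listings in this thread (-rw-r----- root hadoop).
SPNEGO_KEYTAB_LISTING = """\
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 07/24/2017 04:50:27 HTTP/oozie1001.example.com@EXAMPLE.COM (des3-cbc-sha1)
   1 07/24/2017 04:50:27 HTTP/oozie1001.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 07/24/2017 04:50:27 HTTP/oozie1001.example.com@EXAMPLE.COM (arcfour-hmac)
   1 07/24/2017 04:50:27 HTTP/oozie1001.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 07/24/2017 04:50:27 HTTP/oozie1001.example.com@EXAMPLE.COM (des-cbc-md5)
"""
SPNEGO_GETPRINC = """\
Principal: HTTP/oozie1001.example.com@EXAMPLE.COM
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, arcfour-hmac, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, des-cbc-md5, Version 4
Attributes: REQUIRES_PRE_AUTH
"""
SPNEGO_STAT = FileStat(mode=0o640, owner="root", group="hadoop")

if __name__ == "__main__":
    # Daemon runs as oozie; its group list before and after the fix is assumed for the demo.
    for groups in (["oozie"], ["oozie", "hadoop"]):
        print(groups, triage(SPNEGO_KEYTAB_LISTING, SPNEGO_GETPRINC, 18, SPNEGO_STAT, "oozie", groups))
```

Run against the thread's own data the key check passes (kvno 1 on both sides, aes256-cts-hmac-sha1-96 present in the keytab), so the only finding before the fix is the permission one, which matches the eventual resolution; the same `check_key_match` also reports a stale keytab (kvno differs after a principal was re-keyed) or a keytab missing the ticket enctype, which are the other two common causes of this error.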
07-25-2017 04:05 AM
So it is evident that the ticket will expire, and when it expires the service needs to be restarted. Isn't this a costly operation, where you need to restart the namenode every week or daily depending on ticket_lifetime? Is there a way to get this auto-renewed or to never expire?
07-24-2017 02:41 PM
Yes, I am seeing the error now, which will be solved if the namenode restarts.
07-24-2017 08:31 AM
user1@namenode1001:~$ sudo klist -kt /etc/security/keytabs/nn.service.keytab
Keytab name: FILE:/etc/security/keytabs/nn.service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
  10 07/19/2017 07:54:02 nn/namenode1001.example.com@EXAMPLE.COM
  10 07/19/2017 07:54:02 nn/namenode1001.example.com@EXAMPLE.COM
  10 07/19/2017 07:54:02 nn/namenode1001.example.com@EXAMPLE.COM
  10 07/19/2017 07:54:02 nn/namenode1001.example.com@EXAMPLE.COM
  10 07/19/2017 07:54:02 nn/namenode1001.example.com@EXAMPLE.COM

user1@namenode1001:~$ kinit -kt /etc/security/keytabs/nn.service.keytab nn/namenode1001.example.com@EXAMPLE.COM
user1@namenode1001:~$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nn/namenode1001.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
07/24/2017 08:28:50  07/24/2017 18:28:50  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 07/31/2017 08:28:49
07-24-2017 03:45 AM
On the KDC we did set all NN and Ambari related principals to never expire; here is the snapshot of the same.

kadmin: getprinc nn/namenode1001.example.com@EXAMPLE.COM
Principal: nn/namenode1001.example.com@EXAMPLE.COM
Expiration date: [never]
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
07-24-2017 03:39 AM
OS - Ubuntu 14.04 LTS trusty
Ambari version - 2.4.20
HDP version - 2.2.4
Cluster size - 8 node (staging cluster)

Yes, I did copy krb5.conf to all the nodes.
renew_lifetime = 7d (yes, this is set).
Does this mean that irrespective of what you set, the ticket will expire and we need to restart the service to renew the ticket?