For those that are interested, it had nothing to do with JCE extensions, the error was a red herring as the JVM simply couldn't read the SPNEGO keytab as it didn't have the correct permissions. ... View more

Hi Jonas, I got as far as creating the smoke test films collection, but when I run the curl command I get: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96) From the solr server log this seems to be during SPNEGO of authenticating the client. The rest of my kerberised cluster seems fine, and I've made sure the JCE 8 extensions are installed: [root@master solr]# ls -lrt /usr/java/default/jre/lib/security/ total 164 -rw-rw-r-- 1 root root 3023 Dec 20 2013 US_export_policy.jar -rw-rw-r-- 1 root root 3035 Dec 20 2013 local_policy.jar and also made sure solr is using that java by setting SOLR_JAVA_HOME in solr.in.sh. I'm logged in as the following solr principal. [root@master solr]# klist -e Ticket cache: FILE:/tmp/krb5cc_0 Default principal: solr/master.sandbox.lbg.com@LBG.COM Valid starting Expires Service principal 06/21/16 23:07:24 06/22/16 23:07:24 krbtgt/LBG.COM@LBG.COM renew until 06/21/16 23:07:24, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 06/21/16 23:07:27 06/22/16 23:07:24 HTTP/master.sandbox.lbg.com@LBG.COM renew until 06/21/16 23:07:24, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 I'm a little perplexed as the error suggests the extensions aren't installed, but i can't really see how they're not. Have you got any ideas? Cheers, Tom ... View more

I guess a further question would then be - how does the HBase Thrift Server do it when authenticating user principals? ... View more