Kerberos cross-realms issue
Ram Chander
ramquick at gmail.com
Wed Jul 17 07:41:37 EDT 2013
Hi,
I am trying to copy an HBase table to a remote cluster via Kerberos cross-realms.
But it's failing with the error below. Below is krb5.conf.
Has anyone got it working? Any pointers would be helpful.
# hbase org.apache.hadoop.hbase.mapreduce.CopyTable --peer.adr=zoo.stage.domain2.com:2181:/hbase snap1
13/07/17 16:30:41 INFO zookeeper.ClientCnxn: Opening socket connection to server host.stage.domain2.com/10.75.208.25:2181. Will attempt to SASL-authenticate using Login Context section 'Client'
13/07/17 16:30:41 INFO zookeeper.ClientCnxn: Socket connection established to host.stage.domain2.com/10.75.208.25:2181, initiating session
13/07/17 16:30:41 INFO zookeeper.ClientCnxn: Session establishment complete on server host.stage.domain2.com/10.75.208.25:2181, sessionid = 0x13fcd8a987e0034, negotiated timeout = 120000
13/07/17 16:30:41 ERROR client.ZooKeeperSaslClient: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state.
13/07/17 16:30:41 ERROR zookeeper.ClientCnxn: SASL authentication with Zookeeper Quorum member failed: javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state.
13/07/17 16:30:41 WARN zookeeper.ZKUtil: hconnection-0x13fcd8a987e0034 Unable to set watcher on znode /hbase/master
org.apache.zookeeper.KeeperException$AuthFailedException: KeeperErrorCode = AuthFailed for /hbase/master
# cat /etc/krb5.conf
[libdefaults]
    default_realm = STAGE.COLO1.DOMAIN.COM
    allow_weak_crypto = false
    dns_fallback = true
    dns_lookup_realm = true
    dns_lookup_kdc = true
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    ticket_lifetime = 10h
    renew_lifetime = 7d
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true
[realms]
    STAGE.COLO1.DOMAIN.COM = {
        kdc = host.colo1.domain.com
        admin_server = host.colo1.domain.com
        max_life = 72h
        max_renewable_life = 8d
    }
    STAGE.COLO2.DOMAIN.COM = {
        kdc = host.colo2.domain.com
        admin_server = host.colo2.domain.com
        max_life = 72h
        max_renewable_life = 8d
    }
[domain_realm]
    .colo1.domain.com = STAGE.COLO1.DOMAIN.COM
    colo1.domain.com = STAGE.COLO1.DOMAIN.COM
    stage.colo1.domain.com = STAGE.COLO1.DOMAIN.COM
    .stage.colo1.domain.com = STAGE.COLO1.DOMAIN.COM
    .colo2.domain.com = STAGE.COLO2.DOMAIN.COM
    colo2.domain.com = STAGE.COLO2.DOMAIN.COM
    stage.colo2.domain.com = STAGE.COLO2.DOMAIN.COM
    .stage.colo2.domain.com = STAGE.COLO2.DOMAIN.COM
[capaths]
    STAGE.COLO1.DOMAIN.COM = {
        STAGE.COLO2.DOMAIN.COM = .
    }
    STAGE.COLO2.DOMAIN.COM = {
        STAGE.COLO1.DOMAIN.COM = .
    }
[login]
    krb4_convert = true
    krb4_get_tickets = false
[logging]
    kdc = FILE:/var/log/kerberos/krb5kdc.log
    admin_server = FILE:/var/log/kerberos/kadmin.log
    default = FILE:/var/log/kerberos/krb5lib.log
HBase Ver: 0.94.2+202-1.cdh4.2.0.p0.11~squeeze-cdh4.2.0
Kerberos Ver: 5
Regards,
Ram