Internal credentials cache error for server principal - 1765328188
Vato Kvantaliani
kvantaliani at gmail.com
Thu Jan 6 12:45:53 EST 2022
thanks Greg, In our case it is a single process as we are just testing
connection. No concurrency there. Very simple setup, PowerBI Report server
connects to Hive(Cloudera) with Cloudera's native odbc driver. For some
types of reports it works and we authenticate without problems but the most
important report(which is kind of legacy type) throws that GSS error.
Any advice with another message:
ccselect can't find appropriate cache for server principal
hive/bda1node01.bog.ge at BDA1.BOG.GE
<https://mailman.mit.edu/mailman/listinfo/kerberos>
log says client getting and creating authenticator, though klist shows
server credential is in client's cache
[10708] 1641384364.890004: ccselect can't find appropriate cache for
server principal hive/bda1node01.bog.ge at BDA1.BOG.GE
[10708] 1641384364.906000: Getting credentials vkvantaliani at BOG.GE ->
hive/bda1node01.bog.ge at BDA1.BOG.GE using ccache API:krb5cc
[10708] 1641384364.906001: Retrieving vkvantaliani at BOG.GE ->
hive/bda1node01.bog.ge at BDA1.BOG.GE from API:krb5cc with result:
0/Success
[10708] 1641384364.906003: Creating authenticator for
vkvantaliani at BOG.GE -> hive/bda1node01.bog.ge at BDA1.BOG.GE, seqnum
229919889, subkey
And in this case client authenticates and connection is good.
Could it be somehow related with kerberos pre authentication at AD?
Another questions is if there is any sense of playing with different
type of caches, like DIR, MEMORY etc.
Thank you,
On Thu, Jan 6, 2022 at 8:34 PM Greg Hudson <ghudson at mit.edu> wrote:
> On 1/5/22 7:52 AM, Vato Kvantaliani wrote:
> > Error: Unspecified GSS failure. Minor code may provide more information
> > (Internal credentials cache error)
>
> This error message came up in April:
>
> https://mailman.mit.edu/pipermail/kerberos/2021-April/022630.html
>
> It's hard to be sure that the cause is the same without knowing more
> about the setup. In that case the cause was multiple threads or
> processes trying to refresh the ccache from a client keytab at the same
> time.
>
> To address this issue, I implemented atomic replacement for most
> credential cache types:
>
>
> https://github.com/krb5/krb5/commit/371f09d4bf4ca0c7ba15c5ef909bc35307ed9cc3
>
> However, it will be some time before this works its way into a Kerberos
> for Windows release. I'm not sure I can offer concrete advice since I
> am not familiar with PowerBI.
>
More information about the Kerberos
mailing list