I’m trying to enable security in HDP 2.0, deployed using Ambari 1.4.0 (from the developers’ repository), on a virtual machine, in a single-node cluster.
I have a problem with Kerberos TGT.
I try to execute the following 2 commands (taken from error messages from Puppet):
[root@dev01 ~]# /usr/bin/kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs
[root@dev01 ~]# su hdfs -c "hadoop --config /etc/hadoop/conf fs -mkdir -p /mapred"
13/06/25 10:14:04 ERROR security.UserGroupInformation: PriviledgedActionException as:hdfs (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
13/06/25 10:14:04 WARN ipc.Client: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
13/06/25 10:14:04 ERROR security.UserGroupInformation: PriviledgedActionException as:hdfs (auth:KERBEROS) cause:java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
mkdir: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "dev01.hortonworks.com/192.168.56.101"; destination host is: "dev01.hortonworks.com":8020;
[root@dev01 ~]#
The keytab file (/etc/security/keytabs/hdfs.headless.keytab) is in place, the 1st command finished OK, but the 2nd command did not work.
Then I tried:
[root@dev01 ~]# kinit -R
kinit: Ticket expired while renewing credentials
It looks like a ticket has expired immediately after kinit.
Then I try to check:
[root@dev01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdfs@EXAMPLE.COM
Valid starting     Expires            Service principal
06/25/13 10:13:46  06/26/13 10:13:46  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 06/25/13 10:13:46
[root@dev01 ~]#
But it looks like the ticket is valid, as far as I understand.
Now I don’t understand what’s going on with Kerberos TGT here.
Here is the Kerberos config (/etc/krb5.conf):
--------
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.COM = {
  kdc = dev01.hortonworks.com
  admin_server = dev01.hortonworks.com
 }

[domain_realm]
 .hortonworks.com = EXAMPLE.COM
 dev01.hortonworks.com = EXAMPLE.COM
--------
Can somebody help me?