[38327] in Kerberos

home help back first fref pref prev next nref lref last post


daemon@ATHENA.MIT.EDU (Ben Gooley)
Wed Sep 5 13:55:49 2018

MIME-Version: 1.0
In-Reply-To: <1533719967.S.506632.1970.f4mail-235-141.rediffmail.com.1536146382.20517@webmail.rediffmail.com>
From: Ben Gooley <bgooley@cloudera.com>
Date: Wed, 5 Sep 2018 10:32:30 -0700
Message-ID: <CAP9ATs+bhM1Mmntg=rXN=Fywfo3ge1E8p_nO3pRpQBJWesCyhw@mail.gmail.com>
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

A couple things:


You are using kfw to kinit but using the Windows "klist" to look at
tickets.  Windows has a native klist command of its own that pulls from its
memory-based credentials cache.
Make sure to use the MIT "klist" from the command line tool or the KFW UI


The ODBC client uses SPNEGO and the exception is saying "GSSHeader did not
find the right tag".
The error is pretty generic, but usually indicates that there was something
wrong getting a Service Ticket on the client side.

 - Use MIT KFW klist or KFW UI to make sure you obtain the HTTP principal
service ticket for your connection to the server.
 - set KRB5_TRACE environment variable in order to get tracing to determine
if there are any problems obtaining the service ticket
 - Verify your krb5.ini configuration and that KRB5_CONFIG and KRB5CCNAME
are set appropriately for your configuration.

Bottom line is that the situation you see can be caused by a lot of
different things, so making sure you can obtain a service ticket and tat it
appears in your credentials cache is the first step.

On Wed, Sep 5, 2018 at 4:22 AM ANILESH_TENNETI <venkata_anil@rediffmail.com>

> HiCan you please respond to my email?Thanks,AnilFrom: &
> quot;ANILESH_TENNETI&quot;&lt;venkata_anil@rediffmail.com&gt;Sent: Wed,
> 08 Aug 2018 14:49:27To: &lt;kerberos@mit.edu&gt;Subject: Phoenix ODBC
> client on Windows connecting to Kerberos Hadoop Phoenix is throwing error
> &ldquo;GSSException: Defective token detected&rdquo;Hi,Hello MIT
> team,&nbsp;I&#39;m Anil working for IBM and implemented Kebreros for a
> customer.&nbsp;Kerberos &ndash; AD is implemented on Hadoop environment.
> Phoenix is enabled to open JDBC / ODBC connection to Hadoop HBase. Hadoop
> is setup on RHEL 7.2Windows client machines connecting to Hadoop Phoenix
> using Hortonworks Phoenix ODBC driver (64 bit). As connection should be
> established to Kerberos Phoenix, the Windows ODBC client machine also must
> be setup with Kerberos.Windows odbc client machine has been setup with MIT
> Kerberos as per the documentation link
> https://community.hortonworks.com/articles/28537/user-authentication-from-windows-workstation-to-hd.h
> !
>  tmlCopied the krb5.conf file to windows machine as krb5.ini.&nbsp;Using
> MIT Kerberos key tool, get new Kerberos ticket say for user
> &lsquo;kpiuser&rsquo; as shown below;On establishing connection from ODBC
> client, phoenix connection fails with log message &ldquo;GSSException:
> Defective token detected (Mechanism level: GSSHeader did not find the right
> tag)&rdquo;.Refer to Error-in-phoenix-log.txtThis implies, the Kerberos
> ticket format is different or corrupted.The phoenix ODBC client logs shows
> connection errors.Refer to HortonworksPhoenixODBCDriver_connection_1.log
> and phoenix_driver.logOn windows client machine, doing kinit for a user
> does not show the cached ticket when run klist command.Refer to
> klist-on-windows-odbc-client.txtThanks,Anil&nbsp;
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

Ben Gooley
*Customer Operations Engineer*

* <http://www.cloudera.com>*
Kerberos mailing list           Kerberos@mit.edu

home help back first fref pref prev next nref lref last post