
Error while setting up kerberos on MapR

Question asked by Arunav on Jan 17, 2017
Latest reply on Mar 15, 2017 by Arunav

Hi,

I've a 3 node mapr cluster on AWS. I'm using MapR version 5.2. The cluster is configured with wire level security. The security features are working fine.

I'm trying to setup kerberos authentication on the cluster and I'm following this doc: Configuring Kerberos User Authentication - MapR 5.0 Documentation - doc.mapr.com 


I've a working kerberos set up in place. I've configured the machines in the cluster as kerberos clients. I'm able to do 'kinit' as the existing users and get tickets from the KDC.
Also, I've created the Principal for the MapR cluster in the kerberos server (mapr/dgkrtest.cluster.com@EC2.INTERNAL) & added the key.

On the CLDB node when I run the configure.sh, I get the following error:

# /opt/mapr/server/configure.sh -K -P "mapr/dgkrtest.cluster.com@EC2.INTERNAL" -C ip-172-31-17-132.ec2.internal -Z ip-172-31-17-132.ec2.internal -N dgkrtest.cluster.com
Configuring Hadoop-2.7.0 at /opt/mapr/hadoop/hadoop-2.7.0
Done configuring Hadoop
CLDB node list: ip-172-31-17-132.ec2.internal:7222
Zookeeper node list: ip-172-31-17-132.ec2.internal:5181
Node setup configuration: cldb fileserver hbaserest hbinternal nfs nodemanager resourcemanager webserver zookeeper
Log can be found at: /opt/mapr/logs/configure.log
sed: -e expression #1, char 47: unknown option to `s'

But I checked the mapr-cluster.conf file and it shows that the cluster is secure and Kerberos is enabled and the CLDB principal is correct.

Same goes for the mapr.login.conf file. The CLDB principal is correct in there as well.


So, I tried to check the 'maprlogin kerberos'

$ maprlogin kerberos
>>>KinitOptions cache name is /tmp/krb5cc_5000
Failure during kerberos authentication. Unable to obtain Principal Name for authentication

Now, I checked the log file maprlogin-mapr-5000.log:

2017-01-17 11:41:02,626 ERROR com.mapr.login.MapRLogin main [main]: Login exception
com.mapr.login.MapRLoginException: Failure during kerberos authentication. Unable to obtain Principal Name for authentication
at com.mapr.login.client.MapRLoginHttpsClient.getMapRCredentialsViaKerberos(MapRLoginHttpsClient.java:469)
at com.mapr.login.MapRLogin.execute(MapRLogin.java:549)
at com.mapr.login.MapRLogin.main(MapRLogin.java:649)
Caused by: javax.security.auth.login.LoginException: Unable to obtain Principal Name for authentication
at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:841)

I've followed the debugging instructions and performed/checked the following things: 


  1. I've enabled kerberos debugging. 
  2. I've verified the version number of the keys for the CLDB principal in the kdc with the keys in the keytab. No mismatches there.

    kadmin: getprinc mapr/dgkrtest.cluster.com
    Principal: mapr/dgkrtest.cluster.com@EC2.INTERNAL
    Expiration date: [never]
    Last password change: Tue Jan 17 05:50:23 EST 2017
    Password expiration date: [none]
    Maximum ticket life: 1 day 00:00:00
    Maximum renewable life: 0 days 00:00:00
    Last modified: Tue Jan 17 05:50:23 EST 2017 (root/admin@EC2.INTERNAL)
    Last successful authentication: [never]
    Last failed authentication: [never]
    Failed password attempts: 0
    Number of keys: 8
    Key: vno 2, aes256-cts-hmac-sha1-96
    Key: vno 2, aes128-cts-hmac-sha1-96
    Key: vno 2, des3-cbc-sha1
    Key: vno 2, arcfour-hmac
    Key: vno 2, camellia256-cts-cmac
    Key: vno 2, camellia128-cts-cmac
    Key: vno 2, des-hmac-sha1
    Key: vno 2, des-cbc-md5
    MKey: vno 1
    Attributes:
    Policy: [none]

    ktutil: rkt /opt/mapr/conf/mapr.keytab
    ktutil: list
    slot KVNO Principal
    ---- ---- ---------------------------------------------------------------------
    1 2 mapr/dgkrtest.cluster.com@EC2.INTERNAL
    2 2 mapr/dgkrtest.cluster.com@EC2.INTERNAL
    3 2 mapr/dgkrtest.cluster.com@EC2.INTERNAL
    4 2 mapr/dgkrtest.cluster.com@EC2.INTERNAL
    5 2 mapr/dgkrtest.cluster.com@EC2.INTERNAL
    6 2 mapr/dgkrtest.cluster.com@EC2.INTERNAL
    7 2 mapr/dgkrtest.cluster.com@EC2.INTERNAL
    8 2 mapr/dgkrtest.cluster.com@EC2.INTERNAL
  3. After the keyadd, along with running the configure.sh, I've also restarted warden (for CLDB restart).
  4. Downloaded the Java (OpenJDK 1.8.0) jurisdiction policy files from the oracle website and updated those under the $JAVA_HOME/lib/security


The error still persists.


Please look into this and suggest. 


Appreciate your help,

Addy
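Added example, not part of the post above and not MapR's own configure.sh. The error `sed: -e expression #1, char 47: unknown option to `s'` is the message sed prints when the replacement text of an `s` command contains the delimiter character, and the principal passed with `-P` (`mapr/dgkrtest.cluster.com@EC2.INTERNAL`) contains a `/`. The script below assumes (hypothesis, not verified against configure.sh) that the principal is templated into a config file with sed's default `/` delimiter; it reproduces that failure on a constructed template line and shows a substitution that tolerates `/` in the principal.

```shell
#!/bin/sh
# Added example, not from the post above and not MapR's configure.sh.
# Hypothesis (not verified against configure.sh): the script substitutes the
# CLDB principal into a config template with sed using the default "/"
# delimiter. A principal such as mapr/dgkrtest.cluster.com@EC2.INTERNAL
# contains "/", so sed reads "dgkrtest.cluster.com@EC2.INTERNAL/" as flags
# and fails with "unknown option to `s'". The functions below reproduce that
# failure and show a substitution that survives "/" in the principal.

PRINCIPAL='mapr/dgkrtest.cluster.com@EC2.INTERNAL'

# Constructed template line standing in for a config line with a placeholder.
TEMPLATE='principal="__CLDB_PRINCIPAL__"'

# Naive substitution: the "/" characters inside $1 terminate the s command
# early. sed exits non-zero and prints "unknown option to `s'" on stderr.
substitute_naive() {
    printf '%s\n' "$TEMPLATE" | sed "s/__CLDB_PRINCIPAL__/$1/"
}

# Escape the characters that are special on the right-hand side of an s
# command when "|" is the delimiter: backslash, "&" and "|" itself.
sed_escape_rhs() {
    printf '%s\n' "$1" | sed 's/[\\&|]/\\&/g'
}

# Safe substitution: "|" does not occur in normal Kerberos principal names,
# so use it as the delimiter and escape the replacement text.
substitute_safe() {
    escaped=$(sed_escape_rhs "$1")
    printf '%s\n' "$TEMPLATE" | sed "s|__CLDB_PRINCIPAL__|$escaped|"
}

# Returns 0 when the rendered line carries the principal verbatim.
rendered_ok() {
    case "$1" in
        *"principal=\"$PRINCIPAL\""*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration when run directly.
echo "naive:"
substitute_naive "$PRINCIPAL" || echo "  sed failed with status $?"
echo "safe:"
rendered=$(substitute_safe "$PRINCIPAL")
echo "  $rendered"
rendered_ok "$rendered" && echo "  principal rendered verbatim"
```

Run it with `sh` to see the naive form fail with the same sed message and the safe form emit the line with the full principal. Whether configure.sh really builds its sed expression this way is the assumption here; the symptom on the page (a principal containing `/` followed immediately by a sed `s` error) is consistent with it, but the maprlogin failure is a separate symptom that this script does not address.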

