
Secure MapR 5.0 with one cldb question regarding the mapr kerberos principal and other issues

Question asked by midair77 on Jan 14, 2016
Latest reply on Mar 6, 2016 by nregonda
Hi all,

I have a mapr-ker-node1 with cldb installed however when I ran configure.sh I used -P mapr/mapr-ker-node1.mydomain.com@MYDOMAIN.COM.  My cluster name is mapr5_ker.

I have a non root/mapr kerberos principal such as myuser@MYDOMAIN.COM.

On my only cldb host I have this:
[ec2-user@mapr-ker-node1 ~]$ sudo klist -ket /opt/mapr/conf/mapr.keytab

Keytab name: FILE:/opt/mapr/conf/mapr.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 01/12/16 16:15:27 mapr/mapr-ker-node1.mydomain.com@MYDOMAIN.COM (aes256-cts-hmac-sha1-96) 
   1 01/12/16 16:15:27 mapr/mapr-ker-node1.mydomain.com@MYDOMAIN.COM (aes128-cts-hmac-sha1-96) 
   1 01/12/16 16:15:27 mapr/mapr-ker-node1.mydomain.com@MYDOMAIN.COM (des3-cbc-sha1) 
   1 01/12/16 16:15:27 mapr/mapr-ker-node1.mydomain.com@MYDOMAIN.COM (arcfour-hmac) 
   1 01/12/16 16:15:27 mapr/mapr-ker-node1.mydomain.com@MYDOMAIN.COM (des-hmac-sha1) 
   1 01/12/16 16:15:27 mapr/mapr-ker-node1.mydomain.com@MYDOMAIN.COM (des-cbc-md5) 

I logged in as ec2-user and did this:

kinit myuser

klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: myuser@MYDOMAIN.COM

Valid starting     Expires            Service principal

01/13/16 15:19:07  01/14/16 15:19:07  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
    renew until 01/20/16 15:19:07

I then ran maprlogin kerberos as this ec2-user and got this error message:

maprlogin kerberos

Failure in kerberos handshake Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)

On my cldb server, I found this under /opt/mapr/logs/maprlogin-ec2-user-500.log because I enabled debug logging.

Header: hostName: mapr-ker-node1.mydomain.com, Time Zone: Pacific Standard Time, processName: null, processId: null
2016-01-13 15:20:12,948 DEBUG com.mapr.login.client.MapRLoginHttpsClient [main]: No subject found
2016-01-13 15:20:12,949 DEBUG com.mapr.login.client.MapRLoginHttpsClient [main]: UGI checking disabled.
2016-01-13 15:20:12,949 DEBUG com.mapr.login.client.MapRLoginHttpsClient [main]: No subject with Kerberos found even after (optionally) checking Hadoop UGI object
2016-01-13 15:20:13,093 DEBUG com.mapr.login.client.MapRLoginHttpsClient [main]: Client kerberos identity: [myuser@MYDOMAIN.COM]
2016-01-13 15:20:13,150 DEBUG com.mapr.login.client.MapRLoginHttpsClient [main]: Attempting to connect to kerberos server that has the identity 'mapr/mapr-ker-node1.mydomain.com@MYDOMAIN.COM'
2016-01-13 15:20:13,363 DEBUG com.mapr.login.client.MapRLoginHttpsClient [main]: Attempting authentication with cluster - mapr5_ker. Request - krb token: YIICmwYGKwYBBQUCoIICjzCCAougDTALBgkqhkiG9xIBAgKhBAMCAXaiggJyBIICbmCCAmoGCSqGSIb3EgECAgEAboICWTCCAlWgAwIBBaEDAgEOogcDBQAgAAAAo4IBamGCAWYwggFioAMCAQWhDxsNUEFYQVRBREVWLkNPTaIvMC2gAwIBAKEmMCQbBG1hcHIbHG1hcHIta2VyLW5vZGUxLnBheGF0YWRldi5jb22jggEXMIIBE6ADAgESoQMCAQGiggEFBIIBAUrqH2V4ZHgwO0PHRCJEGFkPNKdqFIi0zoH1/fMrlJAjODq+kuqsWILqjZlx28HSmM/4NzQYaTVZ9lrIUTQ+4kDWe/kOtasVcJ8lv9u6ar9o6+P3pnqu2I3muJRYqnlIryvG3AxrA3F9uk1/8LjKU3KI8Ch41ZHni2qczJSAbmjksMv5Jz7ro1haXqRzq5fzORhL5QBC56CCl57tH4tT03ujOcPcyjAuJBvV1GzkITTnpgnUHa2UoIM0MOLJ7xMf6lPT3R/2/v70nMU2NYHQhsF66vdA1uWJfzqYWcLtKcAzNZDLsJKk+jH2pNYG5QU9IJesCwmtAqQjg3DzzviykorXpIHRMIHOoAMCARKigcYEgcNEq5XHvaCdmOQWI1JIAQ5RyvQui49u9/7VDu+AnUisJsbKoZYjczJP4OVQSv8D6vOfwOY+Yn/jwy52dU1y6z3WArhd7n5HBx4DBXJI4REqqu8OLWAIrnFqKpDHYJ+dLjVJL/1MKscrJ66dUrYcACYKQ8/74LI8xw+gn5xSEtui2IIkvbJuMiPWq/1SZwqbFVPHvyAnUg9cFS+alcVn61+50b9WFPsDIp1hLGQ2k6V5AK+425McItr1/fGW7z3OViNJeNU=, auth scheme: /login/kerberos
2016-01-13 15:20:13,498 DEBUG com.mapr.login.client.MapRLoginHttpsClient [main]: Obtained auth response status: 10004, error: Failure in kerberos handshake Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96), ticketAndKeyString: null from cldb @ mapr-ker-node1.mydomain.com:7443
2016-01-13 15:20:13,498 ERROR com.mapr.login.client.MapRLoginHttpsClient processResponse [main]: Error obtaining mapr credentials for cluster : mapr5_ker. Error message from cldb: Failure in kerberos handshake Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)
2016-01-13 15:20:13,501 ERROR com.mapr.login.MapRLogin main [main]: Login exception
com.mapr.login.MapRLoginException: Failure in kerberos handshake Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)
        at com.mapr.login.client.MapRLoginHttpsClient.processResponse(MapRLoginHttpsClient.java:663)
        at com.mapr.login.client.MapRLoginHttpsClient.processResponse(MapRLoginHttpsClient.java:646)
        at com.mapr.login.client.MapRLoginHttpsClient.getMapRCredentialsViaKerberos(MapRLoginHttpsClient.java:470)
        at com.mapr.login.MapRLogin.execute(MapRLogin.java:508)
        at com.mapr.login.MapRLogin.main(MapRLogin.java:603)


----
Note: I did this on the same host that has cldb running, just to minimize any missing files like trust store/key store/cldb.key or maprserverticket.

Please tell me what I need to change in order for this to work, or whether I have to resort to using mapr/clustername@kerberos_realm (in my case mapr/mapr5_ker@MYDOMAIN.COM) instead of mapr/host_fqdn@kerberos_realm.

Thank you very much.
