accumulo-user mailing list archives

From Josh Elser <>
Subject Re: Accumulo and Kerberos
Date Tue, 26 Jan 2016 18:10:21 GMT
Hi Roman,

Accumulo services (TabletServer, Master, etc) all use a keytab to 
automatically obtain a ticket from the KDC when they start up. You do 
not need to do anything with kinit when starting Accumulo.

One worry is ACCUMULO-4069[1] with all presently released versions (most 
notably 1.7.0 which you are using). This is a bug in which services did 
not automatically renew their ticket. We're working on a 1.7.1, but it's 
not out yet.

As for debugging your issue, take a look at the Kerberos section on 
debugging in the user manual [2]. Take a very close look at the 
principal the service is using to obtain the ticket and what the 
principal is for your keytab. A good sanity check is to make sure you 
can `kinit` in the shell using the keytab and the correct principal 
(rule out the keytab being incorrect).

If you still get stuck, collect the output specifying in (per the instructions) 
and try enabling log4j DEBUG on

- Josh

[2] wrote:
> Hi there,
> Trying to set up Accumulo 1.7 on Kerberized cluster. Only interested in
> master/tablets to be kerberized (not end-users). Configured everything
> as per manual:
> 1) Created principals
> 2) Generated glob keytab
> 3) Modified accumulo-site.xml providing general.kerberos.keytab and
> general.kerberos.principal
> If I start as accumulo user I get: Caused by: GSSException: No valid
> credentials provided (Mechanism level: Failed to find any Kerberos tgt)
> However, if I give explicitly a token with kinit and keytab generated
> above in the shell – it works as expected. To my understanding Accumulo
> has to obtain tickets automatically? Or the idea is to write a cron job
> and apply kinit to every tablet server per day?
> Regards,
> Roman

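The principal check suggested in the reply can be scripted. The following is an added example, not part of the original thread or of Accumulo itself: it compares `general.kerberos.principal` from `accumulo-site.xml` (with `_HOST` expanded) against the principals listed by `klist -kt` for the keytab. The host names, realm, keytab path and sample `klist` output are constructed placeholders, and lower-casing the host name during `_HOST` substitution is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input; host names, realm and paths are placeholders.
SITE_XML = """<configuration>
  <property><name>general.kerberos.keytab</name><value>/etc/security/keytabs/accumulo.keytab</value></property>
  <property><name>general.kerberos.principal</name><value>accumulo/_HOST@EXAMPLE.COM</value></property>
</configuration>"""

# Constructed sample of `klist -kt <keytab>` output (MIT Kerberos layout).
KLIST_OUTPUT = """Keytab name: FILE:/etc/security/keytabs/accumulo.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/20/2016 10:15:02 accumulo/node1.example.com@EXAMPLE.COM
   2 01/20/2016 10:15:02 accumulo/node2.example.com@EXAMPLE.COM
"""

def site_property(site_xml, name):
    """Return the value of a Hadoop-style <property> entry, or None."""
    for prop in ET.fromstring(site_xml).iter("property"):
        if prop.findtext("name", "").strip() == name:
            return prop.findtext("value", "").strip()
    return None

def expected_principal(site_xml, fqdn):
    """Configured service principal with _HOST replaced by this host's FQDN."""
    configured = site_property(site_xml, "general.kerberos.principal")
    if configured is None:
        raise ValueError("general.kerberos.principal is not set")
    # Assumption: the host name is lower-cased when _HOST is substituted.
    return configured.replace("_HOST", fqdn.lower())

def keytab_principals(klist_output):
    """Principals listed in `klist -kt` output (entry lines start with a KVNO)."""
    entry = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)\s*$")
    return {m.group(1) for line in klist_output.splitlines() if (m := entry.match(line))}

def check(site_xml, klist_output, fqdn):
    """Return (ok, expected, found); ok is False when the keytab lacks the principal."""
    expected = expected_principal(site_xml, fqdn)
    found = keytab_principals(klist_output)
    return expected in found, expected, sorted(found)

if __name__ == "__main__":
    # node3 has no entry in the sample keytab, so this reports a mismatch.
    ok, expected, found = check(SITE_XML, KLIST_OUTPUT, "node3.example.com")
    print("OK" if ok else "MISMATCH", expected, found)
```

On a real host, feed `check` the contents of the site file, the captured output of `klist -kt` on the configured keytab, and the machine's fully qualified host name.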