Message-ID: <56A7B68D.7010906@gmail.com>
Date: Tue, 26 Jan 2016 13:10:21 -0500
From: Josh Elser
To: user@accumulo.apache.org
Subject: Re: Accumulo and Kerberos

Hi Roman,

Accumulo services (TabletServer, Master, etc) all use a keytab to automatically obtain a ticket from the KDC when they start up. You do not need to do anything with kinit when starting Accumulo. One worry is ACCUMULO-4069[1] with all presently released versions (most notably 1.7.0 which you are using). This is a bug in which services did not automatically renew their ticket. We're working on a 1.7.1, but it's not out yet.

As for debugging your issue, take a look at the Kerberos section on debugging in the user manual [2]. Take a very close look at the principal the service is using to obtain the ticket and what the principal is for your keytab. A good sanity check is to make sure you can `kinit` in the shell using the keytab and the correct principal (rule out the keytab being incorrect).

If you still get stuck, collect the output specifying -Dsun.security.krb5.debug=true in accumulo-env.sh (per the instructions) and try enabling log4j DEBUG on org.apache.hadoop.security.UserGroupInformation.

- Josh

[1] https://issues.apache.org/jira/browse/ACCUMULO-4069
[2] http://accumulo.apache.org/1.7/accumulo_user_manual.html#_debugging

roman.drapeko@baesystems.com wrote:
> Hi there,
>
> Trying to setup Accumulo 1.7 on Kerberized cluster. Only interested in
> master/tablets to be kerberized (not end-users). Configured everything
> as per manual:
>
> 1) Created principals
>
> 2) Generated glob keytab
>
> 3) Modified accumulo-site.xml providing general.kerberos.keytab and
> general.kerberos.principal
>
> If I start as accumulo user I get: Caused by: GSSException: No valid
> credentials provided (Mechanism level: Failed to find any Kerberos tgt)
>
> However, if I give explicitly a token with kinit and keytab generated
> above in the shell - it works as expected. To my understanding Accumulo
> has to obtain tickets automatically? Or the idea is to write a cron job
> and apply kinit to every tablet server per day?
>
> Regards,
>
> Roman
>
> Please consider the environment before printing this email. This message
> should be regarded as confidential. If you have received this email in
> error please notify the sender and destroy it immediately. Statements of
> intent shall only become binding when confirmed in hard copy by an
> authorised signatory. The contents of this email may relate to dealings
> with other companies under the control of BAE Systems Applied
> Intelligence Limited, details of which can be found at
> http://www.baesystems.com/Businesses/index.htm.
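
The principal/keytab sanity check suggested in the reply above, as an added shell example (not part of the original thread and not Accumulo's own tooling). It reads the two properties named in the thread from accumulo-site.xml, checks that the configured principal is actually stored in the keytab, then tries a keytab login into a throwaway credential cache. The function names are hypothetical; it assumes MIT Kerberos `klist`/`kinit` and that a `_HOST` placeholder in the principal stands for the host's FQDN.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of Accumulo.

# Print the <value> of property $2 from the Hadoop-style XML file $1.
site_property() {
    tr '\n' ' ' < "$1" | awk -v key="$2" '{
        n = split($0, props, "</property>")
        for (i = 1; i <= n; i++) {
            if (props[i] !~ ("<name>[ \t]*" key "[ \t]*</name>")) continue
            v = props[i]
            sub(/.*<value>[ \t]*/, "", v)      # drop everything up to the value
            sub(/[ \t]*<\/value>.*/, "", v)    # drop trailing space and the rest
            print v; exit
        }
    }'
}

# Replace a _HOST placeholder in principal $1 with the FQDN $2 (assumption:
# the service principal is configured per host this way).
expand_host() {
    printf '%s\n' "$1" | sed "s/_HOST/$2/"
}

# Succeed if principal $1 appears in `klist -k` output read from stdin.
keytab_has_principal() {
    awk -v p="$1" '$NF == p { found = 1 } END { exit !found }'
}

# Run as the same OS user that starts Accumulo, so file permissions on the
# keytab are exercised too. $1 = accumulo-site.xml, $2 = FQDN (optional).
check_service_keytab() {
    site=$1
    fqdn=${2:-$(hostname -f)}
    keytab=$(site_property "$site" general.kerberos.keytab)
    principal=$(expand_host "$(site_property "$site" general.kerberos.principal)" "$fqdn")
    echo "configured: $principal ($keytab)"
    if ! klist -k "$keytab" | keytab_has_principal "$principal"; then
        echo "MISMATCH: $principal is not in $keytab" >&2
        return 1
    fi
    # Use a temporary cache so an existing user ticket cannot mask a failure.
    cc=$(mktemp) || return 1
    KRB5CCNAME="FILE:$cc" kinit -kt "$keytab" "$principal"; rc=$?
    rm -f "$cc"
    return $rc
}

if [ "$#" -gt 0 ]; then check_service_keytab "$@"; fi
```

Invoke it with the path to accumulo-site.xml as the first argument; a non-zero exit means either the configured principal is missing from the keytab or the keytab login itself failed.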