Return-Path: 
 <user-return-7366-apmail-hadoop-hdfs-user-archive=hadoop.apache.org@hadoop.apache.org>
X-Original-To: apmail-hadoop-hdfs-user-archive@minotaur.apache.org
Delivered-To: apmail-hadoop-hdfs-user-archive@minotaur.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 85CC01040F
	for <apmail-hadoop-hdfs-user-archive@minotaur.apache.org>;
 Thu, 25 Apr 2013 19:35:30 +0000 (UTC)
Received: (qmail 18673 invoked by uid 500); 25 Apr 2013 19:35:23 -0000
Delivered-To: apmail-hadoop-hdfs-user-archive@hadoop.apache.org
Received: (qmail 18495 invoked by uid 500); 25 Apr 2013 19:35:23 -0000
Mailing-List: contact user-help@hadoop.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:user-help@hadoop.apache.org>
List-Unsubscribe: <mailto:user-unsubscribe@hadoop.apache.org>
List-Post: <mailto:user@hadoop.apache.org>
List-Id: <user.hadoop.apache.org>
Reply-To: user@hadoop.apache.org
Delivered-To: mailing list user@hadoop.apache.org
Received: (qmail 18488 invoked by uid 99); 25 Apr 2013 19:35:23 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 25 Apr 2013 19:35:23 +0000
X-ASF-Spam-Status: No, hits=2.2 required=5.0
	tests=HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_NEUTRAL
X-Spam-Check-By: apache.org
Received-SPF: neutral (athena.apache.org: 216.145.54.171 is neither permitted
 nor denied by domain of daryn@yahoo-inc.com)
Received: from [216.145.54.171] (HELO mrout1.yahoo.com) (216.145.54.171)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 25 Apr 2013 19:35:18 +0000
Received: from GQ1-EX10-CAHT14.y.corp.yahoo.com
 (gq1-ex10-caht14.corp.gq1.yahoo.com [10.73.119.195])
	by mrout1.yahoo.com (8.14.4/8.14.4/y.out) with ESMTP id r3PJYTMs044298
	(version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO)
	for <user@hadoop.apache.org>; Thu, 25 Apr 2013 12:34:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=yahoo-inc.com;
	s=cobra; t=1366918470;
	bh=UcQhQ4MlXxYQwzYNHF0Wd+uM0wirVNLAU07XSKBsueA=;
	h=From:To:Subject:Date:Message-ID:References:In-Reply-To:
	 Content-Type:MIME-Version;
	b=ujWXnxbt3jqstVo4rYNFfI8pXF0EZghkbZA7EDIbmIv6avXqNerLaWncEXPLOTCP1
	 iDYt+eyEE41uLLnh9Z3RjuvU+mNor5lr/a38+A410Q/C7akwU9fiCntgDj0YsnUPnu
	 IkKi2OYxU4tWjxHDWUVlpNRWbZy83QD3LP7LnrXE=
Received: from GQ1-MB01-02.y.corp.yahoo.com ([fe80::a049:b5af:9055:ada6]) by
 GQ1-EX10-CAHT14.y.corp.yahoo.com ([fe80::191f:3466:d1b7:3b3d%14]) with mapi
 id 14.03.0123.003; Thu, 25 Apr 2013 12:34:29 -0700
From: Daryn Sharp <daryn@yahoo-inc.com>
To: "<user@hadoop.apache.org>" <user@hadoop.apache.org>
Subject: Re: How to connect to hadoop through ssh tunnel and kerberos
 authentication
Thread-Topic: How to connect to hadoop through ssh tunnel and kerberos
 authentication
Thread-Index: AQHOQXcucqk+tWXDlkWtP2MSH1MR1JjnyjaA
Date: Thu, 25 Apr 2013 19:34:28 +0000
Message-ID: <3AFF04F7-584B-4F25-A0A9-E6ECB9EDF895@yahoo-inc.com>
References: 
 <CAADy7x74CaoLkczf6oHLQMnpM706-xOfbF2qxC6T2P7tSAG3HA@mail.gmail.com>
In-Reply-To: 
 <CAADy7x74CaoLkczf6oHLQMnpM706-xOfbF2qxC6T2P7tSAG3HA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.74.226.61]
Content-Type: multipart/alternative;
	boundary="_000_3AFF04F7584B4F25A0A9E6ECB9EDF895yahooinccom_"
MIME-Version: 1.0
X-Milter-Version: master.31+4-gbc07cd5+
X-CLX-ID: 918470000
X-Virus-Checked: Checked by ClamAV on apache.org

--_000_3AFF04F7584B4F25A0A9E6ECB9EDF895yahooinccom_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

The important part of the error is "Cannot get kdc for realm CORP.EBAY.COM<=
http://CORP.EBAY.COM>".  Check if the gateway's /etc/krb5.conf has an entry=
 for CORP.EBAY.COM<http://CORP.EBAY.COM> in the [realms] section.  Or if yo=
u actually have appropriate dns service records for kerberos, you can use "=
dns_lookup_kdc =3D true".

Daryn

On Apr 25, 2013, at 12:36 AM, Jeff Zhang wrote:

Hi all,



I could connect to hadoop cluster by ssh tunnel before when there's no kerb=
eros authentication. Now our cluster need to upgrade to kerberos authentica=
tion. I try to connect to it by ssh tunnel again. But failed.

Could anyone guide me to do that ? Is there any tutorial for this ?

Here's what I did.

  1.  create a forwardable ticket in my client machine.
  2.  edit ~/.ssh/config file

GSSAPIAuthentication yes

GSSAPIDelegateCredentials yes

  3.  execute command "ssh -N -D 3600 gateway_host " to create a ssh connec=
tion to my gateway host

  4.  config my core-site.xml file for ssh tunnel connection

<property>
        <name>hadoophack.tunnel.port</name>
        <value>3600</value>
</property>

<property>
    <description>If users connect through a SOCKS proxy, we don't
      want their SocketFactory settings interfering with the socket
      factory associated with the actual daemons.</description>
    <name>hadoop.rpc.socket.factory.class.default</name>
    <value>org.apache.hadoop.net.SocksSocketFactory</value>
    <final>true</final>
</property>


And there's the error message when I run "hadoop fs -ls /"

13/04/24 22:31:13 ERROR security.UserGroupInformation: PriviledgedActionExc=
eption as:jianfezhang@CORP.EBAY.COM<mailto:as%3Ajianfezhang@CORP.EBAY.COM> =
cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSS=
Exception: No valid credentials provided (Mechanism level: Cannot get kdc f=
or realm CORP.EBAY.COM<http://CORP.EBAY.COM/>)]
13/04/24 22:31:13 INFO security.UserGroupInformation: Initiating logout for=
 jianfezhang@CORP.EBAY.COM<mailto:jianfezhang@CORP.EBAY.COM>
13/04/24 22:31:13 INFO security.UserGroupInformation: Initiating re-login f=
or jianfezhang@CORP.EBAY.COM<mailto:jianfezhang@CORP.EBAY.COM>
13/04/24 22:31:17 ERROR security.UserGroupInformation: PriviledgedActionExc=
eption as:jianfezhang@CORP.EBAY.COM<mailto:as%3Ajianfezhang@CORP.EBAY.COM> =
cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSS=
Exception: No valid credentials provided (Mechanism level: Cannot get kdc f=
or realm CORP.EBAY.COM<http://CORP.EBAY.COM/>)]
13/04/24 22:31:17 WARN security.UserGroupInformation: Not attempting to re-=
login since the last re-login was attempted less than 600 seconds before.
13/04/24 22:31:21 ERROR security.UserGroupInformation: PriviledgedActionExc=
eption as:jianfezhang@CORP.EBAY.COM<mailto:as%3Ajianfezhang@CORP.EBAY.COM> =
cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSS=
Exception: No valid credentials provided (Mechanism level: Cannot get kdc f=
or realm CORP.EBAY.COM<http://CORP.EBAY.COM/>)]

--
Best Regards

Jeff Zhang


--_000_3AFF04F7584B4F25A0A9E6ECB9EDF895yahooinccom_
Content-Type: text/html; charset="us-ascii"
Content-ID: <644DB805FE32C445AB3161CA50513BAE@yforest.corp.yahoo.com>
Content-Transfer-Encoding: quoted-printable

<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
>
</head>
<body style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-lin=
e-break: after-white-space; ">
<div>The important part of the error is &quot;Cannot get kdc for realm&nbsp=
;<a href=3D"http://CORP.EBAY.COM">CORP.EBAY.COM</a>&quot;. &nbsp;Check if t=
he gateway's /etc/krb5.conf has an entry for
<a href=3D"http://CORP.EBAY.COM">CORP.EBAY.COM</a> in the [realms] section.=
 &nbsp;Or if you actually have appropriate dns service records for kerberos=
, you can use &quot;dns_lookup_kdc =3D true&quot;.</div>
<div><br>
</div>
<div>Daryn<br>
<div><br>
<div>
<div>On Apr 25, 2013, at 12:36 AM, Jeff Zhang wrote:</div>
<br class=3D"Apple-interchange-newline">
<blockquote type=3D"cite">
<div dir=3D"ltr">
<div style=3D"">Hi all,</div>
<div style=3D""><br>
</div>
<div style=3D""><br>
</div>
<p style=3D"margin:0px 0px 1em;padding:0px;border:0px;font-size:14px;vertic=
al-align:baseline;clear:both;word-wrap:break-word;color:rgb(0,0,0);font-fam=
ily:Arial,'Liberation Sans','DejaVu Sans',sans-serif;line-height:18px">
I could connect to hadoop cluster by ssh tunnel before when there's no kerb=
eros authentication. Now our cluster need to upgrade to kerberos authentica=
tion. I try to connect to it by ssh tunnel again. But failed.</p>
<p style=3D"margin:0px 0px 1em;padding:0px;border:0px;font-size:14px;vertic=
al-align:baseline;clear:both;word-wrap:break-word;color:rgb(0,0,0);font-fam=
ily:Arial,'Liberation Sans','DejaVu Sans',sans-serif;line-height:18px">
Could anyone guide me to do that ? Is there any tutorial for this ?</p>
<p style=3D"margin:0px 0px 1em;padding:0px;border:0px;font-size:14px;vertic=
al-align:baseline;clear:both;word-wrap:break-word;color:rgb(0,0,0);font-fam=
ily:Arial,'Liberation Sans','DejaVu Sans',sans-serif;line-height:18px">
Here's what I did.</p>
<ol style=3D"margin:0px 0px 1em 30px;padding:0px;border:0px;font-size:14px;=
vertical-align:baseline;list-style-position:initial;color:rgb(0,0,0);font-f=
amily:Arial,'Liberation Sans','DejaVu Sans',sans-serif;line-height:18px">
<li style=3D"margin:0px;padding:0px;border:0px;vertical-align:baseline;back=
ground-color:transparent;word-wrap:break-word">
create a forwardable ticket in my client machine.</li><li style=3D"margin:0=
px;padding:0px;border:0px;vertical-align:baseline;background-color:transpar=
ent;word-wrap:break-word">
<p style=3D"margin:0px 0px 1em;padding:0px;border:0px;vertical-align:baseli=
ne;background-color:transparent;clear:both;word-wrap:break-word">
edit ~/.ssh/config file</p>
<p style=3D"margin:0px 0px 1em;padding:0px;border:0px;vertical-align:baseli=
ne;background-color:transparent;clear:both;word-wrap:break-word">
GSSAPIAuthentication yes</p>
<p style=3D"margin:0px 0px 1em;padding:0px;border:0px;vertical-align:baseli=
ne;background-color:transparent;clear:both;word-wrap:break-word">
GSSAPIDelegateCredentials yes</p>
</li><li style=3D"margin:0px;padding:0px;border:0px;vertical-align:baseline=
;background-color:transparent;word-wrap:break-word">
<p style=3D"margin:0px 0px 1em;padding:0px;border:0px;vertical-align:baseli=
ne;background-color:transparent;clear:both;word-wrap:break-word">
execute command &quot;ssh -N -D 3600 gateway_host &quot; to create a ssh co=
nnection to my gateway host</p>
</li><li style=3D"margin:0px;padding:0px;border:0px;vertical-align:baseline=
;background-color:transparent;word-wrap:break-word">
config my core-site.xml file for ssh tunnel connection</li></ol>
<blockquote style=3D"margin:0px 0px 10px;padding:10px 10px 1px;border:0px;f=
ont-size:14px;vertical-align:baseline;background-color:rgb(238,238,238);quo=
tes:none;color:rgb(0,0,0);font-family:Arial,'Liberation Sans','DejaVu Sans'=
,sans-serif;line-height:18px">
<pre class=3D"" style=3D"margin-top:0px;margin-bottom:10px;padding:5px;bord=
er:0px;vertical-align:baseline;font-family:Consolas,Menlo,Monaco,'Lucida Co=
nsole','Liberation Mono','DejaVu Sans Mono','Bitstream Vera Sans Mono','Cou=
rier New',monospace,serif;overflow:auto;width:auto;max-height:600px"><code =
class=3D"" style=3D"margin:0px;padding:0px 0px 0px 5px;border:0px;vertical-=
align:baseline;font-family:Consolas,Menlo,Monaco,'Lucida Console','Liberati=
on Mono','DejaVu Sans Mono','Bitstream Vera Sans Mono','Courier New',monosp=
ace,serif;display:block;color:rgb(208,208,208);background-color:rgb(32,32,3=
2)!important"><span class=3D"" style=3D"margin:0px;padding:0px;border:0px;v=
ertical-align:baseline;background-color:transparent;color:rgb(106,184,37);f=
ont-weight:bold">&lt;<span class=3D"" style=3D"margin:0px;padding:0px;borde=
r:0px;vertical-align:baseline;background-color:transparent;color:rgb(68,127=
,207)">property</span>&gt;</span>
        <span class=3D"" style=3D"margin:0px;padding:0px;border:0px;vertica=
l-align:baseline;background-color:transparent;color:rgb(106,184,37);font-we=
ight:bold">&lt;<span class=3D"" style=3D"margin:0px;padding:0px;border:0px;=
vertical-align:baseline;background-color:transparent;color:rgb(68,127,207)"=
>name</span>&gt;</span>hadoophack.tunnel.port<span class=3D"" style=3D"marg=
in:0px;padding:0px;border:0px;vertical-align:baseline;background-color:tran=
sparent;color:rgb(106,184,37);font-weight:bold">&lt;/<span class=3D"" style=
=3D"margin:0px;padding:0px;border:0px;vertical-align:baseline;background-co=
lor:transparent;color:rgb(68,127,207)">name</span>&gt;</span>
        <span class=3D"" style=3D"margin:0px;padding:0px;border:0px;vertica=
l-align:baseline;background-color:transparent;color:rgb(106,184,37);font-we=
ight:bold">&lt;<span class=3D"" style=3D"margin:0px;padding:0px;border:0px;=
vertical-align:baseline;background-color:transparent;color:rgb(68,127,207)"=
>value</span>&gt;</span>3600<span class=3D"" style=3D"margin:0px;padding:0p=
x;border:0px;vertical-align:baseline;background-color:transparent;color:rgb=
(106,184,37);font-weight:bold">&lt;/<span class=3D"" style=3D"margin:0px;pa=
dding:0px;border:0px;vertical-align:baseline;background-color:transparent;c=
olor:rgb(68,127,207)">value</span>&gt;</span>
<span class=3D"" style=3D"margin:0px;padding:0px;border:0px;vertical-align:=
baseline;background-color:transparent;color:rgb(106,184,37);font-weight:bol=
d">&lt;/<span class=3D"" style=3D"margin:0px;padding:0px;border:0px;vertica=
l-align:baseline;background-color:transparent;color:rgb(68,127,207)">proper=
ty</span>&gt;</span>

<span class=3D"" style=3D"margin:0px;padding:0px;border:0px;vertical-align:=
baseline;background-color:transparent;color:rgb(106,184,37);font-weight:bol=
d">&lt;<span class=3D"" style=3D"margin:0px;padding:0px;border:0px;vertical=
-align:baseline;background-color:transparent;color:rgb(68,127,207)">propert=
y</span>&gt;</span>
    <span class=3D"" style=3D"margin:0px;padding:0px;border:0px;vertical-al=
ign:baseline;background-color:transparent;color:rgb(106,184,37);font-weight=
:bold">&lt;<span class=3D"" style=3D"margin:0px;padding:0px;border:0px;vert=
ical-align:baseline;background-color:transparent;color:rgb(68,127,207)">des=
cription</span>&gt;</span>If users connect through a SOCKS proxy, we don't
      want their SocketFactory settings interfering with the socket
      factory associated with the actual daemons.<span class=3D"" style=3D"=
margin:0px;padding:0px;border:0px;vertical-align:baseline;background-color:=
transparent;color:rgb(106,184,37);font-weight:bold">&lt;/<span class=3D"" s=
tyle=3D"margin:0px;padding:0px;border:0px;vertical-align:baseline;backgroun=
d-color:transparent;color:rgb(68,127,207)">description</span>&gt;</span>
    <span class=3D"" style=3D"margin:0px;padding:0px;border:0px;vertical-al=
ign:baseline;background-color:transparent;color:rgb(106,184,37);font-weight=
:bold">&lt;<span class=3D"" style=3D"margin:0px;padding:0px;border:0px;vert=
ical-align:baseline;background-color:transparent;color:rgb(68,127,207)">nam=
e</span>&gt;</span>hadoop.rpc.socket.factory.class.default<span class=3D"" =
style=3D"margin:0px;padding:0px;border:0px;vertical-align:baseline;backgrou=
nd-color:transparent;color:rgb(106,184,37);font-weight:bold">&lt;/<span cla=
ss=3D"" style=3D"margin:0px;padding:0px;border:0px;vertical-align:baseline;=
background-color:transparent;color:rgb(68,127,207)">name</span>&gt;</span>
    <span class=3D"" style=3D"margin:0px;padding:0px;border:0px;vertical-al=
ign:baseline;background-color:transparent;color:rgb(106,184,37);font-weight=
:bold">&lt;<span class=3D"" style=3D"margin:0px;padding:0px;border:0px;vert=
ical-align:baseline;background-color:transparent;color:rgb(68,127,207)">val=
ue</span>&gt;</span>org.apache.hadoop.net.SocksSocketFactory<span class=3D"=
" style=3D"margin:0px;padding:0px;border:0px;vertical-align:baseline;backgr=
ound-color:transparent;color:rgb(106,184,37);font-weight:bold">&lt;/<span c=
lass=3D"" style=3D"margin:0px;padding:0px;border:0px;vertical-align:baselin=
e;background-color:transparent;color:rgb(68,127,207)">value</span>&gt;</spa=
n>
    <span class=3D"" style=3D"margin:0px;padding:0px;border:0px;vertical-al=
ign:baseline;background-color:transparent;color:rgb(106,184,37);font-weight=
:bold">&lt;<span class=3D"" style=3D"margin:0px;padding:0px;border:0px;vert=
ical-align:baseline;background-color:transparent;color:rgb(68,127,207)">fin=
al</span>&gt;</span>true<span class=3D"" style=3D"margin:0px;padding:0px;bo=
rder:0px;vertical-align:baseline;background-color:transparent;color:rgb(106=
,184,37);font-weight:bold">&lt;/<span class=3D"" style=3D"margin:0px;paddin=
g:0px;border:0px;vertical-align:baseline;background-color:transparent;color=
:rgb(68,127,207)">final</span>&gt;</span>
<span class=3D"" style=3D"margin:0px;padding:0px;border:0px;vertical-align:=
baseline;background-color:transparent;color:rgb(106,184,37);font-weight:bol=
d">&lt;/<span class=3D"" style=3D"margin:0px;padding:0px;border:0px;vertica=
l-align:baseline;background-color:transparent;color:rgb(68,127,207)">proper=
ty</span>&gt;</span>
</code></pre>
</blockquote>
<p style=3D"margin:0px 0px 1em;padding:0px;border:0px;font-size:14px;vertic=
al-align:baseline;clear:both;word-wrap:break-word;color:rgb(0,0,0);font-fam=
ily:Arial,'Liberation Sans','DejaVu Sans',sans-serif;line-height:18px">
And there's the error message when I run &quot;hadoop fs -ls /&quot;</p>
<div>
<div>13/04/24 22:31:13 ERROR security.UserGroupInformation: PriviledgedActi=
onException
<a href=3D"mailto:as%3Ajianfezhang@CORP.EBAY.COM">as:jianfezhang@CORP.EBAY.=
COM</a> cause:javax.security.sasl.SaslException: GSS initiate failed [Cause=
d by GSSException: No valid credentials provided (Mechanism level: Cannot g=
et kdc for realm
<a href=3D"http://CORP.EBAY.COM/">CORP.EBAY.COM</a>)]</div>
<div>13/04/24 22:31:13 INFO security.UserGroupInformation: Initiating logou=
t for <a href=3D"mailto:jianfezhang@CORP.EBAY.COM">
jianfezhang@CORP.EBAY.COM</a></div>
<div>13/04/24 22:31:13 INFO security.UserGroupInformation: Initiating re-lo=
gin for
<a href=3D"mailto:jianfezhang@CORP.EBAY.COM">jianfezhang@CORP.EBAY.COM</a><=
/div>
<div>13/04/24 22:31:17 ERROR security.UserGroupInformation: PriviledgedActi=
onException
<a href=3D"mailto:as%3Ajianfezhang@CORP.EBAY.COM">as:jianfezhang@CORP.EBAY.=
COM</a> cause:javax.security.sasl.SaslException: GSS initiate failed [Cause=
d by GSSException: No valid credentials provided (Mechanism level: Cannot g=
et kdc for realm
<a href=3D"http://CORP.EBAY.COM/">CORP.EBAY.COM</a>)]</div>
<div>13/04/24 22:31:17 WARN security.UserGroupInformation: Not attempting t=
o re-login since the last re-login was attempted less than 600 seconds befo=
re.</div>
<div>13/04/24 22:31:21 ERROR security.UserGroupInformation: PriviledgedActi=
onException
<a href=3D"mailto:as%3Ajianfezhang@CORP.EBAY.COM">as:jianfezhang@CORP.EBAY.=
COM</a> cause:javax.security.sasl.SaslException: GSS initiate failed [Cause=
d by GSSException: No valid credentials provided (Mechanism level: Cannot g=
et kdc for realm
<a href=3D"http://CORP.EBAY.COM/">CORP.EBAY.COM</a>)]</div>
<div><br>
</div>
-- <br>
Best Regards<br>
<br>
Jeff Zhang </div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</body>
</html>

--_000_3AFF04F7584B4F25A0A9E6ECB9EDF895yahooinccom_--