From dev-return-14283-archive-asf-public=cust-asf.ponee.io@impala.apache.org Tue Jan 9 00:41:27 2018 Return-Path: X-Original-To: archive-asf-public@eu.ponee.io Delivered-To: archive-asf-public@eu.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by mx-eu-01.ponee.io (Postfix) with ESMTP id 9012E180607 for ; Tue, 9 Jan 2018 00:41:27 +0100 (CET) Received: by cust-asf.ponee.io (Postfix) id 7F874160C3E; Mon, 8 Jan 2018 23:41:27 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 9D9AE160C2C for ; Tue, 9 Jan 2018 00:41:26 +0100 (CET) Received: (qmail 13044 invoked by uid 500); 8 Jan 2018 23:41:25 -0000 Mailing-List: contact dev-help@impala.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@impala.apache.org Delivered-To: mailing list dev@impala.apache.org Received: (qmail 13027 invoked by uid 99); 8 Jan 2018 23:41:25 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd1-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 08 Jan 2018 23:41:25 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd1-us-west.apache.org (ASF Mail Server at spamd1-us-west.apache.org) with ESMTP id 0EE9FC404F for ; Mon, 8 Jan 2018 23:41:25 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 3.88 X-Spam-Level: *** X-Spam-Status: No, score=3.88 tagged_above=-999 required=6.31 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=2, KAM_BADIPHTTP=2, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, WEIRD_PORT=0.001] autolearn=disabled Authentication-Results: spamd1-us-west.apache.org (amavisd-new); dkim=pass (2048-bit key) header.d=cloudera.com Received: from mx1-lw-eu.apache.org ([10.40.0.8]) by localhost (spamd1-us-west.apache.org [10.40.0.7]) (amavisd-new, port 10024) with ESMTP id anKPp6-wHszL for ; Mon, 8 Jan 2018 23:41:23 +0000 (UTC) Received: from mail-qk0-f169.google.com (mail-qk0-f169.google.com [209.85.220.169]) by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with ESMTPS id 5E9D55FAC9 for ; Mon, 8 Jan 2018 23:41:22 +0000 (UTC) Received: by mail-qk0-f169.google.com with SMTP id o126so16393353qke.12 for ; Mon, 08 Jan 2018 15:41:22 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudera.com; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=3Yq/oNSDqmSA9wynqKyXYTJr6rsTZQQkXRkbJi8O3Jo=; b=EklbGz347MoHy7SgzeEshN4fZh42JRS8p+5mLoJr/8Ufq/UcckyAJaYigyho2OR+uv 4aq/Xjk2SskkMKACVs3y4ikVnewDAmCDE4vKfISyTTm71TF3T5bG1+tSAVggqxbSN/gk DfNLBSJIga45/P9llUiC/Jpc7WmVZFruqoTvaxeKUcfJfGO8iwMdDp7BRZCYh68YdFE6 Uc95gRPGiGt9Ha2+ySo6PLZBx7YknrGKOhJhhkEbtsxTfKi+PXX0XvXoY+gIpVP6JMXh is1HJBTWwDidEl6nRlVJYa58iDVCCFgfZxxPbLrZ1hR7N+H8Nh1kXODJG+2avTBkcTeL o+ng== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=3Yq/oNSDqmSA9wynqKyXYTJr6rsTZQQkXRkbJi8O3Jo=; b=goXmy8feBEcyQpgjDc23r/kEExaJnkxrFuqEO2OAMZQSS+vVJUb/y7VyLFcyzKSJ4J IhnmUgVuE2kErcgOdBwQ18Yif+wG/AJA5jo6C7Ubnz/EI6nWMxhZln/mn9Zdwh+/sm5e fIqVVqx/M33R+Uf4OZoP8rAcdqDGuW/lCKWXghvKSQc5cFXCnzaYPlyhfdjjZpMlP32D wZvXWPO36Duo1fc34Tv/zNttcwPk1tHJRwslmnZUk2udpIbP58+WhortbRkRslOBoE/d SAUaxaE1eLW3H7FI4rRnmOIA92dH++BZ/yleqfFGc75JLncHp7RJy/KPT5nrcM1memqr vzlg== X-Gm-Message-State: AKwxytepE5WEhqA5ONQksgmR9NxvxVa0wn4PnKHZJ76anrtqkxLyMRrv 2/Jb9ylXeVBmwFNEV1HMUxXvENp03VWOt0Gv2dLMIc0T X-Google-Smtp-Source: ACJfBovvSb+RJ5RYqdQ2LnwwrXx3QGog7qCtMkpSeDfCrymFg2++MN8TC1KWtbZburw5j4lXQduJ3pushxz+9gBqdcw= X-Received: by 10.233.237.71 with SMTP id c68mr652863qkg.289.1515454879934; Mon, 08 Jan 2018 15:41:19 -0800 (PST) MIME-Version: 1.0 Received: by 10.140.104.37 with HTTP; Mon, 8 Jan 2018 15:40:58 -0800 (PST) In-Reply-To: References: <5a306f9e.c4141c0a.5f33d.93be@mx.google.com> From: Philip Zeyliger Date: Mon, 8 Jan 2018 15:40:58 -0800 Message-ID: Subject: Re: thrift-server-test To: dev@impala.apache.org Content-Type: multipart/alternative; boundary="94eb2c0c0cb8cad20f05624c5564" --94eb2c0c0cb8cad20f05624c5564 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi Sailiesh, Is this what you'd expect? $klist /tmp/krb5cc_impala_internal Ticket cache: FILE:/tmp/krb5cc_impala_internal Default principal: impala/localhost@KRBTEST.COM Valid starting Expires Service principal 01/08/2018 15:39:23 01/09/2018 15:39:23 krbtgt/KRBTEST.COM@KRBTEST.COM renew until 01/15/2018 15:39:23 Thanks! On Mon, Jan 8, 2018 at 12:20 PM, Sailesh Mukil wrote= : > Can you run the test again, and klist the contents of the credential cach= e > and post the error logs again? Looks like "impala/localhost" might not be > stored as expected in the cache on your machine. > > On Wed, Dec 13, 2017 at 2:47 PM, Philip Zeyliger > wrote: > > > The KDC in this case is the "minikdc" from > > https://github.com/apache/impala/blob/master/be/src/ > > kudu/security/test/mini_kdc.cc. > > I see evidence of it, and have been able to look at its configuration b= y, > > um, adding --gtest_break_on_failure. (The feature actually doesn't work= , > > presumably because of an interaction with breakpad, but a temporary > > directory is left on my filesystem, so that's nice.) > > > > -- Philip > > > > On Tue, Dec 12, 2017 at 4:08 PM, Evo Eftimov > > wrote: > > > > > Is your cluster Kerberized at all, especially the Impala daemon - it > > > doesn=E2=80=99t seem to be enrolled in the KDC at all > > > > > > You / your personal account/principal is definitely enrolled though > > > > > > And there is definetly a KDC in your environment > > > > > > -----Original Message----- > > > From: Philip Zeyliger [mailto:philip@cloudera.com] > > > Sent: Tuesday, December 12, 2017 11:26 PM > > > To: dev@impala.apache.org > > > Subject: thrift-server-test > > > > > > Hi folks, > > > > > > I've been running into issues with thrift-server-test and Kerberos. > Below > > > is an excerpt of "KRB5_TRACE=3D/dev/stderr be/build/debug/rpc/thrift- > > server-test"; > > > both SslConnectivity/1 and > > > SslConnectivity/2 fail the same way. > > > > > > I'm running Ubuntu16.04. I've seen this both on my host, as well as > > inside > > > of an Ubuntu 16.04 Docker container. > > > > > > Does this ring any bells? > > > > > > Thanks! > > > > > > -- Philip > > > > > > > > > [ RUN ] KerberosOnAndOff/ThriftKerberizedParamsTest. > > SslConnectivity/2 > > > Loading random data > > > Initializing database '7abf-cef9-113e-eae3/krb5kdc/principal' for > realm > > ' > > > KRBTEST.COM', > > > master key name 'K/M@KRBTEST.COM' > > > [31585] 1513120922.459517: Retrieving K/M@KRBTEST.COM from > > > FILE:7abf-cef9-113e-eae3/krb5kdc/.k5.KRBTEST.COM (vno 0, enctype 0) > with > > > result: 0/Success > > > [31586] 1513120922.472314: Retrieving K/M@KRBTEST.COM from > > > FILE:7abf-cef9-113e-eae3/krb5kdc/.k5.KRBTEST.COM (vno 0, enctype 0) > with > > > result: 0/Success > > > Dec 12 15:22:02 philip-dev.gce.cloudera.com krb5kdc[31586](info): > > setting > > > up network... > > > Dec 12 15:22:02 philip-dev.gce.cloudera.com krb5kdc[31586](info): > > > listening on fd 11: udp 0.0.0.0.51781 (pktinfo) > > > krb5kdc: setsockopt(12,IPV6_V6ONLY,1) worked Dec 12 15:22:02 > > > philip-dev.gce.cloudera.com krb5kdc[31586](info): listening on fd 12: > > udp > > > ::.51781 (pktinfo) Dec 12 15:22:02 philip-dev.gce.cloudera.com > > > krb5kdc[31586](info): set up 2 sockets Dec 12 15:22:02 > > > philip-dev.gce.cloudera.com krb5kdc[31586](info): > > > commencing operation > > > krb5kdc: starting... > > > Authenticating as principal philip/admin@KRBTEST.COM with password. > > > [31589] 1513120922.498913: Retrieving K/M@KRBTEST.COM from > > > FILE:7abf-cef9-113e-eae3/krb5kdc/.k5.KRBTEST.COM (vno 0, enctype 0) > with > > > result: 0/Success > > > WARNING: no policy specified for impala/localhost@KRBTEST.COM; > > defaulting > > > to no policy Principal "impala/localhost@KRBTEST.COM" created. > > > Authenticating as principal philip/admin@KRBTEST.COM with password. > > > [31590] 1513120922.508777: Retrieving K/M@KRBTEST.COM from > > > FILE:7abf-cef9-113e-eae3/krb5kdc/.k5.KRBTEST.COM (vno 0, enctype 0) > with > > > result: 0/Success > > > Entry for principal impala/localhost with kvno 2, encryption type > > > aes256-cts-hmac-sha1-96 added to keytab > > > WRFILE:7abf-cef9-113e-eae3/krb5kdc/impala_localhost.keytab. > > > Entry for principal impala/localhost with kvno 2, encryption type > > > aes128-cts-hmac-sha1-96 added to keytab > > > WRFILE:7abf-cef9-113e-eae3/krb5kdc/impala_localhost.keytab. > > > Entry for principal impala/localhost with kvno 2, encryption type > > > des3-cbc-sha1 added to keytab > > > WRFILE:7abf-cef9-113e-eae3/krb5kdc/impala_localhost.keytab. > > > Entry for principal impala/localhost with kvno 2, encryption type > > > arcfour-hmac added to keytab WRFILE:7abf-cef9-113e-eae3/ > > > krb5kdc/impala_localhost.keytab. > > > Dec 12 15:22:02 philip-dev.gce.cloudera.com krb5kdc[31586](info): > AS_REQ > > > (6 etypes {18 17 16 23 25 26}) 127.0.0.1: ISSUE: authtime 1513120922, > > > etypes > > > {rep=3D18 tkt=3D18 ses=3D18}, impala/localhost@KRBTEST.COM for krbtgt= / > > > KRBTEST.COM@KRBTEST.COM [31476] 1513120922.532304: ccselect can't fin= d > > > appropriate cache for server principal impala@localhost [31476] > > > 1513120922.532347: Getting credentials impala/localhost@KRBTEST.COM > > > -> impala@localhost using ccache FILE:/tmp/krb5cc_impala_internal > > > [31476] 1513120922.532382: Retrieving impala/localhost@KRBTEST.COM -> > > > impala@localhost from FILE:/tmp/krb5cc_impala_internal with result: > > > -1765328243/Matching credential not found [31476] 1513120922.532407: > > > Retrieving impala/localhost@KRBTEST.COM -> krbtgt/localhost@localhost > > > from FILE:/tmp/krb5cc_impala_internal with > > > result: -1765328243/Matching credential not found [31476] > > > 1513120922.532433: Retrieving impala/localhost@KRBTEST.COM -> krbtgt/ > > > KRBTEST.COM@KRBTEST.COM from FILE:/tmp/krb5cc_impala_internal with > > > result: 0/Success > > > [31476] 1513120922.532441: Starting with TGT for client realm: impala= / > > > localhost@KRBTEST.COM -> krbtgt/KRBTEST.COM@KRBTEST.COM [31476] > > > 1513120922.532467: Retrieving impala/localhost@KRBTEST.COM -> > > > krbtgt/localhost@localhost from FILE:/tmp/krb5cc_impala_internal with > > > result: -1765328243/Matching credential not found [31476] > > > 1513120922.532475: Requesting TGT krbtgt/localhost@KRBTEST.COM using > TGT > > > krbtgt/KRBTEST.COM@KRBTEST.COM [31476] 1513120922.532491: Generated > > > subkey for TGS request: aes256-cts/005D [31476] 1513120922.532524: > etypes > > > requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, > > rc4-hmac, > > > camellia128-cts, camellia256-cts [31476] 1513120922.532574: Encoding > > > request body and padata into FAST request [31476] 1513120922.532616: > > > Sending request (951 bytes) to KRBTEST.COM [31476] 1513120922.532630: > > > Resolving hostname 127.0.0.1 [31476] 1513120922.532648: Sending initi= al > > UDP > > > request to dgram > > > 127.0.0.1:51781 > > > [31586] 1513120922.532790: AP-REQ ticket: impala/localhost@KRBTEST.CO= M > > -> > > > krbtgt/KRBTEST.COM@KRBTEST.COM, session key aes256-cts/580F [31586] > > > 1513120922.532814: Negotiated enctype based on authenticator: > > > aes256-cts > > > [31586] 1513120922.532820: Authenticator contains subkey: > aes256-cts/005D > > > Dec 12 15:22:02 philip-dev.gce.cloudera.com krb5kdc[31586](info): > > TGS_REQ > > > (6 etypes {18 17 16 23 25 26}) 127.0.0.1: UNKNOWN_SERVER: authtime 0, > > > impala/localhost@KRBTEST.COM for krbtgt/localhost@KRBTEST.COM, Server > > not > > > found in Kerberos database [31476] 1513120922.533028: Received answer > > (491 > > > bytes) from dgram > > > 127.0.0.1:51781 > > > [31476] 1513120922.533044: Response was not from master KDC [31476] > > > 1513120922.533053: Decoding FAST response [31476] 1513120922.533081: > TGS > > > request result: -1765328377/Server krbtgt/ localhost@KRBTEST.COM not > > > found in Kerberos database > > > /home/philip/src/impala/be/src/rpc/thrift-server-test.cc:153: Failure > > > Value of: status_.ok() > > > Actual: false > > > Expected: true > > > Error: Couldn't open transport for localhost:62119 (SASL(-1): generic > > > failure: GSSAPI Error: Unspecified GSS failure. Minor code may provi= de > > > more information (Server krbtgt/localhost@KRBTEST.COM not found in > > > Kerberos > > > database)) > > > > > > [ FAILED ] KerberosOnAndOff/ThriftKerberizedParamsTest. > > > SslConnectivity/2, > > > where GetParam() =3D 2 (100 ms) > > > > > > > > > --94eb2c0c0cb8cad20f05624c5564--