FAQ
I have configured CDH4 security with Cloudera Manager according to these
instructions:
http://www.cloudera.com/content/cloudera-content/cloudera-docs/CM4Ent/latest/Configuring-Hadoop-Security-with-Cloudera-Manager/Configuring-Hadoop-Security-with-Cloudera-Manager.html

All other services are fine after restart except Impala. Below are the
Impala log files:

8:36:41.795 AM INFO client-cache.cc:98

CreateClient(): adding new client for stagingdb-mt02.intranet.mundomedia.com:24000

  8:36:41.829 AM ERROR authorization.cc:70

Kerberos: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)

  8:36:41.831 AM INFO status.cc:44

Couldn't open transport for stagingdb-mt02.intranet.mundomedia.com:24000(SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired))
     @ 0x83af7d (unknown)
     @ 0x818366 (unknown)
     @ 0x7c0acd (unknown)
     @ 0x7c1640 (unknown)
     @ 0x832a89 (unknown)
     @ 0x833ff4 (unknown)
     @ 0x7eac5e (unknown)
     @ 0x68f267 (unknown)
     @ 0x7ffc537d8cdd __libc_start_main
     @ 0x68ee89 (unknown)

  8:36:41.832 AM ERROR impalad-main.cc:90

Impalad services did not start correctly, exiting. Error: Couldn't open transport for stagingdb-mt02.intranet.mundomedia.com:24000(SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired))
State Store Subscriber did not start up.

  9:24:59.636 AM ERROR impalad-main.cc:90

Impalad services did not start correctly, exiting. Error: Couldn't open transport for stagingdb-mt02.intranet.mundomedia.com:24000(SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired))
State Store Subscriber did not start up.


Any suggestions?

Thanks,

James

To unsubscribe from this group and stop receiving emails from it, send an email to impala-user+unsubscribe@cloudera.org.


  • Vikas Singh at Oct 11, 2013 at 4:37 pm
    Hi James,

    It seems that the ticket is expired and cannot be renewed. You need to
    configure Kerberos to allow renewable tickets. Typically, you can do this
    by adding the max_renewable_life setting to your realm in kdc.conf, and by
    adding the renew_lifetime parameter to the libdefaults section of krb5.conf.

    Vikas

  • Raja Thiruvathuru at Oct 11, 2013 at 4:45 pm
    We ran into the same issue. Adding the max_renewable_life setting to the
    Kerberos configuration fixed the issue.

    --
    Regards,

    Raja Thiruvathuru

  • C James at Oct 11, 2013 at 5:53 pm
    Added, but it still doesn't work. The same error.

    Thanks,

    James
  • Vikas Singh at Oct 11, 2013 at 7:16 pm
    Hi James,

    You may need to regenerate the credentials for the setting to be picked up.
    In Cloudera Manager go to "Administration->Kerberos" and then select CM
    services and click over Regenerate. You may have to restart the affected
    services to pick up the new keytabs.

    - Vikas

    P.S. I am assuming you already took care of restarting KDC to pick up new
    renew* settings.


  • C James at Oct 11, 2013 at 7:57 pm
    I already restarted the KDC service.

    I regenerated the credentials this time, still no hope, the same error. I
    tried to enable debug and found this information:

    Client Principal = impala/XXXX.intranet.mundomedia.com@HADOOP.MUNDOMEDIA.COM
    Server Principal = krbtgt/HADOOP.MUNDOMEDIA.COM@HADOOP.MUNDOMEDIA.COM
    Session Key = EncryptionKey: keyType=18 keyBytes (hex dump)=
    0000: C9 54 1F 9B 24 9D 52 4E 3F 0A 2E B4 85 72 65 55 .T..$.RN?....reU
    0010: E2 53 C6 95 E1 2B 58 6B 81 22 C3 37 6F 44 D1 E3 .S...+Xk.".7oD..


    Forwardable Ticket true
    Forwarded Ticket false
    Proxiable Ticket false
    Proxy Ticket false
    Postdated Ticket false
    Renewable Ticket true
    Initial Ticket true
    Auth Time = Fri Oct 11 15:45:53 EDT 2013
    Start Time = Fri Oct 11 15:45:53 EDT 2013
    End Time = Fri Oct 11 15:45:53 EDT 2013
    Renew Till = Fri Oct 11 15:45:53 EDT 2013

    The ticket end time is the same as the start time. Does this cause the ticket to expire? If so, how do I correct it?

    Thanks,

    James


  • Raja Thiruvathuru at Oct 11, 2013 at 7:59 pm
    If you haven't done that, just doing the following command on
    the Kerberos KDC server will fix the principals:

    for p in `kadmin.local -q listprincs`; do kadmin.local -q "modprinc -maxrenewlife 7days $p"; done

    --
    Regards,

    Raja Thiruvathuru

  • Vikas Singh at Oct 12, 2013 at 12:12 am
    Hi James,

    It doesn't seem that either of the two Kerberos settings has taken effect
    (as seen by the "End Time" and "Renew Till" values). I think it will be
    simpler to set this up and verify it is working and then look into the
    CDH/CM part.

    Here is what the properties look like in a setup where it works:

    kdc.conf
    ------------
    [realms]
      HADOOP.MUNDOMEDIA.COM = {
       master_key_type = des3-hmac-sha1
       acl_file = /var/kerberos/krb5kdc/kadm5.acl
       dict_file = /usr/share/dict/words
       admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
       max_life = 30d
       max_renewable_life = 30d
       #removed supported_enctypes aes256-cts:normal and aes128-cts:normal
       supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
      }

    krb5.conf
    -------------
    [libdefaults]
      # default is 0
      renew_lifetime = 15m
      default_realm = HADOOP.MUNDOMEDIA.COM
      dns_lookup_realm = false
      dns_lookup_kdc = false
      ticket_lifetime = 15m
      forwardable = yes
      allow_weak_crypto = true


    For krb5.conf, please update it at all the nodes in the cluster.

    - Vikas
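
An added example, not written by any poster in this thread: a Python check that reads the ticket fields of a debug dump in the format James posted and reports a zero lifetime or a zero renewal window, the condition Vikas reads off the "End Time" and "Renew Till" values. The function names and finding codes are assumptions made for this example, and the second sample dump is constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed input: flag and time lines copied from the debug dump quoted in the thread.
BROKEN_DUMP = """\
Forwardable Ticket true
Renewable Ticket true
Initial Ticket true
Auth Time = Fri Oct 11 15:45:53 EDT 2013
Start Time = Fri Oct 11 15:45:53 EDT 2013
End Time = Fri Oct 11 15:45:53 EDT 2013
Renew Till = Fri Oct 11 15:45:53 EDT 2013
"""

# Constructed input: invented values for a ticket valid for 1 day and renewable for 7 days.
HEALTHY_DUMP = """\
Renewable Ticket true
Auth Time = Fri Oct 11 15:45:53 EDT 2013
Start Time = Fri Oct 11 15:45:53 EDT 2013
End Time = Sat Oct 12 15:45:53 EDT 2013
Renew Till = Fri Oct 18 15:45:53 EDT 2013
"""

TIME_RE = re.compile(
    r"^[ \t]*(Auth Time|Start Time|End Time|Renew Till)[ \t]*=[ \t]*(.+?)[ \t]*$", re.M)
FLAG_RE = re.compile(r"^[ \t]*(\w+) Ticket (true|false)[ \t]*$", re.M)

# Hypothetical finding codes used by this example only.
MESSAGES = {
    "ZERO_LIFETIME": "End Time is not after Start Time: the ticket is expired as soon as it is issued.",
    "EXPIRED": "End Time has passed: the ticket must be renewed or re-acquired.",
    "NOT_RENEWABLE": "The Renewable flag is false: the ticket cannot be renewed.",
    "ZERO_RENEW_WINDOW": "Renew Till is not after Start Time: the renewable lifetime is zero.",
}


def parse_dump(dump):
    """Return (times, flags) parsed from a ticket debug dump."""
    times, zones = {}, set()
    for name, value in TIME_RE.findall(dump):
        parts = value.split()  # e.g. Fri Oct 11 15:45:53 EDT 2013
        if len(parts) != 6:
            raise ValueError(f"unrecognised timestamp for {name}: {value!r}")
        zones.add(parts[4])
        # strptime's %Z is unreliable for abbreviations such as EDT, so the zone
        # token is dropped and the fields are compared as naive local times.
        times[name] = datetime.strptime(
            " ".join(parts[:4] + parts[5:]), "%a %b %d %H:%M:%S %Y")
    if len(zones) > 1:
        raise ValueError(f"timestamps use different zones: {sorted(zones)}")
    for required in ("Start Time", "End Time"):
        if required not in times:
            raise ValueError(f"dump has no {required!r} line")
    flags = {name: state == "true" for name, state in FLAG_RE.findall(dump)}
    return times, flags


def ticket_windows(dump):
    """Return (lifetime, renew_window), both measured from Start Time."""
    times, _ = parse_dump(dump)
    start = times["Start Time"]
    renew_till = times.get("Renew Till")
    renew_window = renew_till - start if renew_till else timedelta(0)
    return times["End Time"] - start, renew_window


def diagnose(dump, now=None):
    """Return finding codes; pass `now` (naive, same zone) to test for expiry."""
    times, flags = parse_dump(dump)
    lifetime, renew_window = ticket_windows(dump)
    findings = []
    if lifetime <= timedelta(0):
        findings.append("ZERO_LIFETIME")
    elif now is not None and now >= times["End Time"]:
        findings.append("EXPIRED")
    if not flags.get("Renewable", False):
        findings.append("NOT_RENEWABLE")
    elif renew_window <= timedelta(0):
        findings.append("ZERO_RENEW_WINDOW")
    return findings


if __name__ == "__main__":
    for label, dump in (("thread dump", BROKEN_DUMP), ("healthy dump", HEALTHY_DUMP)):
        lifetime, renew_window = ticket_windows(dump)
        print(f"{label}: lifetime={lifetime}, renew window={renew_window}")
        for code in diagnose(dump) or ["OK"]:
            print("  ", code, MESSAGES.get(code, ""))
```

A ZERO_RENEW_WINDOW finding on a ticket whose Renewable flag is true is the state in James's dump; the settings the thread names for it are max_renewable_life in kdc.conf, renew_lifetime in krb5.conf, and the per-principal -maxrenewlife.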


  • C James at Oct 15, 2013 at 1:32 pm
    It works, Thanks

    James
Discussion Overview
group: impala-user
category: hadoop
posted: Oct 11, '13 at 3:58p
active: Oct 15, '13 at 1:32p
posts: 9
users: 3
website: cloudera.com
irc: #hadoop
