Phoenix ODBC client on Windows connecting to Kerberos Hadoop Phoenix is throwing error “GSSException: Defective token detected”

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Phoenix ODBC client on Windows connecting to Kerberos Hadoop Phoenix is throwing error “GSSException: Defective token detected”

ANILESH_TENNETI
Hi,Hello MIT team, I'm Anil working for IBM and implemented Kebreros for a customer. Kerberos – AD is implemented on Hadoop environment. Phoenix is enabled to open JDBC / ODBC connection to Hadoop HBase. Hadoop is setup on RHEL 7.2Windows client machines connecting to Hadoop Phoenix using Hortonworks Phoenix ODBC driver (64 bit). As connection should be established to Kerberos Phoenix, the Windows ODBC client machine also must be setup with Kerberos.Windows odbc client machine has been setup with MIT Kerberos as per the documentation link https://community.hortonworks.com/articles/28537/user-authentication-from-windows-workstation-to-hd.htmlCopied the krb5.conf file to windows machine as krb5.ini. Using MIT Kerberos key tool, get new Kerberos ticket say for user ‘kpiuser’ as shown below;On establishing connection from ODBC client, phoenix connection fails with log message “GSSException: Defective token detected (Mechanism level: GSS!
 Header did not find the right tag)”.Refer to Error-in-phoenix-log.txtThis implies, the Kerberos ticket format is different or corrupted.The phoenix ODBC client logs shows connection errors.Refer to HortonworksPhoenixODBCDriver_connection_1.log and phoenix_driver.logOn windows client machine, doing kinit for a user does not show the cached ticket when run klist command.Refer to klist-on-windows-odbc-client.txtThanks,Anil 
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Error-in-phoenix-log.txt (5K) Download Attachment
klist-on-windows-odbc-client.txt (4K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Phoenix ODBC client on Windows connecting to Kerberos Hadoop Phoenix is throwing error “GSSException: Defective token detected”

ANILESH_TENNETI
HiCan you please respond to my email?Thanks,AnilFrom: "ANILESH_TENNETI"<[hidden email]>Sent: Wed, 08 Aug 2018 14:49:27To: <[hidden email]>Subject: Phoenix ODBC client on Windows connecting to Kerberos Hadoop Phoenix is throwing error “GSSException: Defective token detected”Hi,Hello MIT team, I'm Anil working for IBM and implemented Kebreros for a customer. Kerberos – AD is implemented on Hadoop environment. Phoenix is enabled to open JDBC / ODBC connection to Hadoop HBase. Hadoop is setup on RHEL 7.2Windows client machines connecting to Hadoop Phoenix using Hortonworks Phoenix ODBC driver (64 bit). As connection should be established to Kerberos Phoenix, the Windows ODBC client machine also must be setup with Kerberos.Windows odbc client machine has been setup with MIT Kerberos as per the documentation link https://community.hortonworks.com/articles/28537/user-authentication-from-windows-workstation-to-hd.h!
 tmlCopied the krb5.conf file to windows machine as krb5.ini. Using MIT Kerberos key tool, get new Kerberos ticket say for user ‘kpiuser’ as shown below;On establishing connection from ODBC client, phoenix connection fails with log message “GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)”.Refer to Error-in-phoenix-log.txtThis implies, the Kerberos ticket format is different or corrupted.The phoenix ODBC client logs shows connection errors.Refer to HortonworksPhoenixODBCDriver_connection_1.log and phoenix_driver.logOn windows client machine, doing kinit for a user does not show the cached ticket when run klist command.Refer to klist-on-windows-odbc-client.txtThanks,Anil 
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: Phoenix ODBC client on Windows connecting to Kerberos Hadoop Phoenix is throwing error “GSSException: Defective token detected”

Ben Gooley
A couple things:

(1)

You are using kfw to kinit but using the Windows "klist" to look at
tickets.  Windows has a native klist command of its own that pulls from its
memory-based credentials cache.
Make sure to use the MIT "klist" from the command line tool or the KFW UI

(2)

The ODBC client uses SPNEGO and the exception is saying "GSSHeader did not
find the right tag".
The error is pretty generic, but usually indicates that there was something
wrong getting a Service Ticket on the client side.

 - Use MIT KFW klist or KFW UI to make sure you obtain the HTTP principal
service ticket for your connection to the server.
 - set KRB5_TRACE environment variable in order to get tracing to determine
if there are any problems obtaining the service ticket
 - Verify your krb5.ini configuration and that KRB5_CONFIG and KRB5CCNAME
are set appropriately for your configuration.

Bottom line is that the situation you see can be caused by a lot of
different things, so making sure you can obtain a service ticket and tat it
appears in your credentials cache is the first step.


On Wed, Sep 5, 2018 at 4:22 AM ANILESH_TENNETI <[hidden email]>
wrote:

> HiCan you please respond to my email?Thanks,AnilFrom: &
> quot;ANILESH_TENNETI&quot;&lt;[hidden email]&gt;Sent: Wed,
> 08 Aug 2018 14:49:27To: &lt;[hidden email]&gt;Subject: Phoenix ODBC
> client on Windows connecting to Kerberos Hadoop Phoenix is throwing error
> &ldquo;GSSException: Defective token detected&rdquo;Hi,Hello MIT
> team,&nbsp;I&#39;m Anil working for IBM and implemented Kebreros for a
> customer.&nbsp;Kerberos &ndash; AD is implemented on Hadoop environment.
> Phoenix is enabled to open JDBC / ODBC connection to Hadoop HBase. Hadoop
> is setup on RHEL 7.2Windows client machines connecting to Hadoop Phoenix
> using Hortonworks Phoenix ODBC driver (64 bit). As connection should be
> established to Kerberos Phoenix, the Windows ODBC client machine also must
> be setup with Kerberos.Windows odbc client machine has been setup with MIT
> Kerberos as per the documentation link
> https://community.hortonworks.com/articles/28537/user-authentication-from-windows-workstation-to-hd.h
> !
>  tmlCopied the krb5.conf file to windows machine as krb5.ini.&nbsp;Using
> MIT Kerberos key tool, get new Kerberos ticket say for user
> &lsquo;kpiuser&rsquo; as shown below;On establishing connection from ODBC
> client, phoenix connection fails with log message &ldquo;GSSException:
> Defective token detected (Mechanism level: GSSHeader did not find the right
> tag)&rdquo;.Refer to Error-in-phoenix-log.txtThis implies, the Kerberos
> ticket format is different or corrupted.The phoenix ODBC client logs shows
> connection errors.Refer to HortonworksPhoenixODBCDriver_connection_1.log
> and phoenix_driver.logOn windows client machine, doing kinit for a user
> does not show the cached ticket when run klist command.Refer to
> klist-on-windows-odbc-client.txtThanks,Anil&nbsp;
> ________________________________________________
> Kerberos mailing list           [hidden email]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>


--
Ben Gooley
*Customer Operations Engineer*


* <http://www.cloudera.com>*
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos