Forum Stats

  • 3,767,816 Users
  • 2,252,720 Discussions
  • 7,874,335 Comments

Discussions

Hadoop authentication using kerberos

1941478
1941478 Member Posts: 4
edited Oct 13, 2016 2:48PM in Kerberos & Java GSS (JGSS)

I'm very new at kerberos, so the question may not be expressed in the best way...

I have a Solaris 10 system that connects with a Hadoop cluster.

The Solaris system is a non-global zone on a global system that is hosting a number of other zones,  so backing out the patch would be difficult because I would need to get down time on all of the zones running there.

Authentication for Hadoop was set up using Kerberos. 

When we applied the latest Solaris 10 patch bundle (Sept 2016),  our authentication using a keytab file quit working.

Authentication for a user still seems to work.

The only patch I see that mentions Kerberos is:  147793.   This patch bundle went from the -17 to the -20.

When doing a kinit -k -t xform.keytab   I get the following...

kinit(v5): Key table entry not found while getting initial credentials

Results from a klist -ket xform.keytab

klist -ket xform.keytab

Keytab name: FILE: /xform.keytab

KVNO Timestamp              Principal

---- ---------------- ----------------------------------------------------------

   0 27/09/2016 11:43 [email protected] (AES-128 CTS mode with 96-bit SHA-1 HMAC)

   0 27/09/2016 11:43 [email protected] (ArcFour with HMAC/md5)

The krb5.conf file is fairly large, so I did not post it here.

The kinit worked before we applied the Sept 2016 Recommended patch bundle.  It is an assumption on my part that the 147793 patch is the one that impacted this.

Does anyone have any hints as to how to go about troubleshooting this, or what needs to be done to fix it?

This is in our development environment, and I need to get this resolved before we patch production next week.

Answers

  • 1941478
    1941478 Member Posts: 4
    edited Oct 13, 2016 6:55AM

    UPDATE:  Last night I removed the Kerberos patch:  147793-20 from the system, but that did NOT resolve the issue.

  • 1941478
    1941478 Member Posts: 4
    edited Oct 13, 2016 8:08AM

    Here is a list of all of the patches that were applied to that system and what “product” they changed…

    Applying 121118-21 ( 29 of 407) ... success -   Patching software

    Applying 119757-37 ( 71 of 407) ... success -   Samba

    Applying 151912-06 ( 92 of 407) ... success -   OpenSSL

    Applying 119900-18 ( 96 of 407) ... success -   GNOME

    Applying 123893-79 (154 of 407) ... success -   Cacao Common Agent Container

    Applying 125215-07 (165 of 407) ... success -   wget

    Applying 126546-10 (180 of 407) ... success -   bash

    Applying 126868-05 (181 of 407) ... success -   bzip2 patch

    Applying 136882-04 (188 of 407) ... success -   ImageMagick

    Applying 147793-20 (300 of 407) ... success -   Kerberos  - backed out

    Applying 148104-23 (310 of 407) ... success -   ssh/sshd

    Applying 148561-11 (324 of 407) ... success -   Perl

    Applying 150435-04 (332 of 407) ... success -   placeholder patch to require patch behavior patch

    Applying 150400-40 (344 of 407) ... success -   Kernel Patch

    Applying 149173-07 (346 of 407) ... success -   emlxs driver patch

    Applying 149175-10 (347 of 407) ... success -   qlc

    Applying 149496-02 (352 of 407) ... success -   pppd

    Applying 149638-05 (353 of 407) ... success -   USB

    Applying 150311-09 (367 of 407) ... success -   md

    Applying 150383-15 (369 of 407) ... success -   wanboot

    Applying 151914-07 (392 of 407) ... success -   OpenSSL

    Applying 150121-01 (401 of 407) ... success -   audit_event

      Applying 152506-01 (407 of 407) ... success   -   elfexec

  • 1941478
    1941478 Member Posts: 4
    edited Oct 13, 2016 2:48PM

    I went through the patch bundle logs and found all of the patches that got applied when I installed the patchset.

    Then, I took a system we just retired (so not yet patched to this patchset) and started applying the patches one at a time, and testing kerberos after each patch was applied.  After applying the Kerberos patch (147793-20)  everything still worked, so I continued on.

    When a patch said the system needed a reboot after applying the patch,  I would bring the system to single user mode, apply the patch and reboot.  Then test Kerberos again.   When I got to the Kernel patch (150400-40), after I applied the patch and rebooted the system, Kerberos FAILED.

    Here are the patches that I applied (in the order based on the patch_order file).

    Applying 121118-21 ( 29 of 407) ... success -   Patching software - OK

    Applying 119757-37 ( 71 of 407) ... success -   Samba - OK

    Applying 151912-06 ( 92 of 407) ... success -   OpenSSL - OK

    Applying 119900-18 ( 96 of 407) ... success -   GNOME - OK

    Applying 123893-79 (154 of 407) ... success -   Cacao Common Agent Container -OK

    Applying 125215-07 (165 of 407) ... success -   wget -OK

    Applying 126546-10 (180 of 407) ... success -   bash - OK

    Applying 126868-05 (181 of 407) ... success -   bzip2 patch - OK

    Applying 136882-04 (188 of 407) ... success -   ImageMagick - OK

    Applying 147793-20 (300 of 407) ... success -   Kerberos  -  OK

    Applying 148104-23 (310 of 407) ... success -   ssh/sshd  -  OK

    Applying 148561-11 (324 of 407) ... success -   Perl - OK

    Applying 150435-04 (332 of 407) ... success -   placeholder patch to require patch behavior patch - OK

    Applying 150400-40 (344 of 407) ... success -   Kernel Patch - Failed

    -------- Patches below this line were not applied to my test system because I have not say of testing any farther  -------------------

    Applying 149173-07 (346 of 407) ... success -   emlxs driver patch

    Applying 149175-10 (347 of 407) ... success -   qlc

    Applying 149496-02 (352 of 407) ... success -   pppd

    Applying 149638-05 (353 of 407) ... success -   USB

    Applying 150311-09 (367 of 407) ... success -   md

    Applying 150383-15 (369 of 407) ... success -   wanboot

    Applying 151914-07 (392 of 407) ... success -   OpenSSL

    Applying 150121-01 (401 of 407) ... success   - audit_event

    Applying 152506-01 (407 of 407) ... success -   elfexec

This discussion has been closed.