Discussions
Categories
- 197K All Categories
- 2.5K Data
- 546 Big Data Appliance
- 1.9K Data Science
- 450.8K Databases
- 221.9K General Database Discussions
- 3.8K Java and JavaScript in the Database
- 31 Multilingual Engine
- 552 MySQL Community Space
- 479 NoSQL Database
- 7.9K Oracle Database Express Edition (XE)
- 3.1K ORDS, SODA & JSON in the Database
- 556 SQLcl
- 4K SQL Developer Data Modeler
- 187.2K SQL & PL/SQL
- 21.4K SQL Developer
- 296.3K Development
- 17 Developer Projects
- 139 Programming Languages
- 293K Development Tools
- 110 DevOps
- 3.1K QA/Testing
- 646.1K Java
- 28 Java Learning Subscription
- 37K Database Connectivity
- 158 Java Community Process
- 105 Java 25
- 22.1K Java APIs
- 138.2K Java Development Tools
- 165.3K Java EE (Java Enterprise Edition)
- 19 Java Essentials
- 162 Java 8 Questions
- 86K Java Programming
- 81 Java Puzzle Ball
- 65.1K New To Java
- 1.7K Training / Learning / Certification
- 13.8K Java HotSpot Virtual Machine
- 94.3K Java SE
- 13.8K Java Security
- 205 Java User Groups
- 24 JavaScript - Nashorn
- Programs
- 468 LiveLabs
- 39 Workshops
- 10.2K Software
- 6.7K Berkeley DB Family
- 3.5K JHeadstart
- 5.7K Other Languages
- 2.3K Chinese
- 175 Deutsche Oracle Community
- 1.1K Español
- 1.9K Japanese
- 233 Portuguese
Hadoop authentication using kerberos
I'm very new at kerberos, so the question may not be expressed in the best way...
I have a Solaris 10 system that connects with a Hadoop cluster.
The Solaris system is a non-global zone on a global system that is hosting a number of other zones, so backing out the patch would be difficult because I would need to get down time on all of the zones running there.
Authentication for Hadoop was set up using Kerberos.
When we applied the latest Solaris 10 patch bundle (Sept 2016), our authentication using a keytab file quit working.
Authentication for a user still seems to work.
The only patch I see that mentions Kerberos is: 147793. This patch bundle went from the -17 to the -20.
When doing a kinit -k -t xform.keytab I get the following...
kinit(v5): Key table entry not found while getting initial credentials
Results from a klist -ket xform.keytab
klist -ket xform.keytab
Keytab name: FILE: /xform.keytab
KVNO Timestamp Principal
---- ---------------- ----------------------------------------------------------
0 27/09/2016 11:43 [email protected] (AES-128 CTS mode with 96-bit SHA-1 HMAC)
0 27/09/2016 11:43 [email protected] (ArcFour with HMAC/md5)
The krb5.conf file is fairly large, so I did not post it here.
The kinit worked before we applied the Sept 2016 Recommended patch bundle. It is an assumption on my part that the 147793 patch is the one that impacted this.
Does anyone have any hints as to how to go about troubleshooting this, or what needs to be done to fix it?
This is in our development environment, and I need to get this resolved before we patch production next week.
Answers
-
UPDATE: Last night I removed the Kerberos patch: 147793-20 from the system, but that did NOT resolve the issue.
-
Here is a list of all of the patches that were applied to that system and what “product” they changed…
Applying 121118-21 ( 29 of 407) ... success - Patching software
Applying 119757-37 ( 71 of 407) ... success - Samba
Applying 151912-06 ( 92 of 407) ... success - OpenSSL
Applying 119900-18 ( 96 of 407) ... success - GNOME
Applying 123893-79 (154 of 407) ... success - Cacao Common Agent Container
Applying 125215-07 (165 of 407) ... success - wget
Applying 126546-10 (180 of 407) ... success - bash
Applying 126868-05 (181 of 407) ... success - bzip2 patch
Applying 136882-04 (188 of 407) ... success - ImageMagick
Applying 147793-20 (300 of 407) ... success - Kerberos - backed out
Applying 148104-23 (310 of 407) ... success - ssh/sshd
Applying 148561-11 (324 of 407) ... success - Perl
Applying 150435-04 (332 of 407) ... success - placeholder patch to require patch behavior patch
Applying 150400-40 (344 of 407) ... success - Kernel Patch
Applying 149173-07 (346 of 407) ... success - emlxs driver patch
Applying 149175-10 (347 of 407) ... success - qlc
Applying 149496-02 (352 of 407) ... success - pppd
Applying 149638-05 (353 of 407) ... success - USB
Applying 150311-09 (367 of 407) ... success - md
Applying 150383-15 (369 of 407) ... success - wanboot
Applying 151914-07 (392 of 407) ... success - OpenSSL
Applying 150121-01 (401 of 407) ... success - audit_event
Applying 152506-01 (407 of 407) ... success - elfexec
-
I went through the patch bundle logs and found all of the patches that got applied when I installed the patchset.
Then, I took a system we just retired (so not yet patched to this patchset) and started applying the patches one at a time, and testing kerberos after each patch was applied. After applying the Kerberos patch (147793-20) everything still worked, so I continued on.
When a patch said the system needed a reboot after applying the patch, I would bring the system to single user mode, apply the patch and reboot. Then test Kerberos again. When I got to the Kernel patch (150400-40), after I applied the patch and rebooted the system, Kerberos FAILED.
Here are the patches that I applied (in the order based on the patch_order file).
Applying 121118-21 ( 29 of 407) ... success - Patching software - OK
Applying 119757-37 ( 71 of 407) ... success - Samba - OK
Applying 151912-06 ( 92 of 407) ... success - OpenSSL - OK
Applying 119900-18 ( 96 of 407) ... success - GNOME - OK
Applying 123893-79 (154 of 407) ... success - Cacao Common Agent Container -OK
Applying 125215-07 (165 of 407) ... success - wget -OK
Applying 126546-10 (180 of 407) ... success - bash - OK
Applying 126868-05 (181 of 407) ... success - bzip2 patch - OK
Applying 136882-04 (188 of 407) ... success - ImageMagick - OK
Applying 147793-20 (300 of 407) ... success - Kerberos - OK
Applying 148104-23 (310 of 407) ... success - ssh/sshd - OK
Applying 148561-11 (324 of 407) ... success - Perl - OK
Applying 150435-04 (332 of 407) ... success - placeholder patch to require patch behavior patch - OK
Applying 150400-40 (344 of 407) ... success - Kernel Patch - Failed
-------- Patches below this line were not applied to my test system because I have not say of testing any farther -------------------
Applying 149173-07 (346 of 407) ... success - emlxs driver patch
Applying 149175-10 (347 of 407) ... success - qlc
Applying 149496-02 (352 of 407) ... success - pppd
Applying 149638-05 (353 of 407) ... success - USB
Applying 150311-09 (367 of 407) ... success - md
Applying 150383-15 (369 of 407) ... success - wanboot
Applying 151914-07 (392 of 407) ... success - OpenSSL
Applying 150121-01 (401 of 407) ... success - audit_event
Applying 152506-01 (407 of 407) ... success - elfexec