
Enabling Kerberos: javax.security.auth.login.LoginException: Unable to obtain password from user

asked 2018-10-16 05:47:08 -0600

Hassan

updated 2018-10-16 05:56:11 -0600

Hello,

I'm trying to enable Kerberos for my rpm-installation. I followed the instructions in the [documentation] but without success. What I did so far:

  • Created sdc user
  • Created principal (sdc@MYCOMPANY.REALM) and headless keytab for StreamSets
  • Changed permission to sdc for the generated keytab file
  • Stopped sdc with systemctl and configured the Kerberos properties under $SDC_CONF/sdc.properties
  • My Kerberos properties under $SDC_CONF/sdc.properties are:
      kerberos.client.enabled=true
      kerberos.client.principal=sdc@MYCOM...
      kerberos.client.keytab=/etc/security/keytabs/sdc.keytab

With the created sdc user I'm able to get a valid ticket from Kerberos, but when I want to start sdc I get the following exception (part of the log from journalctl):

java.lang.RuntimeException: Could not get Kerberos credentials: javax.security.auth.login.LoginEx
Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user
    at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:897)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:760)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)

I don't understand the issue because I'm able to retrieve a valid ticket from my host and with the sdc user (klist).

I'm also pretty sure that I'm using the correct principal.

Any ideas? (https://streamsets.com/documentation/...)


Comments

Please enable Kerberos debug logging at the JVM level via JVM property. https://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/Troubleshooting.html <-- info here

jeff ( 2018-10-16 10:24:41 -0600 )

2 Answers

1

answered 2018-10-17 03:44:40 -0600

Hassan

updated 2018-10-17 03:47:22 -0600

Thanks everyone for responding! I could solve the problem. The problem was the headless keytab file. The steps that I did to solve my problem:

  • Created two principals on my Kerberos host in this scheme:

1) Headless principal (sdc@MYCOMPANY.REALM)

2) Service principal (sdc/HOSTNAME.FQDN@MYCOMPANY.REALM)

  • Created keytab file just for the service principal and changed permission to sdc user with chown
  • Deployed keytab to StreamSets Host under /etc/security/keytabs/
  • Stopped sdc with systemctl and configured the Kerberos properties under $SDC_CONF/sdc.properties:

1) kerberos.client.enabled=true

2) kerberos.client.principal=sdc/HOSTNAM...

3) kerberos.client.keytab=/etc/security/keytabs/myService.keytab

  • Started sdc with systemctl again and it worked as expected

Inside $SDC_CONF/sdc.properties it is declared that the principal should be a service principal! Since my old keytab file was headless and the given principal name in sdc.properties was without FQDN, sdc replaced the principal name with the FQDN. Therefore the declared principal name was different to my old keytab file and it didn't work.

Thanks everyone.


Comments

Awesome !! Thanks for posting the solution that worked for you.

kirti ( 2018-10-17 10:01:34 -0600 )
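The mismatch described in the answer above can be checked before starting the service by comparing kerberos.client.principal with the principals actually stored in the keytab. The following is an added example, not code from the original posts or from StreamSets: it reads the keytab directly instead of calling klist, assumes the MIT keytab file format version 0x0502, and uses a constructed realm, host name and dummy keys.

```python
import struct

def keytab_principals(data: bytes) -> set:
    """Principals stored in an MIT keytab file (format version 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    found, pos = set(), 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted entry
            pos -= size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        off, parts = 2, []
        for _ in range(ncomp + 1):         # realm first, then name components
            (n,) = struct.unpack_from(">H", entry, off)
            parts.append(entry[off + 2:off + 2 + n].decode())
            off += 2 + n
        found.add("/".join(parts[1:]) + "@" + parts[0])
    return found

def configured_principal(properties_text: str):
    """Value of kerberos.client.principal in sdc.properties-style text."""
    for line in properties_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "kerberos.client.principal":
            return value.strip()
    return None

def principal_in_keytab(properties_text: str, keytab: bytes) -> bool:
    return configured_principal(properties_text) in keytab_principals(keytab)

def make_entry(principal: str) -> bytes:
    """Build one constructed keytab entry with a dummy all-zero AES128 key."""
    name, realm = principal.split("@")
    comps = [c.encode() for c in name.split("/")]
    cs = lambda b: struct.pack(">H", len(b)) + b     # counted octet string
    body = struct.pack(">H", len(comps)) + cs(realm.encode()) + b"".join(map(cs, comps))
    body += struct.pack(">IIBH", 1, 0, 1, 17) + cs(bytes(16))  # type, time, kvno, enctype
    return struct.pack(">i", len(body)) + body

# Constructed sample data: realm and host name are placeholders.
PROPS = "kerberos.client.enabled=true\nkerberos.client.principal=sdc/host1.example.com@EXAMPLE.COM\n"
HEADLESS = b"\x05\x02" + make_entry("sdc@EXAMPLE.COM")
SERVICE = b"\x05\x02" + make_entry("sdc/host1.example.com@EXAMPLE.COM")

if __name__ == "__main__":
    for label, kt in (("headless", HEADLESS), ("service", SERVICE)):
        print(label, sorted(keytab_principals(kt)), principal_in_keytab(PROPS, kt))
```

On a real host, pass the contents of the keytab file and of sdc.properties to principal_in_keytab; a False result means the configured principal has no key in that keytab.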
0

answered 2018-10-16 13:36:40 -0600

kirti

1) Also, can you please double check if you did the following step: Copy the Kerberos configuration file, krb5.conf, to the Data Collector machine. The default location is /etc/krb5.conf.

2) Is my assumption right that in sdc.keytab, you specified the same principal as the one appearing in that keytab file? E.g. looking at the keytab file example, in sdc.properties, you have a principal like sdc@HADOOP.....
