Enabling Kerberos: Unable to obtain password from user

asked 2018-10-16 05:47:08 -0500

Hassan

updated 2018-10-16 05:56:11 -0500


I'm trying to enable Kerberos for my rpm-installation. I followed the instructions in the [documentation] but without success. What I did so far:

  • Created sdc user
  • Created principal (sdc@MYCOMPANY.REALM) and headless keytab for StreamSets
  • Changed permission to sdc for the generated keytab file
  • Stopped sdc with systemctl and configured the Kerberos properties under $SDC_CONF/
  • My Kerberos properties under $SDC_CONF/ are:
      .) kerberos.client.enabled=true
      .) kerberos.client.principal=sdc@MYCOM...
      .) kerberos.client.keytab=/etc/security/keytabs/sdc.keytab

With the created sdc user I'm able to get a valid ticket from Kerberos, but when I want to start sdc I get the following exception (part of the log from journalctl):

java.lang.RuntimeException: Could not get Kerberos credentials:
Caused by: Unable to obtain password from user
    at
    at
    at
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(
    at java.lang.reflect.Method.invoke(

I don't understand the issue because I'm able to retrieve a valid ticket from my host and with the sdc user klist

I'm also pretty sure that I'm using the correct principal. Any ideas?


Please enable Kerberos debug logging at the JVM level via JVM property. <-- info here

jeff ( 2018-10-16 10:24:41 -0500 )

1 Answer

answered 2018-10-17 03:44:40 -0500

Hassan

updated 2020-01-07 11:34:18 -0500

metadaddy

Thanks everyone for responding! I could solve the problem. The problem was the headless keytab file. The steps that I did to solve my problem:

  • Created two principals on my Kerberos host in this scheme:
      1. Headless principal (sdc@MYCOMPANY.REALM)
      2. Service principal (sdc/HOSTNAME.FQDN@MYCOMPANY.REALM)
  • Created keytab file just for the service principal and changed permission to sdc user with chown
  • Deployed keytab to StreamSets Host under /etc/security/keytabs/
  • Stopped sdc with systemctl and configured the Kerberos properties under $SDC_CONF/
      1. kerberos.client.enabled=true
      2. kerberos.client.principal=sdc/HOSTNAME.FQDN@MYCOMPANY.REALM
      3. kerberos.client.keytab=/etc/security/keytabs/myService.keytab
  • Started sdc with systemctl again and it worked as expected

Inside $SDC_CONF/ it is declared that the principal should be a service principal! Since my old keytab file was headless and the given principal name in was without FQDN, sdc replaced the principal name with the FQDN. Therefore the declared principal name was different to my old keytab file and it didn't work.

Thanks everyone.


Awesome !! Thanks for posting the solution that worked for you.

kirti ( 2018-10-17 10:01:34 -0500 )
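
A pre-start check for the mismatch described in the answer, as an added example that is not part of the original posts and not StreamSets code: it compares the principal sdc would log in as against the entries of `klist -kt` output. The expansion rule in `effective_principal` is an assumption taken from the answer's description; the function names and the sample keytab listings are constructed.

```shell
#!/bin/sh
# Added example: is the principal sdc logs in as actually present in the keytab?

# Principal sdc ends up using. $1 = kerberos.client.principal, $2 = host FQDN.
# ASSUMPTION (from the answer): a principal without a host part gets the FQDN added.
effective_principal() {
  case "$1" in
    */*) printf '%s\n' "$1" ;;                                # already a service principal
    *@*) printf '%s/%s@%s\n' "${1%%@*}" "$2" "${1#*@}" ;;     # headless, with realm
    *)   printf '%s/%s\n' "$1" "$2" ;;                        # headless, no realm
  esac
}

# Principals in `klist -kt <keytab>` output read from stdin:
# skip the three header lines and take the last column of each entry.
keytab_principals() {
  awk 'NR > 3 && NF >= 2 { print $NF }' | sort -u
}

# Exit status 0 if principal $1 is listed in the `klist -kt` output on stdin.
keytab_has() {
  keytab_principals | grep -Fxq -- "$1"
}

# Constructed sample listings (not captured from a real host).
HEADLESS_KT='Keytab name: FILE:/etc/security/keytabs/sdc.keytab
KVNO Timestamp           Principal
---- ------------------- ---------------------------------------------
   1 10/16/2018 05:30:00 sdc@MYCOMPANY.REALM'
SERVICE_KT='Keytab name: FILE:/etc/security/keytabs/myService.keytab
KVNO Timestamp           Principal
---- ------------------- ---------------------------------------------
   1 10/17/2018 03:30:00 sdc/HOSTNAME.FQDN@MYCOMPANY.REALM'

# $1 = configured principal, $2 = FQDN, $3 = klist -kt output
report() {
  p=$(effective_principal "$1" "$2")
  if printf '%s\n' "$3" | keytab_has "$p"; then echo "OK $p"
  else echo "MISSING $p"
  fi
}

report 'sdc@MYCOMPANY.REALM' 'HOSTNAME.FQDN' "$HEADLESS_KT"               # -> MISSING sdc/HOSTNAME.FQDN@MYCOMPANY.REALM
report 'sdc/HOSTNAME.FQDN@MYCOMPANY.REALM' 'HOSTNAME.FQDN' "$SERVICE_KT"  # -> OK sdc/HOSTNAME.FQDN@MYCOMPANY.REALM

# On a real host, run as the sdc user:
#   klist -kt /etc/security/keytabs/myService.keytab | keytab_has "$(effective_principal "$principal" "$(hostname -f)")"
```

A successful interactive `kinit` as the sdc user, as in the question, does not exercise the keytab at all, which is why the listing is checked directly here.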



Asked: 2018-10-16 05:47:08 -0500

Seen: 15,270 times

Last updated: Jan 07 '20