GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

Software: Hortonworks HDF

OS: RHEL 7.x

Set up two Schema Registries. Modified schema registries configuration in a way that Kerberos SPN are similar. Defaul Ambari set up SPN as SERVICE/FQDN@REALM.

Set up AWS ELB.

When requesting a resource I got on success response and one Error 403 GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

After shut down one schema registry turned out all request were ok, so second schema registry responded every time GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

Used kvno for debugging

In first server:

[root@ip-10-113-86-26 ~]# kvno -k /etc/security/keytabs/spnego.service.keytab HTTP/registry.dp.example.net
HTTP/registry.dp.example.net@DP.EXAMPLE.NET: kvno = 3, keytab entry valid

In second server:

[root@ip-10-113-86-4 ~]# kvno -k /etc/security/keytabs/spnego.service.keytab HTTP/registry.dp.example.net
HTTP/registry.dp.example.net@DP.EXAMPLE.NET: kvno = 3, keytab entry invalid

[root@ip-10-113-86-4 ~]# klist -kte /etc/security/keytabs/spnego.service.keytab
Keytab name: FILE:/etc/security/keytabs/spnego.service.keytab
KVNO Timestamp Principal
—- ——————- ——————————————————
2 05/22/2019 13:56:14 HTTP/ip-10-113-86-4.eu-central-1.compute.internal@DP.EXAMPLE.NET (aes128-cts-hmac-sha1-96)
2 05/22/2019 13:56:14 HTTP/ip-10-113-86-4.eu-central-1.compute.internal@DP.EXAMPLE.NET (aes256-cts-hmac-sha1-96)
2 05/22/2019 13:56:14 HTTP/ip-10-113-86-4.eu-central-1.compute.internal@DP.EXAMPLE.NET (arcfour-hmac)
2 05/22/2019 13:56:14 HTTP/ip-10-113-86-4.eu-central-1.compute.internal@DP.EXAMPLE.NET (des3-cbc-sha1)
2 05/22/2019 13:56:14 HTTP/ip-10-113-86-4.eu-central-1.compute.internal@DP.EXAMPLE.NET (des-cbc-md5)
2 05/22/2019 14:16:11 HTTP/registry.dp.example.net@DP.EXAMPLE.NET (aes256-cts-hmac-sha1-96)
2 05/22/2019 14:16:11 HTTP/registry.dp.example.net@DP.EXAMPLE.NET (aes128-cts-hmac-sha1-96)

[root@ip-10-113-86-4 ~]# kadmin -s 10.113.86.28 -p admin/admin
Authenticating as principal admin/admin with password.
Password for admin/admin@DP.EXAMPLE.NET:
kadmin: getprinc HTTP/registry.dp.example.net@DP.EXAMPLE.NET
Principal: HTTP/registry.dp.example.net@DP.EXAMPLE.NET
Expiration date: [never]
Last password change: Wed May 22 14:16:48 UTC 2019
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Wed May 22 14:16:48 UTC 2019 (admin/admin@DP.EXAMPLE.NET)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, aes128-cts-hmac-sha1-96
MKey: vno 1
Attributes:
Policy: [none]
kadmin:

The problem is that in case you use kadmin ktadd it will increase printcipal KVO