
Margus Roo –


GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

Posted on May 23, 2019 - May 23, 2019 by margusja

Software: Hortonworks HDF

OS: RHEL 7.x

Set up two Schema Registries. Modified the Schema Registry configuration so that the Kerberos SPNs are similar. By default, Ambari sets up the SPN as SERVICE/FQDN@REALM.

Set up AWS ELB.

When requesting a resource, I got one success response and one Error 403 GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

After shutting down one Schema Registry, it turned out all requests were OK, so the second Schema Registry responded every time with GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

Used kvno for debugging

In first server:

[root@ip-10-113-86-26 ~]# kvno -k /etc/security/keytabs/spnego.service.keytab HTTP/registry.dp.example.net
HTTP/registry.dp.example.net@DP.EXAMPLE.NET: kvno = 3, keytab entry valid

In second server:

[root@ip-10-113-86-4 ~]# kvno -k /etc/security/keytabs/spnego.service.keytab HTTP/registry.dp.example.net
HTTP/registry.dp.example.net@DP.EXAMPLE.NET: kvno = 3, keytab entry invalid

[root@ip-10-113-86-4 ~]# klist -kte /etc/security/keytabs/spnego.service.keytab
Keytab name: FILE:/etc/security/keytabs/spnego.service.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
2 05/22/2019 13:56:14 HTTP/ip-10-113-86-4.eu-central-1.compute.internal@DP.EXAMPLE.NET (aes128-cts-hmac-sha1-96)
2 05/22/2019 13:56:14 HTTP/ip-10-113-86-4.eu-central-1.compute.internal@DP.EXAMPLE.NET (aes256-cts-hmac-sha1-96)
2 05/22/2019 13:56:14 HTTP/ip-10-113-86-4.eu-central-1.compute.internal@DP.EXAMPLE.NET (arcfour-hmac)
2 05/22/2019 13:56:14 HTTP/ip-10-113-86-4.eu-central-1.compute.internal@DP.EXAMPLE.NET (des3-cbc-sha1)
2 05/22/2019 13:56:14 HTTP/ip-10-113-86-4.eu-central-1.compute.internal@DP.EXAMPLE.NET (des-cbc-md5)
2 05/22/2019 14:16:11 HTTP/registry.dp.example.net@DP.EXAMPLE.NET (aes256-cts-hmac-sha1-96)
2 05/22/2019 14:16:11 HTTP/registry.dp.example.net@DP.EXAMPLE.NET (aes128-cts-hmac-sha1-96)

[root@ip-10-113-86-4 ~]# kadmin -s 10.113.86.28 -p admin/admin
Authenticating as principal admin/admin with password.
Password for admin/admin@DP.EXAMPLE.NET:
kadmin: getprinc HTTP/registry.dp.example.net@DP.EXAMPLE.NET
Principal: HTTP/registry.dp.example.net@DP.EXAMPLE.NET
Expiration date: [never]
Last password change: Wed May 22 14:16:48 UTC 2019
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Wed May 22 14:16:48 UTC 2019 (admin/admin@DP.EXAMPLE.NET)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, aes128-cts-hmac-sha1-96
MKey: vno 1
Attributes:
Policy: [none]
kadmin:

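The problem is that running kadmin ktadd increases the principal's KVNO: the KDC now holds vno 3 for HTTP/registry.dp.example.net, while the keytab on the second server still contains KVNO 2 entries for it, so the checksum fails there.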
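The comparison done by eye above can be scripted. This is an added example, not part of the original post: it parses `klist -kte` and `kadmin getprinc` text and flags every key whose keytab KVNO differs from the KDC's. The sample text is constructed from the output shown in the post, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: detect keytab entries whose KVNO no longer matches the KDC.
# Sample text below is constructed from the output shown in the post.
P='HTTP/registry.dp.example.net@DP.EXAMPLE.NET'

# `klist -kte` lines from the second server (abridged).
KLIST_OUT='KVNO Timestamp Principal
2 05/22/2019 13:56:14 HTTP/ip-10-113-86-4.eu-central-1.compute.internal@DP.EXAMPLE.NET (aes256-cts-hmac-sha1-96)
2 05/22/2019 14:16:11 HTTP/registry.dp.example.net@DP.EXAMPLE.NET (aes256-cts-hmac-sha1-96)
2 05/22/2019 14:16:11 HTTP/registry.dp.example.net@DP.EXAMPLE.NET (aes128-cts-hmac-sha1-96)'

# Key lines from `kadmin getprinc` for the same principal.
GETPRINC_OUT='Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, aes128-cts-hmac-sha1-96
MKey: vno 1'

# Print "kvno enctype" for each keytab entry of principal $1 (klist text on stdin).
keytab_keys() {
  awk -v p="$1" '$4 == p { gsub(/[()]/, "", $5); print $1, $5 }'
}

# Print "kvno enctype" for each key the KDC holds (getprinc text on stdin).
kdc_keys() {
  awk '$1 == "Key:" && $2 == "vno" { sub(/,$/, "", $3); print $3, $4 }'
}

# check_keytab PRINCIPAL KLIST_TEXT GETPRINC_TEXT
# Returns 0 only if every KDC key has a keytab entry with the same kvno and enctype.
check_keytab() {
  kt=$(printf '%s\n' "$2" | keytab_keys "$1")
  rc=0
  while read -r vno etype; do
    [ -n "$vno" ] || continue
    if printf '%s\n' "$kt" | grep -qxF "$vno $etype"; then
      echo "OK    $etype kvno=$vno"
    else
      have=$(printf '%s\n' "$kt" | awk -v e="$etype" '$2 == e { print $1 }' | sort -n | tail -n 1)
      echo "STALE $etype kdc=$vno keytab=${have:-none}"
      rc=1
    fi
  done <<EOF
$(printf '%s\n' "$3" | kdc_keys)
EOF
  return "$rc"
}

check_keytab "$P" "$KLIST_OUT" "$GETPRINC_OUT" || echo "stale keytab: distribute the current keytab to this host"
```

On a live host, feed the functions the real output of `klist -kte <keytab>` and `kadmin -q "getprinc <principal>"` instead of the embedded samples.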
