Hi Roman,

Accumulo services (TabletServer, Master, etc.) all use a keytab to automatically obtain a ticket from the KDC when they start up. You do not need to do anything with kinit when starting Accumulo.

One worry is ACCUMULO-4069[1] with all presently released versions (most notably 1.7.0 which you are using). This is a bug in which services did not automatically renew their ticket. We're working on a 1.7.1, but it's not out yet.

As for debugging your issue, take a look at the Kerberos section on debugging in the user manual [2]. Take a very close look at the principal the service is using to obtain the ticket and what the principal is for your keytab. A good sanity check is to make sure you can `kinit` in the shell using the keytab and the correct principal (rule out the keytab being incorrect).

If you still get stuck, collect the output specifying -Dsun.security.krb5.debug=true in accumulo-env.sh (per the instructions) and try enabling log4j DEBUG on org.apache.hadoop.security.UserGroupInformation.

- Josh

[1] https://issues.apache.org/jira/browse/ACCUMULO-4069
[2] http://accumulo.apache.org/1.7/accumulo_user_manual.html#_debugging

[email protected] wrote:
Hi there,

Trying to set up Accumulo 1.7 on a Kerberized cluster. Only interested in
master/tablets to be kerberized (not end-users). Configured everything
as per manual:

1) Created principals

2) Generated glob keytab

3) Modified accumulo-site.xml providing general.kerberos.keytab and
general.kerberos.principal

If I start as accumulo user I get: Caused by: GSSException: No valid
credentials provided (Mechanism level: Failed to find any Kerberos tgt)

However, if I explicitly give a token with kinit and the keytab generated
above in the shell – it works as expected. To my understanding Accumulo
has to obtain tickets automatically? Or is the idea to write a cron job
and apply kinit to every tablet server per day?

Regards,

Roman
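
The sanity check suggested in the reply above (compare the principal the service is configured with against the principals in the keytab, then `kinit` with that keytab), as an added example that is not part of the original thread or of Accumulo itself. The function names, the sample principals and realm, the `_HOST` placeholder handling and the MIT-style `klist -kt` output layout are assumptions.

```shell
#!/bin/sh
# Added example: does the configured principal exist in the configured keytab?

# Print the <value> of property $2 from the accumulo-site.xml style file $1.
site_value() {
  awk -v want="$2" '
    /<name>/  { n = $0; sub(/.*<name>[ \t]*/, "", n); sub(/[ \t]*<\/name>.*/, "", n) }
    /<value>/ { v = $0; sub(/.*<value>[ \t]*/, "", v); sub(/[ \t]*<\/value>.*/, "", v)
                if (n == want) { print v; exit } }' "$1"
}

# Assumption: a _HOST placeholder in the principal stands for this host's FQDN ($2).
expand_host() { printf '%s\n' "$1" | sed "s/_HOST/$2/"; }

# Principal column of `klist -kt <keytab>` output read from stdin.
keytab_principals() { awk '$1 ~ /^[0-9]+$/ { print $NF }' | sort -u; }

# Exit 0 if principal $1 is in the klist output on stdin (exact match).
principal_in_keytab() { keytab_principals | grep -Fxq -- "$1"; }

# Constructed sample of `klist -kt` output, for trying the functions offline.
sample_klist() {
  cat <<'EOF'
Keytab name: FILE:/tmp/example.keytab
KVNO Timestamp           Principal
---- ------------------- ---------------------------------------------
   2 01/05/2016 10:11:12 accumulo/host1.example.com@EXAMPLE.COM
   2 01/05/2016 10:11:12 accumulo/host2.example.com@EXAMPLE.COM
EOF
}

# Live check: $1 = path to accumulo-site.xml, $2 = FQDN (default: hostname -f).
check_site() {
  keytab=$(site_value "$1" general.kerberos.keytab)
  princ=$(expand_host "$(site_value "$1" general.kerberos.principal)" "${2:-$(hostname -f)}")
  echo "configured principal: $princ"
  echo "configured keytab:    $keytab"
  if ! klist -kt "$keytab" | principal_in_keytab "$princ"; then
    echo "MISMATCH: keytab holds:"; klist -kt "$keytab" | keytab_principals
    return 1
  fi
  # Throwaway credential cache so the login does not replace the user's tickets.
  cc=$(mktemp)
  if KRB5CCNAME="FILE:$cc" kinit -kt "$keytab" "$princ"; then rc=0; echo "kinit OK"
  else rc=1; echo "kinit FAILED for $princ"; fi
  rm -f "$cc"; return "$rc"
}

if [ "$#" -ge 1 ]; then check_site "$@"; fi
```

Run it as the same OS user that starts the Accumulo services, passing the path to `accumulo-site.xml`, so that keytab file permissions are tested as well.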
