Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-8303: Kerberos throws GSSException when starting Hadoop application

Authentication Service ,  

7 March,17 at 05:51 PM

Applies to: Centrify DirectControl 5.3.1-398 and below on all supported platforms.

Problem: When using Centrify DirectControl for Kerberos infinite renewal a GSSException is thrown when starting a Hadoop application even though the AD user has a valid TGT.

Error: 
GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)

Cause: 

Reference link:

https://social.technet.microsoft.com/Forums/office/en-US/9e133251-f347-43b0-b432-8d0e722d47e3/linuxrodc-kerberos-authentication-fails?forum=winserverDS)

As mentioned in the thread, the problem is due to the name-type field not being set in the PA-TGS-REQ, which is a required field for read only domain controller (RODC), without this feild KRB5KRB_AP_ERR_BAD_INTEGRITY will be returned.

After renewing the ticket using "kinit -R", it can be observed in a network trace, KRB5KRB_AP_ERR_BAD_INTEGRITY error is returned when requesting the service ticket.
=========
#14734, TGS-REQ, krbtgt/centrify.com -> krbtgt/centrify.com
#14736, TGS-REP, error-code: eRR-BAD-INTEGRITY (31)
========

Resolution:
This is fixed with Centrify DirectControl 5.3.1-411 and above.

Centrify Corporation does not take any responsibility for the content or availability of this link and it was provided as a courtesy.  Customers should contact the vendor if there are any further questions”.

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-6044: How to configure users for automatic Kerberos Credentials for infinite renewal even after users have logged out? articleKB-6050: How to configure a group for automatic Kerberos Credentials for infinite renewal? articleCentrify's Privileged Identity Management Solution for Big Data articleIdentity and Access Management for Hortonworks Data Platform articleKB-5163: "GSSHeader did not find the right tag" error when connecting via Kerberos SSO using Cloudera articleKB-4699: How does Centrify manage Kerberos in Unix/Linux environment? articleIdentity and Access Management for MapR Distribution for Hadoop article[HOWTO] Use Centrify in Mixed Kerberos Environments articleKB-6351: How to Configure adclient To Create A Kerberos Ticket Using Lower Case Letters For the Default Principal In Hierarchical and Classic Zones?