Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-8303: Kerberos throws GSSException when starting Hadoop application

Authentication Service ,  

7 March,17 at 05:51 PM

Applies to: Centrify DirectControl 5.3.1-398 and below on all supported platforms.

Problem: When using Centrify DirectControl for Kerberos infinite renewal a GSSException is thrown when starting a Hadoop application even though the AD user has a valid TGT.

Error: 
GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)

Cause: 

Reference link:

https://social.technet.microsoft.com/Forums/office/en-US/9e133251-f347-43b0-b432-8d0e722d47e3/linuxrodc-kerberos-authentication-fails?forum=winserverDS)

As mentioned in the thread, the problem is due to the name-type field not being set in the PA-TGS-REQ, which is a required field for read only domain controller (RODC), without this feild KRB5KRB_AP_ERR_BAD_INTEGRITY will be returned.

After renewing the ticket using "kinit -R", it can be observed in a network trace, KRB5KRB_AP_ERR_BAD_INTEGRITY error is returned when requesting the service ticket.
=========
#14734, TGS-REQ, krbtgt/centrify.com -> krbtgt/centrify.com
#14736, TGS-REP, error-code: eRR-BAD-INTEGRITY (31)
========

Resolution:
This is fixed with Centrify DirectControl 5.3.1-411 and above.

Centrify Corporation does not take any responsibility for the content or availability of this link and it was provided as a courtesy.  Customers should contact the vendor if there are any further questions”.

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-6050: How to configure a group for automatic Kerberos Credentials for infinite renewal? articleKB-6044: How to configure users for automatic Kerberos Credentials for infinite renewal even after users have logged out? articleCentrify's Privileged Identity Management Solution for Big Data articleIdentity and Access Management for Hortonworks Data Platform articleIdentity and Access Management for MapR Distribution for Hadoop articleKB-5163: "GSSHeader did not find the right tag" error when connecting via Kerberos SSO using Cloudera articleKB-4699: How does Centrify manage Kerberos in Unix/Linux environment? article[HOWTO] Use Centrify in Mixed Kerberos Environments articleKB-6351: How to Configure adclient To Create A Kerberos Ticket Using Lower Case Letters For the Default Principal In Hierarchical and Classic Zones?