Applies to: Centrify DirectControl 5.3.1-398 and below on all supported platforms.
Problem: When using Centrify DirectControl for Kerberos infinite renewal a GSSException is thrown when starting a Hadoop application even though the AD user has a valid TGT.
GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)
As mentioned in the thread, the problem is due to the name-type field not being set in the PA-TGS-REQ, which is a required field for read only domain controller (RODC), without this feild KRB5KRB_AP_ERR_BAD_INTEGRITY will be returned.
After renewing the ticket using "kinit -R", it can be observed in a network trace, KRB5KRB_AP_ERR_BAD_INTEGRITY error is returned when requesting the service ticket.
#14734, TGS-REQ, krbtgt/centrify.com -> krbtgt/centrify.com
#14736, TGS-REP, error-code: eRR-BAD-INTEGRITY (31)
This is fixed with Centrify DirectControl 5.3.1-411 and above.
“Centrify Corporation does not take any responsibility for the content or availability of this link and it was provided as a courtesy. Customers should contact the vendor if there are any further questions”.