[ https://issues.apache.org/jira/browse/SOLR-7297?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Erick Erickson resolved SOLR-7297. ---------------------------------- Resolution: Invalid CDH is a Cloudera product, please raise this issue with Cloudera support rather than raise a Solr JIRA. > GSSException in SolrCloud / Kerberos > ------------------------------------ > > Key: SOLR-7297 > URL: https://issues.apache.org/jira/browse/SOLR-7297 > Project: Solr > Issue Type: Bug > Components: SolrCloud > Environment: CDH 5.3.2 + Kerberos > Reporter: Andrejs Dubovskis > > Some problem with Kerberos authentications in SolrCloud in CDH 5.3.2. > The problem was appearing after upgrade from CDH 5.3.1 > Error easy to reproduce by curl (DO NOT ADD DOMAIN to solr host name) > {code} > kinit username > curl --negotiate -u : http://solrhostnameonly:8983/solr/collection/select?q=x > {code} > We have 2 Solr instances and the same error happens even when one instance > communicates with another. > Possible, the error is in a way, how Solr saves names of live nodes in > zookeeper (it saves only host names with no domain). > After upgrade short names (with no domain) are used with Kerberos > authentication and no according entry can be found in Kerberos DC. > Solr server logs are full with following errors > {code} > 2015-03-23 05:50:19,885 WARN > org.apache.hadoop.security.authentication.server.AuthenticationFilter: > Authentication exception: GSSException: Failure unspecified > at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key > of appropriate type to decrypt AP REP - RC4 with HMAC) > org.apache.hadoop.security.authentication.client.AuthenticationException: > GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid > argument > (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC) > at > org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:399) > at > org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler.authenticate(DelegationTokenAuthenticationHandler.java:348) > at > org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:520) > at > org.apache.solr.servlet.SolrHadoopAuthenticationFilter.doFilter(SolrHadoopAuthenticationFilter.java:277) > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) > at > org.apache.solr.servlet.HostnameFilter.doFilter(HostnameFilter.java:86) > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) > at > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) > at > org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) > at > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) > at > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) > at > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) > at > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293) > at > org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861) > at > org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:606) > at > org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) > at java.lang.Thread.run(Thread.java:745) > Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism > level: Invalid argument (400) - Cannot find key of appropriate type to > decrypt AP REP - > RC4 with HMAC) > at > sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856) > at > sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342) > at > sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285) > at > sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:899) > at > sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:550) > at > sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342) > at > sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285) > at > org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:366) > at > org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:348) > at java.security.AccessController.doPrivileged(Native Method) > at javax.security.auth.Subject.doAs(Subject.java:422) > at > org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:348) > ... 18 more > Caused by: KrbException: Invalid argument (400) - Cannot find key of > appropriate type to decrypt AP REP - RC4 with HMAC > at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:288) > at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:159) > at > sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108) > at > sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829) > ... 29 more > {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org