A Job with HDFS source or target fails with a 'GSS initiate failed' error, even though the Kerberos ticket is generated on the JobServer

Problem Description

A Job with HDFS source and target is created. Hadoop is configured with Kerberos authentication, and the JobServer is installed on a Hadoop data node. A kinit command is used to generate the Kerberos ticket. The klist command also lists the valid Kerberos ticket cached on the machine. However, the Talend Job running on JobServer fails, with the following error:

 

[FATAL]: metadata.hdfs_connection_check_0_1.hdfs_connection_check - tHDFSOutput_1 Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "us194ap.host.com/135.107.17.66"; destination host is: "us194ap.host.com":8020; 

 

Root Cause

This issue is isolated to the Kerberos ticket cache used during the start of JobServer. The KRB5CCNAME environment variable is configured on JobServer. The kinit command used in this use case did not include the -c option. Thus, the Kereberos ticket cache is created with a new name, and the JobServer picked a different Kerberos ticket from KRB5CCNAME environment variable.

 

Solution

The value for the -c option in kinit command depends on the KRB5CCNAME environment variable. To fix the issue, execute the kinit command with -c option on the JobServer machine, as shown in the example below:

 

kinit -t /etc/krb5-service.keytab -c /var/run/service_krb5_cache service-principal@EXAMPLE.ORG
Version history
Revision #:
7 of 7
Last update:
‎02-24-2019 11:14 PM
Updated by:
 
Comments
Employee

Good one.. please provide the sample kinit command that has the "-c" option. 

Employee

Thanks @rpatel. Added the kinit command and published the article again.