You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: sections/errors.md
+16-4Lines changed: 16 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -40,7 +40,7 @@ for health checking this. Volunteers to implement welcome.
40
40
Some of these are covered in Oracle's Troubleshooting Kerberos docs.
41
41
This section just highlights some of the common causes, other causes that Oracle don't mention —and messages they haven't covered.
42
42
43
-
## Server not found in Kerberos database (7)
43
+
## Server not found in Kerberos database (7) / service ticket not found in the subject
44
44
45
45
* DNS is a mess and your machine does not know its own name.
46
46
* Your machine has a hostname, but the service principal is a `/_HOST` wildcard and the hostname
@@ -69,6 +69,16 @@ Possible causes:
69
69
1. You did specify a keytab but it isn't there or is somehow otherwise invalid
70
70
1. You don't have the Java Cryptography Extensions installed.
71
71
72
+
73
+
## failure to login using ticket cache file
74
+
75
+
You aren't logged via `kinit`, the application isn't configured to use a keytab. So: no ticket,
76
+
no authentication, no access to cluster services.
77
+
78
+
you can use `klist -v` to show your current ticket cache
79
+
80
+
fix: log in with `kinit`
81
+
72
82
## Clock skew too great
73
83
74
84
```
@@ -86,6 +96,8 @@ they've lost track of when they are. Reboot them.
86
96
87
97
If it's a physical cluster, make sure that your NTP daemons are pointing at the same NTP server, one that is actually reachable from the Hadoop cluster. And that the timezone settings of all the hosts are consistent.
88
98
99
+
100
+
89
101
## KDC has no support for encryption type
90
102
91
103
This crops up on the MiniKDC if you are trying to be clever about encryption types. It doesn't support many.
@@ -134,15 +146,15 @@ GSSException: Defective token detected (Mechanism level: GSSHeader did not find
134
146
135
147
The token supplied by the client is not accepted by the server.
136
148
137
-
This apparently surfaces in [Java 8 after 8u40](http://sourceforge.net/p/spnego/discussion/1003769/thread/700b6941/#cb84);
149
+
This apparently surfaces in [Java 8 version 8u40](http://sourceforge.net/p/spnego/discussion/1003769/thread/700b6941/#cb84);
138
150
if Kerberos server doesn't support the first authentication mechanism which the client
139
151
offers, then the client fails. Workaround: don't use those versions of Java.
140
152
141
153
This is [now acknowledged by Oracle](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8080129) and
142
154
has been fixed in 8u60.
143
155
144
156
145
-
## `Specified version of key is not available (44)`
157
+
## Specified version of key is not available (44)
146
158
147
159
```
148
160
Client failed to SASL authenticate: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))]
@@ -190,7 +202,7 @@ Rebuild your keytabs.
190
202
1. Restart everything.
191
203
192
204
193
-
## `javax.security.auth.login.LoginException: No password provided`
205
+
## javax.security.auth.login.LoginException: No password provided
194
206
195
207
When this surfaces in a server log, it means the server couldn't log in as the user. That is,
196
208
there isn't an entry in the supplied keytab for that user and the system (obviously) doesn't
0 commit comments