Kerberos authentication fails, and my log lists the reason as 'Key for the principal testuser1@MYHADOOP.NET not available in September.keytab'
Article ID: KB0080704
Products: TIBCO Data Virtualization
Versions: v7.0.0 and higher
Description
Kerberos authentication fails, and the log contains an error 'Key for the principal testuser1@MYHADOOP.NET not available in September.keytab'
Resolution
This error is raised by the Oracle JDK's Krb5LoginModule. It is an environmental issue, not a problem with TDV. The most common reasons for this error are:
(1) The path to the keytab file is incorrect. Therefore, the keytab could not be found.
(2) The keytab file was found but the file has insufficient read/access privileges. Consequently, it could not be read.
(3) The principal name (or the realm name) in the krb5.conf file contains a syntax error. Typically, the syntax error is a blank space (i.e. a whitespace character) occurring at the end of the principal name or the realm name.
A blank space at the end of a name is difficult to spot visually, so you will need to open krb5.conf in a text editor and examine the contents very carefully. If the principal name has a trailing blank space, the space also appears in the log message.
Example: Key for the principal testuser1@MYHADOOP.NET  not available in September.keytab
Notice the extra space between the words 'testuser1@MYHADOOP.NET' and 'not'. Were it not for this space, the message would have been:
Key for the principal testuser1@MYHADOOP.NET not available in September.keytab
Krb5LoginModule believes that the space is a part of the name, and so it is looking for 'testuser1@MYHADOOP.NET ' in the keytab instead of looking for 'testuser1@MYHADOOP.NET'. As a result, it is unable to find the principal when it looks for it in the keytab.
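The three causes listed above can be checked with a short script. This is an added example, not TIBCO or Oracle code; the sample log line and config fragment are constructed, and the function names are hypothetical.

```python
import os
import re

# Message layout copied from the error quoted in this article.
LOG_RE = re.compile(r"Key for the principal (.*?) not available in (\S+)")

# Constructed samples: a log line with the extra blank, and a config
# fragment whose realm value ends in a blank.
SAMPLE_LOG = ("Key for the principal testuser1@MYHADOOP.NET  "
              "not available in September.keytab")
SAMPLE_CONF = "[libdefaults]\n  default_realm = MYHADOOP.NET \n  forwardable = true\n"


def principal_from_log(line):
    """Return the principal exactly as the login module saw it, blanks included."""
    m = LOG_RE.search(line)
    return m.group(1) if m else None


def check_keytab(path):
    """Causes (1) and (2): wrong path, or file not readable by the current user."""
    if not os.path.isfile(path):
        return "keytab not found: %r" % path
    if not os.access(path, os.R_OK):
        return "keytab not readable by this user: %r" % path
    return None


def whitespace_findings(conf_text):
    """Cause (3): (line number, key, value) for each value ending in whitespace."""
    findings = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        if "=" not in line or line.lstrip().startswith(("#", ";")):
            continue
        key, value = line.split("=", 1)
        if value != value.rstrip():
            findings.append((n, key.strip(), value.lstrip()))
    return findings


if __name__ == "__main__":
    name = principal_from_log(SAMPLE_LOG)
    if name != name.strip():
        print("principal carries stray whitespace: %r" % name)
    print(check_keytab("September.keytab") or "keytab path and permissions OK")
    for n, key, value in whitespace_findings(SAMPLE_CONF):
        print("line %d: %s = %r ends in whitespace" % (n, key, value))
```

Run the keytab check as the same operating-system account that runs the TDV server, because the read-permission test applies to the calling user.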