[Cloudera][Hardy] (34) Error from server: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty).OR
[Cloudera][ImpalaODBC] (100) Error from the Impala Thrift API: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)To help CDH users to get it working without much hassle, I would like to compile a list of steps below for reference. I have tested this in my VM Windows 10. 1. For Kerberos authentication to work, you need to get a valid Kerberos ticket on your client machine, which is Windows 10. Hence, you will need to download and install MIT Kerberos client tool so that you can authenticate yourself against the remote cluster, much like running “kinit” on Linux. To get the tool, please visit http://web.mit.edu/kerberos/dist and follow the links 2. In order for client machine to talk to remote KDC server that contains principal database, we need a valid krb5 configuration file on client side. This file normally sits under /etc/krb5.conf on Linux. On Windows 10, it should be under C:\ProgramData\MIT\Kerberos5\krb5.ini. Please copy the krb5.conf file in your cluster and then copy to this location on your Windows machine. Please be aware that the file name in Windows should be krb5.ini, not krb5.conf. Also note that C:\ProgramData is a hidden directory, so you will need to unhide it first from File Explorer before you can access the files underneath it. 3. Make sure that you connect to correct port number, for Hive, it is normally 10000 by default. For Impala, it should be 21050, NOT 21000, which is used by impala-shell. If you have Load Balancer setup for either Hive or Impala, then the port number could also be different, please consult with your system admin to get the correct port number if this is the case. 4. Add Windows system variable KRB5CCNAME with value of “C:\krb5\krb5cc”, where “krb5cc” is a file name for the kerberos ticket cache, it can be anything, but we commonly use krb5cc or krb5cache. To do so, please follow steps below: a. open “File Explorer” b. right click on “This PC” c. select “Properties” d. next to “Computer name”, click on “Change settings” e. click on “Advanced” tab and then “Environment Variables” f. under “System Variables”, click on “New” g. enter “KRB5CCNAME” in “Variable name” and “C:\krb5\krb5cc” in “Variable value” (without double quotes) h. click on “OK” and then “OK” again i. restart Windows 5. If you have SSL enabled for either Hive or Impala, you will also need to “Enable SSL” for ODBC driver. This can be found under “SSL Options” popup window, see below screenshot for details:


Hello,
I configured an odbc dsn with the same configuration and it works fine.
But when I have 2 or more batchs triggered at the same time I have the error message credential cache error.
Could you help?
Best regards
Hi Sidi,
Firstly, thanks for visiting my blog and posting questions.
Can you please share the exact error you got so that I can research it from my end?
Cheers
Eric
Hi Eric,
I configured an odbc dsn with the same configuration like yours. but I still get following error.
Do you know what could cause this issue? Kerberos is also correctly setup.
FAILED!
[Cloudera][ThriftExtension] (9) Error occurred while authenticating via SASL. Error details: SASL(-1): generic failure: Failed to initialize security context: The specified target is unknown or unreachable
Hi Yunce,
Sorry about the delay in replying your question.
Can you check what is the “Service Name” in the ODBC DSN Configuration? It should be hive/[email protected], if not hive, it might report this kind of error.
Cheers
Eric
Hello,
I am having problems to find the kerberos ticket cache in my computer. Is it created automatically in my computer?
Hi John,
Sorry about the delay in getting back to you.
I am not sure the default location on Windows, but you can set environment variables via KRB5CCNAME in Windows to change the location. For example, you can set to C:\temp\kr5ccache.
Go to Windows Explorer, right click on This PC > Properties > Advanced System settings > Advanced tab > Environment Variables, then add KRB5CCNAME either for your user or under System Variables.
Hope that helps.
Cheers
Eric
Hi Eric,
I tried all the above mentioned steps and it is working fine. The only issue I am facing is that tickets are not getting renewed automatically even after the Automatic Ticket Renewal box is checked. When it expires after the lifetime of 10 hours, I have to destroy and recreate. Please help on this.
Sorry Gagandeep,
I am not working with Cloudera anymore and I have no tools to test it. Sorry, I can’t help on this anymore.
Regards
Eric