GP - Kerberos errors and resolutions
Issue 1. The user's ticket-granting ticket (TGT) has expired, producing the following error message:
ERROR: psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may provide more information
GSSAPI continuation error: Ticket expired
Solution:
Obtain a new ticket on the Master server from the keytab using the following command:
kinit -k -t /home/gpadmin/gpdb-kerberos.keytab db_user
Note: -k tells kinit to authenticate with a keytab instead of prompting for a password, -t names the keytab file, and db_user is the principal whose key the keytab holds. Keep the keytab readable only by the gpadmin account (mode 0600): anyone who can read it can obtain tickets as db_user without a password.
Issue 2. The kinit binary is resolving libkrb5 from the LD_LIBRARY_PATH set by the Greenplum environment, and that copy of the library is older than the one kinit was linked against, producing the following error message:
ERROR: kinit: relocation error: kinit: symbol krb5_get_init_creds_opt_set_fast_ccache_name, version krb5_3_MIT not defined in file libkrb5.so.3 with link time reference
Solution:
Unset LD_LIBRARY_PATH before running kinit so that it loads the system libkrb5 it was built against.
IMPORTANT NOTE: With LD_LIBRARY_PATH unset, Greenplum client commands can no longer find their own shared libraries and fail with the following error:
ERROR: psql: error while loading shared libraries: libpq.so.5: cannot open shared object file: No such file or directory
To resolve this, source the Greenplum environment script (greenplum_path.sh) again before running psql or other GPDB commands.
Issue 3. No principal exists for the Postgres service in the Kerberos database, producing the following error message:
ERROR: psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may provide more information
GSSAPI continuation error: Server not found in Kerberos database
Solution:
This error means the KDC has no service principal for the Greenplum master, so it cannot issue a service ticket for it. Create a principal on the Kerberos server for the Postgres service using the following command:
kadmin.local -q "addprinc -randkey postgres/mdw@GPDB.KRB"
Note: mdw is the Master server hostname and GPDB.KRB is the Kerberos Realm. The host part of the principal must match the name clients resolve for the master (normally its fully qualified hostname), and the new principal's key must be exported into the master's keytab (kadmin's ktadd) before the server can accept tickets issued for it.
Issue 4. There is no credentials cache holding a ticket-granting ticket (TGT) for the user, so psql has no credentials to present to the server. The following error messages are produced:
ERROR: psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may provide more information
GSSAPI continuation error: No credentials cache found
Solution:
Use kinit to obtain a TGT and store it in the credentials cache:
kinit -k -t /home/gpadmin/gpdb-kerberos.keytab db_user
Note: The default ticket cache is a file named /tmp/krb5cc_%{uid}, where %{uid} is the numeric user ID of the account that ran kinit. If KRB5CCNAME points kinit at a different cache, psql must run with the same KRB5CCNAME or it will not find the ticket.
Use the klist command to view the contents of the ticket cache.
Issue 5. The server name the client resolves does not match the service principal in the Kerberos database. The following error message is produced:
ERROR: Server has invalid Kerberos principal
Solution:
Further investigation is required to find out why they do not match. A hostname change on the Master server is a common cause. Compare the output of hostname -f on the master, the forward and reverse DNS entries clients use for it, and the host part of the postgres/<hostname> principal both in the KDC and in the master's keytab; all of them must agree.
Issue 6. There is a time skew between the Kerberos server and the Master server, producing the following error message:
ERROR: psql: FATAL: accepting GSS security context failed (auth.c:1141)
DETAIL: Unspecified GSS failure. Minor code may provide more information: Clock skew too great
Solution:
The clock difference between the Kerberos server and the Master server exceeds the skew the KDC tolerates (the MIT Kerberos clockskew setting, 300 seconds by default). Synchronize the KDC, the master and the segment hosts with the Network Time Protocol (NTP) rather than raising clockskew; a wide skew window weakens the replay protection that Kerberos timestamps provide.
Issue 7. The encryption type is not supported, producing the following error message:
ERROR: KDC has no support for encryption type <number>
Solution:
Refer to the Pivotal Knowledge Base article, gphdfs error on Kerberos "KDC has no support for encryption type <number>", for instructions on how to resolve this issue. The error means the KDC, the principal's keys and the client's permitted encryption types have no type in common; resolve it by adding a modern AES type to the principal and keytab, not by enabling a weak type such as DES or RC4 on the KDC.
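A pre-flight script that checks a Greenplum master for Issues 1 to 5 above before you run psql. This is an added example for this page, not code from the original article or from Greenplum. It assumes the keytab at /home/gpadmin/gpdb-kerberos.keytab holds both db_user and the postgres/<host> service key, that GPHOME points at the Greenplum install, and that klist is MIT Kerberos (Heimdal prints a different layout); the ldd, klist and klist -k outputs embedded in it are constructed samples, not captured from a live system. It goes beyond the page's individual fixes in two ways: it decides from the ldd output of kinit whether the Issue 2 workaround is needed, and it recommends env -u LD_LIBRARY_PATH for that single kinit invocation so the Greenplum library path stays set for psql afterwards.

```shell
#!/bin/sh
# gp-krb-preflight.sh: check a Greenplum master for the Kerberos failure modes
# described in Issues 1 to 5 before attempting a GSSAPI login with psql.
# Added example for this page; not code from the original article or from Greenplum.
# Assumptions (not stated on the page): the keytab, principal and GPHOME defaults
# below; that the same keytab holds the postgres/<host> service key; and that
# klist is MIT Kerberos, printing timestamps as MM/DD/YYYY (or MM/DD/YY) HH:MM:SS.

KEYTAB="${KEYTAB:-/home/gpadmin/gpdb-kerberos.keytab}"
PRINCIPAL="${PRINCIPAL:-db_user}"
GPHOME="${GPHOME:-/usr/local/greenplum-db}"

# Issue 2: does kinit resolve the Kerberos libraries from the Greenplum tree
# instead of the system ones it was linked against? Reads `ldd $(command -v kinit)`
# output on stdin and succeeds when a conflicting library path is found.
kinit_lib_conflict() {
    grep -E 'lib(krb5|gssapi_krb5|k5crypto)\.so' | grep -Fq "$1/"
}

# Issues 1 and 4: classify the credentials cache. Reads `klist` output on stdin,
# takes the current time as "YYYY-MM-DD HH:MM:SS", prints valid, expired or missing.
tgt_state() {
    awk -v now="$1" '
        $5 ~ /^krbtgt\// {
            split($3, d, "/")                       # Expires column: MM/DD/YYYY
            if (length(d[3]) == 2) d[3] = "20" d[3] # older klist prints MM/DD/YY
            expiry = d[3] "-" d[1] "-" d[2] " " $4  # sortable YYYY-MM-DD HH:MM:SS
            if (expiry > now) print "valid"; else print "expired"
            found = 1
            exit
        }
        END { if (!found) print "missing" }'
}

# Issues 3 and 5: does the keytab hold a key for postgres/<host>? Reads `klist -k`
# output on stdin; $1 is the host name clients resolve for the master.
keytab_has_service() {
    awk -v want="postgres/$1@" '
        substr($NF, 1, length(want)) == want { found = 1 }
        END { exit !found }'
}

# Constructed sample outputs (not captured from a real system) so the parsers
# can be exercised offline with: sh gp-krb-preflight.sh --demo
SAMPLE_LDD='  libkrb5.so.3 => /usr/local/greenplum-db/lib/libkrb5.so.3 (0x00007f1a0c200000)'
SAMPLE_KLIST='Valid starting       Expires              Service principal
03/10/2024 10:00:00  03/10/2024 20:00:00  krbtgt/GPDB.KRB@GPDB.KRB
        renew until 03/17/2024 10:00:00
03/10/2024 10:00:05  03/10/2024 20:00:00  postgres/mdw@GPDB.KRB'
SAMPLE_KEYTAB='KVNO Timestamp           Principal
   2 03/10/2024 09:55:12 postgres/mdw@GPDB.KRB
   2 03/10/2024 09:55:12 db_user@GPDB.KRB'

demo() {
    printf '%s\n' "$SAMPLE_LDD" | kinit_lib_conflict "$GPHOME" && echo "demo: kinit would load Greenplum's libkrb5"
    echo "demo: TGT state at 21:00 is $(printf '%s\n' "$SAMPLE_KLIST" | tgt_state '2024-03-10 21:00:00')"
    printf '%s\n' "$SAMPLE_KEYTAB" | keytab_has_service mdw && echo "demo: keytab holds postgres/mdw"
}

main() {
    for tool in kinit klist; do
        command -v "$tool" >/dev/null 2>&1 || { echo "$tool not on PATH" >&2; return 1; }
    done
    kinit_cmd="kinit -k -t $KEYTAB $PRINCIPAL"
    if ldd "$(command -v kinit)" 2>/dev/null | kinit_lib_conflict "$GPHOME"; then
        echo "WARN: kinit loads libkrb5 from $GPHOME (Issue 2); run it without that path:"
        kinit_cmd="env -u LD_LIBRARY_PATH $kinit_cmd"
        echo "      $kinit_cmd"
    fi
    case "$(klist 2>/dev/null | tgt_state "$(date '+%Y-%m-%d %H:%M:%S')")" in
        valid)   echo "OK:   TGT present and unexpired" ;;
        expired) echo "FAIL: TGT expired (Issue 1); refresh with: $kinit_cmd" ;;
        missing) echo "FAIL: no credentials cache (Issue 4); obtain one with: $kinit_cmd" ;;
    esac
    host=$(hostname -f 2>/dev/null || hostname)
    if klist -k -t "$KEYTAB" 2>/dev/null | keytab_has_service "$host"; then
        echo "OK:   $KEYTAB holds postgres/$host"
    else
        echo "FAIL: no postgres/$host key in $KEYTAB (Issues 3/5); compare hostname -f,"
        echo "      forward/reverse DNS and the principal created with addprinc"
    fi
}

case "${1:-}" in
    --demo) demo ;;
    *)      main "$@" ;;
esac
```

Run it on the master as gpadmin after sourcing greenplum_path.sh; sh gp-krb-preflight.sh --demo exercises the parsers on the embedded samples only. The script reports rather than acts: it prints the kinit command to run, with env -u LD_LIBRARY_PATH prepended only when ldd shows kinit picking up Greenplum's libkrb5, which avoids the libpq.so.5 breakage described under Issue 2. A FAIL on the keytab check with a host name that differs from the principal you created with addprinc is the Issue 5 mismatch.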