
I want to access a service that uses Kerberos authentication. The service admin gave me a spnego.service.keytab file for the correct Kerberos principal and realm. I can run kinit against that keytab file to get a Kerberos ticket successfully. But when I try to access that service using curl on a Windows 7 laptop outside the cluster I get this error:

org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

The service happens to be Livy, but a colleague gets the same error using Oozie on the same cluster, so I don't think the details of the service itself matter much.

Here are the full details:

>curl --negotiate -u : http://<livy_server_host>:<port>/sessions/
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 403 </title>
</head>
<body>
<h2>HTTP ERROR: 403</h2>
<p>Problem accessing /sessions/. Reason:
<pre>    org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)</pre></p>
<hr /><i><small>Powered by Jetty://</small></i>
</body>
</html>

What needs to be done to make the curl command work?

snark

1 Answer


The Windows 7 laptop must be part of the same Kerberos realm from which the keytab was generated. The encryption used by the keytab and the service must also be supported by the Windows 7 laptop. curl is not a native Windows command, so you must import the supporting encryption libraries onto the Windows 7 laptop in order to make curl work.

T-Heron
  • Thanks for the tip; I'll explore this further. Apparently the Win laptop is in the same kerberos realm and we can access the service via Firefox if we modify some of its security related settings. It turns out the curl I'm using came from Continuum's Anaconda as it's in `C:\Users\\AppData\Local\Continuum\Anaconda2\Library\bin`... – snark Aug 30 '17 at 12:20
  • `curl -V` says: `curl 7.52.1 (x86_64-pc-win32) libcurl/7.52.1 WinSSL zlib/1.2.8 Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtsp smb smbs smtp smtps telnet tftp Features: AsynchDNS IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL libz` – snark Aug 30 '17 at 12:20
  • As Kerberos and SPNEGO are listed among the features surely that suggests they are both supported? Ideally I'm not looking for a solution specific to curl as that was only a stepping stone to being able to call the service (Livy) from a Java client. – snark Aug 30 '17 at 12:22
  • Understood. Do you still have the command syntax you used to create the keytab handy? I want to check something out in it. – T-Heron Aug 30 '17 at 12:56
  • Unfortunately I don't. The admin guy who gave me the keytab file said it was not created manually. Instead it was created as part of the Livy install process via Ambari. I'll try to find out more or persuade him to add the relevant details... – snark Aug 30 '17 at 14:10
  • If the keytab was not created manually then we're out of luck chasing down that path. Instead, I'll try to reproduce this by installing CURL on a Windows 7 machine joined to an AD domain, as AD domains are also Kerberos realms. Though I've never installed CURL before. I know it's not the only question here but if we solve the CURL question, fairly sure we'll also solve the Livy question. Where did you get your CURL installer from? – T-Heron Aug 30 '17 at 14:53
  • Thanks for looking at this! In my case curl came as part of Anaconda (specifically I installed Anaconda2-4.3.1-Windows-x86_64.exe). But that's pretty heavyweight if you just want curl; although at least you'll know it will have the same features installed as mine. You can also get curl as part of Git (https://git-scm.com/download/win) or cygwin. Or you can download it directly from https://curl.haxx.se/download.html#Win64. – snark Aug 31 '17 at 08:51
  • In case it helps here is the Python script command used by Ambari to create keytabs: `ktadd '%s %s %s' % (keytab_file, norandkey, principal)`. Ambari picks the principal name based on the component (Livy in this case) as principals are pre-defined for each component. – snark Aug 31 '17 at 11:24
  • Does your AD-domain joined Windows 7 laptop have a correct C:\Windows\krb5.ini configured? If not, you can use the one found on the server where Livy is configured. Just change the file name from krb5.conf to krb5.ini so it will work on Windows. Curl needs that file to find the correct realm and KDC from which to get a ticket. – T-Heron Sep 06 '17 at 00:55
  • Thanks for the tip but the focus has moved on from curl to getting Java working, for which the example at https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/lab/part6.html was helpful. We also had to use Java's own kinit to create the ticket rather than the kinit that came with MIT's Kerberos, as the latter only 'saw' the ticket associated with my Windows AD login rather than the ticket needed to access Livy. – snark Sep 06 '17 at 09:03
  • We also had to create a `login.conf` as described in the previous link and copy C:\ProgramData\MIT\Kerberos\krb5.ini to a krb5.conf under Java's own lib\security folder. Then the command equivalent to this one in the article finally worked for accessing Livy: `java -Djava.security.krb5.conf=krb5.conf -Djava.security.auth.login.config=login.conf -Djavax.security.auth.useSubjectCredsOnly=false RunHttpSpnego http://www.ad.local/hello/hello.html` – snark Sep 06 '17 at 09:07
  • You should compile all your comments into one detailed answer which you can then accept. It's OK to do that. – T-Heron Sep 07 '17 at 23:05
  • Thanks for the suggestion. I could do that but then the OP was about curl and we still don't have a solution for that; nor are we so interested in getting a solution for curl right now. Thanks again for your help and support. – snark Sep 08 '17 at 16:29
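Added example (not part of the original question, answer or comments): the server-side message "GSSHeader did not find the right tag" is what Java GSS-API reports when the bytes after `Authorization: Negotiate` do not begin with the `0x60` [APPLICATION 0] tag that RFC 2743 section 3.1 requires for an InitialContextToken. The most common cause in practice is that the client's Negotiate stack could not obtain a Kerberos service ticket and fell back to raw NTLM, whose token starts with the ASCII bytes `NTLMSSP\0`. The script below classifies the token that curl actually sent, either from a header value or from a `curl -v` trace, so you can tell SPNEGO, bare Kerberos, NTLM and otherwise malformed tokens apart before chasing realm or krb5.ini issues. All tokens, hostnames and trace lines in it are constructed for the example, not captured from the cluster in the question.

```python
"""Classify the token in an "Authorization: Negotiate <base64>" header.

Mirrors the framing check a GSS-API acceptor performs (RFC 2743 3.1):
  0x60 <DER length> 0x06 <OID length> <mechanism OID> <mechanism token>
A token that fails this check is exactly what Hadoop reports as
"Defective token detected (Mechanism level: GSSHeader did not find the right tag)".
"""
import base64
import sys

# DER-encoded OBJECT IDENTIFIER contents of the mechanisms a client may send.
OID_SPNEGO = bytes.fromhex("2b06010505" "02")           # 1.3.6.1.5.5.2        (RFC 4178)
OID_KRB5 = bytes.fromhex("2a864886f7120102" "02")       # 1.2.840.113554.1.2.2 (RFC 4121)
OID_MS_KRB5 = bytes.fromhex("2a864882f7120102" "02")    # 1.2.840.48018.1.2.2  (MS variant)


def _der(tag, content):
    """Minimal DER TLV encoder, used only to build the constructed samples."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _read_der_length(buf, pos):
    """Return (length, position after the length field) for a DER length at buf[pos]."""
    if pos >= len(buf):
        raise ValueError("truncated DER length")
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_negotiate_token(header_value):
    """Classify an Authorization header value: spnego, krb5, ntlm, defective, ..."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip())
    except ValueError:
        return "defective"
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm"                      # SSPI fell back to NTLM: no Kerberos ticket for the SPN
    try:
        if not token or token[0] != 0x60:  # the "right tag" GSSHeader looks for
            return "defective"
        _, pos = _read_der_length(token, 1)
        if pos >= len(token) or token[pos] != 0x06:
            return "defective"
        oid_len, pos = _read_der_length(token, pos + 1)
    except ValueError:
        return "defective"
    oid = token[pos:pos + oid_len]
    if oid == OID_SPNEGO:
        return "spnego"
    if oid in (OID_KRB5, OID_MS_KRB5):
        return "krb5"
    return "unknown-mech"


def diagnose_curl_trace(trace_text):
    """Find the Authorization header curl sent (lines starting '> ') in `curl -v` output."""
    for line in trace_text.splitlines():
        if line.startswith("> Authorization:"):
            return classify_negotiate_token(line[len("> Authorization:"):])
    return "no-authorization-header"


# Constructed sample tokens (assumed shapes, not real captures).
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00\x01\x00\x00\x00\x97\x82\x08\xe2" + b"\x00" * 22).decode()
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(_der(0x60, _der(0x06, OID_SPNEGO) + _der(
    0x30, _der(0xA0, _der(0x30, _der(0x06, OID_KRB5) + _der(0x06, OID_MS_KRB5)))))).decode()
SAMPLE_KRB5 = "Negotiate " + base64.b64encode(
    _der(0x60, _der(0x06, OID_KRB5) + b"\x01\x00" + b"\x00" * 16)).decode()
SAMPLE_DEFECTIVE = "Negotiate " + base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
SAMPLE_TRACE = "\n".join([
    "> GET /sessions/ HTTP/1.1",
    "> Host: livy.example.com:8998",          # hypothetical host
    "> Authorization: " + SAMPLE_NTLM,
    "> User-Agent: curl/7.52.1",
    "< HTTP/1.1 403 Forbidden",
])

if __name__ == "__main__":
    # Usage: curl -v --negotiate -u : http://<host>:<port>/sessions/ 2>&1 | python negotiate_check.py
    print(diagnose_curl_trace(sys.stdin.read()))
```

If the result is `ntlm`, the Windows Negotiate provider never got a Kerberos ticket for the HTTP/<host> service principal; a curl built against SSPI uses the LSA credential cache of the logged-on account, not the MIT krb5 cache that kinit populated, which is consistent with what the comments above observed.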