1. Forum
  2. Usenet
  3. COMP.PROTOCOLS.KERBEROS

  • Internal credentials cache error for server principal - 1765328188

    From Vato Kvantaliani@21:1/5 to All on Wed Jan 5 16:52:42 2022
    Hello,
    PowerBI Report Server->odbc->hive integration with kerberos authentication. client MIT Kerberos Version 4.1

    SSRS reports (api/v2.0 Reports) with Kerberos authentication throwing
    error:

    ERROR [28000] [Cloudera][ThriftExtension] (9) Error occurred while authenticating via SASL. Error details: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Internal credentials cache error)

    at Powerbi report server, kerberos client gets -

    [6452] 1641381483.67003: ccselect module realm yielded error -1765328188/Internal credentials cache error for server principal hive/ bda1node01.bog.ge@BDA1.BOG.GE

    however hive/bda1node01.bog.ge@BDA1.BOG.GE is cached

    Another report type (api/v2.0 PowerBIReports) works and connection is ok
    but in client kb log we get:

    [10708] 1641384364.890004: ccselect can't find appropriate cache for server principal hive/bda1node01.bog.ge@BDA1.BOG.GE
    though service principal is in cache

    Any help or advice will be much appreciable as we were not able to get more details on these errors.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Greg Hudson@21:1/5 to Vato Kvantaliani on Thu Jan 6 11:34:03 2022
    To: kerberos@mit.edu

    On 1/5/22 7:52 AM, Vato Kvantaliani wrote:
    Error: Unspecified GSS failure. Minor code may provide more information (Internal credentials cache error)

    This error message came up in April:

    https://mailman.mit.edu/pipermail/kerberos/2021-April/022630.html

    It's hard to be sure that the cause is the same without knowing more
    about the setup. In that case the cause was multiple threads or
    processes trying to refresh the ccache from a client keytab at the same
    time.

    To address this issue, I implemented atomic replacement for most
    credential cache types:

    https://github.com/krb5/krb5/commit/371f09d4bf4ca0c7ba15c5ef909bc35307ed9cc3

    However, it will be some time before this works its way into a Kerberos
    for Windows release. I'm not sure I can offer concrete advice since I
    am not familiar with PowerBI.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Vato Kvantaliani@21:1/5 to Greg Hudson on Thu Jan 6 21:45:53 2022
    Copy: kerberos@mit.edu

    thanks Greg, In our case it is a single process as we are just testing connection. No concurrency there. Very simple setup, PowerBI Report server connects to Hive(Cloudera) with Cloudera's native odbc driver. For some
    types of reports it works and we authenticate without problems but the most important report(which is kind of legacy type) throws that GSS error.

    Any advice with another message:

    ccselect can't find appropriate cache for server principal hive/bda1node01.bog.ge at BDA1.BOG.GE <https://mailman.mit.edu/mailman/listinfo/kerberos>

    log says client getting and creating authenticator, though klist shows
    server credential is in client's cache

    [10708] 1641384364.890004: ccselect can't find appropriate cache for
    server principal hive/bda1node01.bog.ge@BDA1.BOG.GE

    [10708] 1641384364.906000: Getting credentials vkvantaliani@BOG.GE -> hive/bda1node01.bog.ge@BDA1.BOG.GE using ccache API:krb5cc
    [10708] 1641384364.906001: Retrieving vkvantaliani@BOG.GE -> hive/bda1node01.bog.ge@BDA1.BOG.GE from API:krb5cc with result:
    0/Success
    [10708] 1641384364.906003: Creating authenticator for
    vkvantaliani@BOG.GE -> hive/bda1node01.bog.ge@BDA1.BOG.GE, seqnum
    229919889, subkey

    And in this case client authenticates and connection is good.

    Could it be somehow related with kerberos pre authentication at AD?

    Another questions is if there is any sense of playing with different
    type of caches, like DIR, MEMORY etc.

    Thank you,



    On Thu, Jan 6, 2022 at 8:34 PM Greg Hudson <ghudson@mit.edu> wrote:

    On 1/5/22 7:52 AM, Vato Kvantaliani wrote:
    Error: Unspecified GSS failure. Minor code may provide more information (Internal credentials cache error)

    This error message came up in April:

    https://mailman.mit.edu/pipermail/kerberos/2021-April/022630.html

    It's hard to be sure that the cause is the same without knowing more
    about the setup. In that case the cause was multiple threads or
    processes trying to refresh the ccache from a client keytab at the same
    time.

    To address this issue, I implemented atomic replacement for most
    credential cache types:


    https://github.com/krb5/krb5/commit/371f09d4bf4ca0c7ba15c5ef909bc35307ed9cc3

    However, it will be some time before this works its way into a Kerberos
    for Windows release. I'm not sure I can offer concrete advice since I
    am not familiar with PowerBI.


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)