What is the problem you are having with rclone?
When using rclone to connect to an HDFS remote with Kerberos authentication, I get the following error:
```
rclone -vv ls hdfsremote:/
2021/05/19 16:54:24 DEBUG : Using config file from "/home/<user>/.config/rclone/rclone.conf"
2021/05/19 16:54:24 DEBUG : rclone: Version "v1.55.1" starting with parameters ["rclone" "-vv" "ls" "hdfsremote:/"]
2021/05/19 16:54:24 DEBUG : Creating backend with remote "hdfsremote:/"
2021/05/19 16:54:24 Failed to create file system for "hdfsremote:/": no available namenodes: SASL handshake: [Root cause: KDC_Error] KDC_Error: TGS Exchange Error: kerberos error response from KDC when requesting for hdfs/<namenode>@<realm>>: KRB Error: (7) KDC_ERR_S_PRINCIPAL_UNKNOWN Server not found in Kerberos database - LOOKING_UP_SERVER
```
I am kinited as the user in the rclone config, and my krb5.conf works for other commands. I have also ensured it is being read by setting the environment variable KRB5_CONFIG=/etc/krb5.conf. Any ideas what may be causing this?
What is your rclone version (output from rclone version)
```
rclone v1.55.1
- os/type: linux
- os/arch: amd64
- go/version: go1.16.3
- go/linking: static
- go/tags: none
```
Which OS you are using and how many bits (eg Windows 7, 64 bit)
Ubuntu 20.04, 64-bit
Which cloud storage system are you using? (eg Google Drive)
HDFS/Hadoop
The command you were trying to run (eg rclone copy /tmp remote:tmp)
See above
The rclone config contents with secrets removed.
```
[hdfsremote]
type = hdfs
namenode = <namenode>:8020
username = <user>
service_principal_name = hdfs/_HOST@<realm>
data_transfer_protection = authentication
```
A log from the command with the -vv flag
See above
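KDC_ERR_S_PRINCIPAL_UNKNOWN in the log above is the KDC saying it has no principal matching the service name in the TGS request, so the useful question is what name was actually requested and whether that exact string exists on the KDC side. Below is a small pre-flight check, added here as an example and not code from rclone, gokrb5 or this thread. It assumes the `_HOST` placeholder in `service_principal_name` is meant to expand to the host part of the `namenode` setting, the way Hadoop's own configuration expands it, and compares the expanded name, case-sensitively, against the principals in a `klist -k` listing. The listing, hostnames and realm in the block are constructed sample data. Kerberos principal names are case-sensitive, so a realm typed in lowercase is reported as a near miss rather than a match.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Constructed sample of `klist -k` output taken on the service host; the
// hostnames and realm are made up for this example.
const sampleKlist = `Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 hdfs/namenode.example.com@EXAMPLE.COM
   2 HTTP/namenode.example.com@EXAMPLE.COM
`

// ExpandSPN turns a service_principal_name template such as "hdfs/_HOST@REALM"
// into the concrete name a TGS request would carry, substituting the host part
// of the rclone namenode setting ("host:port") for the Hadoop-style _HOST
// placeholder (assumed semantics, see lead-in).
func ExpandSPN(spnTemplate, namenode string) (string, error) {
	host := namenode
	if h, _, err := net.SplitHostPort(namenode); err == nil {
		host = h
	}
	if host == "" {
		return "", errors.New("namenode host is empty")
	}
	service, rest, ok := strings.Cut(spnTemplate, "/")
	if !ok || service == "" || rest == "" {
		return "", fmt.Errorf("SPN %q is not of the form service/host[@REALM]", spnTemplate)
	}
	instance, realm, _ := strings.Cut(rest, "@")
	if instance == "_HOST" {
		instance = host
	}
	spn := service + "/" + instance
	if realm != "" {
		spn += "@" + realm
	}
	return spn, nil
}

// ParseKlistKeytab extracts the distinct principal names from `klist -k`
// output, skipping the header, the "KVNO Principal" line and the dashed rule.
// A principal listed once per key version is returned once.
func ParseKlistKeytab(out string) []string {
	seen := map[string]bool{}
	var principals []string
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue
		}
		if _, err := strconv.Atoi(fields[0]); err != nil {
			continue // not a "<kvno> <principal>" row
		}
		if !seen[fields[1]] {
			seen[fields[1]] = true
			principals = append(principals, fields[1])
		}
	}
	return principals
}

// CheckSPN reports whether spn is registered exactly. Principal names are
// case-sensitive, so entries differing only in case come back as near misses:
// the KDC would still answer KDC_ERR_S_PRINCIPAL_UNKNOWN for them.
func CheckSPN(spn string, principals []string) (exact bool, nearMisses []string) {
	for _, p := range principals {
		if p == spn {
			return true, nil
		}
		if strings.EqualFold(p, spn) {
			nearMisses = append(nearMisses, p)
		}
	}
	return false, nearMisses
}

func report(spnTemplate, namenode string, principals []string) {
	spn, err := ExpandSPN(spnTemplate, namenode)
	if err != nil {
		fmt.Println("bad SPN:", err)
		return
	}
	ok, near := CheckSPN(spn, principals)
	switch {
	case ok:
		fmt.Printf("%s: registered\n", spn)
	case len(near) > 0:
		fmt.Printf("%s: not registered, differs only in case from %v\n", spn, near)
	default:
		fmt.Printf("%s: not registered (KDC would answer S_PRINCIPAL_UNKNOWN)\n", spn)
	}
}

func main() {
	principals := ParseKlistKeytab(sampleKlist)
	report("hdfs/_HOST@EXAMPLE.COM", "namenode.example.com:8020", principals)
	report("hdfs/_HOST@example.com", "namenode.example.com:8020", principals) // lowercase realm
	report("nn/_HOST@EXAMPLE.COM", "namenode.example.com:8020", principals)   // wrong service name
}
```

Run it against a real `klist -k` dump from the namenode (or a `listprincs` export from the KDC) by replacing `sampleKlist`; the first line the KDC objects to in the rclone log should be the same string `ExpandSPN` produces, and if it is not, the placeholder expansion is where to look.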
ncw (Nick Craig-Wood), May 21, 2021, 8:22am
Take a look at this issue on the library the hdfs backend uses
opened 11:13AM - 08 Feb 20 UTC
Hi
Thanks for the library. I have only a basic understanding of kerberos. I looked all over the examples and issues to make this work. But I could not make it work. I am trying to authenticate to a service using keytab for the host account, not a logged-in user. Basically I am trying the procedure below in golang. Domain names are changed.
```bash
kinit -k -t /etc/krb5.keytab host/`hostname --fqdn`
curl -u : --negotiate https://acxyz.pklngnt-zum.example.com
```
The code that is run is below.
```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"os"

	"github.com/jcmturner/gokrb5/v8/client"
	"github.com/jcmturner/gokrb5/v8/config"
	"github.com/jcmturner/gokrb5/v8/keytab"
	"github.com/jcmturner/gokrb5/v8/spnego"
)

// doNegotiate logs in from the host keytab and sends req with SPNEGO/Negotiate.
func doNegotiate(ktPath, cfgPath string, req *http.Request) (*http.Response, error) {
	kt, err := keytab.Load(ktPath)
	if err != nil {
		return nil, fmt.Errorf("Load keytab %s failed: %w", ktPath, err)
	}
	cfg, err := config.Load(cfgPath)
	if err != nil {
		return nil, fmt.Errorf("Load config %s failed: %w", cfgPath, err)
	}
	l := log.New(os.Stderr, "krb5-client", log.Lshortfile)
	// client principal is the host account, not a logged-in user
	c := client.NewWithKeytab(
		"host/xxxx.ipa.pklcst-zum.example.com",
		"IPA.PKLCST-ZUM.EXAMPLE.COM",
		kt, cfg, client.DisablePAFXFAST(true), client.Logger(l))
	err = c.Login()
	if err != nil {
		return nil, fmt.Errorf("Login failed: %w", err)
	}
	defer c.Destroy()
	// service principal the TGS request will ask the KDC for
	spn := fmt.Sprintf("HTTP/%s", "acxyz.pklngnt-zum.example.com")
	return spnego.NewClient(c, http.DefaultClient, spn).Do(req)
}
```
I got the below error
```log
could not initialize context: [Root cause: KDC_Error] KDC_Error: TGS Exchange Error: kerberos error response from KDC when requesting for HTTP/acxyz.pklngnt-zum.example.com: KRB Error: (7) KDC_ERR_S_PRINCIPAL_UNKNOWN Server not found in Kerberos database - LOOKING_UP_SERVER
```
Below are the logs from client
```log
krb5-clientsettings.go:67: TGT session added for IPA.PKLCST-ZUM.EXAMPLE.COM (EndTime: 2020-02-08 20:37:43 +0000 UTC)
krb5-clientsettings.go:67: using SPN HTTP/acxyz.pklngnt-zum.example.com
krb5-clientsettings.go:67: client destroyed
```
Below is the output of klist -k /etc/krb5.keytab
```bash
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 host/xxxx.ipa.pklcst-zum.example.com@IPA.PKLCST-ZUM.EXAMPLE.COM
1 host/xxxx.ipa.pklcst-zum.example.com@IPA.PKLCST-ZUM.EXAMPLE.COM
```
Part of /etc/krb5.conf file is below
```bash
[domain_realm]
.ipa.pklcst-zum.example.com = IPA.PKLCST-ZUM.EXAMPLE.COM
ipa.pklcst-zum.example.com = IPA.PKLCST-ZUM.EXAMPLE.COM
xxxx.ipa.pklcst-zum.example.com = IPA.PKLCST-ZUM.EXAMPLE.COM
[capaths]
IPA.PKLCST-ZUM.EXAMPLE.COM = {
PKLCST-ZUM.EXAMPLE.COM = .
PKLNGNT-ZUM.EXAMPLE.COM = .
}
```
I also checked the DNS resolution of acxyz.pklngnt-zum.example.com, and reverse lookup for the ip and it resolves to the same name. But I am not sure it is related.
go version go1.13
library version github.com/jcmturner/gokrb5/v8 v8.0.1
It has some ideas to try there.
It might be worth asking for help there if you still can't get it going.
system (system), Closed July 21, 2021, 4:23am
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.