You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@impala.apache.org by "Sailesh Mukil (JIRA)" <ji...@apache.org> on 2018/03/16 21:51:00 UTC
[jira] [Created] (IMPALA-6691) KRPC w/ kerberos fails on SLES11
Sailesh Mukil created IMPALA-6691:
-------------------------------------
Summary: KRPC w/ kerberos fails on SLES11
Key: IMPALA-6691
URL: https://issues.apache.org/jira/browse/IMPALA-6691
Project: IMPALA
Issue Type: Bug
Reporter: Sailesh Mukil
Assignee: Sailesh Mukil
The Kerberos version used in SLES 11 seems to have quite a few undocumented bugs. They have krb5-1.6 (krb5-client-1.6.3-133.49.112.1.x86_64).
With KRPC we see a new error "GSSAPI Error: A required input parameter could not be read", which we've never seen before. With Thrift, it just fails with no proper error messages.
I looked into the krb5 codebase and between krb5-1.6 and krb5-1.7, the code causing the above error (GSSAPI Error: A required input parameter could not be read) has changed subtly without any explanation as to why.
That error string corresponds to GSS_S_CALL_INACCESSIBLE_READ.
In 1.6, it returns an error if the 'input_token_buffer' string is empty:
krb5-1.6:
https://github.com/krb5/krb5/blob/krb5-1.6/src/lib/gssapi/mechglue/g_accept_sec_context.c#L149-L150
In 1.7, it returns an error only if the 'input_token_buffer' string is NULL:
krb5-1.7:
https://github.com/krb5/krb5/blob/krb5-1.7/src/lib/gssapi/mechglue/g_accept_sec_context.c#L149-L150
With KRPC, we test if Kerberos works by passing an empty string to SASL:
https://github.com/apache/impala/blob/master/be/src/kudu/rpc/server_negotiation.cc#L289
In 1.6, this is counted as an error, but in 1.7, this is completely fine. I'm not sure why since they haven't documented it.
We can attempt to get KRPC working for SLES11 by removing the PreflightGSSAPI() check.
(However there may be more issues on SLES11 that we're not yet aware of)
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)