Common Kerberos errors and resolutions on Greenplum

Article ID: 295832

Products

VMware Tanzu Greenplum, VMware Tanzu Data Suite

Issue/Introduction

Symptoms:

The following are common Kerberos errors on GPDB. The corresponding solutions are in the Resolution section of this article.

1. The ticket-granting ticket (TGT) has expired, producing the following error message:

  • ERROR: psql: GSSAPI continuation error: Unspecified GSS failure
The Minor code may also show GSSAPI continuation error: Ticket expired.
 

2. The library version that kinit requires is not the one found on the LD_LIBRARY_PATH set by the Greenplum binaries, producing the following error message:

  • ERROR: kinit: relocation error: kinit: symbol krb5_get_init_creds_opt_set_fast_ccache_name, version krb5_3_MIT not defined in file libkrb5.so.3 with link time reference

3. No principal has been created for the Postgres service in the Kerberos database, producing the following error message:

  • ERROR: psql: GSSAPI continuation error: Unspecified GSS failure
The Minor code may also provide more information, such as Server not found in Kerberos database.

4. There is no valid ticket-granting ticket (TGT) for the user. As a result, there is no matching ticket in the local keytab for the user. The following error messages are produced:

  • ERROR: psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may provide more information
  • GSSAPI continuation error: No credentials cache found

5. The server name does not match what is in the Kerberos database. The following error message is produced: 
 
  • ERROR: Server has invalid Kerberos principal
6. There is a time skew between the Kerberos server and the Master server producing the following error message: 
 
  • ERROR: psql: FATAL:  accepting GSS security context failed (auth.c:1141)DETAIL:  Unspecified GSS failure. 
The Minor code may provide more information, such as Clock skew too great.
 
7. The encryption type is not supported, producing the following error message: 
 
  • ERROR: KDC has no support for encryption type <number>  

Environment


Resolution

1. The ticket-granting ticket (TGT) has expired, producing the following error message:

  • ERROR: psql: GSSAPI continuation error: Unspecified GSS failure
The Minor code may also show GSSAPI continuation error: Ticket expired.

Create a new ticket on the Master server using the following command:

  • kinit -k -t /home/gpadmin/gpdb-kerberos.keytab db_user

Note: -t specifies the keytab file and db_user is the user name for which the ticket is requested.

2. The library version that kinit requires is not the one found on the LD_LIBRARY_PATH set by the Greenplum binaries, producing the following error message:

  • ERROR: kinit: relocation error: kinit: symbol krb5_get_init_creds_opt_set_fast_ccache_name, version krb5_3_MIT not defined in file libkrb5.so.3 with link time reference

Unset LD_LIBRARY_PATH.

IMPORTANT NOTE: The above fix causes the following error when you then try to run Postgres commands, because psql can no longer find the Greenplum-bundled libpq:

  • ERROR: psql: error while loading shared libraries: libpq.so.5: cannot open shared object file: No such file or directory

To resolve this issue, source the Greenplum environment (greenplum_path.sh) again.

3. No principal has been created for the Postgres service in the Kerberos database, producing the following error message:

  • ERROR: psql: GSSAPI continuation error: Unspecified GSS failure

The Minor code may also provide more information, such as Server not found in Kerberos database.

This error suggests that there is no service principal for the Postgres server. Create a principal on the Kerberos server for the Postgres service using the following command:

  • kadmin.local -q "addprinc -randkey postgres/mdw@GPDB.KRB"

Note: mdw is the Master server hostname and GPDB.KRB is the Kerberos Realm.

IMPORTANT NOTE: Further action is required after you perform the above command. Please refer to Using Kerberos Authentication in the Greenplum documentation.

4. There is no valid ticket granting ticket (TGT) for the user. As a result, there is no matching ticket in the local keytab for the user. The following error messages are produced: 
 

  •  ERROR: psql: GSSAPI continuation error: Unspecified GSS failure.  Minor code may provide more information
  • GSSAPI continuation error: No credentials cache found

Use the kinit command to obtain and cache a Kerberos TGT:

  • kinit -k -t /home/gpadmin/gpdb-kerberos.keytab db_user

Note: The default ticket cache location and naming convention is /tmp/krb5cc_%{uid}. Use the klist command to view the contents of the ticket cache.
 
5. The server name does not match what is in the Kerberos database. The following error message is produced: 
 

  • ERROR: Server has invalid Kerberos principal

Further investigation is required to find out why they do not match. A hostname change on the server could be the culprit.
 
6. There is a time skew between the Kerberos server and the Master server producing the following error message: 
 

  • ERROR: psql: FATAL:  accepting GSS security context failed (auth.c:1141)DETAIL:  Unspecified GSS failure. 

The Minor code may provide more information, such as Clock skew too great.

The time difference between the Kerberos server and the Master server is more than 10 minutes. Set up Network Time Protocol (NTP) on the hosts in the Realm so that their clocks stay synchronized.
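The following pre-flight script is an added example, not code from the article or from Greenplum itself. It ties together resolutions 1, 2, 4 and 6 the way an operator would script them on a client host before running psql: it checks the credentials cache for an unexpired TGT with MIT Kerberos' `klist -s`, acquires one from the keytab if needed, runs kinit with LD_LIBRARY_PATH unset only for that one command (so the Greenplum-bundled libkrb5 is bypassed without breaking libpq.so.5 for psql afterwards), and compares the local clock against the KDC's. The keytab path and user name are the article's; the `run` argument, the `KDC_HOST` variable and the ssh-based clock read are assumptions.

```shell
#!/bin/sh
# Added example, not from the Broadcom/VMware article: a pre-flight check a
# Greenplum client host can run before psql. Keytab path and principal name
# come from the article; KDC_HOST and the "run" usage are assumptions.
set -u

KEYTAB="${KEYTAB:-/home/gpadmin/gpdb-kerberos.keytab}"  # keytab from the article
PRINCIPAL="${PRINCIPAL:-db_user}"                         # user from the article
MAX_SKEW="${MAX_SKEW:-300}"   # seconds; MIT Kerberos' default clockskew

# Items 1 and 4: is there a credentials cache holding an unexpired TGT?
# MIT `klist -s` prints nothing and exits 0 only when such a cache exists, so
# it covers both "Ticket expired" and "No credentials cache found".
tgt_valid() {
    klist -s 2>/dev/null
}

# Items 1, 2 and 4: (re)acquire the TGT from the keytab. kinit runs in a
# subshell with LD_LIBRARY_PATH unset, so it resolves the system libkrb5.so.3
# instead of the Greenplum-bundled one (the relocation error in item 2), while
# the caller's LD_LIBRARY_PATH stays intact and psql still finds libpq.so.5.
acquire_tgt() {
    ( unset LD_LIBRARY_PATH; kinit -k -t "$KEYTAB" "$PRINCIPAL" )
}

# Obtain a TGT only when the cache does not already hold a valid one.
ensure_tgt() {
    if tgt_valid; then
        return 0
    fi
    acquire_tgt
}

# Item 6: compare two epoch timestamps (local host vs. KDC) and succeed only
# when the absolute difference is within the allowed skew in seconds.
skew_ok() {
    local_epoch=$1
    kdc_epoch=$2
    limit=${3:-$MAX_SKEW}
    diff=$((local_epoch - kdc_epoch))
    if [ "$diff" -lt 0 ]; then
        diff=$((0 - diff))
    fi
    [ "$diff" -le "$limit" ]
}

# Full pre-flight, run as: KDC_HOST=kdc.example.invalid ./krb_preflight.sh run
# (hypothetical usage). The KDC's clock is read over ssh here; substitute
# whatever clock source fits your environment.
if [ "${1:-}" = "run" ]; then
    if [ -n "${KDC_HOST:-}" ]; then
        kdc_now=$(ssh "$KDC_HOST" date +%s)
        if ! skew_ok "$(date +%s)" "$kdc_now"; then
            echo "clock skew against $KDC_HOST exceeds ${MAX_SKEW}s; fix NTP first" >&2
            exit 1
        fi
    fi
    ensure_tgt || { echo "could not obtain a TGT for $PRINCIPAL" >&2; exit 1; }
    klist
fi
```

The functions can also be sourced into an existing shell; `ensure_tgt` is idempotent, so it is safe to call from a cron job or a wrapper around psql. The skew threshold defaults to 300 seconds, MIT Kerberos' default clockskew, and can be raised with MAX_SKEW if the KDC is configured more leniently.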