I want to access a service that uses Kerberos authentication. The service admin gave me a spnego.service.keytab
file for the correct Kerberos principal and realm. I can run kinit
against that keytab file to get a Kerberos ticket successfully. But when I try to access that service using curl in a Windows 7 laptop outside the cluster I get this error:
org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
The service happens to be Livy but a colleague gets the same error using Oozie on the same cluster so I don't think the details of the service itself matters much.
Here are the full details:
>curl --negotiate -u : http://<livy_server_host>:<port>/sessions/
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 403 </title>
</head>
<body>
<h2>HTTP ERROR: 403</h2>
<p>Problem accessing /sessions/. Reason:
<pre> org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)</pre></p>
<hr /><i><small>Powered by Jetty://</small></i>
</body>
</html>
What needs to be done to make the curl command work?
The Windows 7 laptop must be part of the same Kerberos realm in which the keytab was generated from. The encryption used by the keytab and the service must also be supported by the Windows 7 laptop. Curl is not a native Windows command, so you must import the supporting encryption libraries onto the Windows 7 laptop in order to make Curl work.