{question}
How can one address the error encountered while attempting to log in with a GSSAPI user?
Client GSSAPI error (major 851968, minor 0) : gss_init_sec_context - Unspecified GSS failure. Minor code may provide more information.
{question}
{answer}
This article covers the steps to fix the following error, which appears while authenticating via Kerberos:
Client GSSAPI error (major 851968, minor 0) : gss_init_sec_context - Unspecified GSS failure. Minor code may provide more information.
The error occurs because SingleStore DB is unable to get a ticket from the Kerberos server using the keytab file.
Let's assume the following:
| Parameter | Value |
| --- | --- |
| userPrincipalName | HTTP/memsql.domain.local@DOMAIN.LOCAL |
| servicePrincipalName | HTTP/memsql.domain.local |
| Domain | DOMAIN.LOCAL |
| Keytab File | /etc/memsql/memsql.keytab |
On the Master Aggregator, run the following commands:
$ sudo -u memsql kdestroy
$ sudo -u memsql kinit -kt /etc/memsql/memsql.keytab -S HTTP/memsql.domain.local HTTP/memsql.domain.local@DOMAIN.LOCAL
The output of `kinit` should display the actual error that SingleStore is receiving. The commands run as the `memsql` user to confirm that the permissions and other details are correct for that account.
For example:
$ sudo -u memsql kinit -kt /etc/memsql/memsql.keytab -S HTTP/memsql.domain.local HTTP/memsql.domain.local@DOMAIN.LOCAL
kinit: Cannot contact any KDC for realm 'DOMAIN.LOCAL' while getting initial credentials
Fix whatever issue `kinit` reports and retry the operation. Once you can retrieve a service ticket, the authentication should work.
$ sudo -u memsql kinit -kt /etc/memsql/memsql.keytab -S HTTP/memsql.domain.local HTTP/memsql.domain.local@DOMAIN.LOCAL
$ sudo -u memsql klist
Ticket cache: FILE:/tmp/krb5cc_114
Default principal: HTTP/memsql.domain.local@DOMAIN.LOCAL
Valid starting     Expires            Service principal
10/03/22 08:54:51  10/03/22 18:54:51  HTTP/memsql.domain.local@DOMAIN.LOCAL
        renew until 10/04/22 08:54:51
If there are any issues, please reach out to SingleStore Support.
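
The script below is an added example, not SingleStore tooling. It runs the same checks as the `memsql` user, first confirming that the keytab is readable and contains the principal, then mapping the `kinit` error to a likely cause. The tag names are hypothetical, and the messages other than the one shown above are assumed to follow MIT Kerberos wording.

```shell
#!/bin/sh
# Added example. Defaults are the article's assumed values; override via environment.
KEYTAB=${KEYTAB:-/etc/memsql/memsql.keytab}
PRINCIPAL=${PRINCIPAL:-HTTP/memsql.domain.local@DOMAIN.LOCAL}
SERVICE=${SERVICE:-HTTP/memsql.domain.local}
RUN_AS=${RUN_AS:-memsql}

# Reads `klist -kt` output on stdin; succeeds if principal $1 has a key entry.
# Entry rows start with a numeric KVNO and end with the principal name.
keytab_has_principal() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $NF == p { found = 1 } END { exit !found }'
}

# Maps kinit's stderr text to a short cause tag (tag names are hypothetical).
classify_kinit_error() {
    case $1 in
        *"Cannot contact any KDC"*)         echo kdc-unreachable ;;       # network, firewall, DNS
        *"Cannot find KDC"*)                echo realm-not-configured ;;  # krb5.conf or DNS SRV records
        *"not found in Kerberos database"*) echo unknown-principal ;;
        *"no suitable keys"*)               echo principal-not-in-keytab ;;
        *"Preauthentication failed"*)       echo stale-keytab-key ;;      # keytab key differs from the KDC's
        *"Clock skew too great"*)           echo clock-skew ;;
        *"Permission denied"*|*"Key table file"*"not found"*) echo keytab-unreadable ;;
        *)                                  echo unclassified ;;
    esac
}

# Runs the article's checks as the service account and prints one tag.
diagnose() {
    sudo -u "$RUN_AS" test -r "$KEYTAB" || { echo keytab-unreadable; return 1; }
    sudo -u "$RUN_AS" klist -kt "$KEYTAB" | keytab_has_principal "$PRINCIPAL" \
        || { echo principal-not-in-keytab; return 1; }
    sudo -u "$RUN_AS" kdestroy 2>/dev/null || true   # no existing cache is fine
    if err=$(sudo -u "$RUN_AS" kinit -kt "$KEYTAB" -S "$SERVICE" "$PRINCIPAL" 2>&1); then
        echo ok
    else
        classify_kinit_error "$err"; return 1
    fi
}

# Only touch the system when asked to: sh kerberos_check.sh --run
if [ "${1:-}" = "--run" ]; then diagnose; fi
```

Saved under a name of your choice and run with `--run` on the Master Aggregator, it prints `ok` or a single tag naming the first check that failed.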
{answer}