{question}
Why am I receiving the following error while trying to log in with a GSSAPI user?
ERROR 1045 (28000): GSS Major Error: Unspecified GSS failure. Minor code may provide more information. GSS Minor Error: Cannot find key for HTTP/memsql.s2.local@S2.LOCAL kvno 14 in keytab.
{question}
{answer}
While trying to connect to the database using a GSSAPI user, the server is returning the following error:
ERROR 1045 (28000): GSS Major Error: Unspecified GSS failure. Minor code may provide more information. GSS Minor Error: Cannot find key for HTTP/memsql.s2.local@S2.LOCAL kvno 14 in keytab
This happens because the kvno that is specified in the Kerberos server is not the same as the one in the keytab file, and the Kerberos ticket for the user was created before the kvno change.
Let's assume the following:
{userPrincipalName} | HTTP/memsql.domain.local@DOMAIN.LOCAL
{servicePrincipalName} | HTTP/memsql.domain.local
{Domain} | DOMAIN.LOCAL
{Keytab File} | /etc/memsql/memsql.keytab
{currentUser} | rsantos@DOMAIN.LOCAL
To resolve the issue, you will need to log in to the Master Aggregator.
1) Destroy all the Kerberos tickets for the current user:
$ kdestroy
2) Generate a new ticket for the current user
$ kinit {currentUser}
Password for {currentUser}:
3) Verify that the ticket is properly created
$ klist
Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: {currentUser}
Valid starting Expires Service principal
10/04/22 09:23:41 10/04/22 19:23:41 krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
renew until 10/05/22 09:23:36
4) Verify the kvno from the database
$ kvno {userPrincipalName}
{userPrincipalName}: kvno = 15
5) Verify the kvno for the keytab file:
$ klist -kt {Keytab File}
Keytab name: FILE:{Keytab File}
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
13 09/28/22 11:25:24 {userPrincipalName}
13 09/28/22 11:28:16 {userPrincipalName}
We need to replace the current keytab file since it doesn't have the most recent kvno.
6) Copy the new keytab file to the location specified in the memsql.cnf file
$ sudo cp {Keytab File} /etc/memsql/
7) Change the owner of the copied file
$ sudo chown memsql: /etc/memsql/{Keytab File}
8) You can try to log in
$ memsql -h127.0.0.1 --plugin-dir=/usr/lib/singlestore-client/plugin/ -ursantos
9) If it doesn't work, you can try to retrieve a service ticket to verify whether you have further issues with the keytab file
$ sudo -u memsql kdestroy
$ sudo -u memsql kinit -kt /etc/memsql/{Keytab File} -S {servicePrincipalName} {userPrincipalName}
$ sudo -u memsql klist
Ticket cache: FILE:/tmp/krb5cc_114
Default principal: {userPrincipalName}
Valid starting Expires Service principal
10/04/22 09:31:52 10/04/22 19:31:52 {userPrincipalName}
renew until 10/05/22 09:31:52
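The comparison made by hand in steps 4 and 5 can be scripted. The following is an added example, not part of the original article or of SingleStore's tooling: the function names are hypothetical, and the sample input is constructed from the output shown above. It reports whether the keytab holds the kvno that the KDC currently issues for the principal.

```sh
#!/bin/sh
# Added example (not SingleStore code): function names are hypothetical.
# Inputs are the text printed by `kvno <principal>` and `klist -kt <keytab>`.

# Extract N from a line of the form "<principal>: kvno = N".
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/^.*: kvno = \([0-9][0-9]*\)[[:space:]]*$/\1/p' | head -n 1
}

# Print the distinct KVNOs listed for principal $2 in `klist -kt` output $1.
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^[0-9]+$/ && $NF == p && !seen[$1]++ { out = out (out == "" ? "" : " ") $1 }
        END { print out }'
}

# Returns 0 if the keytab holds the KDC's current kvno, 1 if it is stale,
# 2 if either input could not be parsed (principal absent, command failed).
check_kvno() {   # $1 = kvno output, $2 = klist -kt output, $3 = principal
    kdc=$(kdc_kvno "$1")
    have=$(keytab_kvnos "$2" "$3")
    if [ -z "$kdc" ] || [ -z "$have" ]; then
        echo "UNKNOWN: no kvno found for $3"; return 2
    fi
    case " $have " in
        *" $kdc "*) echo "OK: keytab has kvno $kdc for $3"; return 0 ;;
        *) echo "STALE: KDC kvno is $kdc, keytab has: $have"; return 1 ;;
    esac
}

# Constructed sample input, modelled on the output shown in steps 4 and 5.
SAMPLE_SPN='HTTP/memsql.domain.local@DOMAIN.LOCAL'
SAMPLE_KVNO='HTTP/memsql.domain.local@DOMAIN.LOCAL: kvno = 15'
SAMPLE_KLIST='Keytab name: FILE:/etc/memsql/memsql.keytab
KVNO Timestamp         Principal
---- ----------------- ----------------------------------------
  13 09/28/22 11:25:24 HTTP/memsql.domain.local@DOMAIN.LOCAL
  13 09/28/22 11:28:16 HTTP/memsql.domain.local@DOMAIN.LOCAL'

if [ "$#" -eq 2 ]; then   # live use: sh check_kvno.sh <principal> <keytab>
    check_kvno "$(kvno "$1")" "$(klist -kt "$2")" "$1"
else                      # no arguments: run against the constructed sample
    check_kvno "$SAMPLE_KVNO" "$SAMPLE_KLIST" "$SAMPLE_SPN" || true
fi
```

Live use needs a valid ticket for `kvno` and read access to the keytab, so run it as a user who has both.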
{answer}