My Oracle Support Banner

Submitting A Command Line Oozie Job With Kerberos Fails With SPENGO Error (Doc ID 1932192.1)

Last updated on NOVEMBER 08, 2022

Applies to:

Big Data Appliance Integrated Software - Version 3.0.1 and later
Linux x86-64

Symptoms

NOTE: In the examples that follow, user details, cluster names, hostnames, directory paths, filenames, etc. represent a fictitious sample (and are used to provide an illustrative example only). Any similarity to actual persons, or entities, living or dead, is purely coincidental and not intended in any manner.

 

Submitting an oozie job in the kerberos enabled environment fails with following SPENGO Errors.

$ klist
Ticket cache: FILE:/tmp/krb5cc_<#>_<#>
Default principal: <user>@EXAMPLE.COM

Valid starting Expires Service principal
09/18/14 14:45:23 09/19/14 00:45:23 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 09/25/14 14:45:23


$ oozie job -oozie http://node04:11000/oozie -config job.properties -run

Error: AUTHENTICATION : Could not authenticate, org.apache.hadoop.security.authentication.client.AuthenticationException: Invalid SPNEGO sequence, 'WWW-Authenticate' header incorrect: null

 

Destroying the user authentication and reinitiating it still fails with same error:

$ kdestroy
$ kinit <user>
Password for <user>@EXAMPLE.COM:


$ oozie job -oozie http://node04:11000/oozie -config job.properties -run

Error: AUTHENTICATION : Could not authenticate, org.apache.hadoop.security.authentication.client.AuthenticationException: Invalid SPNEGO sequence, 'WWW-Authenticate' header incorrect: null

 

Oozie log shows the following error:

014-09-18 14:46:07,866 WARN org.apache.hadoop.security.authentication.server.AuthenticationFilter: SERVER[node04.example.com] Authentication exception: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)

org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)

 

Cause

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document
Symptoms
Cause
Solution


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.