Details
-
Sub-task
-
Status: Resolved
-
Critical
-
Resolution: Fixed
-
Impala 3.0, Impala 2.12.0
-
None
-
None
-
ghx-label-1
Description
The Kerberos version used in SLES 11 seems to have quite a few undocumented bugs. They have krb5-1.6 (krb5-client-1.6.3-133.49.112.1.x86_64).
With KRPC we see a new error "GSSAPI Error: A required input parameter could not be read", which we've never seen before.
I looked into the krb5 codebase and between krb5-1.6 and krb5-1.7, the code causing the above error (GSSAPI Error: A required input parameter could not be read) has changed subtly without any explanation as to why.
That error string corresponds to GSS_S_CALL_INACCESSIBLE_READ.
In 1.6, it returns an error if the 'input_token_buffer' string is empty:
krb5-1.6:
https://github.com/krb5/krb5/blob/krb5-1.6/src/lib/gssapi/mechglue/g_accept_sec_context.c#L149-L150
In 1.7, it returns an error only if the 'input_token_buffer' string is NULL:
krb5-1.7:
https://github.com/krb5/krb5/blob/krb5-1.7/src/lib/gssapi/mechglue/g_accept_sec_context.c#L149-L150
With KRPC, we test if Kerberos works by passing an empty string to SASL:
https://github.com/apache/impala/blob/master/be/src/kudu/rpc/server_negotiation.cc#L289
In 1.6, this is counted as an error, but in 1.7, this is completely fine. I'm not sure why since they haven't documented it.
We can attempt to get KRPC working for SLES11 by removing the PreflightGSSAPI() check.
(However there may be more issues on SLES11 that we're not yet aware of)