Currently, the sentry shell uses the java "user.name" which gives some unexpected behavior if the user is logged in via kerberos (i.e. you get error messages about your OS user when connecting to a secure sentry service).
In addition, the error messages around this are sometimes missing. For example, for a GSS initiate failure, which happens if there is kerberos ticket, you get no error message returned because the top-level exception has no error message. We should follow the exception causes until we find something reasonable to print.