The content of this article has been updated and moved to Looker’s technical documentation here.
Notes on configuring Kerberos with delegation on Impala
Configuring Delegation on Impala using User Attributes
Depending on how Kerberos is set up, it may default to authentication algorithms that are not supported by Java. I have found that arcfour-hmac/rc4-hmac seems to work reliably, and aes(256|128)-cts* does not work reliably. When this happens, the debugging messages contain errors like “unsupported keytype (18)”.
You may want to add the following to your krb5.conf file to use appropriate algorithms:
    [libdefaults]
        default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
        permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
Keep in mind that you can override the system krb5.conf by setting the environment variable KRB5_CONFIG to point to a local copy, and point Java to the same local copy using -Djava.security.krb5.conf=… in the JAVAARGS.
After changing the settings, use kdestroy to destroy the old ticket and get a new ticket with kinit, then test again.
There is more information about encryption types here… http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.2/doc/krb5-admin/Supported-Encryption-Types.html
Note the info at the bottom of the page: “Sites wishing to use AES encryption types on their KDCs need to be careful not to give GSSAPI services AES keys…” The Java Virtual Machine interfaces with Kerberos through the GSSAPI. The JAAS-GSS subsystem is the Java interface to the GSSAPI. The AES encryption types should be disabled when using Java, particularly Java 7.
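A small checker for the settings discussed above, added here as an example (it is not Looker's code): it reads the [libdefaults] enctype lines from a krb5.conf, reports any that are unset or still list AES, and names the enctype behind an “unsupported keytype (N)” message. The sample config, the sample debug line and the function names are constructed for illustration.

```python
import re

# Enctype numbers from the IANA Kerberos registry; 18 is the one quoted above.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Constructed sample inputs (assumptions), not taken from a real system.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = aes256-cts rc4-hmac
"""
SAMPLE_DEBUG = "constructed debug line: unsupported keytype (18)"

def libdefaults_enctypes(conf_text):
    """Return {setting: [enctype, ...]} for enctype lines under [libdefaults]."""
    section, found = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # krb5.conf comments start the line
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in ENCTYPE_KEYS:
                found[key] = [e for e in re.split(r"[,\s]+", value) if e]
    return found

def review_for_java(conf_text):
    """Report enctype settings that are unset or still list an AES type."""
    found, problems = libdefaults_enctypes(conf_text), []
    for key in ENCTYPE_KEYS:
        aes = [e for e in found.get(key, []) if e.lower().startswith("aes")]
        if key not in found:
            problems.append(f"{key}: not set, library defaults apply")
        elif aes:
            problems.append(f"{key}: AES listed ({', '.join(aes)})")
    return problems

def decode_keytype_errors(debug_output):
    """Name the enctype behind each 'unsupported keytype (N)' message."""
    nums = re.findall(r"unsupported keytype \((\d+)\)", debug_output)
    return [ETYPE_NAMES.get(int(n), f"unknown ({n})") for n in nums]

if __name__ == "__main__":
    print(review_for_java(SAMPLE_CONF), decode_keytype_errors(SAMPLE_DEBUG))
```

Run it against the file that KRB5_CONFIG and -Djava.security.krb5.conf actually point to, since that is the copy Java reads.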