[
https://issues.apache.org/jira/browse/HADOOP-9969?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14907372#comment-14907372
]
Yu Gao commented on HADOOP-9969:
--------------------------------
This is because IBM JDK behaves differently when initializing SaslClient in
Sasl.createSaslClient, which requires valid kerberos credentials in place, even
before the server and client start the negotiation. While Oracle JDK seems not
checking credentials until evaluateChallenge is called.
> TGT expiration doesn't trigger Kerberos relogin
> -----------------------------------------------
>
> Key: HADOOP-9969
> URL: https://issues.apache.org/jira/browse/HADOOP-9969
> Project: Hadoop Common
> Issue Type: Bug
> Components: ipc, security
> Affects Versions: 2.1.0-beta
> Reporter: Yu Gao
> Attachments: HADOOP-9969.patch, JobTracker.log
>
>
> In HADOOP-9698 & HADOOP-9850, RPC client and Sasl client have been changed to
> respect the auth method advertised from server, instead of blindly attempting
> the configured one at client side. However, when TGT has expired, an
> exception will be thrown from SaslRpcClient#createSaslClient(SaslAuth
> authType), and at this time the authMethod still holds the initial value
> which is SIMPLE and never has a chance to be updated with the expected one
> requested by server, so kerberos relogin will not happen.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
