Kerberos | Cloudera | KrbException: Encryption type AES256 CTS mode with HMAC SHA1-96

Deadly 提交于 2019-12-24 12:22:53

问题


I have been trying to setup Kerberos for CDH 4.5 which was setup using the Cloudera Manager Installer.

The instructions are from the following link: http://www.cloudera.com/content/cloudera-content/cloudera-docs/CM4Ent/4.5.2/Configuring-Hadoop-Security-with-Cloudera-Manager/cmeechs_topic_4.html

After setting up and KDC I copied the JCE policy for Java 6 files to the following location: /usr/java/jdk1.6.0_31/lib/security/

Following is my "/var/kerberos/krb5kdc/kdc.conf" file:

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 MYREALM.COM = {
  master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

Following is my "/etc/krb5.conf" file:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYREALM.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 MYREALM.COM = {
  kdc = node1.hcluster
  admin_server = node1.hcluster
 }

[domain_realm]
 .hcluster = MYREALM.COM
 hcluster = MYREALM.COM

This file is present in all the nodes.

However after following all the steps from the instructions all services fail to communicate with each other. Following is the exception from the namenode logs:

2014-02-05 11:42:35,072 INFO org.apache.hadoop.ipc.Server: IPC Server listener on 8022: readAndProcess threw exception javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)] from client 10.1.3.104. Count of bytes read: 0
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]
        at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:159)
        at org.apache.hadoop.ipc.Server$Connection.saslReadAndProcess(Server.java:1250)
        at org.apache.hadoop.ipc.Server$Connection.readAndProcess(Server.java:1456)
        at org.apache.hadoop.ipc.Server$Listener.doRead(Server.java:759)
        at org.apache.hadoop.ipc.Server$Listener$Reader.doRunLoop(Server.java:557)
        at org.apache.hadoop.ipc.Server$Listener$Reader.run(Server.java:532)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
        at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:137)
        ... 5 more
Caused by: KrbException: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled
        at sun.security.krb5.EncryptionKey.findKey(EncryptionKey.java:481)
        at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:260)
        at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
        at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
        ... 8 more

Any help is really appreciated.


回答1:


I was able to get some help from Cloudera and figured out that the mistake was in the location for the JCE policy jars.

The correct location is : /usr/java/jdk1.6.0_31/jre/lib/security/.



来源:https://stackoverflow.com/questions/21586132/kerberos-cloudera-krbexception-encryption-type-aes256-cts-mode-with-hmac-sh

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!