Kerberos | Cloudera | KrbException: Encryption type AES256 CTS mode with HMAC SHA1-96
Problem description
I have been trying to set up Kerberos for CDH 4.5, which was set up using the Cloudera Manager Installer.
The instructions are from the following link: http://www.cloudera.com/content/cloudera-content/cloudera-docs/CM4Ent/4.5.2/Configuring-Hadoop-Security-with-Cloudera-Manager/cmeechs_topic_4.html
After setting up the KDC, I copied the JCE policy for Java 6 files to the following location: /usr/java/jdk1.6.0_31/lib/security/
Following is my "/var/kerberos/krb5kdc/kdc.conf" file:
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
MYREALM.COM = {
master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
Following is my "/etc/krb5.conf" file:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYREALM.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
MYREALM.COM = {
kdc = node1.hcluster
admin_server = node1.hcluster
}
[domain_realm]
.hcluster = MYREALM.COM
hcluster = MYREALM.COM
This file is present in all the nodes.
However, after following all the steps from the instructions, all services fail to communicate with each other. Following is the exception from the namenode logs:
2014-02-05 11:42:35,072 INFO org.apache.hadoop.ipc.Server: IPC Server listener on 8022: readAndProcess threw exception javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)] from client 10.1.3.104. Count of bytes read: 0
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]
at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:159)
at org.apache.hadoop.ipc.Server$Connection.saslReadAndProcess(Server.java:1250)
at org.apache.hadoop.ipc.Server$Connection.readAndProcess(Server.java:1456)
at org.apache.hadoop.ipc.Server$Listener.doRead(Server.java:759)
at org.apache.hadoop.ipc.Server$Listener$Reader.doRunLoop(Server.java:557)
at org.apache.hadoop.ipc.Server$Listener$Reader.run(Server.java:532)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:137)
... 5 more
Caused by: KrbException: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled
at sun.security.krb5.EncryptionKey.findKey(EncryptionKey.java:481)
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:260)
at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
... 8 more
Any help is really appreciated.
Recommended answer
I was able to get some help from Cloudera and figured out that the mistake was in the location for the JCE policy jars.
The correct location is: /usr/java/jdk1.6.0_31/jre/lib/security/
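A placement check for the mistake identified in the answer, as an added example that is not part of the original post. It only compares file locations under a JDK home; the function name is hypothetical, and the jar names local_policy.jar and US_export_policy.jar are the standard JCE policy file names, which the post itself does not list.

```shell
#!/bin/sh
# Added example: detect JCE policy jars copied to JDK_HOME/lib/security
# (the location used in the question) instead of JDK_HOME/jre/lib/security
# (the location given in the answer).
# Usage after sourcing: check_jce_location /usr/java/jdk1.6.0_31

# Standard JCE policy jar names (assumption: not listed in the post).
JCE_JARS="local_policy.jar US_export_policy.jar"

# check_jce_location JDK_HOME
# Prints one status line per jar and returns:
#   0  jars present in jre/lib/security, no differing copy in lib/security
#   1  a copy in lib/security differs from the one the JRE actually loads
#   2  jre/lib/security is missing, or a jar is missing from it
check_jce_location() {
    jdk_home=$1
    active="$jdk_home/jre/lib/security"   # directory the JRE reads policy jars from
    stray="$jdk_home/lib/security"        # directory used by mistake in the question
    status=0
    if [ ! -d "$active" ]; then
        echo "ERROR: $active not found"
        return 2
    fi
    for jar in $JCE_JARS; do
        if [ ! -f "$active/$jar" ]; then
            echo "MISSING: $active/$jar"
            status=2
        elif [ -f "$stray/$jar" ] && ! cmp -s "$stray/$jar" "$active/$jar"; then
            # The downloaded jar was copied here but never reached the JRE.
            echo "MISPLACED: $stray/$jar differs from $active/$jar"
            if [ "$status" -eq 0 ]; then status=1; fi
        else
            echo "OK: $active/$jar"
        fi
    done
    return "$status"
}
```

A return value of 0 confirms placement only; it does not prove the jars in jre/lib/security are the unlimited-strength versions.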