Kerberos | Cloudera | KrbException：使用HMAC SHA1-96加密类型AES256 CTS模式 [英] Kerberos | Cloudera | KrbException: Encryption type AES256 CTS mode with HMAC SHA1-96

问题描述

我一直在尝试为使用Cloudera Manager安装程序设置的CDH 4.5安装Kerberos。

I have been trying to setup Kerberos for CDH 4.5 which was setup using the Cloudera Manager Installer.

这些说明来自以下链接：
< a href =http://www.cloudera.com/content/cloudera-content/cloudera-docs/CM4Ent/4.5.2/Configuring-Hadoop-Security-with-Cloudera-Manager/cmeechs_topic_4.html =nofollow > http://www.cloudera.com/content/cloudera-content/cloudera-docs/CM4Ent/4.5.2/Configuring-Hadoop-Security-with-Cloudera-Manager/cmeechs_topic_4.html

The instructions are from the following link: http://www.cloudera.com/content/cloudera-content/cloudera-docs/CM4Ent/4.5.2/Configuring-Hadoop-Security-with-Cloudera-Manager/cmeechs_topic_4.html

设置KDC后，我将JCE策略的Java 6文件复制到以下位置：
/usr/java/jdk1.6.0_31/lib/security/

After setting up and KDC I copied the JCE policy for Java 6 files to the following location: /usr/java/jdk1.6.0_31/lib/security/

以下是我的/var/kerberos/krb5kdc/kdc.conf文件：

Following is my "/var/kerberos/krb5kdc/kdc.conf" file:

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 MYREALM.COM = {
  master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

以下是我的/ etc / krb5.conf文件：

Following is my "/etc/krb5.conf" file:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYREALM.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 MYREALM.COM = {
  kdc = node1.hcluster
  admin_server = node1.hcluster
 }

[domain_realm]
 .hcluster = MYREALM.COM
 hcluster = MYREALM.COM

该文件存在于所有节点中。

This file is present in all the nodes.

然而，按照指示完成所有步骤后服务无法相互通信。
以下是来自namenode日志的例外：

However after following all the steps from the instructions all services fail to communicate with each other. Following is the exception from the namenode logs:

2014-02-05 11:42:35,072 INFO org.apache.hadoop.ipc.Server: IPC Server listener on 8022: readAndProcess threw exception javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)] from client 10.1.3.104. Count of bytes read: 0
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]
        at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:159)
        at org.apache.hadoop.ipc.Server$Connection.saslReadAndProcess(Server.java:1250)
        at org.apache.hadoop.ipc.Server$Connection.readAndProcess(Server.java:1456)
        at org.apache.hadoop.ipc.Server$Listener.doRead(Server.java:759)
        at org.apache.hadoop.ipc.Server$Listener$Reader.doRunLoop(Server.java:557)
        at org.apache.hadoop.ipc.Server$Listener$Reader.run(Server.java:532)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
        at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:137)
        ... 5 more
Caused by: KrbException: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled
        at sun.security.krb5.EncryptionKey.findKey(EncryptionKey.java:481)
        at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:260)
        at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
        at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
        ... 8 more

任何帮助真的很感谢。

推荐答案

我w能够从Cloudera得到一些帮助，并发现错误在JCE策略罐的位置。

I was able to get some help from Cloudera and figured out that the mistake was in the location for the JCE policy jars.

正确的位置是： / usr / java / jdk1.6.0_31 / jre / lib / security /.

这篇关于Kerberos | Cloudera | KrbException：使用HMAC SHA1-96加密类型AES256 CTS模式的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！