ambari-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Reopened] (AMBARI-8840) Keytabs need to be created to include the encryption type of AES256 CTS mode with HMAC SHA1-96
Date Tue, 15 Mar 2016 20:09:33 GMT

     [ https://issues.apache.org/jira/browse/AMBARI-8840?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Eric Yang reopened AMBARI-8840:
-------------------------------

This issue only shows up if the Kerberos system is customized to a set of ciphers which excludes
aes256-cts-hmac-sha1-96 cipher.  If the keytabs contains the cipher, but krb5.conf doesn't
support aes256-cts-hmac-sha1-96 cipher.  This error could happen.  The real problem is, if
kerberos server supports limited ciphers, the keytab generation should respect the supported
ciphers only.  This can be an enhancement to keytab generation script to eliminate this problem.
 Hence, this JIRA  can be used to track the required enhancement to make keytab generation
process more refined.

> Keytabs need to be created to include the encryption type of AES256 CTS mode with HMAC
SHA1-96
> ----------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-8840
>                 URL: https://issues.apache.org/jira/browse/AMBARI-8840
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.0.0, 2.1.0
>         Environment: Red Hat Enterprise Linux Server release 6.6 (Santiago)
> [root@hdtest253 etc]# java -version
> java version "1.7.0_79"
> OpenJDK Runtime Environment (rhel-2.5.5.3.el6_6-x86_64 u79-b14)
> OpenJDK 64-Bit Server VM (build 24.79-b02, mixed mode)
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>            Priority: Critical
>              Labels: kerberos, keytabs
>             Fix For: 2.1.0
>
>         Attachments: hadoop-hdfs-journalnode-hdtest253.svl.ibm.com.log
>
>
> During automated keytab generation, an entry  with the following encryption type must
be added else certain services will fail to start up or properly when Kerberos is enabled:
> {code}AES256 CTS mode with HMAC SHA1-96{code}
> For example, NAMENODE will fail with the following errors:
> {code}
> 2014-12-19 21:45:56,101 WARN  server.AuthenticationFilter (AuthenticationFilter.java:doFilter(551))
- Authentication exception: GSSException: Failure unspecified at GSS-API level (Mechanism
level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256
CTS mode with HMAC SHA1-96)
> org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException:
Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find
key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)
> 	at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:399)
> 	at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:507)
> 	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
> 	at org.apache.hadoop.http.HttpServer2$QuotingInputFilter.doFilter(HttpServer2.java:1224)
> 	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
> 	at org.apache.hadoop.http.NoCacheFilter.doFilter(NoCacheFilter.java:45)
> 	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
> 	at org.apache.hadoop.http.NoCacheFilter.doFilter(NoCacheFilter.java:45)
> 	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
> 	at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:399)
> 	at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
> 	at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
> 	at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:766)
> 	at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:450)
> 	at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:230)
> 	at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
> 	at org.mortbay.jetty.Server.handle(Server.java:326)
> 	at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
> 	at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:928)
> 	at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:549)
> 	at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:212)
> 	at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
> 	at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:410)
> 	at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
> Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid
argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with
HMAC SHA1-96)
> 	at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:788)
> 	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
> 	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
> 	at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:875)
> 	at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:548)
> 	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
> 	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
> 	at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:366)
> 	at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:348)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at javax.security.auth.Subject.doAs(Subject.java:415)
> 	at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:348)
> 	... 23 more
> Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type
to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96
> 	at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:273)
> 	at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:144)
> 	at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
> 	at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:771)
> 	... 34 more
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message