ambari-user mailing list archives

From Robert Levas <rle...@hortonworks.com>
Subject Re: Kerberos - Algorithme AES256 not enabled
Date Wed, 06 May 2015 12:25:19 GMT
Hi Loïc,

It appears you were heading in the correct direction. The issue is related to the lack of
JCE. Once you install the JCE policy jars, you need to restart Ambari.  If you have already
generated the keytabs for the cluster, you can tell Ambari to regenerate the keytabs and the
correct entries should be created.  To view the contents of your keytab file, use klist -kte
<path to keytab file>. With the -e option you will see the encryption algorithms used
to generate the keytab entry.

For example:

# klist  -kte /etc/security/keytabs/hdfs.headless.keytab
Keytab name: FILE:/etc/security/keytabs/hdfs.headless.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 04/30/15 15:20:14 hdfs@EXAMPLE.COM (des-cbc-md5)
   1 04/30/15 15:20:14 hdfs@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 04/30/15 15:20:14 hdfs@EXAMPLE.COM (arcfour-hmac)
   1 04/30/15 15:20:14 hdfs@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 04/30/15 15:20:14 hdfs@EXAMPLE.COM (des3-cbc-sha1)

You also need to make sure all of the hosts have the JCE policy jars installed.  After they
are installed, you should restart all of the services.

I hope this helps,

Rob


From: Chanel Loïc <loic.chanel@worldline.com>
Reply-To: "user@ambari.apache.org" <user@ambari.apache.org>
Date: Wednesday, May 6, 2015 at 8:12 AM
To: "user@ambari.apache.org" <user@ambari.apache.org>
Subject: Kerberos - Algorithme AES256 not enabled

Hi,

Trying to Kerberize my cluster, I encountered some troubles. When I start to configure security
with the Ambari wizard, it seems the Ambari server cannot connect to the KDC, while it is on the
same network.
Therefore I took a closer look at the corresponding logs, and the main issue seems to be related
to the algorithm AES256, as the main error returns "Algorithm AES256 not enabled". As I was
a little surprised, I tried to reproduce the bug using a personal minimalistic implementation
using the same library that is used by Ambari (org.apache.directory.kerberos.client), but
I still get the error "Algorithm AES256 not enable".

Searching on Google, I saw that this problem could be related to the installation of JCE,
so I re-installed it with the proper parameters from the Oracle website
(http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html),
but it did not change a thing.

Does someone know where this might come from, or how to avoid this issue?
Thanks,


Loïc
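
Added example, not part of the original thread: a shell function that reads klist -kte output in the format shown in the reply above and prints every principal that has no aes256-cts-hmac-sha1-96 key, so the check can be repeated after regenerating keytabs. The function names and the second sample listing (including its nn/host1.example.com principal) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `klist -kte` output for a required encryption type.
# Typical use (path taken from the thread):
#   klist -kte /etc/security/keytabs/hdfs.headless.keytab | keytab_missing_enctype

# Reads `klist -kte` output on stdin and prints each principal that has no
# key of the required enctype (first argument, default AES-256).
# Returns 0 when every principal has such a key, 1 otherwise.
keytab_missing_enctype() {
    awk -v want="${1:-aes256-cts-hmac-sha1-96}" '
        # Entry lines start with a numeric KVNO and end with "(enctype)";
        # the principal is the field just before the enctype.
        $1 ~ /^[0-9]+$/ && NF >= 3 && $NF ~ /^\(.*\)$/ {
            princ = $(NF - 1)
            enc = substr($NF, 2, length($NF) - 2)
            if (!(princ in seen)) { seen[princ] = 1; order[++n] = princ }
            if (enc == want) has[princ] = 1
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(order[i] in has)) { print order[i]; missing = 1 }
            exit missing
        }'
}

# Sample input: entries for hdfs@EXAMPLE.COM as listed in the reply above.
sample_page_keytab() {
    cat <<'EOF'
Keytab name: FILE:/etc/security/keytabs/hdfs.headless.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 04/30/15 15:20:14 hdfs@EXAMPLE.COM (des-cbc-md5)
   1 04/30/15 15:20:14 hdfs@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 04/30/15 15:20:14 hdfs@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
EOF
}

# Constructed sample: a second principal that has no AES-256 entry.
sample_without_aes256() {
    sample_page_keytab
    cat <<'EOF'
   1 04/30/15 15:20:14 nn/host1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 04/30/15 15:20:14 nn/host1.example.com@EXAMPLE.COM (arcfour-hmac)
EOF
}
```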
