hadoop-common-user mailing list archives

From Michel Segel <michael_se...@hotmail.com>
Subject Re: DN cannot talk to NN using Kerberos on secured hdfs
Date Mon, 17 Sep 2012 03:28:49 GMT
That should be a bug. All host names should be case insensitive. 

Sent from a remote device. Please excuse any typos...

Mike Segel

On Sep 12, 2012, at 12:25 PM, Vinod Kumar Vavilapalli <vinodkv@hortonworks.com> wrote:

> 
> This is because Java only supports AES 128 by default. To support AES 256, you will need
> to install the unlimited-JCE policy jar from http://www.oracle.com/technetwork/java/javase/downloads/index.html
> 
> Also, there is another case of Kerberos having issues with hostnames with some/all letters
> in caps. If that is the case, you should try tweaking your host-names to all lower-case.
> 
> Thanks,
> +Vinod Kumar Vavilapalli
> Hortonworks Inc.
> http://hortonworks.com/
> 
> On Sep 12, 2012, at 9:47 AM, Shumin Wu wrote:
> 
>> Hi,
>> 
>> I am setting up a secured hdfs using Kerberos.  I got NN, 2NN working just
>> fine. However, DN cannot talk to NN and throws the following exception. I
>> disabled the AES256 from keytab, which in theory should fall back to the
>> AES128, or whatever encryption is on the top of the list, but it still
>> complains about the same. Any help, suggestion, comment is highly
>> appreciated.
>> 
>> *Apache Hadoop version: *
>> 2.0.0
>> 
>> *Security configuration Snippet of DN:*
>> ...
>> <property>
>>    <name>dfs.datanode.data.dir.perm</name>
>>    <value>700</value>
>>  </property>
>> 
>>  <property>
>>    <name>dfs.datanode.address</name>
>>    <value>0.0.0.0:1004</value>
>>  </property>
>> 
>>  <property>
>>    <name>dfs.datanode.http.address</name>
>>    <value>0.0.0.0:1006</value>
>>  </property>
>> 
>>  <property>
>>    <name>dfs.datanode.keytab.file</name>
>>    <value>/etc/hadoop/conf/hdfs.keytab</value>
>>  </property>
>> 
>>  <property>
>>    <name>dfs.datanode.kerberos.principal</name>
>>    <value>hdfs/_HOST@REALM</value>
>>  </property>
>> ...
>> 
>> *Exceptions in Log:*
>> 
>> javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure
>> unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS
>> mode with HMAC SHA1-96 is not supported/enabled)]
>>        at
>> com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:159)
>>        at
>> org.apache.hadoop.ipc.Server$Connection.saslReadAndProcess(Server.java:1199)
>>        at
>> org.apache.hadoop.ipc.Server$Connection.readAndProcess(Server.java:1393)
>>        at org.apache.hadoop.ipc.Server$Listener.doRead(Server.java:710)
>>        at
>> org.apache.hadoop.ipc.Server$Listener$Reader.doRunLoop(Server.java:509)
>>        at org.apache.hadoop.ipc.Server$Listener$Reader.run(Server.java:484)
>> Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism
>> level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not
>> supported/enabled)
>>        at
>> sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
>>        at
>> sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
>>        at
>> sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
>>        at
>> com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:137)
>>        ... 5 more
>> Caused by: KrbException: Encryption type AES256 CTS mode with HMAC SHA1-96
>> is not supported/enabled
>> 
>> 
>> Thanks,
>> Shumin Wu
> 
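
Added example, not part of the original messages or of Hadoop: a small reader for the MIT keytab file format (version 0x0502) that lists the encryption type stored with each entry and flags the two conditions suggested in the reply above, an AES256 key (enctype 18) and a host component containing upper-case letters. The sample keytab bytes, principal names and the `sample_entry` helper are constructed for illustration; on a real node the input would be the bytes of the file named in `dfs.datanode.keytab.file`.

```python
import struct
AES256_CTS_HMAC_SHA1_96 = 18   # Kerberos enctype number named in the exception above

def counted(rec, off):
    """Read a 16-bit length-prefixed string; return (text, next offset)."""
    (n,) = struct.unpack_from(">H", rec, off)
    return rec[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, etype)] from MIT keytab bytes (file format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # hole left by a deleted entry
            pos += -size
            continue
        rec, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, off = counted(rec, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = counted(rec, off)
            comps.append(comp)
        off += 8                           # skip name type and timestamp
        (etype,) = struct.unpack_from(">H", rec, off + 1)
        entries.append(("/".join(comps) + "@" + realm, rec[off], etype))  # 8-bit kvno
    return entries

def audit(entries):
    findings = []
    for princ, _kvno, etype in entries:
        host = princ.split("@")[0].partition("/")[2]
        if etype == AES256_CTS_HMAC_SHA1_96:
            findings.append((princ, "aes256 key: JVM needs the unlimited JCE policy"))
        if host != host.lower():
            findings.append((princ, "host name is not all lower-case"))
    return findings

def sample_entry(comps, realm, kvno, etype, keylen):   # builds constructed sample data only
    s = lambda t: struct.pack(">H", len(t)) + t.encode()
    body = (struct.pack(">H", len(comps)) + s(realm) + b"".join(map(s, comps))
            + struct.pack(">IIBHH", 1, 0, kvno, etype, keylen) + bytes(keylen))
    return struct.pack(">i", len(body)) + body

SAMPLE = (b"\x05\x02" + sample_entry(["hdfs", "DN1.example.com"], "EXAMPLE.COM", 2, 18, 32)
          + sample_entry(["hdfs", "dn1.example.com"], "EXAMPLE.COM", 2, 17, 16))
```

Running `audit(parse_keytab(SAMPLE))` reports both conditions for the first constructed principal and nothing for the second.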
