hadoop-common-user mailing list archives

From Shumin Wu <shumin...@gmail.com>
Subject Re: DN cannot talk to NN using Kerberos on secured hdfs
Date Wed, 12 Sep 2012 22:06:41 GMT
Thanks for the tip, Evert! Something new that I learnt today. Will post
more info once I get there.

P.S. I am using jpwd to debug. I wanted to fish a quick answer or two
instead of painful debugging, but looks like I just cannot avoid this
route. :-(

- Shumin

On Wed, Sep 12, 2012 at 1:56 PM, Evert Lammerts <Evert.Lammerts@sara.nl> wrote:

> Hi Shumin,
>
> Setting up Kerberos can be a pain, but debug output gets you a long way.
> I'm not sure whether these semantics still work in 2.0, but something like
> this used to give lots of output in 0.20.205:
>
> $ HADOOP_OPTS='-Dsun.security.krb5.debug=true -Djavax.net.debug=all' HADOOP_NAMENODE_USER=hdfs sudo -E hadoop namenode
>
> Then start a single datanode:
>
> $ HADOOP_OPTS='-Dsun.security.krb5.debug=true -Djavax.net.debug=all' HADOOP_NAMENODE_USER=hdfs sudo -E hadoop datanode
>
> Evert
>
> ________________________________________
> From: Shumin Wu [shumin.wu@gmail.com]
> Sent: Wednesday, September 12, 2012 7:40 PM
> To: common-user@hadoop.apache.org
> Subject: Re: DN cannot talk to NN using Kerberos on secured hdfs
>
> Vinod,
>
> Thanks for your reply. I forgot to mention that I have already installed
> the JCE policy jar on each node, so that possibility could be ruled out. On
> the same token, one of my attempts was removing the AES 256 from the
> keytab, but I saw the same error info. I assume AES 128 should be the one
> that Kerberos is looking for in this case.
>
> The hostnames are all in lower cases and realm names are in upper cases.
> The principal names are hdfs, mapred, etc. all convention binding.
>
> Shumin
>
> On Wed, Sep 12, 2012 at 10:25 AM, Vinod Kumar Vavilapalli <vinodkv@hortonworks.com> wrote:
>
> >
> > This is because JAVA only supports AES 128 by default. To support AES 256,
> > you will need to install the unlimited-JCE policy jar from
> > http://www.oracle.com/technetwork/java/javase/downloads/index.html
> >
> > Also, there is another case of Kerberos having issues with hostnames with
> > some/all letters in caps. If that is the case, you should try tweaking your
> > host-names to all lower-case.
> >
> > Thanks,
> > +Vinod Kumar Vavilapalli
> > Hortonworks Inc.
> > http://hortonworks.com/
> >
> > On Sep 12, 2012, at 9:47 AM, Shumin Wu wrote:
> >
> > Hi,
> >
> > I am setting up a secured hdfs using Kerberos.  I got NN, 2NN working just
> > fine. However, DN cannot talk to NN and throws the following exception. I
> > disabled the AES256 from keytab, which in theory should fall back to the
> > AES128, or whatever encryption on the top of the list, but it still
> > complains about the same. Any help, suggestion, comment is highly
> > appreciated.
> >
> > *Apache Hadoop version: *
> > 2.0.0
> >
> > *Security configuration Snippet of DN:*
> >
> > ...
> > <property>
> >    <name>dfs.datanode.data.dir.perm</name>
> >    <value>700</value>
> >  </property>
> >
> >  <property>
> >    <name>dfs.datanode.address</name>
> >    <value>0.0.0.0:1004</value>
> >  </property>
> >
> >  <property>
> >    <name>dfs.datanode.http.address</name>
> >    <value>0.0.0.0:1006</value>
> >  </property>
> >
> >  <property>
> >    <name>dfs.datanode.keytab.file</name>
> >    <value>/etc/hadoop/conf/hdfs.keytab</value>
> >  </property>
> >
> >  <property>
> >    <name>dfs.datanode.kerberos.principal</name>
> >    <value>hdfs/_HOST@REALM</value>
> >  </property>
> > ...
> >
> > *Exceptions in Log:*
> >
> > javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]
> >        at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:159)
> >        at org.apache.hadoop.ipc.Server$Connection.saslReadAndProcess(Server.java:1199)
> >        at org.apache.hadoop.ipc.Server$Connection.readAndProcess(Server.java:1393)
> >        at org.apache.hadoop.ipc.Server$Listener.doRead(Server.java:710)
> >        at org.apache.hadoop.ipc.Server$Listener$Reader.doRunLoop(Server.java:509)
> >        at org.apache.hadoop.ipc.Server$Listener$Reader.run(Server.java:484)
> > Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)
> >        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
> >        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
> >        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
> >        at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:137)
> >        ... 5 more
> > Caused by: KrbException: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled
> >
> >
> > Thanks,
> > Shumin Wu
> >
> >
> >
>

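Added example, not code from this thread, from Hadoop or from MIT: a small reader for the MIT keytab file format (version 0x0502) that lists which encryption types each principal's key uses and flags AES keys longer than the JVM's AES cap. The trace quoted above is raised in the acceptor path (Server$Connection.saslReadAndProcess, then GssKrb5Server.evaluateResponse and Krb5Context.acceptSecContext), i.e. while the NameNode's JVM decrypts the DataNode's service ticket with the NameNode's own keytab key; so the enctype of that key, and of the ticket the KDC issues for it, is what a check like this should be run against, not only the DataNode's keytab. The sample keytab, the principals hdfs/dn1.example.com@EXAMPLE.COM and HTTP/dn1.example.com@EXAMPLE.COM and the key bytes are constructed here; DEFAULT_JCE_MAX_AES_BITS = 128 is the cap of a JRE without the unlimited-strength policy files.

```python
"""List the Kerberos enctypes in a keytab and flag AES keys a JVM may reject.
Added example for this thread, not Hadoop or MIT code. MIT keytab v2 (0x0502):
uint16 version, then entries of int32 size | uint16 n_components | counted realm
| counted component... | uint32 name_type | uint32 timestamp | uint8 vno8
| uint16 enctype | counted key | optional uint32 vno ("counted" = uint16 len + bytes).
"""
import struct
import sys

# IANA Kerberos enctype numbers for the types commonly seen in Hadoop keytabs.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}
AES_ENCTYPE_KEY_BITS = {17: 128, 18: 256}
# AES key length a JRE allows without the unlimited-strength JCE policy files
# (Sun/Oracle JDK 6 and 7, and JDK 8 before 8u161); with them it is unbounded.
DEFAULT_JCE_MAX_AES_BITS = 128


def _counted(buf, off):
    """Read a counted_octet_string at off; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Return one dict per key entry: principal, kvno, enctype, timestamp."""
    (version,) = struct.unpack_from(">H", data, 0)
    if version != 0x0502:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # deleted slot: skip |size| bytes
            off += -size
            continue
        end = off + size
        (n_comp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(n_comp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        (enctype,) = struct.unpack_from(">H", data, off + 9)
        _key, off = _counted(data, off + 11)   # key bytes are never shown
        kvno = vno8
        if end - off >= 4:                # trailing non-zero uint32 vno wins
            kvno = struct.unpack_from(">I", data, off)[0] or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "timestamp": timestamp})
        off = end
    return entries


def enctypes_jvm_cannot_use(entries, max_aes_bits=DEFAULT_JCE_MAX_AES_BITS):
    """Entries whose AES key exceeds the JVM's AES cap; a service ticket
    encrypted under such a key fails in Krb5Context.acceptSecContext."""
    return [e for e in entries
            if AES_ENCTYPE_KEY_BITS.get(e["enctype"], 0) > max_aes_bits]


def summarize(entries):
    """principal -> sorted enctype names (what `klist -ket` would show)."""
    out = {}
    for e in entries:
        name = ENCTYPE_NAMES.get(e["enctype"], "etype %d" % e["enctype"])
        out.setdefault(e["principal"], []).append(name)
    return {p: sorted(names) for p, names in out.items()}


def build_keytab(entries):
    """Write a v2 keytab from (principal, kvno, enctype, key) tuples; used only
    to construct the sample below, real keytabs come from kadmin/ktutil."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s.encode())) + s.encode()
        body += struct.pack(">IIB", 1, 1347487561, kvno & 0xFF)  # NT-PRINCIPAL
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: hdfs keytab exported with both AES key sizes (dummy keys).
SAMPLE_KEYTAB = build_keytab([
    ("hdfs/dn1.example.com@EXAMPLE.COM", 3, 18, b"\x11" * 32),
    ("hdfs/dn1.example.com@EXAMPLE.COM", 3, 17, b"\x22" * 16),
    ("HTTP/dn1.example.com@EXAMPLE.COM", 3, 17, b"\x33" * 16),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    found = parse_keytab(data)
    for principal, names in sorted(summarize(found).items()):
        print("%-36s %s" % (principal, ", ".join(names)))
    for e in enctypes_jvm_cannot_use(found):
        print("WARN: %s has an %s key; each JVM reading this keytab needs the "
              "unlimited JCE policy" % (e["principal"], ENCTYPE_NAMES[e["enctype"]]))
```

Run it with a keytab path as the only argument (no argument runs the constructed sample). To get the real cap to pass as max_aes_bits, `jrunscript -e 'print(javax.crypto.Cipher.getMaxAllowedKeyLength("AES"))'` prints 128 without the unlimited policy jars and 2147483647 with them; run it under the same JAVA_HOME the NameNode and DataNode start with, since a policy jar installed into a different JRE changes nothing for them.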