hadoop-common-user mailing list archives

From Shumin Wu <shumin...@gmail.com>
Subject DN cannot talk to NN using Kerberos on secured hdfs
Date Wed, 12 Sep 2012 16:47:56 GMT
Hi,

I am setting up a secured HDFS using Kerberos. I got the NN and 2NN working
just fine. However, the DN cannot talk to the NN and throws the following
exception. I disabled AES256 in the keytab, which in theory should make it
fall back to AES128, or whatever encryption is at the top of the list, but it
still complains about the same thing. Any help, suggestion, or comment is
highly appreciated.

*Apache Hadoop version: *
2.0.0

*Security configuration Snippet of DN:*
...
  <property>
    <name>dfs.datanode.data.dir.perm</name>
    <value>700</value>
  </property>

  <property>
    <name>dfs.datanode.address</name>
    <value>0.0.0.0:1004</value>
  </property>

  <property>
    <name>dfs.datanode.http.address</name>
    <value>0.0.0.0:1006</value>
  </property>

  <property>
    <name>dfs.datanode.keytab.file</name>
    <value>/etc/hadoop/conf/hdfs.keytab</value>
  </property>

  <property>
    <name>dfs.datanode.kerberos.principal</name>
    <value>hdfs/_HOST@REALM</value>
  </property>
...

*Exceptions in Log:*

javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]
        at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:159)
        at org.apache.hadoop.ipc.Server$Connection.saslReadAndProcess(Server.java:1199)
        at org.apache.hadoop.ipc.Server$Connection.readAndProcess(Server.java:1393)
        at org.apache.hadoop.ipc.Server$Listener.doRead(Server.java:710)
        at org.apache.hadoop.ipc.Server$Listener$Reader.doRunLoop(Server.java:509)
        at org.apache.hadoop.ipc.Server$Listener$Reader.run(Server.java:484)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
        at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:137)
        ... 5 more
Caused by: KrbException: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled


Thanks,
Shumin Wu
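
An added triage example, not part of the original message: it flattens a line-wrapped JGSS trace like the one above, extracts the rejected encryption type, and reports whether the error was raised while accepting (`acceptSecContext`) or initiating (`initSecContext`) a security context, which shows which process's JVM rejected the type. The function name `triage`, the result keys, and the sample excerpt are constructed for illustration.

```python
import re

# Constructed sample: excerpt of the trace in the message above, kept with
# the archive's line wrapping to show that wrapped frames still parse.
SAMPLE_LOG = """\
javax.security.sasl.
SaslException: GSS initiate failed [Caused by GSSException: Failure
unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS
mode with HMAC SHA1-96 is not supported/enabled)]
        at
com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:159)
        at
org.apache.hadoop.ipc.Server$Connection.saslReadAndProcess(Server.java:1199)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism
level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not
supported/enabled)
        at
sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
"""

ENCTYPE_RE = re.compile(r"Encryption type (.+?) is not supported/enabled")
FRAME_RE = re.compile(r"\bat ([\w.$]+)\.(\w+)\(")
# JGSS entry points that reveal which end of the handshake raised the error.
SIDE_BY_METHOD = {"acceptSecContext": "acceptor", "initSecContext": "initiator"}


def triage(log_text):
    """Summarise an 'enctype not supported/enabled' failure in a Java trace."""
    flat = re.sub(r"\s+", " ", log_text)  # undo line wrapping
    frames = FRAME_RE.findall(flat)       # [(class, method), ...]
    side = "unknown"
    for cls, method in frames:
        if cls.endswith("Krb5Context") and method in SIDE_BY_METHOD:
            side = SIDE_BY_METHOD[method]
            break
    return {
        "enctypes": sorted(set(ENCTYPE_RE.findall(flat))),
        "side": side,
        # True when the failure surfaced inside Hadoop's RPC server code.
        "ipc_server": any(c.startswith("org.apache.hadoop.ipc.Server")
                          for c, _ in frames),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A result of `acceptor` with `ipc_server` set means the process that logged the trace was receiving the connection, so the Kerberos encryption types enabled in that process's JVM are the ones to check.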
