hadoop-hdfs-issues mailing list archives

From "liyunzhang (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HDFS-6676) KMS throws AuthenticationException when enabling kerberos authentication
Date Mon, 14 Jul 2014 11:40:05 GMT
liyunzhang created HDFS-6676:
--------------------------------

             Summary: KMS throws AuthenticationException when enabling kerberos authentication

                 Key: HDFS-6676
                 URL: https://issues.apache.org/jira/browse/HDFS-6676
             Project: Hadoop HDFS
          Issue Type: Bug
          Components: security
    Affects Versions: 2.4.0
            Reporter: liyunzhang
            Priority: Minor


When I made a request to http://server-1941.novalocal:16000/kms/v1/names in Firefox (beforehand,
I set the configs in Firefox according to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sso-config-firefox.html),
the following info was found in logs/kms.log:
2014-07-14 19:18:30,461 WARN  AuthenticationFilter - Authentication exception: GSSException:
Failure unspecified at GSS-API level (Mechanism level: EncryptedData is encrypted using keytype
DES CBC mode with CRC-32 but decryption key is of type NULL)
org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: Failure
unspecified at GSS-API level (Mechanism level: EncryptedData is encrypted using keytype DES
CBC mode with CRC-32 but decryption key is of type NULL)
	at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:380)
	at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:357)
	at org.apache.hadoop.crypto.key.kms.server.KMSAuthenticationFilter.doFilter(KMSAuthenticationFilter.java:100)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:606)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
	at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: EncryptedData
is encrypted using keytype DES CBC mode with CRC-32 but decryption key is of type NULL)
	at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:788)
	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
	at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:875)
	at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:548)
	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
	at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:347)
	at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:329)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:415)
	at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:329)
	... 14 more
Caused by: KrbException: EncryptedData is encrypted using keytype DES CBC mode with CRC-32
but decryption key is of type NULL
	at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:169)
	at sun.security.krb5.KrbCred.<init>(KrbCred.java:131)
	at sun.security.jgss.krb5.InitialToken$OverloadedChecksum.<init>(InitialToken.java:282)
	at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:130)
	at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:771)
	... 25 more
	
Kerberos is enabled successfully in my environment:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/server-1941.novalocal@NOVALOCAL

Valid starting     Expires            Service principal
07/14/14 19:18:10  07/15/14 19:18:09  krbtgt/NOVALOCAL@NOVALOCAL
	renew until 07/14/14 19:18:10
07/14/14 19:18:30  07/15/14 19:18:09  HTTP/server-1941.novalocal@NOVALOCAL
	renew until 07/14/14 19:18:10

The following are the KDC configs:
# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = NOVALOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 udp_preference_limit = 1000000
 default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
 default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
 permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
 allow_weak_crypto = true


[realms]
 NOVALOCAL = {
  kdc = server-355:88
  admin_server = server-355:749
  default_domain=novalocal
 }

[domain_realm]
 .novalocal = NOVALOCAL
 novalocal = NOVALOCAL


# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
 
[realms]
NOVALOCAL = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  master_key_type = des3-hmac-sha1
  supported_enctypes = arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
}
 
	





--
This message was sent by Atlassian JIRA
(v6.2#6252)
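
Added example, not part of the original report and not Hadoop or JIRA code: a Python audit of the enctype settings quoted in the message, flagging entries that the MIT krb5 documentation marks as weak. SAMPLE is an excerpt constructed from the quoted configs and audit() is a hypothetical helper name; the script inspects configuration only.

```python
import re

# Enctype names the MIT krb5 documentation marks as weak (single DES,
# raw DES3, export-grade RC4). "des" is the alias for the single-DES family.
WEAK = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
        "des-hmac-sha1", "des3-cbc-raw", "arcfour-hmac-exp", "rc4-hmac-exp",
        "arcfour-hmac-md5-exp"}
ENCTYPE_KEYS = {"default_tkt_enctypes", "default_tgs_enctypes",
                "permitted_enctypes", "supported_enctypes", "master_key_type"}
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}

# Constructed sample: an excerpt of the settings quoted in the report.
SAMPLE = """\
[libdefaults]
 default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
 permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
 allow_weak_crypto = true
[realms]
NOVALOCAL = {
  master_key_type = des3-hmac-sha1
  supported_enctypes = arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4
}
"""

def audit(text):
    """Return (section, key, details) for every weak-crypto setting found."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if line.startswith(("#", ";")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "allow_weak_crypto" and value.lower() in TRUE_VALUES:
            findings.append((section, key, ["enabled"]))
        elif key in ENCTYPE_KEYS:
            # Entries are space- or comma-separated; kdc.conf adds ":salt".
            names = [e.split(":")[0].lower() for e in re.split(r"[\s,]+", value) if e]
            weak = [n for n in dict.fromkeys(names) if n in WEAK]
            if weak:
                findings.append((section, key, weak))
    return findings

if __name__ == "__main__":
    for section, key, details in audit(SAMPLE):
        print(f"[{section}] {key}: {', '.join(details)}")
```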
