Hadoop >> mail # user >> DN cannot talk to NN using Kerberos on secured hdfs


Re: DN cannot talk to NN using Kerberos on secured hdfs

This is because Java only supports AES-128 by default. To support AES-256, you will need to install the unlimited-JCE policy jar from http://www.oracle.com/technetwork/java/javase/downloads/index.html

Also, there is another case of Kerberos having issues with hostnames that have some or all letters in caps. If that is the case, you should try changing your hostnames to all lower-case.

Thanks,
+Vinod Kumar Vavilapalli
Hortonworks Inc.
http://hortonworks.com/

On Sep 12, 2012, at 9:47 AM, Shumin Wu wrote:

> Hi,
>
> I am setting up a secured hdfs using Kerberos.  I got NN, 2NN working just
> fine. However, DN cannot talk to NN and throws the following exception. I
> disabled AES256 in the keytab, which in theory should fall back to
> AES128, or whatever encryption type is at the top of the list, but it still
> complains about the same. Any help, suggestion, comment is highly
> appreciated.
>
> *Apache Hadoop version: *
> 2.0.0
>
> *Security configuration Snippet of DN:*
> ...
> <property>
>    <name>dfs.datanode.data.dir.perm</name>
>    <value>700</value>
>  </property>
>
>  <property>
>    <name>dfs.datanode.address</name>
>    <value>0.0.0.0:1004</value>
>  </property>
>
>  <property>
>    <name>dfs.datanode.http.address</name>
>    <value>0.0.0.0:1006</value>
>  </property>
>
>  <property>
>    <name>dfs.datanode.keytab.file</name>
>    <value>/etc/hadoop/conf/hdfs.keytab</value>
>  </property>
>
>  <property>
>    <name>dfs.datanode.kerberos.principal</name>
>    <value>hdfs/_HOST@REALM</value>
>  </property>
> ...
>
> *Exceptions in Log:*
>
> javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]
>        at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:159)
>        at org.apache.hadoop.ipc.Server$Connection.saslReadAndProcess(Server.java:1199)
>        at org.apache.hadoop.ipc.Server$Connection.readAndProcess(Server.java:1393)
>        at org.apache.hadoop.ipc.Server$Listener.doRead(Server.java:710)
>        at org.apache.hadoop.ipc.Server$Listener$Reader.doRunLoop(Server.java:509)
>        at org.apache.hadoop.ipc.Server$Listener$Reader.run(Server.java:484)
> Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)
>        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
>        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
>        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
>        at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:137)
>        ... 5 more
> Caused by: KrbException: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled
>
>
> Thanks,
> Shumin Wu
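Two points from the exchange above are worth turning into a check an operator can run before restarting the DataNode. First, the trace is from the accepting side of the RPC (org.apache.hadoop.ipc.Server / GssKrb5Server), which decrypts the presented service ticket with its own keytab key; the KDC chooses that ticket's enctype from the keys it holds for the service principal, so removing an entry from the keytab file alone does not change which enctype arrives. The two real options are the JVM-side fix (the unlimited-strength JCE policy jars; Java 8u161 and later ship with that policy enabled by default, so this mainly concerns the JDK 6/7 generation this thread is about) or re-keying the principal at the KDC without aes256. Second, the hostname-case advice applies to the substituted host part of the principals as klist shows them, not to the `_HOST` placeholder in the config. The script below is an added example for this thread, not code from the original posts or from Hadoop. It assumes the MIT `klist -e -k -t <keytab>` output format and, for the optional JVM key-length probe, that `jrunscript` (shipped with JDK 6 to 10) is on PATH; the keytab listing embedded in it is constructed for the demo.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts or from Hadoop.
# Two operator checks for the two causes raised in the reply above:
#   1. AES-256 entries in the DN keytab that a JVM capped at 128-bit AES
#      (no unlimited-strength JCE policy) cannot use;
#   2. upper-case letters in the host part of the keytab's principals.
# Assumes MIT `klist -e -k -t <keytab>` output format; klist itself is not
# invoked here. The listing below is constructed for the demo.

SAMPLE_KLIST='Keytab name: FILE:/etc/hadoop/conf/hdfs.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 09/12/12 09:00:00 hdfs/DN01.example.com@REALM (aes256-cts-hmac-sha1-96)
   2 09/12/12 09:00:00 hdfs/DN01.example.com@REALM (aes128-cts-hmac-sha1-96)
   2 09/12/12 09:00:00 hdfs/DN01.example.com@REALM (arcfour-hmac)
   2 09/12/12 09:00:00 HTTP/dn01.example.com@REALM (aes128-cts-hmac-sha1-96)'

# Turn klist -e output on stdin into "principal enctype" lines, one per entry.
# Matches: <kvno> <date> <time> <principal> (<enctype>)
keytab_entries() {
    sed -n 's/^ *[0-9][0-9]* [^ ]* [^ ]* \([^ ]*\) (\([^)]*\)).*/\1 \2/p'
}

# Exit 0 if any entry in the listing uses an AES-256 enctype.
keytab_has_aes256() {
    printf '%s\n' "$1" | keytab_entries | grep -qiE 'aes-?256'
}

# Report the JVM's AES key-length ceiling: 128 means the unlimited JCE policy
# jars are not installed, so aes256 entries cannot be used. Assumes jrunscript
# (shipped with JDK 6 to 10) is on PATH; prints "unknown" otherwise.
jvm_aes_max_key_length() {
    if command -v jrunscript >/dev/null 2>&1; then
        jrunscript -e 'print(javax.crypto.Cipher.getMaxAllowedKeyLength("AES"))' 2>/dev/null \
            || echo unknown
    else
        echo unknown
    fi
}

# Exit 0 if the host part of a service principal (user/host@REALM) is all
# lower-case. Run this on the substituted principals klist shows, not on the
# _HOST placeholder from the config (which this check rejects, by design).
principal_host_is_lowercase() {
    host=$(printf '%s' "$1" | sed -n 's|^[^/]*/\([^@]*\)@.*|\1|p')
    [ -n "$host" ] && [ "$host" = "$(printf '%s' "$host" | tr 'A-Z' 'a-z')" ]
}

# Print each distinct principal in the listing whose host part has capitals.
# An upper-case service name such as HTTP/ is normal and is not flagged.
principals_with_uppercase_host() {
    printf '%s\n' "$1" | keytab_entries | cut -d' ' -f1 | sort -u |
    while read -r princ; do
        principal_host_is_lowercase "$princ" || echo "$princ"
    done
}

# Run both checks over a listing; exit 0 when neither problem is present.
diagnose() {
    rc=0
    if keytab_has_aes256 "$1"; then
        echo "keytab has aes256 entries; JVM AES limit: $(jvm_aes_max_key_length)"
        echo "  -> install the unlimited JCE policy jars, or re-key the principal without aes256"
        rc=1
    fi
    bad=$(principals_with_uppercase_host "$1")
    if [ -n "$bad" ]; then
        echo "principals with upper-case host part:"
        printf '  %s\n' $bad
        rc=1
    fi
    return $rc
}

# Demo on the constructed listing. For a real node:
#   diagnose "$(klist -e -k -t /etc/hadoop/conf/hdfs.keytab)"
diagnose "$SAMPLE_KLIST" || echo "fix the findings above, then restart the DataNode"
```

On the constructed listing the script reports both problems: an aes256 entry and the capitalised DN01 host; the HTTP/dn01 entry passes because only the host part is checked.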
