Hadoop, mail # user - DN cannot talk to NN using Kerberos on secured hdfs


Re: DN cannot talk to NN using Kerberos on secured hdfs
Vinod Kumar Vavilapalli 2012-09-12, 17:25

This is because Java only supports AES 128 by default. To support AES 256, you will need to install the unlimited-JCE policy jar from http://www.oracle.com/technetwork/java/javase/downloads/index.html

Also, there is another case of Kerberos having issues with hostnames with some/all letters in caps. If that is the case, you should try tweaking your hostnames to all lower-case.

Thanks,
+Vinod Kumar Vavilapalli
Hortonworks Inc.
http://hortonworks.com/

On Sep 12, 2012, at 9:47 AM, Shumin Wu wrote:

> Hi,
>
> I am setting up a secured hdfs using Kerberos. I got NN, 2NN working just
> fine. However, DN cannot talk to NN and throws the following exception. I
> disabled the AES256 from keytab, which in theory should fall back to
> AES128, or whatever encryption is on the top of the list, but it still
> complains about the same. Any help, suggestion, comment is highly
> appreciated.
>
> *Apache Hadoop version: *
> 2.0.0
>
> *Security configuration Snippet of DN:*
> ...
> <property>
>    <name>dfs.datanode.data.dir.perm</name>
>    <value>700</value>
>  </property>
>
>  <property>
>    <name>dfs.datanode.address</name>
>    <value>0.0.0.0:1004</value>
>  </property>
>
>  <property>
>    <name>dfs.datanode.http.address</name>
>    <value>0.0.0.0:1006</value>
>  </property>
>
>  <property>
>    <name>dfs.datanode.keytab.file</name>
>    <value>/etc/hadoop/conf/hdfs.keytab</value>
>  </property>
>
>  <property>
>    <name>dfs.datanode.kerberos.principal</name>
>    <value>hdfs/_HOST@REALM</value>
>  </property>
> ...
>
> *Exceptions in Log:*
>
> javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure
> unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS
> mode with HMAC SHA1-96 is not supported/enabled)]
>        at
> com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:159)
>        at
> org.apache.hadoop.ipc.Server$Connection.saslReadAndProcess(Server.java:1199)
>        at
> org.apache.hadoop.ipc.Server$Connection.readAndProcess(Server.java:1393)
>        at org.apache.hadoop.ipc.Server$Listener.doRead(Server.java:710)
>        at
> org.apache.hadoop.ipc.Server$Listener$Reader.doRunLoop(Server.java:509)
>        at org.apache.hadoop.ipc.Server$Listener$Reader.run(Server.java:484)
> Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism
> level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not
> supported/enabled)
>        at
> sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
>        at
> sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
>        at
> sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
>        at
> com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:137)
>        ... 5 more
> Caused by: KrbException: Encryption type AES256 CTS mode with HMAC SHA1-96
> is not supported/enabled
>
>
> Thanks,
> Shumin Wu
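
A quick way to check both points from the reply on a given node, as an added example that is not part of the original thread or of Hadoop: it probes whether the JVM's JCE policy accepts a 256-bit AES key and whether the host name the JVM resolves for itself contains upper-case letters. The class name `KerberosJvmCheck` is hypothetical, and it is an assumption that the resolved canonical host name is the one that ends up in the `_HOST` part of the principal.

```java
import java.net.InetAddress;
import java.security.InvalidKeyException;
import java.util.Locale;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/** Added diagnostic (hypothetical class name); run it with the same JVM as the Hadoop daemon. */
public class KerberosJvmCheck {

    /** True if this JVM's JCE policy lets a cipher be initialised with an AES key of the given size. */
    static boolean aesKeyUsable(int bits) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            // All-zero key: only the key length matters for the policy check.
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(new byte[bits / 8], "AES"));
            return true;
        } catch (InvalidKeyException e) { // "Illegal key size" under the limited policy
            return false;
        }
    }

    /** True if the host name contains any upper-case letter. */
    static boolean hasUpperCase(String host) {
        return !host.equals(host.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.home = " + System.getProperty("java.home"));
        System.out.println("JCE max AES key length = "
            + Cipher.getMaxAllowedKeyLength("AES") + " bits");
        boolean aes256 = aesKeyUsable(256);
        System.out.println("AES-128 usable: " + aesKeyUsable(128));
        System.out.println("AES-256 usable: " + aes256);
        if (!aes256) {
            System.out.println("-> this JVM will reject aes256-cts-hmac-sha1-96; "
                + "install the unlimited-strength JCE policy files into this java.home.");
        }

        String fqdn = InetAddress.getLocalHost().getCanonicalHostName();
        boolean upper = hasUpperCase(fqdn);
        System.out.println("canonical host name = " + fqdn);
        if (upper) {
            System.out.println("-> host name contains upper-case letters; "
                + "compare it with the host part of the principal in the keytab.");
        }
        System.exit(aes256 && !upper ? 0 : 1); // non-zero exit if either check fails
    }
}
```

The exception in the log above is raised in `acceptSecContext` on the server side of the RPC connection, so run the check with the JVM of the daemon that accepts the connection as well as on the DN.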