Vinod,

Thanks for your reply. I forgot to mention that I have already installed
the JCE policy jar on each node, so that possibility could be ruled out. By
the same token, one of my attempts was removing the AES 256 from the
keytab, but I saw the same error info. I assume AES 128 should be the one
that Kerberos is looking for in this case.

The hostnames are all in lower case and realm names are in upper case.
The principal names are hdfs, mapred, etc., all convention binding.

Shumin

On Wed, Sep 12, 2012 at 10:25 AM, Vinod Kumar Vavilapalli <
vino...@hortonworks.com> wrote:

>
> This is because Java only supports AES 128 by default. To support AES 256,
> you will need to install the unlimited-JCE policy jar from
> http://www.oracle.com/technetwork/java/javase/downloads/index.html
>
> Also, there is another case of Kerberos having issues with hostnames with
> some/all letters in caps. If that is the case, you should try tweaking your
> host-names to all lower-case.
>
> Thanks,
> +Vinod Kumar Vavilapalli
> Hortonworks Inc.
> http://hortonworks.com/
>
> On Sep 12, 2012, at 9:47 AM, Shumin Wu wrote:
>
> Hi,
>
> I am setting up a secured hdfs using Kerberos.  I got NN, 2NN working just
> fine. However, DN cannot talk to NN and throws the following exception. I
> disabled the AES256 from keytab, which in theory should fall back to the
> AES128, or whatever encryption on the top of the list, but it still
> complains about the same. Any help, suggestion, comment is highly
> appreciated.
>
> *Apache Hadoop version: *
> 2.0.0
>
> *Security configuration Snippet of DN:*
>
> ...
> <property>
>    <name>dfs.datanode.data.dir.perm</name>
>    <value>700</value>
>  </property>
>
>  <property>
>    <name>dfs.datanode.address</name>
>    <value>0.0.0.0:1004</value>
>  </property>
>
>  <property>
>    <name>dfs.datanode.http.address</name>
>    <value>0.0.0.0:1006</value>
>  </property>
>
>  <property>
>    <name>dfs.datanode.keytab.file</name>
>    <value>/etc/hadoop/conf/hdfs.keytab</value>
>  </property>
>
>  <property>
>    <name>dfs.datanode.kerberos.principal</name>
>    <value>hdfs/_HOST@REALM</value>
>  </property>
> ...
>
> *Exceptions in Log:*
>
>
> javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]
>        at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:159)
>        at org.apache.hadoop.ipc.Server$Connection.saslReadAndProcess(Server.java:1199)
>        at org.apache.hadoop.ipc.Server$Connection.readAndProcess(Server.java:1393)
>        at org.apache.hadoop.ipc.Server$Listener.doRead(Server.java:710)
>        at org.apache.hadoop.ipc.Server$Listener$Reader.doRunLoop(Server.java:509)
>        at org.apache.hadoop.ipc.Server$Listener$Reader.run(Server.java:484)
> Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)
>        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
>        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
>        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
>        at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:137)
>        ... 5 more
> Caused by: KrbException: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled
>
>
> Thanks,
> Shumin Wu
>
>
>
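
The two conditions discussed in this thread (an AES256 key in the keytab, and upper-case letters in a principal's host part) can be checked directly from the keytab file. The following is an added example, not part of the original messages: a Python parser for the MIT keytab layout, version 0x0502. The principals, host names, realm and zero-filled keys in `SAMPLE` are constructed, and all function names are introduced here.

```python
import struct
AES256_CTS_HMAC_SHA1_96 = 18    # Kerberos enctype number (256-bit AES key)

def counted(buf, p):              # uint16 length prefix, then that many bytes
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n].decode(), p + 2 + n

def parse_keytab(data):           # -> [(principal, kvno, enctype)]
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            name, p = counted(data, p)
            comps.append(name)
        _name_type, _timestamp, kvno, etype, klen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + klen                # 13 fixed bytes, then the key itself
        if end - p >= 4:              # optional 32-bit kvno replaces the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, p)
        entries.append(("/".join(comps) + "@" + realm, kvno, etype))
        pos = end
    return entries

def findings(entries):            # flags the two conditions raised in the thread
    out = []
    for princ, kvno, etype in entries:
        host = princ.split("@")[0].partition("/")[2]
        if etype == AES256_CTS_HMAC_SHA1_96:
            out.append(f"{princ} kvno {kvno}: AES256 key present")
        if host != host.lower():
            out.append(f"{princ}: host part has upper-case letters")
    return out

def make_entry(comps, realm, kvno, etype, klen):   # builds constructed sample bytes
    s = lambda t: struct.pack(">H", len(t)) + t.encode()
    body = (struct.pack(">H", len(comps)) + s(realm) + b"".join(map(s, comps))
            + struct.pack(">IIBHH", 1, 0, kvno, etype, klen) + bytes(klen))
    return struct.pack(">i", len(body)) + body

SAMPLE = (b"\x05\x02" + make_entry(["hdfs", "dn1.example.com"], "EXAMPLE.COM", 2, 17, 16)
          + make_entry(["hdfs", "DN2.example.com"], "EXAMPLE.COM", 2, 18, 32))
```

To inspect a real file, pass the bytes of the keytab (for example `/etc/hadoop/conf/hdfs.keytab` from the configuration above) to `parse_keytab`; the result should agree with `klist -kte` output.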
