That should be a bug. All host names should be case insensitive.

Sent from a remote device. Please excuse any typos...

Mike Segel

On Sep 12, 2012, at 12:25 PM, Vinod Kumar Vavilapalli <vino...@hortonworks.com> wrote:

>
> This is because JAVA only supports AES 128 by default. To support AES 256,
> you will need to install the unlimited-JCE policy jar from
> http://www.oracle.com/technetwork/java/javase/downloads/index.html
>
> Also, there is another case of Kerberos having issues with hostnames with
> some/all letters in caps. If that is the case, you should try tweaking your
> host-names to all lower-case.
>
> Thanks,
> +Vinod Kumar Vavilapalli
> Hortonworks Inc.
> http://hortonworks.com/
>
> On Sep 12, 2012, at 9:47 AM, Shumin Wu wrote:
>
>> Hi,
>>
>> I am setting up a secured hdfs using Kerberos. I got NN, 2NN working just
>> fine. However, DN cannot talk to NN and throws the following exception. I
>> disabled the AES256 from keytab, which in theory it should fall back to the
>> AES128, or whatever encryption on the top of the list, but it still
>> complains about the same. Any help, suggestion, comment is highly
>> appreciated.
>>
>> *Apache Hadoop version: *
>> 2.0.0
>>
>> *Security configuration Snippet of DN:*
>> ...
>> <property>
>> <name>dfs.datanode.data.dir.perm</name>
>> <value>700</value>
>> </property>
>>
>> <property>
>> <name>dfs.datanode.address</name>
>> <value>0.0.0.0:1004</value>
>> </property>
>>
>> <property>
>> <name>dfs.datanode.http.address</name>
>> <value>0.0.0.0:1006</value>
>> </property>
>>
>> <property>
>> <name>dfs.datanode.keytab.file</name>
>> <value>/etc/hadoop/conf/hdfs.keytab</value>
>> </property>
>>
>> <property>
>> <name>dfs.datanode.kerberos.principal</name>
>> <value>hdfs/_HOST@REALM</value>
>> </property>
>> ...
>>
>> *Exceptions in Log:*
>>
>> javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]
>> at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:159)
>> at org.apache.hadoop.ipc.Server$Connection.saslReadAndProcess(Server.java:1199)
>> at org.apache.hadoop.ipc.Server$Connection.readAndProcess(Server.java:1393)
>> at org.apache.hadoop.ipc.Server$Listener.doRead(Server.java:710)
>> at org.apache.hadoop.ipc.Server$Listener$Reader.doRunLoop(Server.java:509)
>> at org.apache.hadoop.ipc.Server$Listener$Reader.run(Server.java:484)
>> Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)
>> at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
>> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
>> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
>> at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:137)
>> ... 5 more
>> Caused by: KrbException: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled
>>
>>
>> Thanks,
>> Shumin Wu
>
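A preflight check for the two causes raised in this thread (a JVM limited to 128-bit AES, and upper-case letters in the host name), added here as an example that is not part of the original messages or of Hadoop. The class name `KerberosJvmPreflight` and the optional host-name argument are assumptions; run it with the same JVM that runs the daemon reporting the error.

```java
import java.net.InetAddress;
import java.util.Locale;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Added example (hypothetical class name): checks whether this JVM can use
// 256-bit AES keys and whether the host name contains upper-case letters.
public class KerberosJvmPreflight {

    // True when the installed JCE policy permits 256-bit AES keys, which the
    // "AES256 CTS mode with HMAC SHA1-96" enctype in the exception requires.
    static boolean aes256Allowed() throws Exception {
        // 128 under the default limited policy; Integer.MAX_VALUE when the
        // unlimited-strength policy files are installed.
        if (Cipher.getMaxAllowedKeyLength("AES") < 256) {
            return false;
        }
        // Confirm by initialising a cipher with a 256-bit key.
        // The all-zero key is a constructed test value, never a real secret.
        Cipher c = Cipher.getInstance("AES/CBC/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(new byte[32], "AES"));
        return true;
    }

    // True when the name differs from its lower-cased form.
    static boolean hasUpperCase(String host) {
        return !host.equals(host.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) throws Exception {
        // Assumption: without an argument, check the name the local resolver
        // returns for this machine; pass the name used in the principal to
        // check that instead.
        String host = args.length > 0
                ? args[0]
                : InetAddress.getLocalHost().getCanonicalHostName();
        boolean aesOk = aes256Allowed();
        boolean caseOk = !hasUpperCase(host);

        System.out.println("java.home          : " + System.getProperty("java.home"));
        System.out.println("max AES key length : " + Cipher.getMaxAllowedKeyLength("AES"));
        System.out.println("AES-256 usable     : " + aesOk);
        System.out.println("host name          : " + host
                + (caseOk ? "" : "  <-- contains upper-case letters"));
        // A non-zero exit status lets a deployment script stop before the daemon starts.
        System.exit(aesOk && caseOk ? 0 : 1);
    }
}
```

The `java.home` line shows which JRE was checked, which is the one that needs the policy jar if `AES-256 usable` prints `false`.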