找到nn / hadoop-kerberos @ HADOOP-KERBEROS不支持的keytype(8)

时间:2015-07-12 21:23:04

标签: java authentication hadoop kerberos

我正在尝试使用hadoop-2.4.0jdk1.7.0_25在安全模式下设置单节点Hadoop集群并启用Kerberos身份验证。

为此,我创建了keytab文件,如文档中所述。在使用HADOOP_OPTS设置的属性-Dsun.security.krb5.debug=true进行调试时,我看到以下错误消息:

Found unsupported keytype (8) for nn/hadoop-kerberos@HADOOP-KERBEROS
Added key: 23version: 4
Added key: 16version: 4
Added key: 17version: 4
Added key: 18version: 4
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23 1 3.
Added key: 3version: 4
Found unsupported keytype (8) for nn/hadoop-kerberos@HADOOP-KERBEROS
Added key: 23version: 4
Added key: 16version: 4
Added key: 17version: 4
Added key: 18version: 4
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23 1 3.
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23 1 3.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=localhost UDP:3738, timeout=30000, number of retries =3, #bytes=171</code></pre>

请注意,我有../jre/lib/security/local_policy.jar和 我.../jre/lib/security/US_export_policy.jar变量中的CLASSPATH

此外,我在kdc.conf中有以下内容:

 [kdcdefaults]
 kdc_ports = 3738
 kdc_tcp_ports = 3738

[realms]
 HADOOP-KERBEROS = {
  kadmind_port = 3739
  #master_key_type = des3-hmac-sha1
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  #admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  admin_keytab = /etc/krb5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }
[logging]
   # By default, the KDC and kadmind will log output using
   # syslog.  You can instead send log output to files like this:
   kdc = FILE:/home/build/log/krb5kdc.log
   admin_server = FILE:/home/build/log/kadmin.log
   default = FILE:/home/build/log/krb5lib.log

klist -e显示用户aleksg的以下输出,我用hadoop namenode命令运行namenode 

Ticket cache: FILE:/tmp/krb5cc_501
Default principal: aleksg@HADOOP-KERBEROS

Valid starting     Expires            Service principal
07/12/15 09:16:39  07/13/15 09:16:39  krbtgt/HADOOP-KERBEROS@HADOOP-KERBEROS
        Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1 


Kerberos 4 ticket cache: /tmp/tkt501
klist: You have no tickets cached

所以似乎DES cbc mode with HMAC/sha1被用于TGT。

请您指点一下我该如何解决这个问题?这可能与keytab文件的权限有关,还是应该重新启用启用了不同加密类型的keytab文件?

谢谢!

1 个答案:

答案 0 :(得分:1)

我通过生成安全Hadoop配置中使用的所有keytab文件以及hdfs-site.xmlyarn-site.xml等中使用des3-hmac-sha1:normal加密类型提及的方法来解决此问题。

kadmin.local -e "des3-hmac-sha1:normal"

此外,我已将krb5.conf更改为default_tkt_enctypesdefault_tgs_enctypes和allowed_enctypes使用此加密类型。

krb5kdc/kdc.conf master_key_type改为des3-hmac-sha1

相关问题
最新问题