Hi,

I am setting up a secured HDFS using Kerberos. I got NN, 2NN working just
fine. However, DN cannot talk to NN and throws the following exception. I
disabled AES256 in the keytab, which in theory should make it fall back to
AES128, or whatever encryption type is at the top of the list, but it still
complains about the same thing. Any help, suggestion, or comment is highly
appreciated.

*Apache Hadoop version:*
2.0.0

*Security configuration Snippet of DN:*
...
  <property>
    <name>dfs.datanode.data.dir.perm</name>
    <value>700</value>
  </property>

  <property>
    <name>dfs.datanode.address</name>
    <value>0.0.0.0:1004</value>
  </property>

  <property>
    <name>dfs.datanode.http.address</name>
    <value>0.0.0.0:1006</value>
  </property>

  <property>
    <name>dfs.datanode.keytab.file</name>
    <value>/etc/hadoop/conf/hdfs.keytab</value>
  </property>

  <property>
    <name>dfs.datanode.kerberos.principal</name>
    <value>hdfs/_HOST@REALM</value>
  </property>
...

*Exceptions in Log:*

javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]
        at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:159)
        at org.apache.hadoop.ipc.Server$Connection.saslReadAndProcess(Server.java:1199)
        at org.apache.hadoop.ipc.Server$Connection.readAndProcess(Server.java:1393)
        at org.apache.hadoop.ipc.Server$Listener.doRead(Server.java:710)
        at org.apache.hadoop.ipc.Server$Listener$Reader.doRunLoop(Server.java:509)
        at org.apache.hadoop.ipc.Server$Listener$Reader.run(Server.java:484)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
        at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:137)
        ... 5 more
Caused by: KrbException: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled


Thanks,
Shumin Wu
