Thanks for the tip, Evert! Something new that I learnt today. Will post more info once I get there.
P.S. I am using jpwd to debug. I wanted to fish a quick answer or two instead of painful debugging, but looks like I just cannot avoid this route. :-(

- Shumin

On Wed, Sep 12, 2012 at 1:56 PM, Evert Lammerts <[email protected]> wrote:

> Hi Shumin,
>
> Setting up Kerberos can be a pain, but debug output gets you a long way.
> I'm not sure whether these semantics still work in 2.0, but something like
> this used to give lots of output in 0.20.205:
>
> $ HADOOP_OPTS='-Dsun.security.krb5.debug=true -Djavax.net.debug=all' HADOOP_NAMENODE_USER=hdfs sudo -E hadoop namenode
>
> Then start a single datanode:
>
> $ HADOOP_OPTS='-Dsun.security.krb5.debug=true -Djavax.net.debug=all' HADOOP_NAMENODE_USER=hdfs sudo -E hadoop datanode
>
> Evert
>
> ________________________________________
> From: Shumin Wu [[email protected]]
> Sent: Wednesday, September 12, 2012 7:40 PM
> To: [email protected]
> Subject: Re: DN cannot talk to NN using Kerberos on secured hdfs
>
> Vinod,
>
> Thanks for your reply. I forgot to mention that I have already installed
> the JCE policy jar on each node, so that possibility could be ruled out. On
> the same token, one of my attempts was removing the AES 256 from the
> keytab, but I saw the same error info. I assume AES 128 should be the one
> that Kerberos is looking for in this case.
>
> The hostnames are all in lower case and realm names are in upper case.
> The principal names are hdfs, mapred, etc., all convention binding.
>
> Shumin
>
> On Wed, Sep 12, 2012 at 10:25 AM, Vinod Kumar Vavilapalli <[email protected]> wrote:
>
> > This is because JAVA only supports AES 128 by default. To support AES 256,
> > you will need to install the unlimited-JCE policy jar from
> > http://www.oracle.com/technetwork/java/javase/downloads/index.html
> >
> > Also, there is another case of Kerberos having issues with hostnames with
> > some/all letters in caps. If that is the case, you should try tweaking your
> > host-names to all lower-case.
> >
> > Thanks,
> > +Vinod Kumar Vavilapalli
> > Hortonworks Inc.
> > http://hortonworks.com/
> >
> > On Sep 12, 2012, at 9:47 AM, Shumin Wu wrote:
> >
> > Hi,
> >
> > I am setting up a secured hdfs using Kerberos. I got NN, 2NN working just
> > fine. However, DN cannot talk to NN and throws the following exception. I
> > disabled the AES256 from keytab, which in theory should fall back to the
> > AES128, or whatever encryption is on the top of the list, but it still
> > complains about the same. Any help, suggestion, comment is highly
> > appreciated.
> >
> > *Apache Hadoop version:*
> > 2.0.0
> >
> > *Security configuration snippet of DN:*
> >
> > ...
> > <property>
> >   <name>dfs.datanode.data.dir.perm</name>
> >   <value>700</value>
> > </property>
> >
> > <property>
> >   <name>dfs.datanode.address</name>
> >   <value>0.0.0.0:1004</value>
> > </property>
> >
> > <property>
> >   <name>dfs.datanode.http.address</name>
> >   <value>0.0.0.0:1006</value>
> > </property>
> >
> > <property>
> >   <name>dfs.datanode.keytab.file</name>
> >   <value>/etc/hadoop/conf/hdfs.keytab</value>
> > </property>
> >
> > <property>
> >   <name>dfs.datanode.kerberos.principal</name>
> >   <value>hdfs/_HOST@REALM</value>
> > </property>
> > ...
> >
> > *Exceptions in log:*
> >
> > javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]
> >     at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:159)
> >     at org.apache.hadoop.ipc.Server$Connection.saslReadAndProcess(Server.java:1199)
> >     at org.apache.hadoop.ipc.Server$Connection.readAndProcess(Server.java:1393)
> >     at org.apache.hadoop.ipc.Server$Listener.doRead(Server.java:710)
> >     at org.apache.hadoop.ipc.Server$Listener$Reader.doRunLoop(Server.java:509)
> >     at org.apache.hadoop.ipc.Server$Listener$Reader.run(Server.java:484)
> > Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)
> >     at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
> >     at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
> >     at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
> >     at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:137)
> >     ... 5 more
> > Caused by: KrbException: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled
> >
> > Thanks,
> > Shumin Wu
