找到nn不支持的键类型(8)/hadoop-kerberos@hadoop-kerberos

zzlelutf  于 2021-05-29  发布在  Hadoop
关注(0)|答案(1)|浏览(386)

我正在尝试在启用kerberos身份验证的安全模式下设置单节点hadoop集群,使用 hadoop-2.4.0 以及 jdk1.7.0_25 .
为此,我创建了keytab文件,如文档中所述。在调试属性时 HADOOP_OPTS 设置 -Dsun.security.krb5.debug=true 我看到以下错误消息:

Found unsupported keytype (8) for nn/hadoop-kerberos@HADOOP-KERBEROS
Added key: 23version: 4
Added key: 16version: 4
Added key: 17version: 4
Added key: 18version: 4
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23 1 3.
Added key: 3version: 4
Found unsupported keytype (8) for nn/hadoop-kerberos@HADOOP-KERBEROS
Added key: 23version: 4
Added key: 16version: 4
Added key: 17version: 4
Added key: 18version: 4
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23 1 3.
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23 1 3.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=localhost UDP:3738, timeout=30000, number of retries =3, #bytes=171</code></pre>

请注意,我有 ../jre/lib/security/local_policy.jar 以及 .../jre/lib/security/US_export_policy.jar 在我的 CLASSPATH 变量。
我还有以下几点 kdc.conf :

[kdcdefaults]
 kdc_ports = 3738
 kdc_tcp_ports = 3738

[realms]
 HADOOP-KERBEROS = {
  kadmind_port = 3739
  #master_key_type = des3-hmac-sha1
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  #admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  admin_keytab = /etc/krb5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }
[logging]
   # By default, the KDC and kadmind will log output using
   # syslog.  You can instead send log output to files like this:
   kdc = FILE:/home/build/log/krb5kdc.log
   admin_server = FILE:/home/build/log/kadmin.log
   default = FILE:/home/build/log/krb5lib.log
``` `klist -e` 为用户显示以下输出 `aleksg` 我用它来运行namenode `hadoop namenode` 命令

Ticket cache: FILE:/tmp/krb5cc_501
Default principal: aleksg@HADOOP-KERBEROS

Valid starting Expires Service principal
07/12/15 09:16:39 07/13/15 09:16:39 krbtgt/HADOOP-KERBEROS@HADOOP-KERBEROS
Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1

Kerberos 4 ticket cache: /tmp/tkt501
klist: You have no tickets cached

看来 `DES cbc mode with HMAC/sha1` 正在用于tgt。
你能告诉我怎么解决这个问题吗?这是否与keytab文件的权限有关,或者我是否应该重新生成启用了不同加密类型的keytab文件?
谢谢您!
JavahadoopAuthenticationkerberos

1条答案

按热度按时间
11dmarpk

11dmarpk1#

我已经通过生成安全hadoop配置中使用的所有keytab文件解决了这个问题,这些文件在 hdfs-site.xml , yarn-site.xmldes3-hmac-sha1:normal 加密类型。

kadmin.local -e "des3-hmac-sha1:normal"

我也改变了主意 krb5.conf 将此加密类型用于 default_tkt_enctypes , default_tgs_enctypes 和允许的类型。
以及在 krb5kdc/kdc.conf 这个 master_key_typedes3-hmac-sha1 .

赞(0)分享  回复(0)举报  2021-05-30
我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备2022004421号-2 NULL123 https://www.null123.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com