This is because Java only supports AES 128 by default. To support AES 256, you will need to install the unlimited-JCE policy jar from http://www.oracle.com/technetwork/java/javase/downloads/index.html

Also, there is another case of Kerberos having issues with hostnames with some/all letters in caps. If that is the case, you should try tweaking your host-names to all lower-case.

Thanks,
+Vinod Kumar Vavilapalli
Hortonworks Inc.
http://hortonworks.com/

On Sep 12, 2012, at 9:47 AM, Shumin Wu wrote:

> Hi,
>
> I am setting up a secured hdfs using Kerberos. I got NN, 2NN working just
> fine. However, DN cannot talk to NN and throws the following exception. I
> disabled the AES256 from keytab, which in theory it should fall back to the
> AES128, or whatever encryption on the top of the list, but it still
> complains about the same. Any help, suggestion, comment is highly
> appreciated.
>
> *Apache Hadoop version: *
> 2.0.0
>
> *Security configuration Snippet of DN:*
> ...
> <property>
>   <name>dfs.datanode.data.dir.perm</name>
>   <value>700</value>
> </property>
>
> <property>
>   <name>dfs.datanode.address</name>
>   <value>0.0.0.0:1004</value>
> </property>
>
> <property>
>   <name>dfs.datanode.http.address</name>
>   <value>0.0.0.0:1006</value>
> </property>
>
> <property>
>   <name>dfs.datanode.keytab.file</name>
>   <value>/etc/hadoop/conf/hdfs.keytab</value>
> </property>
>
> <property>
>   <name>dfs.datanode.kerberos.principal</name>
>   <value>hdfs/_HOST@REALM</value>
> </property>
> ...
>
> *Exceptions in Log:*
>
> javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]
>     at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:159)
>     at org.apache.hadoop.ipc.Server$Connection.saslReadAndProcess(Server.java:1199)
>     at org.apache.hadoop.ipc.Server$Connection.readAndProcess(Server.java:1393)
>     at org.apache.hadoop.ipc.Server$Listener.doRead(Server.java:710)
>     at org.apache.hadoop.ipc.Server$Listener$Reader.doRunLoop(Server.java:509)
>     at org.apache.hadoop.ipc.Server$Listener$Reader.run(Server.java:484)
> Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)
>     at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
>     at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
>     at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
>     at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:137)
>     ... 5 more
> Caused by: KrbException: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled
>
>
> Thanks,
> Shumin Wu