Awesome.. I am glad I could help. Rob
From: Chanel Loïc <[email protected]<mailto:[email protected]>> Reply-To: "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> Date: Thursday, May 7, 2015 at 11:25 AM To: "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> Subject: RE: Kerberos - Algorithme AES256 not enabled As I rebooted Ambari, I figured I was not quite sure I did it since I installed JCE policies properly. I think that is where the problem came from, since the AES256 related message disappeared. Thanks Rob ! Loïc De : Robert Levas [mailto:[email protected]] Envoyé : mercredi 6 mai 2015 14:25 À : [email protected]<mailto:[email protected]> Objet : Re: Kerberos - Algorithme AES256 not enabled Hi Loïc, It appears you were heading in the correct direction. The issue is related to the lack of JCE. Once you install the JCE policy jars, you need to restart Ambari. If you have already generated the keytabs for the cluster, you can tell Ambari to regenerate the keytabs and the correct entries should be created. To view the contents of your keytab file, use klist -kte <path to keytab file>. With the -e option you will see the encryption algorithms used to generate the keytab entry. For example: # klist -kte /etc/security/keytabs/hdfs.headless.keytab Keytab name: FILE:/etc/security/keytabs/hdfs.headless.keytab KVNO Timestamp Principal ---- ----------------- -------------------------------------------------------- 1 04/30/15 15:20:14 [email protected]<mailto:[email protected]> (des-cbc-md5) 1 04/30/15 15:20:14 [email protected]<mailto:[email protected]> (aes128-cts-hmac-sha1-96) 1 04/30/15 15:20:14 [email protected]<mailto:[email protected]> (arcfour-hmac) 1 04/30/15 15:20:14 [email protected]<mailto:[email protected]> (aes256-cts-hmac-sha1-96) 1 04/30/15 15:20:14 [email protected]<mailto:[email protected]> (des3-cbc-sha1) You also need to make sure all of the hosts have the JCE policy jars installed. After they are installed, you should restart all of the services. I hope this helps, Rob From: Chanel Loïc <[email protected]<mailto:[email protected]>> Reply-To: "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> Date: Wednesday, May 6, 2015 at 8:12 AM To: "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> Subject: Kerberos - Algorithme AES256 not enabled Hi, Trying to Kerberize my cluster, I encoutered some troubles. When I start to configure security with Ambari wizard, it seems the Ambari server cannot connect to the KDC, while it is on the same network. Therefore I took a closer look to the corresponding logs, and the main issue seems to be related to the Algorithm AES256, as the main error return "Algorithm AES256 not enabled". As I was a little surprised, I tried to reproduce the bug using a personal minimalistic implementation using the same library that is used by Ambari (org.apache.directory.kerberos.client), but I still get the error "Algorithm AES256 not enable" . Searching on Google, I saw that this problem could be related to the installation of JCE, so I re-installed it with the proper parameters from Oracle website ( http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html ), but it did not change a thing. Does someone know where this might come from, or how to avoid this issue ? Thanks, Loïc ________________________________ Ce message et les pièces jointes sont confidentiels et réservés à l'usage exclusif de ses destinataires. Il peut également être protégé par le secret professionnel. Si vous recevez ce message par erreur, merci d'en avertir immédiatement l'expéditeur et de le détruire. L'intégrité du message ne pouvant être assurée sur Internet, la responsabilité de Worldline ne pourra être recherchée quant au contenu de ce message. Bien que les meilleurs efforts soient faits pour maintenir cette transmission exempte de tout virus, l'expéditeur ne donne aucune garantie à cet égard et sa responsabilité ne saurait être recherchée pour tout dommage résultant d'un virus transmis. This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Worldline liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted. ________________________________ Ce message et les pièces jointes sont confidentiels et réservés à l'usage exclusif de ses destinataires. Il peut également être protégé par le secret professionnel. Si vous recevez ce message par erreur, merci d'en avertir immédiatement l'expéditeur et de le détruire. L'intégrité du message ne pouvant être assurée sur Internet, la responsabilité de Worldline ne pourra être recherchée quant au contenu de ce message. Bien que les meilleurs efforts soient faits pour maintenir cette transmission exempte de tout virus, l'expéditeur ne donne aucune garantie à cet égard et sa responsabilité ne saurait être recherchée pour tout dommage résultant d'un virus transmis. This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Worldline liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.
