Hortonworks Kerberos: KRBError: error code is 14
Hortonworks Kerberos: KRBError: error code is 14
将基于 Kerberos 的 Hortonworks 集群从 2.5.3 升级到 2.6.1 后,所有服务(hdfs、hive、spark、zookeeper 等)都无法通过 Kerberos 获取凭据,并出现以下错误:
>>>KRBError:
sTime is Wed Jun 14 11:52:10 CEST 2017 1497433930000
suSec is 825974
error code is 14
error Message is **KDC has no support for encryption type**
sname is krbtgt/BIGDATACLUSTER.EXAMPLE.COM@JUST.EXAMPLE.COM
msgType is 30
>>> Credentials acquireServiceCreds: no tgt; searching thru capath
>>> Credentials acquireServiceCreds: no tgt; cannot get creds
KrbException: Fail to create credential. (63) - No service creds
/etc/krb5.conf 文件没有变化(升级前一直有效):
[libdefaults]
renew_lifetime = 7d
forwardable = true
default_realm = BIGDATACLUSTER.EXAMPLE.COM
ticket_lifetime = 10h
[domain_realm]
.EXAMPLE.com = JUST.EXAMPLE.COM
.BIGDATACLUSTER.EXAMPLE.com = BIGDATACLUSTER.EXAMPLE.COM
BIGDATACLUSTER.EXAMPLE.com = BIGDATACLUSTER.EXAMPLE.COM
[realms]
BIGDATACLUSTER.EXAMPLE.COM = {
admin_server=MACHINE1.EXAMPLE.com
rdns = false
kdc = MACHINE1.EXAMPLE.com
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
}
[capaths]
JUST.EXAMPLE.COM = {
BIGDATACLUSTER.EXAMPLE.COM = .
}
信托看起来像这样:
addprinc -e "aes256-cts:normal aes128-cts:normal arcfour-hmac:normal" krbtgt/BIGDATACLUSTER.EXAMPLE.COM@JUST.EXAMPLE.COM
这是我们尝试过的方法:
- 已验证 Java 和 JCE,一切正常
- 重新生成所有密钥表并重新启动集群
- 选中了信任的 "The other domain supports Kerberos AES Encryption" 复选框,已选中。
请看答案。最后一点似乎是问题所在。
我们终于修复了它。
虽然我在我的问题中写道我们已经“选中了信托的 "The other domain supports Kerberos AES Encryption" 复选框,但似乎该复选框从那时起已被更改(没有人可以解释如何或为什么)。这就是导致我们信任的 AES 加密被其他信任拒绝的原因。
只需设置复选框即可修复错误。
将基于 Kerberos 的 Hortonworks 集群从 2.5.3 升级到 2.6.1 后,所有服务(hdfs、hive、spark、zookeeper 等)都无法通过 Kerberos 获取凭据,并出现以下错误:
>>>KRBError:
sTime is Wed Jun 14 11:52:10 CEST 2017 1497433930000
suSec is 825974
error code is 14
error Message is **KDC has no support for encryption type**
sname is krbtgt/BIGDATACLUSTER.EXAMPLE.COM@JUST.EXAMPLE.COM
msgType is 30
>>> Credentials acquireServiceCreds: no tgt; searching thru capath
>>> Credentials acquireServiceCreds: no tgt; cannot get creds
KrbException: Fail to create credential. (63) - No service creds
/etc/krb5.conf 文件没有变化(升级前一直有效):
[libdefaults]
renew_lifetime = 7d
forwardable = true
default_realm = BIGDATACLUSTER.EXAMPLE.COM
ticket_lifetime = 10h
[domain_realm]
.EXAMPLE.com = JUST.EXAMPLE.COM
.BIGDATACLUSTER.EXAMPLE.com = BIGDATACLUSTER.EXAMPLE.COM
BIGDATACLUSTER.EXAMPLE.com = BIGDATACLUSTER.EXAMPLE.COM
[realms]
BIGDATACLUSTER.EXAMPLE.COM = {
admin_server=MACHINE1.EXAMPLE.com
rdns = false
kdc = MACHINE1.EXAMPLE.com
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
}
[capaths]
JUST.EXAMPLE.COM = {
BIGDATACLUSTER.EXAMPLE.COM = .
}
信托看起来像这样:
addprinc -e "aes256-cts:normal aes128-cts:normal arcfour-hmac:normal" krbtgt/BIGDATACLUSTER.EXAMPLE.COM@JUST.EXAMPLE.COM
这是我们尝试过的方法:
- 已验证 Java 和 JCE,一切正常
- 重新生成所有密钥表并重新启动集群 - 选中了信任的 "The other domain supports Kerberos AES Encryption" 复选框,已选中。
请看答案。最后一点似乎是问题所在。
我们终于修复了它。
虽然我在我的问题中写道我们已经“选中了信托的 "The other domain supports Kerberos AES Encryption" 复选框,但似乎该复选框从那时起已被更改(没有人可以解释如何或为什么)。这就是导致我们信任的 AES 加密被其他信任拒绝的原因。
只需设置复选框即可修复错误。