kinit: krb5_init_creds_set_keytab: 找不到密钥表(未知加密类型)
kinit: krb5_init_creds_set_keytab: Failed to find keytab (unknown enctype)
为了能够从 MacBook 访问 Kerberized Hadoop,尝试创建 SPNEGO。 Post 在 Centos 7 中从 KDC 复制 spnego keytab,执行 kinit 失败并出现以下错误:
$kinit -kt /etc/security/keytabs/spnego.service.keytab ambari-qa-tcluster@EXAMPLE.COM
kinit: krb5_init_creds_set_keytab: Failed to find ambari-qa-ambari-qa-tcluster@EXAMPLE.COM in keytab FILE:/etc/security/keytabs/smokeuser.headless.keytab (unknown enctype)
在 Centos 上使用以下检查 enctype:
[root@vpimply1 ~]# klist -kte /etc/security/keytabs/smokeuser.headless.keytab
Keytab name: FILE:/etc/security/keytabs/smokeuser.headless.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
2 11/27/2018 21:48:00 ambari-qa-tcluster@EXAMPLE.COM (des-cbc-md5)
2 11/27/2018 21:48:00 ambari-qa-tcluster@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
2 11/27/2018 21:48:00 ambari-qa-tcluster@EXAMPLE.COM (arcfour-hmac)
2 11/27/2018 21:48:00 ambari-qa-tcluster@EXAMPLE.COM (des3-cbc-sha1)
2 11/27/2018 21:48:00 ambari-qa-tcluster@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
[root@vpimply1 ~]#
尝试创建具有特定加密类型的密钥表,但仍然遇到同样的错误。
如何解决此 "enctype" 问题?
经过一番努力,我在 Macbook 中将 KRB5 Tracing 设置如下:
KRB5_TRACE=/dev/stdout
Post 设置这个,我可以清楚地看到keytab 上的权限不正确。
$ kinit -t /etc/security/keytabs/smokeuser.headless.keytab ambari-qa-vpimply@IMPLY.IO
2018-11-29T11:17:29 set-error: -1765328242: Reached end of credential caches
2018-11-29T11:17:29 set-error: -1765328243: Principal ambari-qa-vpimply@IMPLY.IO not found in any credential cache
2018-11-29T11:17:29 set-error: 13: keytab /etc/security/keytabs/smokeuser.headless.keytab access failed: Permission denied
2018-11-29T11:17:29 set-error: 13: Failed to find ambari-qa-vpimply@IMPLY.IO in keytab FILE:/etc/security/keytabs/smokeuser.headless.keytab (unknown enctype)
kinit: krb5_init_creds_set_keytab: Failed to find ambari-qa-vpimply@IMPLY.IO in keytab FILE:/etc/security/keytabs/smokeuser.headless.keytab (unknown enctype)
$ ls -alrt /etc/security/keytabs
total 24
-r--r----- 1 root wheel 338 Nov 28 13:19 smokeuser.headless.keytab
drwxr-xr-x 5 root wheel 160 Nov 28 17:16 .
修复权限以匹配当前登录用户后,kinit 运行良好!这与 'enctype' 无关。此外,最近的 MACO 不需要安装任何软件包——甚至 MIT Kerberos 也不需要,客户端就可以正常工作。
了解 Mac 上默认安装的 kerberos 将无法工作会有所帮助。
我用 Homebrew 安装解决了这个问题:brew install krb5
为避免使用原始二进制文件,还必须将这些路径添加到 ~/.bashrc 或 ~/.zshrc 文件中:
export PATH="/usr/local/opt/krb5/bin:$PATH"
export PATH="/usr/local/opt/krb5/sbin:$PATH"
为了能够从 MacBook 访问 Kerberized Hadoop,尝试创建 SPNEGO。 Post 在 Centos 7 中从 KDC 复制 spnego keytab,执行 kinit 失败并出现以下错误:
$kinit -kt /etc/security/keytabs/spnego.service.keytab ambari-qa-tcluster@EXAMPLE.COM
kinit: krb5_init_creds_set_keytab: Failed to find ambari-qa-ambari-qa-tcluster@EXAMPLE.COM in keytab FILE:/etc/security/keytabs/smokeuser.headless.keytab (unknown enctype)
在 Centos 上使用以下检查 enctype:
[root@vpimply1 ~]# klist -kte /etc/security/keytabs/smokeuser.headless.keytab
Keytab name: FILE:/etc/security/keytabs/smokeuser.headless.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
2 11/27/2018 21:48:00 ambari-qa-tcluster@EXAMPLE.COM (des-cbc-md5)
2 11/27/2018 21:48:00 ambari-qa-tcluster@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
2 11/27/2018 21:48:00 ambari-qa-tcluster@EXAMPLE.COM (arcfour-hmac)
2 11/27/2018 21:48:00 ambari-qa-tcluster@EXAMPLE.COM (des3-cbc-sha1)
2 11/27/2018 21:48:00 ambari-qa-tcluster@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
[root@vpimply1 ~]#
尝试创建具有特定加密类型的密钥表,但仍然遇到同样的错误。
如何解决此 "enctype" 问题?
经过一番努力,我在 Macbook 中将 KRB5 Tracing 设置如下:
KRB5_TRACE=/dev/stdout
Post 设置这个,我可以清楚地看到keytab 上的权限不正确。
$ kinit -t /etc/security/keytabs/smokeuser.headless.keytab ambari-qa-vpimply@IMPLY.IO
2018-11-29T11:17:29 set-error: -1765328242: Reached end of credential caches
2018-11-29T11:17:29 set-error: -1765328243: Principal ambari-qa-vpimply@IMPLY.IO not found in any credential cache
2018-11-29T11:17:29 set-error: 13: keytab /etc/security/keytabs/smokeuser.headless.keytab access failed: Permission denied
2018-11-29T11:17:29 set-error: 13: Failed to find ambari-qa-vpimply@IMPLY.IO in keytab FILE:/etc/security/keytabs/smokeuser.headless.keytab (unknown enctype)
kinit: krb5_init_creds_set_keytab: Failed to find ambari-qa-vpimply@IMPLY.IO in keytab FILE:/etc/security/keytabs/smokeuser.headless.keytab (unknown enctype)
$ ls -alrt /etc/security/keytabs
total 24
-r--r----- 1 root wheel 338 Nov 28 13:19 smokeuser.headless.keytab
drwxr-xr-x 5 root wheel 160 Nov 28 17:16 .
修复权限以匹配当前登录用户后,kinit 运行良好!这与 'enctype' 无关。此外,最近的 MACO 不需要安装任何软件包——甚至 MIT Kerberos 也不需要,客户端就可以正常工作。
了解 Mac 上默认安装的 kerberos 将无法工作会有所帮助。
我用 Homebrew 安装解决了这个问题:brew install krb5
为避免使用原始二进制文件,还必须将这些路径添加到 ~/.bashrc 或 ~/.zshrc 文件中:
export PATH="/usr/local/opt/krb5/bin:$PATH"
export PATH="/usr/local/opt/krb5/sbin:$PATH"