kinit: krb5_init_creds_set_keytab: 找不到密钥表(未知加密类型)

kinit: krb5_init_creds_set_keytab: Failed to find keytab (unknown enctype)

为了能够从 MacBook 访问 Kerberized Hadoop,尝试创建 SPNEGO。 Post 在 Centos 7 中从 KDC 复制 spnego keytab,执行 kinit 失败并出现以下错误:

$kinit -kt /etc/security/keytabs/spnego.service.keytab ambari-qa-tcluster@EXAMPLE.COM

kinit: krb5_init_creds_set_keytab: Failed to find ambari-qa-ambari-qa-tcluster@EXAMPLE.COM in keytab FILE:/etc/security/keytabs/smokeuser.headless.keytab (unknown enctype)

在 Centos 上使用以下检查 enctype:

[root@vpimply1 ~]# klist -kte /etc/security/keytabs/smokeuser.headless.keytab
Keytab name: FILE:/etc/security/keytabs/smokeuser.headless.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 11/27/2018 21:48:00 ambari-qa-tcluster@EXAMPLE.COM (des-cbc-md5)
   2 11/27/2018 21:48:00 ambari-qa-tcluster@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 11/27/2018 21:48:00 ambari-qa-tcluster@EXAMPLE.COM (arcfour-hmac)
   2 11/27/2018 21:48:00 ambari-qa-tcluster@EXAMPLE.COM (des3-cbc-sha1)
   2 11/27/2018 21:48:00 ambari-qa-tcluster@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
[root@vpimply1 ~]#

尝试创建具有特定加密类型的密钥表,但仍然遇到同样的错误。

如何解决此 "enctype" 问题?

经过一番努力,我在 Macbook 中将 KRB5 Tracing 设置如下:

KRB5_TRACE=/dev/stdout

Post 设置这个,我可以清楚地看到keytab 上的权限不正确。

$ kinit -t /etc/security/keytabs/smokeuser.headless.keytab ambari-qa-vpimply@IMPLY.IO
2018-11-29T11:17:29 set-error: -1765328242: Reached end of credential caches
2018-11-29T11:17:29 set-error: -1765328243: Principal ambari-qa-vpimply@IMPLY.IO not found in any credential cache
2018-11-29T11:17:29 set-error: 13: keytab /etc/security/keytabs/smokeuser.headless.keytab access failed: Permission denied
2018-11-29T11:17:29 set-error: 13: Failed to find ambari-qa-vpimply@IMPLY.IO in keytab FILE:/etc/security/keytabs/smokeuser.headless.keytab (unknown enctype)
kinit: krb5_init_creds_set_keytab: Failed to find ambari-qa-vpimply@IMPLY.IO in keytab FILE:/etc/security/keytabs/smokeuser.headless.keytab (unknown enctype)

$ ls -alrt /etc/security/keytabs
total 24
-r--r-----  1 root                wheel  338 Nov 28 13:19 smokeuser.headless.keytab
drwxr-xr-x  5 root                wheel  160 Nov 28 17:16 .

修复权限以匹配当前登录用户后,kinit 运行良好!这与 'enctype' 无关。此外,最近的 MACO 不需要安装任何软件包——甚至 MIT Kerberos 也不需要,客户端就可以正常工作。

了解 Mac 上默认安装的 kerberos 将无法工作会有所帮助。

我用 Homebrew 安装解决了这个问题:brew install krb5

为避免使用原始二进制文件,还必须将这些路径添加到 ~/.bashrc~/.zshrc 文件中:

export PATH="/usr/local/opt/krb5/bin:$PATH"
export PATH="/usr/local/opt/krb5/sbin:$PATH"