0
将kerberized Hortonworks Cluster从2.5.3升级到2.6.1后,所有服务(hdfs,hive,spark,zookeeper等)都无法通过Kerberos获取凭据,但出现以下错误:Hortonworks Kerberos:KRBError:错误代码是14
>>>KRBError:
sTime is Wed Jun 14 11:52:10 CEST 2017 1497433930000
suSec is 825974
error code is 14
error Message is **KDC has no support for encryption type**
sname is krbtgt/[email protected]
msgType is 30
>>> Credentials acquireServiceCreds: no tgt; searching thru capath
>>> Credentials acquireServiceCreds: no tgt; cannot get creds
KrbException: Fail to create credential. (63) - No service creds
/etc/krb5.conf中的文件并没有改变(并已在升级前工作):
[libdefaults]
renew_lifetime = 7d
forwardable = true
default_realm = BIGDATACLUSTER.EXAMPLE.COM
ticket_lifetime = 10h
[domain_realm]
.EXAMPLE.com = JUST.EXAMPLE.COM
.BIGDATACLUSTER.EXAMPLE.com = BIGDATACLUSTER.EXAMPLE.COM
BIGDATACLUSTER.EXAMPLE.com = BIGDATACLUSTER.EXAMPLE.COM
[realms]
BIGDATACLUSTER.EXAMPLE.COM = {
admin_server=MACHINE1.EXAMPLE.com
rdns = false
kdc = MACHINE1.EXAMPLE.com
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
}
[capaths]
JUST.EXAMPLE.COM = {
BIGDATACLUSTER.EXAMPLE.COM = .
}
信托看起来是这样的:
addprinc -e "aes256-cts:normal aes128-cts:normal arcfour-hmac:normal" krbtgt/[email protected]
这是我们已经试过:
- 验证Java和JCE,一切ok
- 再生所有Keytabs并重新启动集群 - 选中了“其他域支持Kerberos AES加密”复选框为信任,它被检查。
请参阅答案。看来最后一点是问题所在。
出于好奇:(的片段)的Kerberos迹线示出了由KDC为境界“只是”发出一个错误消息,其未在'[领域]'定义(它经由DNS别名发现并没有具体的参数)。您对该KDC有任何控制权,即您可以访问服务器端日志吗? –
良好的发现,错误是因为在另一领域的跨领域问题。请看我的答案。 – Cos