Posted to hdfs-dev@hadoop.apache.org by "liyunzhang (JIRA)" <ji...@apache.org> on 2014/07/21 10:24:38 UTC

[jira] [Resolved] (HDFS-6676) KMS throws AuthenticationException when enabling kerberos authentication

     [ https://issues.apache.org/jira/browse/HDFS-6676?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

liyunzhang resolved HDFS-6676.
------------------------------

    Resolution: Not a Problem

> KMS throws AuthenticationException when enabling kerberos authentication 
> -------------------------------------------------------------------------
>
>                 Key: HDFS-6676
>                 URL: https://issues.apache.org/jira/browse/HDFS-6676
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.4.0
>            Reporter: liyunzhang
>            Priority: Minor
>
> When I made a request to http://server-1941.novalocal:16000/kms/v1/names in Firefox (beforehand, I set the configs in Firefox according to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sso-config-firefox.html), the following info was found in logs/kms.log:
> 2014-07-14 19:18:30,461 WARN  AuthenticationFilter - Authentication exception: GSSException: Failure unspecified at GSS-API level (Mechanism level: EncryptedData is encrypted using keytype DES CBC mode with CRC-32 but decryption key is of type NULL)
> org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: Failure unspecified at GSS-API level (Mechanism levelis of type NULL)
> 	at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:380)
> 	at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:357)
> 	at org.apache.hadoop.crypto.key.kms.server.KMSAuthenticationFilter.doFilter(KMSAuthenticationFilter.java:100)
> 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> 	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
> 	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
> 	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> 	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
> 	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> 	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
> 	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861)
> 	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:606)
> 	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
> 	at java.lang.Thread.run(Thread.java:745)
> Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: EncryptedData is encrypted using keytype DES CBC mode with CRC-32 but decryption key is of type NULL)
> 	at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:788)
> 	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
> 	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
> 	at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:875)
> 	at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:548)
> 	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
> 	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
> 	at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:347)
> 	at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:329)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at javax.security.auth.Subject.doAs(Subject.java:415)
> 	at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:329)
> 	... 14 more
> Caused by: KrbException: EncryptedData is encrypted using keytype DES CBC mode with CRC-32 but decryption key is of type NULL
> 	at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:169)
> 	at sun.security.krb5.KrbCred.<init>(KrbCred.java:131)
> 	at sun.security.jgss.krb5.InitialToken$OverloadedChecksum.<init>(InitialToken.java:282)
> 	at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:130)
> 	at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:771)
> 	... 25 more
> 	
> Kerberos is enabled successfully in my environment:
> klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: HTTP/server-1941.novalocal@NOVALOCAL
> Valid starting     Expires            Service principal
> 07/14/14 19:18:10  07/15/14 19:18:09  krbtgt/NOVALOCAL@NOVALOCAL
> 	renew until 07/14/14 19:18:10
> 07/14/14 19:18:30  07/15/14 19:18:09  HTTP/server-1941.novalocal@NOVALOCAL
> 	renew until 07/14/14 19:18:10
> The following are the KDC configs:
> cat /etc/krb5.conf
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> [libdefaults]
>  default_realm = NOVALOCAL
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 24h
>  renew_lifetime = 7d
>  forwardable = true
>  udp_preference_limit = 1000000
>  default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
>  default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
>  permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
>  allow_weak_crypto = true
> [realms]
>  NOVALOCAL = {
>   kdc = server-355:88
>   admin_server = server-355:749
>   default_domain=novalocal
>  }
> [domain_realm]
>  .novalocal = NOVALOCAL
>  novalocal = NOVALOCAL
> cat /var/kerberos/krb5kdc/kdc.conf
> [kdcdefaults]
> kdc_ports = 88
> kdc_tcp_ports = 88
>  
> [realms]
> NOVALOCAL = {
>   acl_file = /var/kerberos/krb5kdc/kadm5.acl
>   dict_file = /usr/share/dict/words
>   admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>   master_key_type = des3-hmac-sha1
>   supported_enctypes = arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
> }
>  
> I have updated my JDK to build 1.7.0_60-b19.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
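
An added example, not part of the original report or of Hadoop's code: a small audit of the `[libdefaults]` settings quoted in the report, flagging `allow_weak_crypto` and single-DES enctypes (deprecated by RFC 6649). The function names are hypothetical, and the sample input is trimmed from the krb5.conf quoted above.

```python
import re

# Single-DES enctype names (deprecated by RFC 6649); "des" is MIT krb5's family alias.
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
TRUE_VALUES = {"true", "t", "yes", "y", "1", "on"}

# Sample input: lines trimmed from the krb5.conf quoted in the report.
SAMPLE = """\
[libdefaults]
 default_realm = NOVALOCAL
 default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
 default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
 permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
 allow_weak_crypto = true
[realms]
 NOVALOCAL = {
  kdc = server-355:88
 }
"""

def parse_section(text, section):
    """Return {key: value} for the flat key = value lines of one section."""
    current, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1)
        elif current == section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            out[key] = value
    return out

def audit_libdefaults(text):
    """List findings for weak-crypto settings in [libdefaults]."""
    conf = parse_section(text, "libdefaults")
    findings = []
    if conf.get("allow_weak_crypto", "false").lower() in TRUE_VALUES:
        findings.append("allow_weak_crypto is enabled")
    for key in ENCTYPE_KEYS:
        # Enctype lists may be space- or comma-separated; "-name" removes an entry.
        entries = [e for e in re.split(r"[,\s]+", conf.get(key, "")) if e and e[0] != "-"]
        weak = [e for e in entries if e.lstrip("+").lower() in SINGLE_DES]
        if weak:
            findings.append(f"{key} lists single-DES: {', '.join(weak)}")
    return findings

if __name__ == "__main__":
    for finding in audit_libdefaults(SAMPLE):
        print("WARN", finding)
```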