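I am trying to enable Kerberos for my CDH 4.3 test bed (via Cloudera Manager). After changing authentication from Simple to Kerberos in the WebUI, I am unable to perform any hadoop operations, as shown below. Is there any way to specify the keytab explicitly?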
[root@host-dn15 ~]# su - hdfs
-bash-4.1$ hdfs dfs -ls /
13/09/10 08:15:35 ERROR security.UserGroupInformation: PriviledgedActionException as:hdfs (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
13/09/10 08:15:35 WARN ipc.Client: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
13/09/10 08:15:35 ERROR security.UserGroupInformation: PriviledgedActionException as:hdfs (auth:KERBEROS) cause:java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
ls: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "host-dn15.hadoop.com/192.168.10.227"; destination host is: "host-dn15.hadoop.com":8020;
-bash-4.1$ kdestroy
-bash-4.1$ kinit
Password for [email protected]:
-bash-4.1$ klist
Ticket cache: FILE:/tmp/krb5cc_494
Default principal: [email protected]
Valid starting Expires Service principal
09/10/13 08:20:31 09/11/13 08:20:31 krbtgt/[email protected]
renew until 09/10/13 08:20:31
-bash-4.1$ klist -e
Ticket cache: FILE:/tmp/krb5cc_494
Default principal: [email protected]
Valid starting Expires Service principal
09/10/13 08:20:31 09/11/13 08:20:31 krbtgt/[email protected]
renew until 09/10/13 08:20:31, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
-bash-4.1$
So I took a close look at the NameNode log:
2013-09-10 10:02:06,085 INFO org.apache.hadoop.ipc.Server: IPC Server listener on 8022: readAndProcess threw exception javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)] from client 10.132.100.228. Count of bytes read: 0
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]
The JCE policy files are already installed on all nodes.
[root@host-dn15 security]# sha256sum ./local_policy.jar
4a5c8f64107c349c662ea688563e5cd07d675255289ab25246a3a46fc4f85767 ./local_policy.jar
[root@host-dn15 security]# sha256sum ./US_export_policy.jar
b800fef6edc0f74560608cecf3775f7a91eb08d6c3417aed81a87c6371726115 ./US_export_policy.jar
[root@host-dn15 security]# sha256sum ./local_policy.jar.bak
7b26d0e16722e5d84062240489dea16acef3ea2053c6ae279933499feae541ab ./local_policy.jar.bak
[root@host-dn15 security]# sha256sum ./US_export_policy.jar.bak
832133c52ed517df991d69770f97c416d2e9afd874cb4f233a751b23087829a3 ./US_export_policy.jar.bak
[root@host-dn15 security]#
And the list of principals in the realm:
kadmin: listprincs
HTTP/[email protected]
HTTP/[email protected]
HTTP/[email protected]
K/[email protected]
cloudera-scm/[email protected]
hbase/[email protected]
hbase/[email protected]
hbase/[email protected]
hdfs/[email protected]
hdfs/[email protected]
hdfs/[email protected]
[email protected]
hue/[email protected]
host-dn16/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
krbtgt/[email protected]
mapred/[email protected]
mapred/[email protected]
mapred/[email protected]
root/[email protected]
[email protected]
zookeeper/ho[email protected]
kadmin: exit
[root@host-dn15 ~]#
I exported the keytab for hdfs and used it to kinit.
-bash-4.1$ kinit -kt ./hdfs.keytab hdfs
-bash-4.1$ klist
Ticket cache: FILE:/tmp/krb5cc_494
Default principal: [email protected]
Valid starting Expires Service principal
09/10/13 09:49:42 09/11/13 09:49:42 krbtgt/[email protected]
renew until 09/10/13 09:49:42
All of it was in vain. Any ideas??
Thanks in advance,
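An added example, not part of the original post: a small triage script that correlates the encryption types carried by the client's ticket (from `klist -e`) with the types the NameNode's JVM reports as "not supported/enabled". A non-empty result places the failure in the server JVM's Kerberos crypto support rather than in the client's credentials. The function names and the name-normalization rule are assumptions of this example.

```python
import re

# Sample input copied from the post: one NameNode log line, one `klist -e` line.
NAMENODE_LOG = (
    "2013-09-10 10:02:06,085 INFO org.apache.hadoop.ipc.Server: IPC Server "
    "listener on 8022: readAndProcess threw exception javax.security.sasl."
    "SaslException: GSS initiate failed [Caused by GSSException: Failure "
    "unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS "
    "mode with HMAC SHA1-96 is not supported/enabled)] from client "
    "10.132.100.228. Count of bytes read: 0\n"
)
KLIST_E = ("renew until 09/10/13 08:20:31, Etype (skey, tkt): "
           "aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96\n")

REJECT_RE = re.compile(r"Encryption type (.+?) is not supported/enabled")
CLIENT_RE = re.compile(r"from client (\d{1,3}(?:\.\d{1,3}){3})")
ETYPE_RE = re.compile(r"Etype \(skey, tkt\):\s*([\w-]+),\s*([\w-]+)")

def to_mit_name(java_name):
    # Assumption: a simple rewrite of the JVM's AES wording into the spelling
    # klist prints; it is only checked against the AES name seen in the post.
    return java_name.lower().replace(" mode with", "").replace(" ", "-")

def rejected_etypes(log_text):
    """Map each etype the server JVM refused to the client IPs that hit it."""
    found = {}
    for line in log_text.splitlines():
        rejected = REJECT_RE.search(line)
        if not rejected:
            continue
        clients = found.setdefault(to_mit_name(rejected.group(1)), set())
        client = CLIENT_RE.search(line)
        if client:  # the bare exception line that follows carries no client
            clients.add(client.group(1))
    return found

def ticket_etypes(klist_text):
    """Session-key and ticket etypes from the 'Etype (skey, tkt)' lines."""
    return {e for m in ETYPE_RE.finditer(klist_text) for e in m.groups()}

def blocked_ticket_etypes(log_text, klist_text):
    """Etypes the client's ticket uses that the server JVM refused."""
    return sorted(ticket_etypes(klist_text) & set(rejected_etypes(log_text)))

if __name__ == "__main__":
    print(rejected_etypes(NAMENODE_LOG))
    print(blocked_ticket_etypes(NAMENODE_LOG, KLIST_E))
```

When the result is non-empty, check the policy jars under the JRE that the NameNode process is actually started with, since a host can have more than one Java installation.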