question Re: SOLR + Kerberos error: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96) in Support Questions

SOLR + Kerberos error: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)

geko — Thu, 27 Apr 2017 18:22:55 GMT

Hi,

I am currently facing an issue at accessing SOLR collection via curl . Cluster is kerberized and working properly (HDFS/Hive/...), but while executing (after grabbing a kerberos ticket as user 'solr') e.g.

curl --negotiate -u : 'http://mgr-node1:8983/solr/'

I receive the following response:

...HTTP Status 403 - GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)...

Keytab for user 'solr' contains:

   2 27.04.2017 09:02:49 solr/<node>@<realm> (aes256-cts-hmac-sha1-96)  
   2 27.04.2017 09:02:49 solr/<node>@<realm> (des3-cbc-sha1)     2 27.04.2017 09:02:49 solr/<node>@<realm> (arcfour-hmac)     2 27.04.2017 09:02:49 solr/<node>@<realm> (des-hmac-sha1)

MIT-KDC config contains this enctype as well:

sudo cat /var/kerberos/krb5kdc/kdc.conf | grep supported_enctypes
  supported_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1 aes256-cts arcfour-hmac des-hmac-sha1

cat /etc/krb5.conf | grep _enctypes
default_tgs_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1 aes256-cts arcfour-hmac des-hmac-sha1
default_tkt_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1 aes256-cts arcfour-hmac des-hmac-sha1
permitted_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1 aes256-cts arcfour-hmac des-hmac-sha1

What is going on there ?

Any help highly appreciated...

Re: SOLR + Kerberos error: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)

VR46 — Fri, 28 Apr 2017 22:58:25 GMT

Hello @Gerd Koenig,

I don't see any problem with the encryption type here. There are couple of reasons for this kind of error:

1. Please check the SOLR hostname in the curl request is exactly same as what is used in keytab "solr/<solr-hostname>". In ideal condition, both should be FQDN. Also check the same for SPNEGO keytab (HTTP/<solr-hostname>).

2. The Key Version Number (kvno) of solr/<sorl-hostname> and HTTP/<solr-hostname> should be same in the keytab and in MIT KDC database. You can do a 'klist -kt <keytab>' and 'kadmin.local -q "getprincs solr/<solr-hostname>" ' to compare the kvno.

In case the error persist, please set KRB5_TRACE and then run kinit & curl to get more debug output and paste here:

export KRB5_TRACE=/tmp/curl-krb.log
kinit <user-principal>
klist -eaf
curl -iv --negotiate -u : http://<solr-hostname>:8983/solr

Hope this helps!

Re: SOLR + Kerberos error: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)

VR46 — Fri, 28 Apr 2017 23:03:26 GMT

The correct commands are -

kadmin.local -q "getprincs solr/<hostname>"
kadmin.local -q "getprincs HTTP/<hostname>"

Re: SOLR + Kerberos error: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)

geko — Sat, 29 Apr 2017 01:02:17 GMT

Hello @Vipin Rathor ,

thank you sooo much. Your hint with the FQDN did the trick.

After putting the FQDN in the curl command, it works nice!

Re: SOLR + Kerberos error: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)

VR46 — Mon, 01 May 2017 23:07:21 GMT

Awesome ! Thanks @Gerd Koenig for the update. I'm glad that it worked out for you. Cheers.

Re: SOLR + Kerberos error: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)

vishwanath_voru — Tue, 18 Jul 2017 16:01:49 GMT

@Vipin Rathor:

Can you please help on issue reported in below ticket:

https://community.hortonworks.com/questions/114311/unable-to-start-solr-service-in-kerberized-environ.html