<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>question Re: webHDFS 403 error in Support Questions</title>
    <link>https://community.cloudera.com/t5/Support-Questions/webHDFS-403-error/m-p/242319#M204122</link>
    <description>&lt;P&gt;&lt;A rel="user" href="https://community.cloudera.com/users/97392/ggoldman.html" nodeid="97392"&gt;@Geoffrey Goldman&lt;/A&gt;&lt;/P&gt;&lt;P&gt;Important question (should I post it as a new question? It does kind of follow up from your latest comment, so I post it here): so how should the "default_tkt_enctypes", "default_tgs_enctypes" and "permitted_enctypes" ideally look for a normal HDP cluster (not a test sandbox), which would work 100% of the time and also provide a high level of security?&lt;/P&gt;&lt;P&gt;1. When I tried the default suggested settings of "des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd", I would get errors that the security level was too low. I then further added "aes256-cts-hmac-sha1-96", but it seems more than one decent enctype is required for proper encryption?&lt;/P&gt;&lt;P&gt;2. The default Kerberos settings, suggested by Ambari, also suggest "des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd", &lt;STRONG&gt;but comment it out by default, &lt;/STRONG&gt;so I guess it ends up using some default values, which doesn't seem stable (what if the default changes over time or with a new version of Kerberos). &lt;/P&gt;&lt;P&gt;3. Now I've added all possible configs, &lt;EM&gt;"aes256-cts-hmac-sha1-96 aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal"&lt;/EM&gt;, but when using &lt;CODE&gt;xst -k&lt;/CODE&gt; from the &lt;CODE&gt;kadmin&lt;/CODE&gt; service, it exports around 2-3 entries in the keytab with different encryptions, but not all 8+, suggesting that only some types are actually important. &lt;/P&gt;</description>
    <pubDate>Thu, 17 Jan 2019 17:20:02 GMT</pubDate>
    <dc:creator>mRabramS</dc:creator>
    <dc:date>2019-01-17T17:20:02Z</dc:date>
  </channel>
</rss>

