Archives of Support Questions (Read Only)


SOLR + Kerberos error: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)

Guru

Hi,

I am currently facing an issue accessing a SOLR collection via curl. The cluster is kerberized and working properly (HDFS/Hive/...), but while executing (after grabbing a Kerberos ticket as user 'solr') e.g.

curl --negotiate -u : 'http://mgr-node1:8983/solr/'

I receive the following response:

...HTTP Status 403 - GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)...

Keytab for user 'solr' contains:

   2 27.04.2017 09:02:49 solr/<node>@<realm> (aes256-cts-hmac-sha1-96)
   2 27.04.2017 09:02:49 solr/<node>@<realm> (des3-cbc-sha1)
   2 27.04.2017 09:02:49 solr/<node>@<realm> (arcfour-hmac)
   2 27.04.2017 09:02:49 solr/<node>@<realm> (des-hmac-sha1)

MIT-KDC config contains this enctype as well:

sudo cat /var/kerberos/krb5kdc/kdc.conf | grep supported_enctypes
  supported_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1 aes256-cts arcfour-hmac des-hmac-sha1
cat /etc/krb5.conf | grep _enctypes
default_tgs_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1 aes256-cts arcfour-hmac des-hmac-sha1
default_tkt_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1 aes256-cts arcfour-hmac des-hmac-sha1
permitted_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1 aes256-cts arcfour-hmac des-hmac-sha1

What is going on there?

Any help highly appreciated...

1 ACCEPTED SOLUTION

Guru

Hello @Gerd Koenig,

I don't see any problem with the encryption type here. There are a couple of reasons for this kind of error:

1. Please check that the SOLR hostname in the curl request is exactly the same as what is used in the keytab "solr/<solr-hostname>". Ideally, both should be the FQDN. Also check the same for the SPNEGO keytab (HTTP/<solr-hostname>).

2. The Key Version Number (kvno) of solr/<solr-hostname> and HTTP/<solr-hostname> should be the same in the keytab and in the MIT KDC database. You can do a 'klist -kt <keytab>' and 'kadmin.local -q "getprinc solr/<solr-hostname>"' to compare the kvno.

In case the error persists, please set KRB5_TRACE and then run kinit & curl to get more debug output and paste it here:

export KRB5_TRACE=/tmp/curl-krb.log
kinit <user-principal>
klist -eaf
curl -iv --negotiate -u : http://<solr-hostname>:8983/solr

Hope this helps!

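The two checks from the accepted answer, as an added example that is not part of the original thread: it compares the host in the curl URL with the principal names in `klist -kt` output, then compares the keytab kvno with the `Key: vno` lines printed by kadmin's `getprinc`. The sample listings, the `example.com` host and the `EXAMPLE.COM` realm are constructed placeholders, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example. Sample text is constructed; host and realm are placeholders.
SAMPLE_KLIST='KVNO Timestamp           Principal
---- ------------------- ------------------------------------------
   2 27.04.2017 09:02:49 solr/mgr-node1.example.com@EXAMPLE.COM
   2 27.04.2017 09:02:49 HTTP/mgr-node1.example.com@EXAMPLE.COM'
SAMPLE_GETPRINC='Principal: HTTP/mgr-node1.example.com@EXAMPLE.COM
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, arcfour-hmac'

# Host part of an http(s) URL, without scheme, port or path.
url_host() {
  local h="${1#*://}"; h="${h%%/*}"; printf '%s\n' "${h%%:*}"
}

# Highest kvno in a `klist -kt` listing ($1) for principal service/host ($2).
keytab_kvno() {
  printf '%s\n' "$1" | awk -v p="$2@" '
    index($4, p) == 1 && $1 + 0 > max { max = $1 + 0 }
    END { if (max) print max }'
}

# Highest kvno the KDC reports in `getprinc` output ($1).
kdc_kvno() {
  printf '%s\n' "$1" | sed -n 's/^Key: vno \([0-9][0-9]*\),.*/\1/p' | sort -n | tail -n 1
}

# Diagnose one service (HTTP or solr) for the URL the client will request.
# Returns 0 only if the keytab has a key for that exact host and the kvno matches.
check_service() {  # $1=url $2=service $3=klist text $4=getprinc text
  local host kt kdc
  host="$(url_host "$1")"
  kt="$(keytab_kvno "$3" "$2/$host")"
  if [ -z "$kt" ]; then
    echo "NO_KEY $2/$host"; return 1   # URL host differs from keytab name (short name vs FQDN)
  fi
  kdc="$(kdc_kvno "$4")"
  if [ "$kt" != "$kdc" ]; then
    echo "KVNO_MISMATCH keytab=$kt kdc=$kdc"; return 2
  fi
  echo "OK $2/$host kvno=$kt"
}
```

On a live system the third and fourth arguments would be the captured output of `klist -kt <keytab>` and `kadmin.local -q "getprinc <principal>"`.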

5 REPLIES

Guru

The correct commands are -

kadmin.local -q "getprinc solr/<hostname>"
kadmin.local -q "getprinc HTTP/<hostname>"

Guru

Hello @Vipin Rathor,

thank you sooo much. Your hint with the FQDN did the trick.

After putting the FQDN in the curl command, it works nice!

Guru

Awesome! Thanks @Gerd Koenig for the update. I'm glad that it worked out for you. Cheers.

avatar

@Vipin Rathor:

Can you please help with the issue reported in the ticket below:

https://community.hortonworks.com/questions/114311/unable-to-start-solr-service-in-kerberized-enviro...