Correct configuration for HDP Kerberos

I'm trying to upgrade the Kerberos encryption types for an existing HDP 2.6 cluster. The problem is that I want to use the same KDC servers with a single configuration for multiple realms, where one would be set up with CentOS 7.8 or CentOS 8, which do not support DES-type encryption.

The HDP 2.6 cluster does not seem to work with anything other than the DES encryption types.

I'm trying the following krb5.conf:

default_tkt_enctypes = aes256-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4
default_tgs_enctypes = aes256-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4

In my understanding, these should cover both the old and weak des3-cbc-sha1 types and the later aes256 types for the newer system.

However, with this configuration set and after doing the Keytab Regeneration through Ambari, the HDFS services don't start, probably due to a GSS issue (same errors as in https://community.cloudera.com/t5/Support-Questions/Cloudera-Kerberos-GSS-initiate-failed/m-p/78727). When inspecting the auto-generated keytab, only one entry is created, tagged "des3-cbc-sha1". While this should work (and it does allow for a kinit), something is not okay for the NameNode and it still results in the GSS errors while starting the NameNode.

What could be the issue here?

What is the correct setting for Kerberos enctypes that works with HDP?

--------

I can rephrase the question as follows:

Why does the HDFS NameNode work (on HDP 2.6) only with the following krb5.conf entries:

default_tkt_enctypes = des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd
default_tgs_enctypes = des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd
permitted_enctypes = des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd

Nothing else works if I try moving away from DES encryption.
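The symptom described in the post, a regenerated keytab that carries only a des3-cbc-sha1 key while krb5.conf lists aes256 first, can be checked offline. The following is an added example, not code from the post or from HDP/Ambari: a minimal parser for the MIT keytab file format (version 0x0502) that lists each entry's enctype, plus helpers that intersect the service's keytab enctypes with the configured default_tkt_enctypes and flag the deprecated DES/3DES/RC4 ones. The principal nn/nn01.example.com@EXAMPLE.COM, the key bytes and the keytab itself are constructed sample data.

```python
import struct
# Enctype numbers from RFC 3961/3962/4757; 16 (des3-cbc-sha1) is the one entry in the post's keytab.
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}
WEAK_PREFIXES = ("des-", "des3-", "arcfour-")   # single DES, 3DES and RC4 are all deprecated

def parse_keytab(data):
    """Return [(principal, kvno, enctype_name)] from MIT keytab bytes (version 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos < len(data):
        size = struct.unpack(">i", data[pos:pos + 4])[0]; pos += 4
        if size < 0:                       # negative size = deleted slot, skip its bytes
            pos -= size; continue
        end = pos + size
        ncomp = struct.unpack(">H", data[pos:pos + 2])[0]; pos += 2
        strings = []
        for _ in range(ncomp + 1):         # realm comes first, then the name components
            n = struct.unpack(">H", data[pos:pos + 2])[0]; pos += 2
            strings.append(data[pos:pos + n].decode()); pos += n
        pos += 8                           # name_type (int32) and timestamp (uint32)
        vno8 = data[pos]; pos += 1
        etype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4 + klen
        kvno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else 0
        entries.append(("/".join(strings[1:]) + "@" + strings[0], kvno or vno8,
                        ENCTYPE_NAMES.get(etype, f"etype-{etype}")))
        pos = end
    return entries

def parse_enctype_line(line):
    return line.split("=", 1)[1].split()   # 'default_tkt_enctypes = a b c' -> ['a', 'b', 'c']

def negotiable(config_enctypes, keytab_entries):
    """Enctypes the service can actually use: configured AND backed by a key in its keytab."""
    present = {e for _, _, e in keytab_entries}
    return [e for e in config_enctypes if e in present]

def weak(enctypes):
    return [e for e in enctypes if e.startswith(WEAK_PREFIXES)]

def build_entry(realm, components, kvno, etype, key):   # serialises one entry for the sample below
    body = struct.pack(">H", len(components))
    for s in [realm] + components:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">iIB", 1, 0, kvno & 0xFF)        # KRB5_NT_PRINCIPAL, timestamp 0, vno8
    body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: the situation in the post, a NameNode keytab holding only a des3-cbc-sha1 key.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("EXAMPLE.COM", ["nn", "nn01.example.com"], 2, 16, b"\x11" * 24)
POSTED_TKT_LINE = "default_tkt_enctypes = aes256-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4"
```

Run against a real keytab with `parse_keytab(open("nn.service.keytab", "rb").read())`; an empty `negotiable()` result, or one containing only `weak()` entries, is the mismatch to fix before the NameNode can pick an AES ticket.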