I'm trying to upgrade the Kerberos encryption types for an existing HDP 2.6 cluster. The problem is that I want to use the same KDC servers with a single configuration for multiple realms, where one would be set up with CentOS 7.8 or CentOS 8, which does not support DES-type encryptions.
The HDP 2.6 cluster does not seem to work with anything other than the DES encryptions.
In my understanding, these should cover both the old and weak des3-cbc-sha1 types, and the later aes256 types for the newer system.
However, with this configuration set and doing the Keytab Regeneration through Ambari, the HDFS services don't start, probably due to a GSS issue (same errors as in https://community.cloudera.com/t5/Support-Questions/Cloudera-Kerberos-GSS-initiate-failed/m-p/78727). When inspecting the auto-generated keytab, only one entry is created with "des3-cbc-sha1" tab. While this should work (and it does allow for a kinit), something is not okay for the namenode and it still results in the GSS errors while starting the namenode.
What could be the issue here?
What is the correct setting for Kerberos enctypes that works with HDP?
I can reformulate the question in the following manner:
Why does the HDFS Namenode work (on HDP 2.6) only with the following krb5.conf entries: