Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)

avatar

Hi ,

I am currently facing this issue when I'm trying to execute the acceptSecContext() method.

Is this because RC4 with HMAC has been depreciated?

7 REPLIES 7

avatar
Master Mentor

@Amol Gharpure

Can you share your krb5.conf?

Is your domain configured and nslookup <hostname> is working verify that your /etc/resolv.conf is well configured?

Ensure JCE is installed on the Ambari Server.

avatar

Hi , I have added the krb5.conf file

avatar

krb5.conf looks like this

[libdefaults]

ticket_lifetime = 10

default_realm = TEST.GLOBAL.AD

default_keytab_name = file:///C:/Windows/myKeytab.kettab

dns_lookup_realm = false

dns_lookup_kdc = true

default_tkt_enctypes = rc4-hmac

default_tgs_enctypes = rc4-hmac

permitted_enctypes = rc4-hmac

udp_perference_limit = 0

default_principal_flags = +renewable

[realms]

MISYS.GLOBAL.AD = { kdc = (AD IP) }

[appdefaults]

autologin = true

forward = true

forwardable = true

encrypt = true

avatar
Expert Contributor

Did you authenticate using Keytabs or using a password-based kinit?

Could you please send the result of "klist" and "klist -kte <keytab-file>"

avatar

password-based kinit is used.

The output of the klist -kte mykey.keytab :-

Key tab: myKey.keytab, 1 entry found.

[1] Service principal: HTTP/xyz@myCom.global.ad

KVNO: 4

avatar

myCom.global.ad is an invalid realm. The realm needs to be all uppercase characters, like MYCOM.GLOBAL.AD

avatar

yes that was by mistake. The Realm name is as per you mentioned. But still i am facing this issue. Is this a configuration error or something else ?