Created 11-25-2017 10:53 PM
Hi,
I am having trouble with beeline on hiveserver2 direct mode; Kerberos is spitting a "Mechanism level: Checksum failed" error.
In my krb5.conf I got the tgs and tkt encryption entries as follows:
#default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
#default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
Listing master keys is as follows:
root@hmaster:~# kdb5_util list_mkeys
Master keys for Principal: K/M@xxxx.LOCAL
KVNO: 1, Enctype: des3-cbc-sha1, Active on: Thu Jan 01 01:00:00 BST 1970 *
getprinc output shows it is using AES-256 encryption:
kadmin.local: getprinc hive/hdata1.xxxx.local@xxxx.LOCAL
Principal: hive/hdata1.xxxx.local@xxxx.LOCAL
Expiration date: [never]
Last password change: Fri Nov 24 21:01:55 GMT 2017
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Nov 24 21:01:55 GMT 2017 (admin/admin@xxxx.LOCAL)
Last successful authentication: Sat Nov 25 22:17:56 GMT 2017
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 8
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, arcfour-hmac, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, des-cbc-crc, no salt
Key: vno 1, des-cbc-md5, Version 4
Key: vno 1, des-cbc-md5, Version 5 - No Realm
Key: vno 1, des-cbc-md5, Version 5 - Realm Only
Key: vno 1, des-cbc-md5, AFS version 3
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
kadmin.local:
Is it normal that kdb is listing only one master key with des3 encryption while the service principal is using AES-256?
Thanks
MB
Created 11-26-2017 10:43 PM
@M B
If you observe carefully, the encryption types in your krb5.conf have been commented out! To see the valid encryption types, check your kdc.conf; see below.
# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 NANDOS.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
From the output, this is your original master key because the KVNO is 1
# kdb5_util list_mkeys
Master keys for Principal: K/M@NANDOS.COM
KVNO: 1, Enctype: aes256-cts-hmac-sha1-96, Active on: Thu Jan 01 01:00:00 CET 1970 *
Output looks correct
# kadmin.local
Authenticating as principal root/admin@NANDOS.COM with password.
kadmin.local: getprinc hive/test.nandos.com@NANDOS.COM
Principal: hive/test.nandos.com@NANDOS.COM
Expiration date: [never]
Last password change: Thu Aug 24 15:42:17 CEST 2017
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Thu Aug 24 15:42:17 CEST 2017 (root/admin@NANDOS.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 8
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
Key: vno 1, des3-cbc-sha1
Key: vno 1, arcfour-hmac
Key: vno 1, camellia256-cts-cmac
Key: vno 1, camellia128-cts-cmac
Key: vno 1, des-hmac-sha1
Key: vno 1, des-cbc-md5
MKey: vno 1
Attributes:
Policy: [none]
kadmin.local:
Can you do the following as the hive user:
$ kdestroy
Check for the correct principal
$ klist -kt /etc/security/keytabs/hive.service.keytab
Then using the correct principal run kinit
$ kinit -kt /etc/security/keytabs/hive.service.keytab hive/hdata1.xxxx.local@xxxx.LOCAL
Check the validity of the ticket
$ klist
Try accessing
$ beeline
Connect with the correct principal
!connect jdbc:hive2://localhost:10000/default;principal=hive/hdata1.xxxx.local@xxxx.LOCAL;auth=kerberos
That should work; please revert.
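An added example, not part of the thread or anyone's reply: the `klist` and `getprinc` checks above done by script, matching the key version numbers and encryption types in the keytab against what the KDC lists for the principal, since a mismatch between the two is worth ruling out when a service rejects tickets. Assumptions: both sample outputs are constructed, `klist -kte` (adding `-e` for enctypes) stands in for the thread's `klist -kt`, and the function names are hypothetical.

```python
import re

# Constructed sample of `klist -kte <keytab>` output (-e adds the enctype).
KLIST_KTE = """\
Keytab name: FILE:/etc/security/keytabs/hive.service.keytab
KVNO Timestamp           Principal
---- ------------------- ----------------------------------------------
   1 11/24/2017 21:01:55 hive/hdata1.xxxx.local@xxxx.LOCAL (arcfour-hmac)
   1 11/24/2017 21:01:55 hive/hdata1.xxxx.local@xxxx.LOCAL (des3-cbc-sha1)
"""

# Constructed sample of kadmin `getprinc` key lines, with the KDC at kvno 2.
GETPRINC = """\
Principal: hive/hdata1.xxxx.local@xxxx.LOCAL
Number of keys: 3
Key: vno 2, aes256-cts-hmac-sha1-96, no salt
Key: vno 2, arcfour-hmac, no salt
Key: vno 2, des3-cbc-sha1, no salt
MKey: vno 1
"""

KEYTAB_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\(([^)]+)\)\s*$")
KDC_KEY_RE = re.compile(r"^\s*Key: vno (\d+), ([^,\s]+)")

def _enctype(name):
    # Newer MIT releases print e.g. "DEPRECATED:arcfour-hmac"; keep the bare name.
    return name.split(":")[-1]

def keytab_keys(klist_text, principal):
    """(kvno, enctype) pairs stored in the keytab for one principal."""
    hits = (KEYTAB_RE.match(line) for line in klist_text.splitlines())
    return {(int(m[1]), _enctype(m[3])) for m in hits if m and m[2] == principal}

def kdc_keys(getprinc_text):
    """(kvno, enctype) pairs the KDC lists for the principal; salts are ignored."""
    hits = (KDC_KEY_RE.match(line) for line in getprinc_text.splitlines())
    return {(int(m[1]), _enctype(m[2])) for m in hits if m}

def compare(keytab, kdc):
    """Split keys into those both sides share and those only one side has."""
    return {
        "usable": sorted(keytab & kdc),
        "only_in_keytab": sorted(keytab - kdc),
        "only_in_kdc": sorted(kdc - keytab),
    }

if __name__ == "__main__":
    princ = "hive/hdata1.xxxx.local@xxxx.LOCAL"
    print(compare(keytab_keys(KLIST_KTE, princ), kdc_keys(GETPRINC)))
```

An empty `usable` list means the keytab holds no key that the KDC currently lists for that principal.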
Created 11-27-2017 02:56 PM
Hi Geoffery,
Many thanks for the reply. Still having issues.
Created 11-27-2017 04:29 PM
@M B
What issues exactly?