Created 04-27-2017 11:22 AM
Hi,
I am currently facing an issue accessing a SOLR collection via curl. The cluster is kerberized and working properly (HDFS/Hive/...), but while executing (after grabbing a Kerberos ticket as user 'solr') e.g.
curl --negotiate -u : 'http://mgr-node1:8983/solr/'
I receive the following response:
...HTTP Status 403 - GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)...
Keytab for user 'solr' contains:
2 27.04.2017 09:02:49 solr/<node>@<realm> (aes256-cts-hmac-sha1-96)
2 27.04.2017 09:02:49 solr/<node>@<realm> (des3-cbc-sha1)
2 27.04.2017 09:02:49 solr/<node>@<realm> (arcfour-hmac)
2 27.04.2017 09:02:49 solr/<node>@<realm> (des-hmac-sha1)
MIT-KDC config contains this enctype as well:
sudo cat /var/kerberos/krb5kdc/kdc.conf | grep supported_enctypes
supported_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1 aes256-cts arcfour-hmac des-hmac-sha1
cat /etc/krb5.conf | grep _enctypes
default_tgs_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1 aes256-cts arcfour-hmac des-hmac-sha1
default_tkt_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1 aes256-cts arcfour-hmac des-hmac-sha1
permitted_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1 aes256-cts arcfour-hmac des-hmac-sha1
What is going on there?
Any help highly appreciated...
Created 04-28-2017 03:58 PM
Hello @Gerd Koenig,
I don't see any problem with the encryption type here. There are a couple of reasons for this kind of error:
1. Please check that the SOLR hostname in the curl request is exactly the same as what is used in the keytab "solr/<solr-hostname>". Ideally, both should be the FQDN. Also check the same for the SPNEGO keytab (HTTP/<solr-hostname>).
2. The Key Version Number (kvno) of solr/<solr-hostname> and HTTP/<solr-hostname> should be the same in the keytab and in the MIT KDC database. You can do a 'klist -kt <keytab>' and 'kadmin.local -q "getprincs solr/<solr-hostname>" ' to compare the kvno.
In case the error persists, please set KRB5_TRACE and then run kinit & curl to get more debug output and paste it here:
export KRB5_TRACE=/tmp/curl-krb.log
kinit <user-principal>
klist -eaf
curl -iv --negotiate -u : http://<solr-hostname>:8983/solr
Hope this helps!
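The two checks in the answer above (URL host matches the principal's host and is the FQDN; kvno in the keytab equals kvno in the KDC) can be scripted. The following is an added example, not code from the thread or from Hortonworks/Solr: it parses the output of 'klist -kt <keytab>' and of 'kadmin.local -q "getprinc HTTP/<fqdn>"' (getprinc, singular, is the kadmin command that prints the "Key: vno N" lines). The sample outputs, hostnames (mgr-node1.example.com), realm (EXAMPLE.COM) and keytab path are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): offline check of the two conditions
# named in the answer, run over embedded sample command output.

# Constructed sample output of: klist -kt /etc/security/keytabs/spnego.service.keytab
SAMPLE_KLIST='Keytab name: FILE:/etc/security/keytabs/spnego.service.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 04/27/17 09:02:49 HTTP/mgr-node1.example.com@EXAMPLE.COM
   2 04/27/17 09:02:49 HTTP/mgr-node1.example.com@EXAMPLE.COM
   2 04/27/17 09:02:49 HTTP/mgr-node1.example.com@EXAMPLE.COM
   2 04/27/17 09:02:49 HTTP/mgr-node1.example.com@EXAMPLE.COM'

# Constructed sample output of: kadmin.local -q "getprinc HTTP/mgr-node1.example.com"
SAMPLE_GETPRINC='Principal: HTTP/mgr-node1.example.com@EXAMPLE.COM
Expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Number of keys: 4
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, des3-cbc-sha1
Key: vno 2, arcfour-hmac
Key: vno 2, des-hmac-sha1
MKey: vno 1
Attributes:
Policy: [none]'

# keytab_kvno <klist-output> <principal>: highest KVNO the keytab holds for that
# principal (0 if the principal is absent). Timestamp is two fields, so the
# principal is the last field of each key line.
keytab_kvno() {
  printf '%s\n' "$1" | awk -v p="$2" \
    '$1 ~ /^[0-9]+$/ && $NF == p { if ($1 + 0 > max) max = $1 + 0 } END { print max + 0 }'
}

# kdc_kvno <getprinc-output>: the key version recorded in the KDC database.
kdc_kvno() {
  printf '%s\n' "$1" | awk '/^Key: vno/ { sub(",", "", $3); print $3; exit }'
}

# url_host <url>: host part of scheme://host:port/path (what curl uses for the SPN).
url_host() {
  printf '%s\n' "$1" | sed -e 's#^[a-z]*://##' -e 's#[:/].*$##'
}

# principal_host <principal>: host component of service/host@REALM.
principal_host() {
  printf '%s\n' "$1" | sed -e 's#^[^/]*/##' -e 's#@.*$##'
}

# check_spnego <url> <klist-output> <getprinc-output>: prints a verdict,
# returns 0 when both checks pass and 1 otherwise.
check_spnego() {
  cs_host=$(url_host "$1")
  cs_princ=$(printf '%s\n' "$3" | awk '/^Principal:/ { print $2; exit }')
  cs_phost=$(principal_host "$cs_princ")
  case "$cs_host" in
    *.*) ;;
    *) echo "FAIL: short hostname '$cs_host' in URL, SPN would be HTTP/$cs_host; use the FQDN"
       return 1 ;;
  esac
  if [ "$cs_host" != "$cs_phost" ]; then
    echo "FAIL: URL host '$cs_host' does not match keytab principal host '$cs_phost'"
    return 1
  fi
  cs_kt=$(keytab_kvno "$2" "$cs_princ")
  cs_kdc=$(kdc_kvno "$3")
  if [ "$cs_kt" != "$cs_kdc" ]; then
    echo "FAIL: kvno mismatch for $cs_princ: keytab $cs_kt, KDC $cs_kdc (re-export the keytab)"
    return 1
  fi
  echo "OK: $cs_princ kvno $cs_kt in keytab and KDC, URL host is the FQDN"
  return 0
}

# Demonstration: the short hostname from the question, then the FQDN that fixed it.
for url in 'http://mgr-node1:8983/solr/' 'http://mgr-node1.example.com:8983/solr/'; do
  check_spnego "$url" "$SAMPLE_KLIST" "$SAMPLE_GETPRINC" || :
done
```

On a real cluster, feed the functions the live output: `check_spnego "$URL" "$(klist -kt "$KEYTAB")" "$(kadmin.local -q "getprinc HTTP/$(hostname -f)")"`. The first check matters because curl builds the SPN from the host written in the URL; a short name such as mgr-node1 asks the KDC for HTTP/mgr-node1, which the server's keytab (exported for the FQDN) cannot decrypt, and the 403 GSSException in the question is the result.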
Created 04-28-2017 04:03 PM
The correct commands are -
kadmin.local -q "getprincs solr/<hostname>"
kadmin.local -q "getprincs HTTP/<hostname>"
Created 04-28-2017 06:02 PM
Hello @Vipin Rathor ,
thank you sooo much. Your hint with the FQDN did the trick.
After putting the FQDN in the curl command, it works nice!
Created 05-01-2017 04:07 PM
Awesome! Thanks @Gerd Koenig for the update. I'm glad that it worked out for you. Cheers.
Created 07-18-2017 09:01 AM
@Vipin Rathor:
Can you please help on issue reported in below ticket: