Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

kerberos HDFS seems to enforce rc4-hmac encryption

kerberos HDFS seems to enforce rc4-hmac encryption

Explorer

If one does no have rc4-hmac in Kerberos Encryption Types list HDFS does not start.

The following exception found in datanodes log file:

 

KrbException: No supported encryption types listed in default_tkt_enctypes

 

Adding rc4-hmac to the list of Kerberos Encryption Types, following by Deploy Client Configuration and Deploy Kerberos Client Configuration allows cluster to start successfully.

 

Relevant page http://www.cloudera.com/documentation/enterprise/latest/topics/cm_sg_s4_kerb_wizard.html in the manual does not say that rc4-hmac MUST be included in Kerberos Encryption Types, it just says

 

Make sure the entries for the Kerberos Encryption Types field matches what your KDC supports.

 

 

Am I missing something here or it is working as designed?

4 REPLIES 4
Highlighted

Re: kerberos HDFS seems to enforce rc4-hmac encryption

Rising Star

Hello @qfcd,

 

Please check your supported encryption types (supported_enctypes) in this configuration: /var/kerberos/krb5kdc/kdc.conf on the KDC host.

 

Gabor

Re: kerberos HDFS seems to enforce rc4-hmac encryption

Super Guru

Cloudera Manager and CDH does not enforce using rc4-hmac.

 

What did your krb5.conf file look like before you added rc4-hmac?  What encryption algorithms does your KDC support?

 

If you were attempting to use AES256, make sure you have the unlimited JCE Policy files distributed in the JDK that is used for Hadoop Services.

 

For documentation on that:

 

http://www.cloudera.com/documentation/enterprise/latest/topics/cm_sg_s2_jce_policy.html#xd_583c10bfd...

 

-Ben 

Re: kerberos HDFS seems to enforce rc4-hmac encryption

Explorer

AES256 was the only algorithm listed in krb5.conf at the time. All components besides HDFS were operating on AES256 as far as I recall, only HDFS complained. And yes, unlimited JCE Policy files were used.

Re: kerberos HDFS seems to enforce rc4-hmac encryption

Super Guru

What was the exact configuration you had in /etc/krb5.conf.  I'm wondering if there may have been a typo in the encryption.

 

Make sure you had:

 

aes256-cts-hmac-sha1-96

 

I tested and reproduced with a bogus encryption algorithm.

 

Cheers,

 

Ben