Cloudera Community
Aorosa
user rank
New Contributor
My Accepted Solutions
Show All

Re: Cannot run jobs with Kerberos after upgrading ...

by New Contributor in Support Questions
‎04-19-2021 08:22 AM
‎04-19-2021 08:22 AM
I have found the cause, it seems that Cloudera always use the /etc/krb5.conf file, if fact, if I changed this file to restrict the algoriths, Cloudera would not get up; but for jobs running inside Cloudera, it looks for /etc/krb5/krb5.conf file, once I created this file and add the following line to it, it started to work properly: allow_weak_crypto = true  Note: It was needed to remove "MD5" from jdk.tls.disabledAlgorithms y java.security. ... View more

Re: Cannot run jobs with Kerberos after upgrading ...

by New Contributor in Support Questions
‎04-12-2021 05:19 AM
‎04-12-2021 05:19 AM
Hello, @GangWar , thank you for your answer.   The problem is that I do not know why it is trying to use this algorithm or where I can configure it to use another, I mean, using JDK 1.7 it worked withouth any further configuration, but upgrading to JDK 1.8 it did not; I should not have to accept weak algorithms like des-cbc-md5.   Tikets generated manually with kinit use aes256-cts-hmac-sha1-96 encription, I don't know if I can change this behaviour or if it is even configurable.   Thanks. ... View more

Cannot run jobs with Kerberos after upgrading to J...

by New Contributor in Support Questions
‎04-04-2021 08:16 AM
‎04-04-2021 08:16 AM
Hello,    I have just upgraded the JDK version of my Cloudera 5.10 cluster from 1.7 to 1.8 and everything starts ok but when I try to run a job from Talend the following error appears in HDFS Name Node log:   2021-03-22 13:11:32,711 INFO org.apache.hadoop.ipc.Server: Socket Reader #1 for port 8020: readAndProcess from client 69.117.42.187 threw exception [javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: DES CBC mode with MD5 encryption type not in permitted_enctypes list)]]   If I go back to JDK 1.7 it runs perfectly. I have tried with 1.8.201 and also with 1.8.91 (since this was one of the tested ones). I think I have JCE and java.security correctly configured.   We do not want to allow DES CBC in the KDC since it a weak algorith.   Has it happened to anyone?   Thanks in advance,   Ángel ... View more
Labels:
Contact Me
Online
Offline
Last Visited
‎04-28-2021 04:01 AM
Community Statistics
Member Since ‎04-04-2021 04:33 AM
Last Visited ‎04-28-2021 04:01 AM
Posts 3