04-19-2021 08:22 AM

I have found the cause. It seems that Cloudera always uses the /etc/krb5.conf file; in fact, if I changed this file to restrict the algorithms, Cloudera would not come up. But jobs running inside Cloudera look for the /etc/krb5/krb5.conf file. Once I created this file and added the following line to it, it started to work properly:

allow_weak_crypto = true

Note: It was necessary to remove "MD5" from jdk.tls.disabledAlgorithms and java.security.
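
An added example, not part of the original post or of Cloudera's tooling: a Python check that reports whether a krb5.conf body enables weak Kerberos crypto, so that both paths named in the post can be audited. The weak-enctype set follows MIT krb5's documented weak list (an assumption about the Kerberos library in use), and the sample file bodies are constructed.

```python
import re

# Single-DES and export-grade RC4 enctypes that MIT krb5 treats as weak
# (usable only when allow_weak_crypto = true). "des" is the family alias.
WEAK_ENCTYPES = {
    "des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
    "des-hmac-sha1", "des3-cbc-raw", "arcfour-hmac-exp", "rc4-hmac-exp",
    "arcfour-hmac-md5-exp",
}
ENCTYPE_KEYS = ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes")
TRUE_VALUES = {"true", "yes", "y", "t", "1", "on"}

def parse_libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit_krb5_conf(text):
    """List weak-crypto findings for one krb5.conf body."""
    settings = parse_libdefaults(text)
    findings = []
    if settings.get("allow_weak_crypto", "false").lower() in TRUE_VALUES:
        findings.append("allow_weak_crypto is enabled")
    for key in ENCTYPE_KEYS:
        for name in re.split(r"[,\s]+", settings.get(key, "").lower()):
            if name in WEAK_ENCTYPES:
                findings.append(f"{key} lists weak enctype {name}")
    return findings

# Constructed sample bodies for the two paths named in the post above.
SAMPLES = {
    "/etc/krb5.conf": "[libdefaults]\n  permitted_enctypes = aes256-cts-hmac-sha1-96\n",
    "/etc/krb5/krb5.conf": "[libdefaults]\n  allow_weak_crypto = true\n",
}

if __name__ == "__main__":
    for path, body in SAMPLES.items():
        print(path, audit_krb5_conf(body) or "no weak crypto settings")
```

To audit a real host, pass the contents of each file that exists on it to `audit_krb5_conf` instead of the sample bodies.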
04-12-2021 05:19 AM

Hello, @GangWar, thank you for your answer. The problem is that I do not know why it is trying to use this algorithm or where I can configure it to use another. I mean, using JDK 1.7 it worked without any further configuration, but after upgrading to JDK 1.8 it did not; I should not have to accept weak algorithms like des-cbc-md5. Tickets generated manually with kinit use aes256-cts-hmac-sha1-96 encryption. I don't know if I can change this behaviour or if it is even configurable. Thanks.
04-04-2021 08:16 AM

Hello, I have just upgraded the JDK version of my Cloudera 5.10 cluster from 1.7 to 1.8 and everything starts OK, but when I try to run a job from Talend the following error appears in the HDFS NameNode log:

2021-03-22 13:11:32,711 INFO org.apache.hadoop.ipc.Server: Socket Reader #1 for port 8020: readAndProcess from client 69.117.42.187 threw exception [javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: DES CBC mode with MD5 encryption type not in permitted_enctypes list)]]

If I go back to JDK 1.7 it runs perfectly. I have tried with 1.8.201 and also with 1.8.91 (since this was one of the tested ones). I think I have JCE and java.security correctly configured. We do not want to allow DES CBC in the KDC since it is a weak algorithm. Has this happened to anyone?

Thanks in advance,
Ángel
Labels: Kerberos