Hadoop Hortonworks Kerberos: KRBError: error code is 14
After upgrading a kerberized Hortonworks cluster from 2.5.3 to 2.6.1, all services (hdfs, hive, spark, zookeeper, etc.) fail to obtain credentials via Kerberos, with the following error:
>>>KRBError:
sTime is Wed Jun 14 11:52:10 CEST 2017 1497433930000
suSec is 825974
error code is 14
error Message is **KDC has no support for encryption type**
sname is krbtgt/BIGDATACLUSTER.EXAMPLE.COM@JUST.EXAMPLE.COM
msgType is 30
>>> Credentials acquireServiceCreds: no tgt; searching thru capath
>>> Credentials acquireServiceCreds: no tgt; cannot get creds
KrbException: Fail to create credential. (63) - No service creds
The /etc/krb5.conf file has not changed (and it worked before the upgrade):
The trust looks like this:
addprinc -e "aes256-cts:normal aes128-cts:normal arcfour-hmac:normal" krbtgt/BIGDATACLUSTER.EXAMPLE.COM@JUST.EXAMPLE.COM
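This is what we have tried:
- Verified Java and JCE, everything is fine
- Regenerated all keytabs and restarted the cluster
- Checked the "The other domain supports Kerberos AES Encryption" checkbox on the trust, i.e. it is checked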
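Out of curiosity: the (fragment of the) Kerberos trace shows an error message issued by the KDC for the realm "Just", which is not defined in [realms] (it is found through a DNS alias and has no specific parameters).
Do you have control over the KDC, i.e. can you access the server-side logs?
OK, the error was caused by a cross-realm problem with another realm. Please see my answer.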
addprinc -e "aes256-cts:normal aes128-cts:normal arcfour-hmac:normal" krbtgt/BIGDATACLUSTER.EXAMPLE.COM@JUST.EXAMPLE.COM
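
An added example, not part of the original question, comments or answer: a small Python triage script that reads the JDK `KRBError` dump quoted above, names the RFC 4120 error code, recognises the `sname` as a cross-realm `krbtgt` principal, and checks whether its realm is declared in `[realms]`. The `krb5.conf` fragment and the KDC host name in it are constructed for illustration, since the page does not show the real file; the function names are hypothetical.

```python
import re

# Subset of RFC 4120 error codes (section 7.5.9).
KRB_ERRORS = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
              14: "KDC_ERR_ETYPE_NOSUPP", 37: "KRB_AP_ERR_SKEW"}

# Relevant trace lines from the question (bold markup removed).
TRACE = """\
>>>KRBError:
error code is 14
error Message is KDC has no support for encryption type
sname is krbtgt/BIGDATACLUSTER.EXAMPLE.COM@JUST.EXAMPLE.COM
msgType is 30
"""

# Constructed krb5.conf fragment; the real file is not shown on the page.
KRB5_CONF = """\
[libdefaults]
  default_realm = BIGDATACLUSTER.EXAMPLE.COM
[realms]
  BIGDATACLUSTER.EXAMPLE.COM = {
    kdc = kdc1.bigdatacluster.example.com
  }
"""

def parse_krberror(trace):
    """Extract the error code and service principal from a JDK KRBError dump."""
    code = int(re.search(r"^error code is (\d+)", trace, re.M).group(1))
    sname = re.search(r"^sname is (\S+)", trace, re.M).group(1)
    principal, realm = sname.rsplit("@", 1)
    service, _, instance = principal.partition("/")
    return {
        "code": code,
        "name": KRB_ERRORS.get(code, "UNKNOWN"),
        "realm": realm,            # realm of the KDC that was asked
        "target_realm": instance,  # realm the ticket would be used in
        # krbtgt/A@B with A != B is the cross-realm TGT that realm B issues for A
        "cross_realm": service == "krbtgt" and instance != realm,
    }

def realms_defined(conf):
    """Return the realm names declared in the [realms] section."""
    section = re.search(r"^\[realms\]\n(.*?)(?=^\[|\Z)", conf, re.M | re.S)
    return set(re.findall(r"^\s*(\S+)\s*=\s*\{", section.group(1), re.M)) if section else set()

if __name__ == "__main__":
    err = parse_krberror(TRACE)
    print(err, "realm in [realms]:", err["realm"] in realms_defined(KRB5_CONF))
```

With error 14 on a cross-realm `krbtgt`, the encryption types to compare are those of the trust principal (the `addprinc -e` list above) against what the other realm's KDC will issue.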