Common Kerberos Errors


1. Cluster restart fails after installing Kerberos on CDH

Socket Reader #1 for port 8022: readAndProcess from client 192.168.50.83 threw exception [javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]]
Socket Reader #1 for port 8020: readAndProcess from client 192.168.50.77 threw exception [javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]]

Cause:

The system runs CentOS 7.6. On CentOS 5.6 and later, AES-256 is used for encryption by default, so every node in the CDH cluster needs the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files installed.
Download link: https://www.oracle.com/technetwork/java/javase/downloads/index.html

Solution:

1. The downloaded file is a zip archive; extract it.

2. Copy the two jar files from the extracted UnlimitedJCEPolicyJDK8 directory to $JAVA_HOME/jre/lib/security/
# My JAVA_HOME=/opt/module/jdk1.8.0_144
cp UnlimitedJCEPolicyJDK8/*.jar /opt/module/jdk1.8.0_144/jre/lib/security/
3. If your JAVA_HOME is not under /usr/java, one more step is needed
mkdir -p /usr/java
# Create a symlink pointing to your own JAVA_HOME
ln -s /opt/module/jdk1.8.0_144/ /usr/java/default

2. HUE error

Couldn't renew kerberos ticket in order to work around Kerberos 1.8.1 issue. Please check that the ticket for 'hue/cdh03@BIGDATATEST.COM' is still renewable:
  $ klist -f -c /var/run/hue/hue_krb5_ccache
If the 'renew until' date is the same as the 'valid starting' date, the ticket cannot be renewed. Please check your KDC configuration, and the ticket renewal policy (maxrenewlife) for the 'hue/cdh03@BIGDATATEST.COM' and `krbtgt' principals.

Cause: the Kerberos ticket has expired

Solution:

1. Check the configuration files
vim /etc/krb5.conf

vim /var/kerberos/krb5kdc/kdc.conf

2. Check the Maximum renewable life of the krbtgt principal
kadmin.local -q 'getprinc krbtgt/BIGDATATEST.COM@BIGDATATEST.COM'

3. Change the maxrenewlife of krbtgt
kadmin.local -q 'modprinc -maxrenewlife "7d" krbtgt/BIGDATATEST.COM'

4. Delete the cache
rm -rfv /var/run/hue/hue_krb5_ccache
5. Restart the Kerberos Ticket Renewer
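
To confirm the fix after the restart, the check from the HUE message (compare 'renew until' with 'valid starting' in klist -f output) can be scripted. This is an added example, not part of the original post; the function name check_renewable and both sample outputs are constructed for illustration, and it assumes klist prints two-field timestamps (date, time).

```shell
#!/bin/sh
# Reads `klist -f` output on stdin and reports whether the krbtgt ticket can
# still be renewed. Assumes two-field timestamps (date, time) as in the samples.
# Real use: klist -f -c /var/run/hue/hue_krb5_ccache | check_renewable
check_renewable() {
    awk '
        # Ticket row: start date, start time, end date, end time, principal.
        $5 ~ /^krbtgt\// { start = $1 " " $2; seen = 1; next }
        # Detail row printed under the ticket because of -f.
        seen && /Flags:/ {
            flags = $0; sub(/.*Flags: */, "", flags)
            if ($0 ~ /renew until/) {
                renew = $0
                sub(/.*renew until */, "", renew)
                sub(/,.*/, "", renew)
            }
            exit
        }
        END {
            if (!seen) { print "not-renewable: no krbtgt ticket in cache"; exit 1 }
            if (flags !~ /R/) { print "not-renewable: R flag missing"; exit 1 }
            if (renew == "" || renew == start) {
                print "not-renewable: renew until equals valid starting"; exit 1
            }
            print "renewable until " renew
        }'
}

# Constructed klist output: renewable for 7 days (maxrenewlife "7d").
sample_renewable() {
    printf '%s\n' \
        'Default principal: hue/cdh03@BIGDATATEST.COM' \
        'Valid starting       Expires              Service principal' \
        '01/02/2019 10:00:00  01/03/2019 10:00:00  krbtgt/BIGDATATEST.COM@BIGDATATEST.COM' \
        '        renew until 01/09/2019 10:00:00, Flags: FRI'
}

# Constructed klist output: "renew until" equals "valid starting".
sample_stuck() {
    printf '%s\n' \
        'Default principal: hue/cdh03@BIGDATATEST.COM' \
        'Valid starting       Expires              Service principal' \
        '01/02/2019 10:00:00  01/03/2019 10:00:00  krbtgt/BIGDATATEST.COM@BIGDATATEST.COM' \
        '        renew until 01/02/2019 10:00:00, Flags: FRI'
}
```

The function exits 0 only when the R flag is present and the renewal deadline is later than the start time, so it can gate a monitoring check on the Hue host.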

