liyunzhang created HDFS-6676:
--------------------------------

             Summary: KMS throws AuthenticationException when enabling Kerberos authentication
                 Key: HDFS-6676
                 URL: https://issues.apache.org/jira/browse/HDFS-6676
             Project: Hadoop HDFS
          Issue Type: Bug
          Components: security
    Affects Versions: 2.4.0
            Reporter: liyunzhang
            Priority: Minor
When I made a request to http://server-1941.novalocal:16000/kms/v1/names in Firefox (before that, I configured Firefox according to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sso-config-firefox.html), the following was found in logs/kms.log:

2014-07-14 19:18:30,461 WARN  AuthenticationFilter - Authentication exception: GSSException: Failure unspecified at GSS-API level (Mechanism level: EncryptedData is encrypted using keytype DES CBC mode with CRC-32 but decryption key is of type NULL)
org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: Failure unspecified at GSS-API level (Mechanism level: EncryptedData is encrypted using keytype DES CBC mode with CRC-32 but decryption key is of type NULL)
	at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:380)
	at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:357)
	at org.apache.hadoop.crypto.key.kms.server.KMSAuthenticationFilter.doFilter(KMSAuthenticationFilter.java:100)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:606)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
	at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: EncryptedData is encrypted using keytype DES CBC mode with CRC-32 but decryption key is of type NULL)
	at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:788)
	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
	at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:875)
	at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:548)
	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
	at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:347)
	at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:329)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:415)
	at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:329)
	... 14 more
Caused by: KrbException: EncryptedData is encrypted using keytype DES CBC mode with CRC-32 but decryption key is of type NULL
	at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:169)
	at sun.security.krb5.KrbCred.<init>(KrbCred.java:131)
	at sun.security.jgss.krb5.InitialToken$OverloadedChecksum.<init>(InitialToken.java:282)
	at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:130)
	at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:771)
	... 25 more

Kerberos is enabled successfully in my environment:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/server-1941.novalocal@NOVALOCAL

Valid starting     Expires            Service principal
07/14/14 19:18:10  07/15/14 19:18:09  krbtgt/NOVALOCAL@NOVALOCAL
	renew until 07/14/14 19:18:10
07/14/14 19:18:30  07/15/14 19:18:09  HTTP/server-1941.novalocal@NOVALOCAL
	renew until 07/14/14 19:18:10

The following are the KDC configs:

# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = NOVALOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 udp_preference_limit = 1000000
 default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
 default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
 permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
 allow_weak_crypto = true

[realms]
 NOVALOCAL = {
  kdc = server-355:88
  admin_server = server-355:749
  default_domain = novalocal
 }

[domain_realm]
 .novalocal = NOVALOCAL
 novalocal = NOVALOCAL

# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 NOVALOCAL = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  master_key_type = des3-hmac-sha1
  supported_enctypes = arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
 }

--
This message was sent by Atlassian JIRA
(v6.2#6252)
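The exception is an enctype mismatch: the GSS token arrives encrypted with des-cbc-crc and the Java acceptor has no key of that type to decrypt it, while the posted krb5.conf permits only single DES and triple-DES and sets allow_weak_crypto = true. The first thing to check in such a setup is whether the enctypes the client is issued, the keys in the service keytab, and the enctypes the config permits actually agree. The following is an added example, not code from the reporter or from the Hadoop project: a Python audit that parses the text formats printed by MIT Kerberos `klist -e` and `klist -kte` and a krb5.conf, and reports service tickets with no matching keytab key plus every deprecated enctype the config still allows. The `klist -e` and keytab listings are constructed samples (the report's klist was run without `-e`); the keytab path /etc/hadoop/kms.keytab and its key enctypes are assumptions, and the hardened [libdefaults] beside the posted one uses the AES enctypes as the assumed replacement.

```python
"""Audit enctype agreement between a ticket cache, a service keytab and krb5.conf.

Added example, not from the bug report or from Hadoop. The listings are constructed
in `klist -e` / `klist -kte` format; the keytab path and its enctypes are assumptions.
"""
import re

# Deprecated for Kerberos: single DES by RFC 6649, triple-DES and RC4 by RFC 8429.
DEPRECATED_ENCTYPES = {
    "des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
    "des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd",
    "arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp", "rc4-hmac",
}

# Constructed `klist -e` output; enctypes mirror the report's default_tkt_enctypes.
SAMPLE_KLIST_E = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/server-1941.novalocal@NOVALOCAL

Valid starting     Expires            Service principal
07/14/14 19:18:10  07/15/14 19:18:09  krbtgt/NOVALOCAL@NOVALOCAL
        renew until 07/14/14 19:18:10, Etype (skey, tkt): des-cbc-crc, des3-cbc-sha1
07/14/14 19:18:30  07/15/14 19:18:09  HTTP/server-1941.novalocal@NOVALOCAL
        renew until 07/14/14 19:18:10, Etype (skey, tkt): des-cbc-crc, des-cbc-crc
"""

# Constructed `klist -kte` output for an assumed KMS keytab that carries no DES key.
SAMPLE_KEYTAB = """\
Keytab name: FILE:/etc/hadoop/kms.keytab
KVNO Timestamp         Principal
   2 07/14/14 18:00:00 HTTP/server-1941.novalocal@NOVALOCAL (des3-cbc-sha1)
   2 07/14/14 18:00:00 HTTP/server-1941.novalocal@NOVALOCAL (arcfour-hmac)
"""

# [libdefaults] as posted in the report (weak) and an assumed hardened counterpart.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
 default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
 permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
 allow_weak_crypto = true
[realms]
 NOVALOCAL = {
  kdc = server-355:88
 }
"""
HARDENED_KRB5_CONF = """\
[libdefaults]
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 allow_weak_crypto = false
"""

_TICKET_RE = re.compile(r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+(\S+)\s*$")
_ETYPE_RE = re.compile(r"Etype \(skey, tkt\): (\S+), (\S+)")
_KEYTAB_RE = re.compile(r"^\s*\d+\s+\S+ \S+\s+(\S+) \((\S+)\)\s*$")


def parse_klist_e(text):
    """Map service principal -> (session-key enctype, ticket enctype) from `klist -e`."""
    tickets, current = {}, None
    for line in text.splitlines():
        m = _TICKET_RE.match(line)
        if m:
            current = m.group(1)  # the Etype line that follows belongs to this ticket
            continue
        m = _ETYPE_RE.search(line)
        if m and current:
            tickets[current] = (m.group(1), m.group(2))
    return tickets


def parse_keytab(text):
    """Map principal -> set of key enctypes present in a `klist -kte` listing."""
    keys = {}
    for line in text.splitlines():
        m = _KEYTAB_RE.match(line)
        if m:
            keys.setdefault(m.group(1), set()).add(m.group(2))
    return keys


def parse_libdefaults(text):
    """Return the key = value pairs of the [libdefaults] section of a krb5.conf."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values[key] = value
    return values


def audit(klist_text, keytab_text, krb5_text):
    """Report tickets the keytab cannot decrypt and deprecated enctypes the config allows."""
    tickets, keys = parse_klist_e(klist_text), parse_keytab(keytab_text)
    conf = parse_libdefaults(krb5_text)
    findings = {
        "missing_key": [],           # (service principal, ticket enctype) with no keytab key
        "deprecated_permitted": [],  # (option, enctype) pairs that should be dropped
        "allow_weak_crypto": conf.get("allow_weak_crypto", "false").lower() == "true",
    }
    for principal, (_session_etype, ticket_etype) in tickets.items():
        if principal.startswith("krbtgt/"):
            continue  # the TGT is decrypted by the KDC, not by a service keytab
        if ticket_etype not in keys.get(principal, set()):
            findings["missing_key"].append((principal, ticket_etype))
    for option in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        for etype in conf.get(option, "").split():
            if etype in DEPRECATED_ENCTYPES:
                findings["deprecated_permitted"].append((option, etype))
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", SAMPLE_KRB5_CONF), ("hardened", HARDENED_KRB5_CONF)):
        print(label, audit(SAMPLE_KLIST_E, SAMPLE_KEYTAB, conf))
```

Run it against real output by feeding the text of `klist -e`, `klist -kte /path/to/keytab` and the krb5.conf into `audit`. Two caveats when doing so: a Java service reads the krb5.conf of its own host (or the file named by `java.security.krb5.conf`), so the file to check is the one the KMS JVM actually loads, not only the KDC's; and switching `permitted_enctypes` to AES is only half the change, since the KDC's `supported_enctypes`, the principal's stored keys and the service keytab must be regenerated with the new enctypes before DES tickets stop being issued.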