Java Kerberos - found unsupported keytype (1)
Original question: http://stackoverflow.com/questions/23867628/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow
Asked by user3317974
I am getting an error after I updated Java from Java 6 to Java 7. In Java 6 everything was running fine, but I need to move.
Found unsupported keytype (1) for my/my.com
Added key: 16version: 1
Added key: 23version: 1
Added key: 18version: 1
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.
Found unsupported keytype (1) for my/my.com
Added key: 16version: 1
Added key: 23version: 1
Added key: 18version: 1
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=my.com UDP:88, timeout=3, number of retries =1, #bytes=183
>>> KDCCommunication: kdc=my.com UDP:88, timeout=3,Attempt =1, #bytes=183
Exception in thread "main" java.io.IOException: Login failure for my/my.com from keytab /etc/hbase/conf/hdfs.keytab
Accepted answer by greenmarker
The first four lines in the logs which you've attached show what entries are in your keytab. There are four entries - the first line shows that there's a key of code 1 (and we can look up in the IANA table what this code stands for: http://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xml. etype 1 is des-cbc-crc).
Now in the fifth line, there's the info "Using builtin default etypes..", like you haven't configured your krb5.ini file? (In Windows it's usually in C:\windows\krb5.ini. Full description of where this file can be: http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html). We can see the default enctypes: 18, 17 (aes), 16 (des) and 23 (rc4-hmac). 1 is not on this list, that's why the entry for this very old DES variant is not loaded from the keytab, with the error: Found unsupported keytype (1) for my/my.com.
You need to create a krb5.ini file. It should look a bit like this (MUST be adjusted to your organization's settings):
[libdefaults]
forwardable = true
dns_lookup_kdc = true
dns_lookup_realm = true
default_realm = YOUR.COMPANY
default_tkt_enctypes = rc4-hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = rc4-hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
permitted_enctypes = rc4-hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
[realms]
YOUR.COMPANY = {
kdc = your.company
}
[domain_realm]
.your.company = YOUR.COMPANY
your.company = YOUR.COMPANY
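An added example (not part of the question or of either answer): a Python script that reads the JVM Kerberos debug lines quoted in the question and reports, per encryption type, whether the keytab entry was loaded or skipped, whether the type is in the default list, and which RFC deprecates it. The function and table names are assumptions of this example; the etype names follow the IANA table linked in the accepted answer.

```python
import re

# IANA Kerberos etype numbers: those in the question's log plus the other single-DES types.
ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
          16: "des3-cbc-sha1-kd", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
# RFCs that deprecate an etype (single DES: RFC 6649; 3DES and RC4: RFC 8429).
DEPRECATED = {1: "RFC 6649", 2: "RFC 6649", 3: "RFC 6649",
              16: "RFC 8429", 23: "RFC 8429"}

SKIPPED = re.compile(r"Found unsupported keytype \((\d+)\) for (\S+)")
LOADED = re.compile(r"Added key: (\d+)version: (\d+)")
DEFAULTS = re.compile(r"default etypes for default_tkt_enctypes: ([\d ]+)\.")

# Lines copied from the log in the question above.
SAMPLE_LOG = """\
Found unsupported keytype (1) for my/my.com
Added key: 16version: 1
Added key: 23version: 1
Added key: 18version: 1
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.
"""

def triage(log_text):
    """Return one row per etype: loaded, skipped, or enabled without a key."""
    skipped, loaded, defaults = set(), set(), []
    for line in log_text.splitlines():
        if m := SKIPPED.search(line):
            skipped.add(int(m.group(1)))
        elif m := LOADED.search(line):
            loaded.add(int(m.group(1)))
        elif m := DEFAULTS.search(line):
            defaults = [int(n) for n in m.group(1).split()]
    rows = []
    for etype in sorted(skipped | loaded | set(defaults)):
        status = ("skipped" if etype in skipped else
                  "loaded" if etype in loaded else "no key in keytab")
        rows.append({"etype": etype, "name": ETYPES.get(etype, "unknown"),
                     "status": status, "in_defaults": etype in defaults,
                     "deprecated_by": DEPRECATED.get(etype)})
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

On the question's log this reports etype 1 as skipped and outside the defaults, etypes 16, 18 and 23 as loaded, and etype 17 as a default with no key in the keytab.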
Answer by Carlos Gomez
In Cloudera issues you must check the encryption types in CM -> Administration -> Security -> Kerberos -> Kerberos configuration. The encryption types are the same as those of the Kerberos MIT KDC in /etc/krb5.conf. First of all, stop all services and the service management too. Then redeploy all keytabs.