zoukankan      html  css  js  c++  java
  • Kerberos常见错误

    1.CDH安装Kerberos后,重启集群报错

    Socket Reader #1 for port 8022: readAndProcess from client 192.168.50.83 threw exception [javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]]
    Socket Reader #1 for port 8020: readAndProcess from client 192.168.50.77 threw exception [javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]]
    

    原因:

    因为系统采用的是Centos7.6,对于使用Centos5.6及以上西戎,默认采用 AES-256 来加密;这就需要CDH集群所有的节点都安装 Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy File
    下载链接:https://www.oracle.com/technetwork/java/javase/downloads/index.html

    解决办法:

    1.下载的文件是个zip包,解压

    2.将解压后的 UnlimitedJCEPolicyJDK8 文件下的两个jar包 复制到 $JAVA_HOME/jre/lib/security/
    #我的JAVA_HOME=/opt/module/jdk1.8.0_144
    cp UnlimitedJCEPolicyJDK8/*.jar /opt/module/jdk1.8.0_144/jre/lib/security/
    
    3.如果你的JAVA_HOME不是在/usr/java下,那么还需要进行一步操作
    mkdir /usr/java
    #创建软链接指向自己的JAVA_HOME
    ln -s /opt/module/jdk1.8.0_144/ default
    

    2.HUE报错

    Couldn't renew kerberos ticket in order to work around Kerberos 1.8.1 issue. Please check that the ticket for 'hue/cdh03@BIGDATATEST.COM' is still renewable:
      $ klist -f -c /var/run/hue/hue_krb5_ccache
    If the 'renew until' date is the same as the 'valid starting' date, the ticket cannot be renewed. Please check your KDC configuration, and the ticket renewal policy (maxrenewlife) for the 'hue/cdh03@BIGDATATEST.COM' and `krbtgt' principals.
    

    原因:Kerberos Ticket过期

    解决办法:

    1.检查配置文件
    vim /etc/krb5.conf
    

    vim /var/kerberos/krb5kdc/kdc.conf
    

    2.检查krbtgt用户的Maximum renewable life
    kadmin.local -q 'getprinc krbtgt/BIGDATATEST.COM@BIGDATATEST.COM'
    

    3.修改krbtgt的maxrenewlife
    kadmin.local -q 'modprinc -maxrenewlife "7d" krbtgt/BIGDATATEST.COM'
    

    4.删除cache
    rm -rfv /var/run/hue/hue_krb5_ccache
    
    4.重启Kerberos Ticket Renewer

  • 相关阅读:
    【转】灰色在PPT中的运用
    [转]多多“亦”善:把大量内容放到一页PPT的5个技巧
    android应用程序的安装方式与原理
    oracle 数据库 date + 1 转载
    运行ant脚本(转载)
    Oracle修改字段类型方法总结(转)
    转载 jQueryEasyUI Messager基本使用
    oracle dmp数据导入
    oracle 查看表的索引信息
    sqlplus 分析执行计划
  • 原文地址:https://www.cnblogs.com/wuning/p/11908861.html
Copyright © 2011-2022 走看看