zoukankan      html  css  js  c++  java

  • Kerberos常见错误

    1.CDH安装Kerberos后,重启集群报错

    Socket Reader #1 for port 8022: readAndProcess from client 192.168.50.83 threw exception [javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]]
Socket Reader #1 for port 8020: readAndProcess from client 192.168.50.77 threw exception [javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]]

    原因:

    因为系统采用的是Centos7.6,对于使用Centos5.6及以上西戎,默认采用 AES-256 来加密;这就需要CDH集群所有的节点都安装 Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy File
    下载链接:https://www.oracle.com/technetwork/java/javase/downloads/index.html

    解决办法:

    1.下载的文件是个zip包,解压

    2.将解压后的 UnlimitedJCEPolicyJDK8 文件下的两个jar包 复制到 $JAVA_HOME/jre/lib/security/
    #我的JAVA_HOME=/opt/module/jdk1.8.0_144
cp UnlimitedJCEPolicyJDK8/*.jar /opt/module/jdk1.8.0_144/jre/lib/security/
    3.如果你的JAVA_HOME不是在/usr/java下,那么还需要进行一步操作
    mkdir /usr/java
#创建软链接指向自己的JAVA_HOME
ln -s /opt/module/jdk1.8.0_144/ default

    2.HUE报错

    Couldn't renew kerberos ticket in order to work around Kerberos 1.8.1 issue. Please check that the ticket for 'hue/cdh03@BIGDATATEST.COM' is still renewable:
  $ klist -f -c /var/run/hue/hue_krb5_ccache
If the 'renew until' date is the same as the 'valid starting' date, the ticket cannot be renewed. Please check your KDC configuration, and the ticket renewal policy (maxrenewlife) for the 'hue/cdh03@BIGDATATEST.COM' and `krbtgt' principals.

    原因:Kerberos Ticket过期

    解决办法:

    1.检查配置文件
    vim /etc/krb5.conf


    vim /var/kerberos/krb5kdc/kdc.conf

    2.检查krbtgt用户的Maximum renewable life
    kadmin.local -q 'getprinc krbtgt/BIGDATATEST.COM@BIGDATATEST.COM'

    3.修改krbtgt的maxrenewlife
    kadmin.local -q 'modprinc -maxrenewlife "7d" krbtgt/BIGDATATEST.COM'

    4.删除cache
    rm -rfv /var/run/hue/hue_krb5_ccache
    4.重启Kerberos Ticket Renewer
  • 相关阅读:
    设计模式(连载)
    菜鸟成长记录——2015-2016半年总
    订餐系统——TreeView显示目录结构
    网上商城——ApplicationContext.xml
    订餐系统——Gridview、Repeater和DataList 区别
    订餐系统——后台获取GridView值
    网上商城——邮件发送(二)
    网上商城——邮件发送(一)
    J2EE基础概念
    工作流——顺序工作流
  • 原文地址:https://www.cnblogs.com/wuning/p/11908861.html
Copyright © 2011-2022 走看看