  • Common Kerberos errors

    1. Cluster restart fails after enabling Kerberos on CDH

    Socket Reader #1 for port 8022: readAndProcess from client 192.168.50.83 threw exception [javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]]
    Socket Reader #1 for port 8020: readAndProcess from client 192.168.50.77 threw exception [javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]]
    

    Cause:

    The system runs CentOS 7.6. On CentOS 5.6 and later, AES-256 is used for encryption by default, so every node in the CDH cluster needs the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files installed.
    Download link: https://www.oracle.com/technetwork/java/javase/downloads/index.html

    Solution:

    1. The download is a zip archive; extract it.

    2. Copy the two jar files from the extracted UnlimitedJCEPolicyJDK8 directory to $JAVA_HOME/jre/lib/security/
    # My JAVA_HOME=/opt/module/jdk1.8.0_144
    cp UnlimitedJCEPolicyJDK8/*.jar /opt/module/jdk1.8.0_144/jre/lib/security/
    
    3. If your JAVA_HOME is not under /usr/java, one more step is needed
    mkdir /usr/java
    # Create a symlink at /usr/java/default pointing to your own JAVA_HOME
    ln -s /opt/module/jdk1.8.0_144/ /usr/java/default
    

    2. HUE error

    Couldn't renew kerberos ticket in order to work around Kerberos 1.8.1 issue. Please check that the ticket for 'hue/cdh03@BIGDATATEST.COM' is still renewable:
      $ klist -f -c /var/run/hue/hue_krb5_ccache
    If the 'renew until' date is the same as the 'valid starting' date, the ticket cannot be renewed. Please check your KDC configuration, and the ticket renewal policy (maxrenewlife) for the 'hue/cdh03@BIGDATATEST.COM' and `krbtgt' principals.
    

    Cause: the Kerberos ticket has expired

    Solution:

    1. Check the configuration files
    vim /etc/krb5.conf
    

    vim /var/kerberos/krb5kdc/kdc.conf
    

    2. Check the Maximum renewable life of the krbtgt principal
    kadmin.local -q 'getprinc krbtgt/BIGDATATEST.COM@BIGDATATEST.COM'
    

    3. Change the maxrenewlife of krbtgt
    kadmin.local -q 'modprinc -maxrenewlife "7d" krbtgt/BIGDATATEST.COM'
    

    4. Delete the cache
    rm -rfv /var/run/hue/hue_krb5_ccache
    
    5. Restart the Kerberos Ticket Renewer
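
To confirm the fix after the restart, the check the HUE message describes (compare 'renew until' with 'valid starting' in `klist -f` output) can be scripted. This is an added example, not part of the original post: the function name `check_renewable` and both sample outputs are constructed, and it assumes the default klist layout in which each date and each time is a single token.

```shell
#!/bin/sh
# Added example: classify the TGT in `klist -f` output as renewable or not.
# Reads klist output on stdin and prints a single verdict line.
check_renewable() {
    awk '
        # First ticket line for the TGT: "<date> <time>  <date> <time>  krbtgt/..."
        !tgt && $5 ~ /^krbtgt\// { start = $1 " " $2; tgt = NR; next }
        # Detail line directly below it: "renew until <date> <time>, Flags: ..."
        tgt && NR == tgt + 1 {
            if (match($0, /renew until [^ ]+ [^ ,]+/))
                renew = substr($0, RSTART + 12, RLENGTH - 12)
            if (match($0, /Flags: [A-Za-z]+/))
                flags = substr($0, RSTART + 7, RLENGTH - 7)
        }
        END {
            if (!tgt)                print "no-tgt"
            else if (renew == "")    print "not-renewable: no renew-until time"
            else if (renew == start) print "not-renewable: renew-until equals valid-starting"
            else if (flags !~ /R/)   print "not-renewable: R flag missing"
            else                     print "renewable until " renew
        }'
}

# Constructed klist -f samples (not captured from a real cluster).
SAMPLE_OK='Ticket cache: FILE:/var/run/hue/hue_krb5_ccache
Default principal: hue/cdh03@BIGDATATEST.COM

Valid starting       Expires              Service principal
11/21/2019 10:00:00  11/22/2019 10:00:00  krbtgt/BIGDATATEST.COM@BIGDATATEST.COM
        renew until 11/28/2019 10:00:00, Flags: FRI'

SAMPLE_BAD='Ticket cache: FILE:/var/run/hue/hue_krb5_ccache
Default principal: hue/cdh03@BIGDATATEST.COM

Valid starting       Expires              Service principal
11/21/2019 10:00:00  11/22/2019 10:00:00  krbtgt/BIGDATATEST.COM@BIGDATATEST.COM
        renew until 11/21/2019 10:00:00, Flags: FI'

printf '%s\n' "$SAMPLE_OK"  | check_renewable
printf '%s\n' "$SAMPLE_BAD" | check_renewable
```

On a HUE host the real input comes from the command in the error message: `klist -f -c /var/run/hue/hue_krb5_ccache | check_renewable`.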

  • Original address: https://www.cnblogs.com/wuning/p/11908861.html