问题:
Kerberos:检查和失败的问题
巫马英豪
我看到了“krbeexception:Checksum failed”异常。看起来像是kerberos问题,但我无法解决。
任何关于如何解决问题的建议都会很好!提前谢谢。
机器细节:
没有可用的LSB模块。发行商ID:Ubuntu说明:Ubuntu 12.04.4 LTS发行版:12.04
java版本“1.7.0_55”OpenJDK运行时环境(IcedTea 2.4.7)(7u55-2.4.7-1ubuntu1~0.12.04.2)OpenJDK 64位服务器虚拟机(构建24.51-b03,混合模式)
2014-06-17 22:19:24,475 ERROR [pool-6-thread-198]: server.TThreadPoolServer (TThreadPoolServer.java:run(215)) - Error occurred during processing of message.
java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: GSS initiate failed
at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219)
at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge20S$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge20S.java:676)
at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge20S$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge20S.java:673)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:356)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1574)
at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge20S$Server$TUGIAssumingTransportFactory.getTransport(HadoopThriftAuthBridge20S.java:673)
at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:189)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
Caused by: org.apache.thrift.transport.TTransportException: GSS initiate failed
at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:221)
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:297)
at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
... 10 more
2014-06-17 22:19:25,481 ERROR [pool-6-thread-198]: transport.TSaslTransport (TSaslTransport.java:open(296)) - SASL negotiation failure
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)]
at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:177)
at org.apache.thrift.transport.TSaslTransport$SaslParticipant.evaluateChallengeOrResponse(TSaslTransport.java:509)
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:264)
at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge20S$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge20S.java:676)
at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge20S$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge20S.java:673)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:356)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1574)
at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge20S$Server$TUGIAssumingTransportFactory.getTransport(HadoopThriftAuthBridge20S.java:673)
at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:189)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:788)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:155)
... 14 more
Caused by: KrbException: Checksum failed
at sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType.decrypt(Des3CbcHmacSha1KdEType.java:96)
at sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType.decrypt(Des3CbcHmacSha1KdEType.java:88)
at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:177)
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278)
at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:144)
at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:771)
... 17 more
Caused by: java.security.GeneralSecurityException: Checksum failed
at sun.security.krb5.internal.crypto.dk.DkCrypto.decrypt(DkCrypto.java:362)
at sun.security.krb5.internal.crypto.Des3.decrypt(Des3.java:79)
at sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType.decrypt(Des3CbcHmacSha1KdEType.java:94)
... 23 more
2014-06-17 22:19:25,482 ERROR [pool-6-thread-198]: server.TThreadPoolServer (TThreadPoolServer.java:run(215)) - Error occurred during processing of message.
java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: GSS initiate failed
at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219)
at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge20S$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge20S.java:676)
at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge20S$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge20S.java:673)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:356)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1574)
at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge20S$Server$TUGIAssumingTransportFactory.getTransport(HadoopThriftAuthBridge20S.java:673)
at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:189)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
Caused by: org.apache.thrift.transport.TTransportException: GSS initiate failed
at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:221)
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:297)
at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
... 10 more
共有1个答案
武嘉祥
当我使用Kerberos部署Hadoop安全模式时,我在服务器上遇到了这个问题,它们是由相同的原因引起的:FQDN(完全限定域名)中没有设置地址。
假设机器的主机名是ts01。测验com
错误的例子:
<property>
<name>dfs.namenode.rpc-address.hdfs1</name>
<value>192.168.1.101:8020</value>
</property>
错误的例子:
<property>
<name>dfs.namenode.rpc-address.hdfs1</name>
<value>ts01:8020</value>
</property>
正确的例子:
<property>
<name>dfs.namenode.rpc-address.hdfs1</name>
<value>ts01.test.com:8020</value>
</property>
您应该保留FQDN中的所有地址,而不仅仅是dfs。namenode。rpc地址。
类似资料:
-
我正在尝试使用Active Directory凭据执行Spring SecurityKerberos,如http://docs.Spring.io/spring-security-kerberos/docs/1.0.1.release/reference/htmlsingle/#samples-sec-server-win-auth中所述。我想说,我已经把大部分东西都放下了(SPN、键控等)。现在
-
我一直在用Java开发自己的一个小项目,最近,我编译了它,并收到了以下错误: 线程“main”java.lang.IllegalAccesserror中出现异常:超类访问检查失败:类kröw.zeale.v1.program.core.datamanager$ConstructList(在未命名模块@0x4563e9ab中)无法访问类com.sun.javafx.Collections.Obser
-
问题内容: 我正在尝试使用Flink 5.x Elasticsearch接收器连接器将数据插入到微型VM上托管的ES 5.2.1实例。 由于这是处于开发模式的微型VM,因此我无法使其启动以接受9300上的TransportClient远程客户端连接,而不会失败引导检查。 我已经尝试了以下设置,但无法启动(9200上的http客户端工作正常) 请注意,ES仅出于开发目的而在小型VM上运行,而我无权进
-
我正在尝试用Spring Boot、Ldap和Kerberos实现SSO。其中我得到了不同加密类型的校验和失败的多个错误。 环境详情:- 计算机:Windows 10 下面是安全配置java文件 下面是Windows 10计算机中C:\Windows中的krb5.ini文件的内容:- 我还更新了C:\ProgramFiles\java\jre1.8.0_191\lib\security和C:\Pr
-
在首次尝试实现AES-GCM的过程中,面临着身份验证标记生成、加密密码生成和GCM mac校验失败的问题。对于当前实现,正在填充,但仍然为空。因此,给出了“”。这似乎是围绕字节数组大小的一些问题,能否有人分享一下,应该在什么基础上确定输出缓冲区大小?这是不是应该分块进行? 任何指向AES-GCM实施的指针/链接都将受到高度赞赏。 以下是我们的实施情况: 它给出以下例外情况: 提前谢谢!!
-
我正在kubernetes中运行一个Flink作业。我的设置如下 1个作业管理器吊舱 我的flink作业从kafka源获取时间序列数据(时间、值),进行聚合和其他转换,并将其发布到kafka接收器。 有时,我的作业因检查点异常(10分钟后超时)而失败,主要是由一名操作员完成的。我不理解异步持续时间(在图中)的含义,为什么它花费的时间最长。在这个异常之前,Kafka的吞吐量非常高,有500-800万