个人中心
文章发布
退出
作者热门文章
- html - 出于某种原因,IE8 对我的 Sass 文件中继承的 html5 CSS 不友好?
- JMeter 在响应断言中使用 span 标签的问题
- html - 在 :hover and :active? 上具有不同效果的 CSS 动画
- html - 相对于居中的 html 内容固定的 CSS 重复背景?
25
4
我们正在尝试为SAS Hadoop数据加载器(DLH)配置IWA。 SAS服务器在Active Directory域下运行,并且SSO已成功配置。我们需要配置DLH,以使用客户端生成的票证与Hortonworks Hadoop MIT Kerberos进行通信。该功能不起作用。
因此,基本上,我们在AD(ABC.COM)和Hadoop MIT Kerberos(xyz-Hadoop Realm 名称没有任何FQDN,而且都是小写字母)2方式信任建立中遇到问题。我们已经按照以下链接(https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.0/bk_security/content/kerb-config-realm-kdc.html)确认了信任关系,并且一切正常,但是以某种方式使用AD的HTTP票证,我们无法登录到hadoop并收到以下错误消息:
com.sas.svcs.dm.hadoop.spi.exception.HadoopConfigurationException: Failed to find GSSCredential. Check Kerberos configuration
kinit -f HTTP/xxx.abc.com@ABC.COM
klist -eaf
kvno hive/xyz@xyz
kvno: KDC returned error string: PROCESS_TGS while getting credentials for hive/xyz@xyz
kvno: Decrypt integrity check failed while getting credentials for hive/xyz@xyz
kinit -f HTTP/xxx.abc.com@ABC.COM (this works fine)
# kinit -k -t xxx.host.keytab HTTP/xxx.abc.com@ABC.COM
[65181] 1559895039.846538: Getting initial credentials for HTTP/xxx.abc.com@ABC.COM
[65181] 1559895039.846539: Looked up etypes in keytab: des-cbc-crc, des, des-cbc-crc, rc4-hmac, aes256-cts, aes128-cts
[65181] 1559895039.846541: Sending unauthenticated request
[65181] 1559895039.846542: Sending request (220 bytes) to ABC.COM
[65181] 1559895039.846543: Sending initial UDP request to dgram 10.68.5.219:88
[65181] 1559895039.846544: Received answer (819 bytes) from dgram 10.68.5.219:88
[65181] 1559895039.846545: Response was from master KDC
[65181] 1559895039.846546: Processing preauth types: PA-ETYPE-INFO2 (19)
[65181] 1559895039.846547: Selected etype info: etype aes256-cts, salt "ABC.COMHTTPxxx.abc.com", params ""
[65181] 1559895039.846548: Produced preauth for next request: (empty)
[65181] 1559895039.846549: Getting AS key, salt "ABC.COMHTTPxxx.abc.com", params ""
[65181] 1559895039.846550: Retrieving HTTP/xxx.abc.com@ABC.COM from FILE:xxx.host.keytab (vno 0, enctype aes256-cts) with result: 0/Success
[65181] 1559895039.846551: AS key obtained from gak_fct: aes256-cts/8AEB
[65181] 1559895039.846552: Decrypted AS reply; session key is: aes256-cts/E734
[65181] 1559895039.846553: FAST negotiation: unavailable
[65181] 1559895039.846554: Initializing FILE:/tmp/krb5cc_0 with default princ HTTP/xxx.abc.com@ABC.COM
[65181] 1559895039.846555: Storing HTTP/xxx.abc.com@ABC.COM -> krbtgt/ABC.COM@ABC.COM in FILE:/tmp/krb5cc_0
##########################################################
klist -e (this shows the ticket is generated)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/xxx.abc.com@ABC.COM
Valid starting Expires Service principal
06/07/2019 13:40:39 06/07/2019 13:50:39 krbtgt/ABC.COM@ABC.COM
Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
###########################################################
kvno hive/xyz@xyz (this command fails)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# kvno hive/xyz@xyz
[65247] 1559895064.242178: Getting credentials HTTP/xxx.abc.com@ABC.COM -> hive/xyz@xyz using ccache FILE:/tmp/krb5cc_0
[65247] 1559895064.242179: Retrieving HTTP/xxx.abc.com@ABC.COM -> hive/xyz@xyz from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_0)
[65247] 1559895064.242180: Retrieving HTTP/xxx.abc.com@ABC.COM -> krbtgt/xyz@xyz from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_0)
[65247] 1559895064.242181: Retrieving HTTP/xxx.abc.com@ABC.COM -> krbtgt/ABC.COM@ABC.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[65247] 1559895064.242182: Starting with TGT for client realm: HTTP/xxx.abc.com@ABC.COM -> krbtgt/ABC.COM@ABC.COM
[65247] 1559895064.242183: Retrieving HTTP/xxx.abc.com@ABC.COM -> krbtgt/xyz@xyz from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_0)
[65247] 1559895064.242184: Requesting TGT krbtgt/xyz@ABC.COM using TGT krbtgt/ABC.COM@ABC.COM
[65247] 1559895064.242185: Generated subkey for TGS request: aes256-cts/C142
[65247] 1559895064.242186: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts, des-cbc-crc, des, des-cbc-md4
[65247] 1559895064.242188: Encoding request body and padata into FAST request
[65247] 1559895064.242189: Sending request (1001 bytes) to ABC.COM
[65247] 1559895064.242190: Sending initial UDP request to dgram 10.68.5.219:88
[65247] 1559895064.242191: Received answer (873 bytes) from dgram 10.68.5.219:88
[65247] 1559895064.242192: Response was from master KDC
[65247] 1559895064.242193: Decoding FAST response
[65247] 1559895064.242194: FAST reply key: aes256-cts/9192
[65247] 1559895064.242195: TGS reply is for HTTP/xxx.abc.com@ABC.COM -> krbtgt/xyz@ABC.COM with session key des-cbc-crc/330F
[65247] 1559895064.242196: TGS request result: 0/Success
[65247] 1559895064.242197: Storing HTTP/xxx.abc.com@ABC.COM -> krbtgt/xyz@ABC.COM in FILE:/tmp/krb5cc_0
[65247] 1559895064.242198: Received TGT for service realm: krbtgt/xyz@ABC.COM
[65247] 1559895064.242199: Requesting tickets for hive/xyz@xyz, referrals on
[65247] 1559895064.242200: Generated subkey for TGS request: des-cbc-crc/FB8F
[65247] 1559895064.242201: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts, des-cbc-crc, des, des-cbc-md4
[65247] 1559895064.242203: Encoding request body and padata into FAST request
[65247] 1559895064.242204: Sending request (935 bytes) to xyz
[65247] 1559895064.242205: Resolving hostname xyz
[65247] 1559895064.242206: Sending initial UDP request to dgram 10.68.166.7:88
[65247] 1559895064.242207: Received answer (138 bytes) from dgram 10.68.166.7:88
[65247] 1559895064.242208: Response was not from master KDC
[65247] 1559895064.242209: TGS request result: -1765328324/KDC returned error string: PROCESS_TGS
[65247] 1559895064.242210: Requesting tickets for hive/xyz@xyz, referrals off
[65247] 1559895064.242211: Generated subkey for TGS request: des-cbc-crc/01C2
[65247] 1559895064.242212: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts, des-cbc-crc, des, des-cbc-md4
[65247] 1559895064.242214: Encoding request body and padata into FAST request
[65247] 1559895064.242215: Sending request (935 bytes) to xyz
[65247] 1559895064.242216: Resolving hostname xyz
[65247] 1559895064.242217: Sending initial UDP request to dgram 10.68.166.7:88
[65247] 1559895064.242218: Received answer (138 bytes) from dgram 10.68.166.7:88
[65247] 1559895064.242219: Response was not from master KDC
[65247] 1559895064.242220: TGS request result: -1765328324/KDC returned error string: PROCESS_TGS
kvno: KDC returned error string: PROCESS_TGS while getting credentials for hive/xyz@xyz
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Also just for troubleshooting I add enctypes on my AD server using the following command:
ksetup /SetEncTypeAttr xyz DES-CBC-CRC DES-CBC-MD5 RC4-HMAC-MD5 AES128-CTS-HMAC-SHA1-96 AES256-CTS-HMAC-SHA1-96
So, after running the above command when I try to run the kvno command, my error message changes
:from
kvno: KDC returned error string: PROCESS_TGS while getting credentials for hive/xyz@xyz
:to
kvno: Decrypt integrity check failed while getting credentials for hive/xyz@xyz
full kvno cmmand trace is as below:
# kvno hive/xyz@xyz
[128763] 1559917554.849763: Getting credentials HTTP/xxx.abc.com@ABC.COM -> hive/xyz@xyz using ccache FILE:/tmp/krb5cc_0
[128763] 1559917554.849764: Retrieving HTTP/xxx.abc.com@ABC.COM -> hive/xyz@xyz from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_0)
[128763] 1559917554.849765: Retrieving HTTP/xxx.abc.com@ABC.COM -> krbtgt/xyz@xyz from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_0)
[128763] 1559917554.849766: Retrieving HTTP/xxx.abc.com@ABC.COM -> krbtgt/ABC.COM@ABC.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[128763] 1559917554.849767: Starting with TGT for client realm: HTTP/xxx.abc.com@ABC.COM -> krbtgt/ABC.COM@ABC.COM
[128763] 1559917554.849768: Retrieving HTTP/xxx.abc.com@ABC.COM -> krbtgt/xyz@xyz from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_0)
[128763] 1559917554.849769: Requesting TGT krbtgt/xyz@ABC.COM using TGT krbtgt/ABC.COM@ABC.COM
[128763] 1559917554.849770: Generated subkey for TGS request: aes256-cts/4F0F
[128763] 1559917554.849771: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts, des-cbc-crc, des, des-cbc-md4
[128763] 1559917554.849773: Encoding request body and padata into FAST request
[128763] 1559917554.849774: Sending request (1022 bytes) to ABC.COM
[128763] 1559917554.849775: Sending initial UDP request to dgram 10.68.5.219:88
[128763] 1559917554.849776: Received answer (969 bytes) from dgram 10.68.5.219:88
[128763] 1559917554.849777: Response was from master KDC
[128763] 1559917554.849778: Decoding FAST response
[128763] 1559917554.849779: FAST reply key: aes256-cts/944C
[128763] 1559917554.849780: TGS reply is for HTTP/xxx.abc.com@ABC.COM -> krbtgt/xyz@ABC.COM with session key aes256-cts/B3D3
[128763] 1559917554.849781: TGS request result: 0/Success
[128763] 1559917554.849782: Storing HTTP/xxx.abc.com@ABC.COM -> krbtgt/xyz@ABC.COM in FILE:/tmp/krb5cc_0
[128763] 1559917554.849783: Received TGT for service realm: krbtgt/xyz@ABC.COM
[128763] 1559917554.849784: Requesting tickets for hive/xyz@xyz, referrals on
[128763] 1559917554.849785: Generated subkey for TGS request: aes256-cts/DF91
[128763] 1559917554.849786: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts, des-cbc-crc, des, des-cbc-md4
[128763] 1559917554.849788: Encoding request body and padata into FAST request
[128763] 1559917554.849789: Sending request (1013 bytes) to xyz
[128763] 1559917554.849790: Resolving hostname xyz
[128763] 1559917554.849791: Sending initial UDP request to dgram 10.68.166.7:88
[128763] 1559917554.849792: Received answer (138 bytes) from dgram 10.68.166.7:88
[128763] 1559917554.849793: Response was not from master KDC
[128763] 1559917554.849794: TGS request result: -1765328353/Decrypt integrity check failed
[128763] 1559917554.849795: Requesting tickets for hive/xyz@xyz, referrals off
[128763] 1559917554.849796: Generated subkey for TGS request: aes256-cts/34D1
[128763] 1559917554.849797: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts, des-cbc-crc, des, des-cbc-md4
[128763] 1559917554.849799: Encoding request body and padata into FAST request
[128763] 1559917554.849800: Sending request (1013 bytes) to xyz
[128763] 1559917554.849801: Resolving hostname xyz
[128763] 1559917554.849802: Sending initial UDP request to dgram 10.68.166.7:88
[128763] 1559917554.849803: Received answer (138 bytes) from dgram 10.68.166.7:88
[128763] 1559917554.849805: TGS request result: -1765328353/Decrypt integrity check failed
kvno: Decrypt integrity check failed while getting credentials for hive/xyz@xyz
最佳答案
问题出在AD上,而Hadoop Trust无法正常工作。因此,在故障排除期间,我在AD的Hadoop Principal上添加了enctypes。我在其中一个网站上发现了以下说明
“主体(帐户)是使用系统默认的enctype创建的。更改密码类型时,还必须重新创建主体,或至少更新主体的密码。”
所以,我做了密码重置
netdom trust xyz /Domain:ABC.COM / reset / realm / passwordt:xxxxXXXxxxx
而且,KVNO在AD和Hadoop之间没有多余的匹配,所以我在Hadoop端更新了kvno
在Hadoop服务器上重新启动了以下服务
/ sbin / service krb5kdc重新启动
/ sbin / service kadmin重新启动
和Voila ...我能够运行kvno命令。
kinit -k -t xxx.host.keytab HTTP/xxx.abc.com@ABC.COM
[74264] 1561019777.500742:在文件中存储HTTP/xxx.abc.com@ABC.COM-> krbtgt/ABC.COM@ABC.COM:/ tmp / krb5cc_1001
klist -eaf
票证缓存:FILE:/ tmp / krb5cc_1001
默认主体:HTTP/xxx.abc.com@ABC.COM
有效的启动过期服务主体
06/20/2019 14:06:17 06/21/2019 00:06:17 krbtgt/ABC.COM@ABC.COM
续展至06/27/2019 14:06:17,标志:FRI
Etype(key,tkt):aes256-cts-hmac-sha1-96,aes256-cts-hmac-sha1-96
地址:(无)
kvno hive / xyz @ xyz
[74362] 1561019789.592571:获得了所需服务 hive 的信用:hive / xyz @ xyz
[74362] 1561019789.592572:在文件中存储HTTP/xxx.abc.com@ABC.COM-> hive / xyz @ xyz:/ tmp / krb5cc_1001
hive / xyz @ xyz:kvno = 1
关于hadoop - Active Directory-Hortonworks跨领域信任建立,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/56504729/
25
4
0
在我的应用程序中播放背景音乐时遇到问题。 首先,我在第一个 Storyboard View Controller 中的 ViewDidLoad 方法中开始播放音乐。即使我从一个页面跳转到另一个页面,它
我想跨行连接数组,然后进行不同的计数。理想情况下,这会起作用: WITH test AS ( SELECT DATE('2018-01-01') as date, 2 as value,
这是一个场景: Repo A 是一个包含大量模块和依赖项的怪异代码。安装起来并不容易。它由其他人维护并托管在 Github 上。 Repo A 包含一个非常有用的模块 X,并且几乎不依赖于 Repo
目前,我在一台服务器上运行了一个应用程序。有一个 crontab 设置,因此根据指定的规则,在某些时间运行任务。 现在,我正在考虑将我的应用程序迁移到 docker 容器中,以便我能够独立运行我的应用
我有一个全局表,我想在两个不同的 Lua 状态之间保持同步。根据我所阅读和理解的内容,唯一的方法似乎是,在我的 C 后端,在状态之间进行表的深层复制(如果表已被修改)。有没有更好的办法 ? 另外,我看
我们目前有一个 asmx webservice,它公开了一个方法来对 Sql 数据库进行各种更新,内部包装在 SqlTransaction 中。 我正在 WCF 中重写此服务,我们希望将现有方法拆分为
我是 Qt 的新手,所以请原谅这个问题的简单性,但我对 Qt 线程有点困惑。假设我有 3 个线程:主要的默认 GUI 线程和我自己创建的 2 个线程(称为 WorkerThread)。我的每个 Wor
我们的产品有一个 Restful API 和一个服务器渲染的应用程序(CMS)。两者共享数据库。两者都是用django编写的 两者所需的字段和模型并不是相互排斥的,有些仅针对 API,有些针对 CMS
我正在实现一个基于角色的访问控制系统,它具有以下数据库表。 groups --------- id (PK) name level resources --------- id (PK) name r
我有三个应用程序,为了便于管理,我希望将它们分开。他们按照建议作为 Plack 服务器运行 here , 代理在 nginx 后面。 我想有一个单独的应用程序来管理登录,并在所有其他应用程序之间共享该
我的主窗口上有一个 UIWebView。我可以通过我的第二个 View Controller 来控制它吗?如果可以的话你能给我举个例子吗? 最佳答案 是的,你可以。 “如何”是一个基本的 Cocoa/
我想制作一个小型应用程序,从连接到串行端口的设备收集数据,并将其通过 LAN 传递到另一个应用程序,后者将其存储在数据库中。 我已经在一台 PC 上的一个应用程序中完成了此操作,因此实际上会将应用程序
从主 AppDomain,我试图调用在不同 AppDomain 中实例化的类型中定义的异步方法。 比如下面的类型MyClass继承自 MarshalByRefObject并在新的 AppDomain
因为 LiveServerTestCase继承自 TransactionTestCase ,默认行为是在每个测试方法结束时删除测试数据。我想用LiveServerTestCase类,但保留方法之间的测
我正在开发我的第一个 WPF/MVVM 应用程序,但我在命令知识方面遇到了限制! 这是我的场景。 我有一个窗口——Customer.xaml。 它包含 2 个用户控件 查看CustomerSearch
这是我的 WPF 应用程序模型的简化版本: Employee +Name:string Client +Name:string +PhoneNumber:string Appointmen
我有一个 mercurial 存储库,它使用子存储库功能(如 .hgsub 文件中定义的)引入依赖项,但我正在努力让它在 TeamCity 中工作。 我启用了 mercurial_keyring 扩展
我正在尝试使用新的 Azure 虚拟网络公共(public)预览版的对等互连功能来加入我在两个不同订阅(即不同租户)上拥有的两个网络。这可能吗?我没有看到任何其他说法,但是当我尝试在 PowerShe
我有 2 个存储库。由于主干代码位于一个 protected 存储库中,因此我进行了 checkout ,然后 checkin 到另一个存储库(因为用户没有第一个 protected 存储库的权限)。
我有一个项目,其调用结构与此类似: 主要项目/应用 我的图书馆代码 别人的库代码 我的图书馆代码 一切都是用 C# 编写的,我可以访问“其他人的库代码”。他们的代码不包含在我的项目中,因为它是开源的而
我是一名优秀的程序员,十分优秀!