Found unsupported keytype (8) for nn/hadoop-kerberos@HADOOP-KERBEROS

Question

I am trying to set up a single node Hadoop cluster in secure mode with Kerberos authentication enabled, using hadoop-2.4.0 and jdk1.7.0_25.

To do so, I have created keytab files as described in documentation. While debugging things with property HADOOP_OPTS set with -Dsun.security.krb5.debug=true I see the following error messages:

Found unsupported keytype (8) for nn/hadoop-kerberos@HADOOP-KERBEROS
Added key: 23version: 4
Added key: 16version: 4
Added key: 17version: 4
Added key: 18version: 4
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23 1 3.
Added key: 3version: 4
Found unsupported keytype (8) for nn/hadoop-kerberos@HADOOP-KERBEROS
Added key: 23version: 4
Added key: 16version: 4
Added key: 17version: 4
Added key: 18version: 4
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23 1 3.
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23 1 3.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=localhost UDP:3738, timeout=30000, number of retries =3, #bytes=171</code></pre>

Please note that I have ../jre/lib/security/local_policy.jar and .../jre/lib/security/US_export_policy.jar in my CLASSPATH variable.

Also I have the following in kdc.conf:

 [kdcdefaults]
 kdc_ports = 3738
 kdc_tcp_ports = 3738

[realms]
 HADOOP-KERBEROS = {
  kadmind_port = 3739
  #master_key_type = des3-hmac-sha1
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  #admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  admin_keytab = /etc/krb5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }
[logging]
   # By default, the KDC and kadmind will log output using
   # syslog.  You can instead send log output to files like this:
   kdc = FILE:/home/build/log/krb5kdc.log
   admin_server = FILE:/home/build/log/kadmin.log
   default = FILE:/home/build/log/krb5lib.log

klist -e shows the following output for user aleksg which I use to run namenode with hadoop namenode command

Ticket cache: FILE:/tmp/krb5cc_501
Default principal: aleksg@HADOOP-KERBEROS

Valid starting     Expires            Service principal
07/12/15 09:16:39  07/13/15 09:16:39  krbtgt/HADOOP-KERBEROS@HADOOP-KERBEROS
        Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1 


Kerberos 4 ticket cache: /tmp/tkt501
klist: You have no tickets cached

So it seems that DES cbc mode with HMAC/sha1 is being used for TGT.

Could you please point me how can I resolve the issue? Can this be somehow related to permissions of keytab files or should I regenerate keytab files with different encryption type enabled?

Thank you !

Answer 1

I have workarounded the issue by generating all keytab files used in configuration of secure Hadoop and which are mentioned in hdfs-site.xml, yarn-site.xml, etc. by using des3-hmac-sha1:normal encryption type.

kadmin.local -e "des3-hmac-sha1:normal"

Also I have changed my krb5.conf to use this encryption type for default_tkt_enctypes, default_tgs_enctypes and permitted_enctypes.

As well changed in krb5kdc/kdc.conf the master_key_type to des3-hmac-sha1.