Fixing at the root the 'kinit: Bad encryption type while getting initial credentials' error when running kinit -kt on RHEL 6.x hosts

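Cause:

As far as is currently known, the cause is an encryption-type discrepancy between 6.x and 7.x hosts: the camellia128-cts-cmac and camellia256-cts-cmac encryption types cannot be decrypted correctly on 6.x hosts.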

Problems this can cause:

  • kinit fails to obtain the principal on 6.x hosts.
  • Cloudera service refresh fails (seen on 6.x hosts); the error reported is a kinit authentication failure.

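Solution:

  • Edit the supported_enctypes line in the kdc.conf file on the KDC host,
    removing the two encryption types 'camellia256-cts:normal camellia128-cts:normal'.
  • Restart the KDC service.
  • Edit the kdc.conf file on the slave KDC host.
  • Restart the slave KDC service.
  • Run data synchronization (kprop).
  • Sync the client configuration.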
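
The kdc.conf edit from the first and third steps, as an added shell example that is not part of the original post: strip_camellia prints the config with the two camellia entries removed, and count_camellia confirms none remain. The kdc.conf fragment is constructed from the line shown on this page, and the whitespace-separated list format is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes supported_enctypes is a
# whitespace-separated list of key:salt pairs on one line, as shown on the page.

# Print the config with the camellia256-cts / camellia128-cts entries dropped
# from every supported_enctypes line; all other lines pass through unchanged.
strip_camellia() {
    awk '
    /^[ \t]*supported_enctypes[ \t]*=/ {
        eq = index($0, "=")
        head = substr($0, 1, eq)              # indentation + "supported_enctypes ="
        n = split(substr($0, eq + 1), tok)    # default split: runs of whitespace
        out = ""
        for (i = 1; i <= n; i++)
            if (tok[i] !~ /^camellia(128|256)-cts(-cmac)?(:|$)/)
                out = out " " tok[i]
        print head out
        next
    }
    { print }' "$1"
}

# Count camellia entries still listed in supported_enctypes (0 = edit is done).
count_camellia() {
    grep -E '^[[:space:]]*supported_enctypes[[:space:]]*=' "$1" |
        grep -oE 'camellia[0-9]+-cts[^[:space:]]*' | wc -l | tr -d ' '
}

# Demo on a constructed kdc.conf fragment; a real run would target a copy of
# /var/kerberos/krb5kdc/kdc.conf on the master and then on the slave KDC.
demo() {
    conf=$(mktemp) || return 1
    cat > "$conf" <<'EOF'
[realms]
 HADOOP.COM = {
  supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
EOF
    echo "before: $(count_camellia "$conf") camellia entries"
    strip_camellia "$conf" > "$conf.new"
    echo "after:  $(count_camellia "$conf.new") camellia entries"
    diff "$conf" "$conf.new" || true    # only the supported_enctypes line differs
    rm -f "$conf" "$conf.new"
}
demo
```
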

Test and verification:

# Current kdc.conf configuration
[dengsc@nfjd-hadoop02-node179 ~]$ sudo grep supported_enctypes /var/kerberos/krb5kdc/kdc.conf 
  supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal

# Fetch the current principal information; the keys include camellia*-cts-cmac
kadmin.local:  getprinc dengsc
Principal: dengsc@HADOOP.COM
Expiration date: [never]
Last password change: Thu Jun 08 14:27:11 CST 2017
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 31 days 00:00:00
Last modified: Thu Jun 08 14:35:59 CST 2017 (root/admin@HADOOP.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 7
Key: vno 5, aes128-cts-hmac-sha1-96
Key: vno 5, des3-cbc-sha1
Key: vno 5, arcfour-hmac
Key: vno 5, camellia256-cts-cmac
Key: vno 5, camellia128-cts-cmac
Key: vno 5, des-hmac-sha1
Key: vno 5, des-cbc-md5
MKey: vno 1
Attributes:
Policy: lockout_policy

# When the keytab file is exported, it contains the camellia*-cts-cmac encryption types
kadmin.local:  xst -kt dengsc.keytab dengsc
Entry for principal dengsc with kvno 6, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:dengsc.keytab.
Entry for principal dengsc with kvno 6, encryption type des3-cbc-sha1 added to keytab WRFILE:dengsc.keytab.
Entry for principal dengsc with kvno 6, encryption type arcfour-hmac added to keytab WRFILE:dengsc.keytab.
Entry for principal dengsc with kvno 6, encryption type camellia256-cts-cmac added to keytab WRFILE:dengsc.keytab.
Entry for principal dengsc with kvno 6, encryption type camellia128-cts-cmac added to keytab WRFILE:dengsc.keytab.
Entry for principal dengsc with kvno 6, encryption type des-hmac-sha1 added to keytab WRFILE:dengsc.keytab.
Entry for principal dengsc with kvno 6, encryption type des-cbc-md5 added to keytab WRFILE:dengsc.keytab.

# Inspect the keytab file structure with klist; the camellia*-cts-cmac encryption types are present
[dengsc@nfjd-hadoop02-node179 ~]$ klist -ket dengsc.keytab 
Keytab name: FILE:dengsc.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   6 09/19/2017 13:44:46 dengsc@HADOOP.COM (aes128-cts-hmac-sha1-96) 
   6 09/19/2017 13:44:46 dengsc@HADOOP.COM (des3-cbc-sha1) 
   6 09/19/2017 13:44:46 dengsc@HADOOP.COM (arcfour-hmac) 
   6 09/19/2017 13:44:46 dengsc@HADOOP.COM (camellia256-cts-cmac) 
   6 09/19/2017 13:44:46 dengsc@HADOOP.COM (camellia128-cts-cmac) 
   6 09/19/2017 13:44:46 dengsc@HADOOP.COM (des-hmac-sha1) 
   6 09/19/2017 13:44:46 dengsc@HADOOP.COM (des-cbc-md5) 
   
# Modify kdc.conf
[dengsc@nfjd-hadoop02-node179 ~]$ sudo grep supported_enctypes /var/kerberos/krb5kdc/kdc.conf 
  supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
  
# Restart the krb5kdc service
[dengsc@nfjd-hadoop02-node179 ~]$ sudo service krb5kdc restart
Redirecting to /bin/systemctl restart  krb5kdc.service

# Read the principal information; the camellia*-cts-cmac encryption types have been removed
Principal: dengsc@HADOOP.COM
Expiration date: [never]
Last password change: Tue Sep 19 13:32:33 CST 2017
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 31 days 00:00:00
Last modified: Tue Sep 19 13:32:33 CST 2017 (root/admin@HADOOP.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 5
Key: vno 21, aes128-cts-hmac-sha1-96
Key: vno 21, des3-cbc-sha1
Key: vno 21, arcfour-hmac
Key: vno 21, des-hmac-sha1
Key: vno 21, des-cbc-md5
MKey: vno 1
Attributes:
Policy: lockout_policy

# Re-export the principal
kadmin.local:  xst -k dengsc.keytab dengsc
Entry for principal dengsc with kvno 22, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:dengsc.keytab.
Entry for principal dengsc with kvno 22, encryption type des3-cbc-sha1 added to keytab WRFILE:dengsc.keytab.
Entry for principal dengsc with kvno 22, encryption type arcfour-hmac added to keytab WRFILE:dengsc.keytab.
Entry for principal dengsc with kvno 22, encryption type des-hmac-sha1 added to keytab WRFILE:dengsc.keytab.
Entry for principal dengsc with kvno 22, encryption type des-cbc-md5 added to keytab WRFILE:dengsc.keytab.

# Use klist to view the principal's ticket information
[dengsc@nfjd-hadoop02-node179 ~]$ klist -ket dengsc.keytab 
Keytab name: FILE:dengsc.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
  21 09/19/2017 13:32:33 dengsc@HADOOP.COM (aes128-cts-hmac-sha1-96) 
  21 09/19/2017 13:32:33 dengsc@HADOOP.COM (des3-cbc-sha1) 
  21 09/19/2017 13:32:33 dengsc@HADOOP.COM (arcfour-hmac) 
  21 09/19/2017 13:32:33 dengsc@HADOOP.COM (des-hmac-sha1) 
  21 09/19/2017 13:32:33 dengsc@HADOOP.COM (des-cbc-md5)
  
# Authenticate with kinit
[dengsc@nfjd-hadoop02-node179 ~]$ kinit -kt dengsc.keytab dengsc
[dengsc@nfjd-hadoop02-node179 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_2190
Default principal: dengsc@HADOOP.COM

Valid starting       Expires              Service principal
09/19/2017 13:58:46  09/20/2017 13:58:46  krbtgt/HADOOP.COM@HADOOP.COM
    renew until 09/26/2017 13:58:46

# Note: this method invalidates the previously issued keytab files
[xujun@nfjd-hadoop02-node179 keytab]$ kinit -kt xujun.keytab xunjun
kinit: Keytab contains no suitable keys for xunjun@HADOOP.COM while getting initial credentials