
Configuring MapR security with Kerberos

Question asked by mattwuenschel on Jan 10, 2017
Latest reply on Jan 13, 2017 by mattwuenschel

Hello all,

I'm trying to get my secure MapR cluster working with Kerberos. I'm getting an error when trying to use maprlogin with Kerberos.

maprlogin kerberos

Failure in kerberos handshake Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)

It's failing with an encryption type error. So I added the following to my krb5.conf to try and force it to use AES128 vs AES256. 

default_tkt_enctypes = aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes128-cts-hmac-sha1-96
permitted_enctypes = aes128-cts-hmac-sha1-96

This resulted in the same error, so I recreated the keytab using aes128 encryption:

ktadd -k /opt/mapr/conf/mapr.keytab -e aes128-cts:normal mapr/hostname

When I list the keytab in ktutil, it only lists aes128:

$ ktutil

ktutil: read_kt /opt/mapr/conf/mapr.keytab
ktutil: l -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 3 mapr/hostname@KERBEROS_REALM (aes128-cts-hmac-sha1-96)
2 3 mapr/hostname@KERBEROS_REALM (aes128-cts-hmac-sha1-96)

At this point everything should be using aes128, but when I kinit and run klist -e, it still shows aes256, and maprlogin kerberos fails with the same error.

$ kinit -kt /opt/mapr/conf/mapr.keytab mapr/hostname@KERBEROS_REALM

$ klist -e
Ticket cache: FILE:/tmp/krb5cc_502
Default principal: mapr/hostname@KERBEROS_REALM

Valid starting Expires Service principal
01/10/17 23:26:40 01/11/17 00:26:40 krbtgt/hostname@KERBEROS_REALM
renew until 01/10/17 23:26:40, Etype (skey, tkt): aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

$ maprlogin kerberos

Failure in kerberos handshake Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)

I'm not sure where it is finding the aes256. Am I missing a configuration somewhere?

I am running MapR version 5.0.0.

I replaced my hostname and realm with default info.

Appreciate your help,

Matt
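
An added example, not part of the original post: a Python check that reads the `permitted_enctypes` line from krb5.conf and the `Etype (skey, tkt)` line from `klist -e`, and reports which of the two enctypes falls outside the permitted set. The sample inputs are constructed from the values quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample inputs modelled on the post (hostname/realm are the post's placeholders).
KRB5_CONF = """\
[libdefaults]
    default_tkt_enctypes = aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes128-cts-hmac-sha1-96
    permitted_enctypes = aes128-cts-hmac-sha1-96
"""
KLIST_E = """\
Ticket cache: FILE:/tmp/krb5cc_502
Default principal: mapr/hostname@KERBEROS_REALM

Valid starting     Expires            Service principal
01/10/17 23:26:40  01/11/17 00:26:40  krbtgt/hostname@KERBEROS_REALM
        renew until 01/10/17 23:26:40, Etype (skey, tkt): aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
"""

def permitted_enctypes(conf_text):
    """Return the set listed in permitted_enctypes (space- or comma-separated)."""
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "permitted_enctypes":
            return set(re.split(r"[,\s]+", value.strip()))
    return set()

def ticket_enctypes(klist_text):
    """Yield (service principal, session-key enctype, ticket enctype) per cache entry."""
    service = None
    for line in klist_text.splitlines():
        fields = line.split()
        if fields and "@" in fields[-1] and re.match(r"\d\d/\d\d/\d\d", fields[0]):
            service = fields[-1]  # ticket line: start date ... service principal
        m = re.search(r"Etype \(skey, tkt\): (\S+), (\S+)", line)
        if m and service:
            yield service, m.group(1), m.group(2)

def mismatches(conf_text, klist_text):
    """List (service, 'skey'|'tkt', enctype) for every enctype outside the permitted set."""
    # skey = session key the client will use; tkt = key the KDC encrypted the ticket with.
    allowed = permitted_enctypes(conf_text)
    found = []
    for service, skey, tkt in ticket_enctypes(klist_text):
        found += [(service, r, e) for r, e in (("skey", skey), ("tkt", tkt)) if e not in allowed]
    return found

if __name__ == "__main__":
    for service, role, etype in mismatches(KRB5_CONF, KLIST_E):
        print(f"{service}: {role} uses {etype}, not in permitted_enctypes")
```

On the post's values it reports only the `tkt` field: the session key is aes128, while the key the KDC used to encrypt the TGT is aes256.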
