Pivotal Knowledge Base

GPHDFS Error on Kerberos: "KDC has no Support for Encryption Type <number>"

Environment

Product            Version
Pivotal Greenplum  4.3.x

Symptom

When running a query that creates an external table using gphdfs, a Kerberos error is seen: "KDC has no support for encryption type <number>" and "CANT_FIND_CLIENT_KEY."

Error message:

Exception in thread "main" java.io.IOException: Login failure for gpadmin@YOUR.KERBEROS.REALM from keytab /path/to/keytab/file.keytab: javax.security.auth.login.LoginException: KDC has no support for encryption type (14) - CANT_FIND_CLIENT_KEY (seg20 sdw3:1029 pid=798410) 
DETAIL:

at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:976) 
at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:280) 
at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:244) 
<snip>

Cause

Look at the Kerberos encryption types supported by the KDC and make sure that the Kerberos principal(s) being used comply with the supported/valid types. Also check the krb5.conf file on the local host(s) to make sure that it, too, complies with the KDC encryption types.

Resolution

For the Kerberos principal being used, follow these steps to check the supported/valid types:

  • You can look at encryption types, etc., of the keytab used with:

klist -kKet /path/to/keytab/file.keytab

  • Take a look at the existing Kerberos ticket you are using and the encryption types it has, with:

klist -ae

  • Access your Kerberos KDC and look at the Principal's provisioned data. At the kadmin.local prompt you can check with:

kadmin.local: getprinc gpadmin@HDP.LOCAL

  • Also, make sure that your /etc/krb5.conf file on the cluster host is set up correctly for the encryption type(s).
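
The outputs gathered in the steps above can be compared mechanically. The script below is an added example, not part of the original article: it extracts the encryption types from saved klist -kKet output, saved getprinc output and a krb5.conf file, and prints the types that all three have in common (no output means there is no common type). The sample data is constructed, the output layouts are assumed to be those of MIT Kerberos, and default_tkt_enctypes is an assumed choice of krb5.conf setting.

```shell
#!/bin/sh
# Added example: which enctypes do keytab, KDC principal and krb5.conf all share?
# Assumes MIT Kerberos output layouts. Names are compared literally; aliases
# such as "aes256-cts" are not expanded.

strip() { sed 's/^DEPRECATED://' | sort -u; }  # newer MIT releases tag weak types

# Enctypes in `klist -kKet` output (stdin): first parenthesised field after the principal.
keytab_enctypes() { sed -n 's/^ *[0-9][0-9]* .*@[^ ]* (\([^)]*\)).*/\1/p' | strip; }

# Enctypes in `getprinc` output (stdin): lines of the form "Key: vno N, <enctype>".
kdc_enctypes() { sed -n 's/^Key: vno [0-9]*, \([^, ]*\).*/\1/p' | strip; }

# Enctypes listed for one krb5.conf setting; values may be space or comma separated.
conf_enctypes() {  # usage: conf_enctypes SETTING FILE
  sed -n "s/^[[:space:]]*$1[[:space:]]*=//p" "$2" | tr ' ,\t' '\n\n\n' | sed '/^$/d' | sort -u
}

# Enctypes present in all three sources. Empty output means no common type.
usable_enctypes() {  # usage: usable_enctypes KLIST_OUT GETPRINC_OUT KRB5_CONF [SETTING]
  conf=$(conf_enctypes "${4:-default_tkt_enctypes}" "$3")
  need=3; [ -n "$conf" ] || need=2   # setting absent: only compare keytab and KDC
  { keytab_enctypes < "$1"; kdc_enctypes < "$2"; printf '%s\n' "$conf"; } |
    sed '/^$/d' | sort | uniq -c | awk -v n="$need" '$1 == n { print $2 }'
}

# Constructed sample data (not from a real cluster; key values replaced by 0x00).
d=$(mktemp -d)
cat > "$d/klist.txt" <<'EOF'
Keytab name: FILE:/path/to/keytab/file.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 01/01/2016 10:00:00 gpadmin@HDP.LOCAL (aes256-cts-hmac-sha1-96)  (0x00)
   1 01/01/2016 10:00:00 gpadmin@HDP.LOCAL (arcfour-hmac)  (0x00)
EOF
cat > "$d/getprinc.txt" <<'EOF'
Principal: gpadmin@HDP.LOCAL
Number of keys: 2
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, DEPRECATED:arcfour-hmac
EOF
printf '[libdefaults]\n default_tkt_enctypes = des3-cbc-sha1\n' > "$d/bad.conf"
printf '[libdefaults]\n default_tkt_enctypes = aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96\n' > "$d/good.conf"

echo "bad.conf shares:  [$(usable_enctypes "$d/klist.txt" "$d/getprinc.txt" "$d/bad.conf")]"
echo "good.conf shares: [$(usable_enctypes "$d/klist.txt" "$d/getprinc.txt" "$d/good.conf")]"
```

The -K option of klist prints the key values stored in the keytab, so redact the last column before saving or sharing that output.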