Pivotal Knowledge Base


GPHDFS Error on Kerboros "KDC has no Support for Encryption Type <number>"


Pivotal Greenplum Database (GPDB) 4.3.x


When trying to run a query to create an external table using gphdfs, an error on Kerboros is seen: "KDC has no support for encryption type <number>" and "CANT_FIND_CLIENT_KEY."

Error message:

Exception in thread "main" java.io.IOException: Login failure for gpadmin@YOUR.KERBEROS.REALM from keytab /path/to/keytab/file.keytab: javax.security.auth.login.LoginException: KDC has no support for encryption type (14) - CANT_FIND_CLIENT_KEY (seg20 sdw3:1029 pid=798410) 
at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:976) 
at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:280) 
at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:244) 


Look at the Kerberos encryption types supported by the KDC and make sure that the Kerberos principal(s) being used complies with the supported/valid types. You should also check the local host(s) krb5.conf file to make sure that it too complies with the KDC encryption types.


For the Kerberos principal being used, follow these steps to check the supported/valid types:

  • You can look at encryption types, etc., of the keytab used with:

klist -kKet /path/to/keytab/file.keytab

  • Take a look at the existing Kerberos ticket you are using and the encryption types it has, with:

klist -ae

  • Access your Kerberos KDC and look at the Principal's provisioned data. At the kadmin.local prompt you can check with:

kadmin.local: getprinc gpadmin@HDP.LOCAL

  • Also, make sure that your /etc/krb5.conf file on the cluster host is set up correctly for the encryption type(s).


Powered by Zendesk