Open bacikerik opened 3 months ago
What version of RHEL? I have seen this issue in RHEL 8.9 (did not see this in RHEL 8.8), where the change in crypto policies & SHA1 hash seems to have caused Kerberos issues. I moved on to RHEL 9.1 and did NOT see this side effect.
RHEL 8.9, as you mentioned:
# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.9 (Ootpa)
As of today, Cloudera has not yet done any product testing/certification on RHEL 8.9. Usually RHEL minor upgrades don't impact us so much, but this one def breaks YARN and I don't have any workaround.
See: https://supportmatrix.cloudera.com/ for the official matrix
I recently deployed a new test cluster using Cloudera CDP Private Cloud version 7.1.9.3 (later with hotfix 7.1.9.4) with Cloudera Manager version 7.11.3. The deployment includes a configuration using freeIPA for secure authentication:
However, I was encountering an issue with the YARN service related to AES encryption, specifically 'aes256-cts-hmac-sha384-192' encryption type, which caused problems with service principals:
Based on the log message, I found the following article and tried setting permitted_enctypes = aes256-cts aes128-cts in /etc/krb5.conf, which didn't help at all.
After further investigation, I found out that the configuration is managed in the following file:
Solution/Executed steps:
Stop Cluster
Stop CMS
Modify /usr/share/crypto-policies/DEFAULT/krb5.txt (contains the same enctypes as hdfs.keytab), comment out the original value and set 'aes256-cts aes128-cts' only:
ipactl restart
CM -> Administration -> Security -> Select all principals -> Regenerate Selected
Start CMS
Start Cluster
Conclusion
The configuration using freeIPA playbooks manages permitted_enctypes in /usr/share/crypto-policies/DEFAULT/krb5.txt instead of /etc/krb5.conf as assumed.
Environment Details:
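
The situation described in the post above, as an added example that is not part of the original post or of any Cloudera or freeIPA code: a small Python scanner that follows include and includedir directives from a krb5.conf and lists every place permitted_enctypes is set, so a value arriving through a crypto-policies file shows up next to the one in /etc/krb5.conf. The function names, the includedir file-name rule and sorted read order, and the sample layout (constructed in a temporary directory) are assumptions made for the illustration.

```python
import os, re, tempfile

INCLUDABLE = re.compile(r"^[A-Za-z0-9_-]+$")  # assumed includedir file-name rule

def find_setting(path, key="permitted_enctypes", seen=None):
    """List (file, line_no, value) for each 'key = value' reachable from path
    through include/includedir directives, in the order the files are read."""
    seen = set() if seen is None else seen
    real = os.path.realpath(path)  # follow symlinks such as krb5.conf.d/crypto-policies
    if real in seen or not os.path.isfile(real):
        return []
    seen.add(real)
    hits = []
    with open(real, encoding="utf-8", errors="replace") as fh:
        for line_no, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            parts = line.split(None, 1)
            if parts[0] == "include" and len(parts) == 2:
                hits += find_setting(parts[1], key, seen)
            elif parts[0] == "includedir" and len(parts) == 2:
                names = sorted(os.listdir(parts[1])) if os.path.isdir(parts[1]) else []
                for name in names:
                    if INCLUDABLE.match(name) or name.endswith(".conf"):
                        hits += find_setting(os.path.join(parts[1], name), key, seen)
            else:
                m = re.match(re.escape(key) + r"\s*=\s*(.*)$", line)
                if m:
                    hits.append((path, line_no, m.group(1).strip()))
    return hits

def demo():
    """Build a constructed layout in a temp dir; no real system file is read."""
    with tempfile.TemporaryDirectory() as root:
        confd = os.path.join(root, "krb5.conf.d")
        os.mkdir(confd)
        policy = os.path.join(root, "krb5.txt")  # stands in for the policy file
        with open(policy, "w") as f:  # constructed contents, not the shipped file
            f.write("[libdefaults]\npermitted_enctypes = aes256-cts-hmac-sha384-192 aes256-cts\n")
        os.symlink(policy, os.path.join(confd, "crypto-policies"))
        main = os.path.join(root, "krb5.conf")
        with open(main, "w") as f:
            f.write("includedir %s\n[libdefaults]\npermitted_enctypes = aes256-cts aes128-cts\n" % confd)
        return [(os.path.basename(p), n, v) for p, n, v in find_setting(main)]

if __name__ == "__main__":
    for name, line_no, value in demo():
        print("%s:%d: permitted_enctypes = %s" % (name, line_no, value))
```

On a real host, calling find_setting("/etc/krb5.conf") gives the same listing for the live configuration.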