Java remote connection to Hadoop: Kerberos authentication fails with "no supported default etypes for default_tkt_enctypes"

 

@PostConstruct
    public void init() throws Exception {
        if (conn == null) {
//            System.setProperty("hadoop.home.dir", "G:/keyberos/hbase");
            System.setProperty("java.security.krb5.conf",krbConf);
            conf = HBaseConfiguration.create();
            conf.set("hbase.zookeeper.property.clientPort", zkPort); 
            conf.set("hbase.zookeeper.quorum", zkHost);
            conf.set("hbase.master", master);
//            conf.addResource(hbaseSite);
            conf.set("hadoop.security.authentication", "kerberos");
            conf.set("hbase.security.authentication", "kerberos");
            conf.set("hbase.cluster.distributed", "true");
            conf.set("hbase.rpc.protection", "authentication"); 
            conf.set("hbase.master.kerberos.principal", principal); // needed even if you connect over RPC/ZooKeeper
            conf.set("hbase.regionserver.kerberos.principal", principal); // the principal the master/region servers use
            
            String principal = System.getProperty("kerberosPrincipal", kerberosPrincipal);
            String keytabLocation = System.getProperty("kerberosKeytab",keyberos);
            
            UserGroupInformation.setConfiguration(conf);
            UserGroupInformation.loginUserFromKeytab(principal, keytabLocation);
            
            conn = ConnectionFactory.createConnection(conf);
        }
    }

The error is thrown at UserGroupInformation.loginUserFromKeytab(principal, keytabLocation):

java.io.IOException: Login failure for hbase@XXXX.COM from keytab F:/hbase/hbase.keytab: javax.security.auth.login.LoginException: no supported default etypes for default_tkt_enctypes

The arguments are hbase@XXXX.COM and F:/hbase/hbase.keytab respectively.

java.security.krb5.conf is set to F:/hbase/krb5.conf:
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = XXXX.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_tgs_enctypes = aes256-cts-hmac-sha1-96
 default_tkt_enctypes = aes256-cts-hmac-sha1-96
 permitted_enctypes = aes256-cts-hmac-sha1-96
 clockskew = 120
 udp_preference_limit = 1

[realms]
XXXX.COM = {
  kdc = bdp01
  admin_server = bdp01
 }

[domain_realm]
 .xxxx.com = XXXX.COM
xxxx.com = XXXX.COM

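Fix: download the JCE files matching JDK 8 and add them to jdk/jre/lib/security.

My initial guess is that the JDK needs the corresponding encryption/decryption algorithms in order to process the hbase.keytab file.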

Reference: https://blog.csdn.net/wulantian/article/details/42173095
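A preflight check for the failure described above, as an added example that is not part of the original post: it reads default_tkt_enctypes from the krb5.conf and compares each entry with the maximum AES key length this JVM's JCE policy allows. The class name Krb5EtypePreflight and its helper methods are hypothetical; it only checks AES key-size limits, not every reason an enctype might be rejected.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.crypto.Cipher;

// Hypothetical helper (not from the post): run it with the same JDK as the HBase client.
public class Krb5EtypePreflight {

    /** Returns the enctypes listed for `key` in krb5.conf (empty list if the key is absent). */
    static List<String> enctypes(List<String> lines, String key) {
        for (String raw : lines) {
            String line = raw.trim();
            if (line.startsWith("#") || !line.contains("=")) continue;
            String[] kv = line.split("=", 2);
            if (kv[0].trim().equals(key)) {
                return Arrays.asList(kv[1].trim().split("[\\s,]+"));
            }
        }
        return Collections.emptyList();
    }

    /** True if the JCE policy allows the AES key size this enctype needs. */
    static boolean usable(String etype, int maxAesBits) {
        if (etype.startsWith("aes256")) return maxAesBits >= 256;
        if (etype.startsWith("aes128")) return maxAesBits >= 128;
        return true; // non-AES enctypes are not checked here
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : System.getProperty("java.security.krb5.conf");
        if (path == null) {
            System.err.println("usage: java Krb5EtypePreflight <path to krb5.conf>");
            System.exit(2);
        }
        // 128 means the limited policy is active; Integer.MAX_VALUE means unlimited.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max AES key length allowed by JCE policy: " + maxAes);

        List<String> wanted = enctypes(Files.readAllLines(Paths.get(path)), "default_tkt_enctypes");
        boolean anyUsable = false;
        for (String etype : wanted) {
            boolean ok = usable(etype, maxAes);
            anyUsable |= ok;
            System.out.println((ok ? "  usable   " : "  BLOCKED  ") + etype);
        }
        if (!wanted.isEmpty() && !anyUsable) {
            System.out.println("No usable enctype: expect \"no supported default etypes for default_tkt_enctypes\".");
            System.exit(1);
        }
    }
}
```

With the krb5.conf shown above, a JDK 8 running the limited policy reports 128 and marks aes256-cts-hmac-sha1-96 as BLOCKED; once the JCE files are in place the same run reports it as usable.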

posted @ 2019-11-20 16:31  笔记Next