What component is the kerbholzauth module?

hey todd,
thanks for getting back. strangely after a few restarts of kerberos KDC it suddenly went away! no idea what it was.
best,
koert

On Tue, Sep 18, 2012 at 4:02 PM, Todd Lipcon wrote:

Hi Koert,

Might be a difference between TCP and UDP?

You could try setting 'udp_preference_limit = 1' in your krb5.conf on the client machine to force to TCP.

What's the output from kinit if you add the -V flag to make it verbose?

-Todd

On Fri, Sep 14, 2012 at 10:52 AM, Koert wrote:

hey all,
i moved a small virtual test cluster (CDH3U5), and had to give all boxes new ips (including kerberos KDC).

now when i log into the box that is the namenode, kinit still works for me. the same is true for kinit for hdfs from keytab:

[koert@master ~]$ sudo -u hdfs kinit -k -t /etc/hadoop/conf/hdfs.keytab

but the namenode no longer starts. it times out connecting with the KDC. the relevant logs from the namenode (including kerberos debugging) are below.

any idea? i don't know why it works fine from command line but java can no longer connect to KDC.

thanks!
koert

/var/log/hadoop/hadoop-hadoop-namenode-master..log:

************************************************************/
13:31:56,891 INFO org.apache.hadoop.hdfs.server.namenode.NameNode: STARTUP_MSG:
/************************************************************
13:33:27,782 ERROR org.apache.hadoop.hdfs.server.namenode.NameNode: java.io.IOException: Login failure for hdfs/master.@ from keytab /etc/hadoop/conf/hdfs.keytab
    at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:788)
    at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:276)
    at org.apache.hadoop.hdfs.server.namenode.NameNode.initialize(NameNode.java:302)
    at org.apache.hadoop.hdfs.server.namenode.NameNode.<init>(NameNode.java:568)
    at org.apache.hadoop.hdfs.server.namenode.NameNode.createNameNode(NameNode.java:1444)
    at org.apache.hadoop.hdfs.server.namenode.NameNode.main(NameNode.java:1453)
Caused by: javax.security.auth.login.LoginException: Receive timed out
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:700)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:575)
    at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:779)
    ... 5 more
Caused by: java.net.SocketTimeoutException: Receive timed out
    at java.net.PlainDatagramSocketImpl.receive0(Native Method)
    at java.net.PlainDatagramSocketImpl.receive(PlainDatagramSocketImpl.java:145)
    at java.net.DatagramSocket.receive(DatagramSocket.java:725)
    at sun.security.krb5.internal.UDPClient.receive(UDPClient.java:77)
    at sun.security.krb5.KrbKdcReq$KdcCommunication.run(KrbKdcReq.java:352)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:266)
    at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:174)
    at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:147)
    at sun.security.krb5.KrbAsReq.send(KrbAsReq.java:431)
    at sun.security.krb5.Credentials.sendASRequest(Credentials.java:400)
    at sun.security.krb5.Credentials.acquireTGT(Credentials.java:350)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:672)
    ... 17 more
13:33:27,790 INFO org.apache.hadoop.hdfs.server.namenode.NameNode: SHUTDOWN_MSG:
/************************************************************
SHUTDOWN_MSG: Shutting down NameNode at master./192.168.1.82
************************************************************/

/var/log/hadoop/hadoop-hadoop-namenode-master..out:

KrbKdcReq send: kdc=kerberos. UDP:88,timeout=30000, number of retries =3, #bytes=195
KDCCommunication: kdc=kerberos. UDP:88,timeout=30000,Attempt =1, #bytes=195
SocketTimeOutException with attempt: 1
KDCCommunication: kdc=kerberos. UDP:88,timeout=30000,Attempt =2, #bytes=195
SocketTimeOutException with attempt: 2
KDCCommunication: kdc=kerberos. UDP:88,timeout=30000,Attempt =3, #bytes=195
SocketTimeOutException with attempt: 3
KrbKdcReq send: error trying kerberos.:88
java.net.SocketTimeoutException: Receive timed out
    at java.net.PlainDatagramSocketImpl.receive0(Native Method)
    at java.net.PlainDatagramSocketImpl.receive(PlainDatagramSocketImpl.java:145)
    at java.net.DatagramSocket.receive(DatagramSocket.java:725)
    at sun.security.krb5.internal.UDPClient.receive(UDPClient.java:77)
    at sun.security.krb5.KrbKdcReq$KdcCommunication.run(KrbKdcReq.java:352)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:266)
    at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:174)
    at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:147)
    at sun.security.krb5.KrbAsReq.send(KrbAsReq.java:431)
    at sun.security.krb5.Credentials.sendASRequest(Credentials.java:400)
    at sun.security.krb5.Credentials.acquireTGT(Credentials.java:350)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:672)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:575)
    at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:779)
    at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:276)
    at org.apache.hadoop.hdfs.server.namenode.NameNode.initialize(NameNode.java:302)
    at org.apache.hadoop.hdfs.server.namenode.NameNode.<init>(NameNode.java:568)
    at org.apache.hadoop.hdfs.server.namenode.NameNode.createNameNode(NameNode.java:1444)
    at org.apache.hadoop.hdfs.server.namenode.NameNode.main(NameNode.java:1453)
KdcAccessibility: add kerberos.:88

--
Todd Lipcon
Software Engineer, Cloudera
--
kerbauth.dll
IIS Kerberos Authentication Module
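How to use the DLL file
Step 1: After downloading the file from our website, first extract it (it is usually a zip archive).
Step 2: Then choose X86 or X64 according to your system. X86 is for 32-bit computers and X64 is for 64-bit computers. If you do not know whether yours is X86 or X64, you can click this link to check.
Step 3: Choose the file version according to the software. This step is more involved. If it is a Windows DLL file:
    A version number starting with 5.0, or one containing nt, is usually a Windows 2000 file.
    A version number starting with 5.1, or one containing xp, xpsp1, xpsp2 or xpsp3, is usually a Windows XP file.
    A version number starting with 6.0, or one containing longhorn or vista, is usually a Windows Vista file.
    A version number starting with 6.1, or one containing win7, is usually a Windows 7 file.
If it is not a Windows DLL file, you have to judge from the version number, the description, information provided by other users, and the version numbers of related DLLs.
If you really cannot tell, copy each version of the DLL file to the corresponding directory (shown on the file's detail page on our website) or to C:\Windows\System (Windows 95/98/Me), C:\WINNT\System32 (Windows NT/2000) or C:\Windows\System32 (Windows XP, Vista, 7), and try each in turn.
If the problem persists after this, you may need to use regsvr32, as follows: 1. Click Start and choose Run. 2. Type regsvr32 filename.dll and press OK. A message confirming successful registration will then appear.
In addition, you can use our repair tool to fix the problem.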
Kerberos Module for Apache
Configuration
This page describes configuration of module version 5.0. Configuration guide
for the older module 4.x can be found .
Before you start configuring the module, make sure your Kerberos environment
is properly configured (i.e. KDC, /etc/krb5.conf, etc.). The easiest way to
check is to use the kinit command from the apache machine to get a
ticket for some known principal (preferably the one that will be used to
test the module).

Now you have to create a service key for the module, which is needed to
perform client authentication. Verification of the Kerberos password has two
steps. In the first one, the KDC is contacted using the password in an attempt
to receive a ticket for the client. After this ticket is successfully acquired,
the module must also verify that the KDC hasn't been deliberately faked and
that the ticket just received can be trusted. Without this check, any attacker
capable of spoofing the KDC could impersonate any principal registered with
the KDC. To perform the check, the apache module must verify that the KDC
knows its service key, which apache shares with the KDC. This service key
must be created while configuring the module.

The service key is also needed when the Negotiate method is used. In this case
the module acts as a standard Kerberos service (similarly to e.g. kerberized
ssh or ftp servers).

The default name of the service key is
HTTP/<fqdn_of_www_server>@REALM; another name of the first
instance can be set using the KrbServiceName option. The key must be stored
in a keytab on a local disk; the Krb5Keytab and Krb4Srvtab options specify
the file containing the keytab. This file should be readable only by the
apache process and contain only the key used for www authentication.
To have the module loaded when apache starts, add the following line
to your httpd.conf:
LoadModule auth_kerb_module libexec/mod_auth_kerb.so
AuthType type
For Kerberos authentication to work, AuthType must be set to
For reasons of backwards compatibility the values KerberosV4
and KerberosV5 are also supported. Their use is not recommended,
though; for finer-grained settings use the following three options.
KrbMethodNegotiate on | off
(set to on by default)
Enables or disables the use of the Negotiate method. This mechanism requires
special support on the browser side.
KrbMethodK5Passwd on | off
(set to on by default)
To enable or disable the use of password based authentication for Kerberos v5.
KrbMethodK4Passwd on | off
(set to on by default)
To enable or disable the use of password based authentication for Kerberos v4.
KrbAuthoritative on | off
(set to on by default)
If set to off, this directive allows authentication controls to be passed
on to other modules. Use only if you really know what you are doing.
KrbAuthRealms realm1 [realm2 ... realmN]
This option takes one or more arguments (separated by spaces), specifying the
Kerberos realm(s) to be used for authentication. This defaults to the default
realm taken from the local Kerberos configuration.
KrbVerifyKDC on | off
(set to on by default)
This option can be used to disable the verification of tickets against the
local keytab, which is done to prevent KDC spoofing attacks. It should be used
only for testing purposes. You have been warned.
KrbServiceName service
(set to HTTP by default)
Specifies the service name that Apache will use for authentication.
The corresponding key for this name must be stored in the keytab.
Krb4Srvtab /path/to/srvtab
This option takes one argument, specifying the path to the Kerberos V4 srvtab.
It will simply use the "default srvtab" from Kerberos V4's configuration if
this option is not specified. The srvtab must be readable for the apache
process, and should be different from srvtabs containing keys for other
Krb5Keytab /path/to/keytab
This option takes one argument, specifying the location of the Kerberos V5
keytab file. It will use the "default keytab" from Kerberos V5's config if it
is not specified here. The keytab file must be readable for the apache process,
and should be different from other keytabs in the system.
KrbSaveCredentials on | off
(set to off by default)
This option enables
functionality.
Sometimes there is a need to keep the ticket file or credential cache around
after a user authenticates, normally for cgi scripts. If you turn on
, the tickets will be
retrieved into a ticket file or credential cache that will be available for the
request handler. The ticket file will be removed after the request is handled.
A CGI script can use these files by setting the KRB5CCNAME (v5) or
KRBTKFILE (v4) environment variables to point to the filename as listed
A sample script to use the KRB5CCNAME is
Sample .htaccess
AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealms KRB.NCSU.EDU NCSU.EDU
KrbMethodK4Passwd off
require user principal1@KRB.NCSU.EDU principal2@NCSU.EDU
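
An added example, not part of the module's documentation: a small Python audit of one configuration scope against the guidance on this page (KrbVerifyKDC and KrbAuthoritative left on, a dedicated keytab readable only by the apache process). The function names, finding codes and the WEAK sample are constructed for illustration.

```python
import os
import shlex
import stat

# Directives that default to on and that the page warns against turning off.
RISKY_OFF = {
    "krbverifykdc": ("VERIFY_KDC_OFF", "tickets are not checked against the local keytab"),
    "krbauthoritative": ("NOT_AUTHORITATIVE", "authentication may pass on to other modules"),
}

def parse_directives(text):
    """Map lower-cased directive name -> argument list (last setting wins)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":  # skip comments and <Section> tags
            continue
        name, *args = shlex.split(line)
        cfg[name.lower()] = args
    return cfg

def audit(text):
    """Return (code, message) findings for one scope; [] means none."""
    cfg = parse_directives(text)
    out = [finding for key, finding in RISKY_OFF.items()
           if [a.lower() for a in cfg.get(key, [])][:1] == ["off"]]
    if "krbmethodk4passwd" not in cfg:
        out.append(("K4_PASSWD_IMPLICIT", "v4 password authentication defaults to on"))
    keytab = cfg.get("krb5keytab")
    if not keytab:
        return out + [("DEFAULT_KEYTAB", "Krb5Keytab unset, the default keytab is used")]
    try:
        mode = stat.S_IMODE(os.stat(keytab[0]).st_mode)
    except OSError:
        return out + [("KEYTAB_MISSING", keytab[0] + " is missing or inaccessible")]
    if mode & 0o077:  # any group/other permission bit
        out.append(("KEYTAB_PERMS", "%s has mode %o" % (keytab[0], mode)))
    return out

# Constructed sample based on the page's .htaccess, weakened for the demo.
WEAK = """AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealms KRB.NCSU.EDU NCSU.EDU
KrbVerifyKDC off
KrbAuthoritative off
"""

if __name__ == "__main__":
    print("\n".join("%s: %s" % f for f in audit(WEAK)))
```
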
Reminder, you need to set the appropriate AllowOverride directive in your
server access configuration so that a different AuthType will be
Using Mozilla
The module was tested with the latest Mozilla 1.7b which supports GSSAPI
authentication in the default distribution for Linux. If you want to give it a
try download the
mozilla package. If you're using the MIT implementation of krb5, all you
have to do is make sure that the MIT dynamic libraries are available to
Mozilla. Either install them in a system directory or set the
LD_LIBRARY_PATH environment variable to point to the directory
containing the libraries.
If you're using the Heimdal krb5 implementation, you have to install an
additional package with dummy libraries.
and unpack it. Enter the gss_dummy directory and run make. Then
add the full path to this directory to the LD_LIBRARY_PATH environment
variable, along with the path to your standard Heimdal libraries. Then set the
LD_PRELOAD variable to point to the Heimdal libgssapi.so and to the
libgss_nt_service_name.so library created in the dummy directory.
Once you have set up your environment and exported the variables, you can
start Mozilla and should be able to talk to the module. You can also enable
debugging of the Mozilla Negotiate module by setting the NSPR_LOG_MODULES
and NSPR_LOG_FILE variables to negotiateauth:5 and /tmp/negotiateauth.log
respectively.
LD_PRELOAD=/usr/heimdal-0.6/lib/libgssapi.so:gss_lib/libgss_nt_service_name.so
LD_LIBRARY_PATH=gss_lib:/usr/heimdal-0.6/lib
NSPR_LOG_MODULES=negotiateauth:5
NSPR_LOG_FILE=/tmp/negotiateauth.log
export LD_PRELOAD LD_LIBRARY_PATH NSPR_LOG_MODULES NSPR_LOG_FILE
