Ambari开启Kerberos认证加密类型错误Kylin V10
温馨提示
本文内容在 Kylin V10 系统 下完成测试,不保证其他系统的正确性。 如在部署中遇到问题,可联系作者共同探讨或反馈。 👉 联系入口在此页 (opens new window)
# 一、报错问题与复现场景
在 Ambari 启用 Kerberos 后执行 KERBEROS_SERVICE_CHECK 时,任务失败,ambari-server.log 出现如下异常日志:
2025-11-03 16:34:37,160 INFO [agent-report-processor-1] o.a.a.s.agent.HeartbeatProcessor:408 - Missing principal: aaaa-110325@TTBIGDATA.COM for keytab: /etc/security/keytabs/kerberos.service_check.110325.keytab on host: dev1
2025-11-03 16:34:37,160 INFO [agent-report-processor-1] o.a.a.s.agent.HeartbeatProcessor:408 - Missing principal: aaaa-110325@TTBIGDATA.COM for keytab: /etc/security/keytabs/kerberos.service_check.110325.keytab on host: dev1
2025-11-03 16:34:37,182 INFO [agent-report-processor-0] o.a.a.s.agent.HeartbeatProcessor:408 - Missing principal: aaaa-110325@TTBIGDATA.COM for keytab: /etc/security/keytabs/kerberos.service_check.110325.keytab on host: dev2
2025-11-03 16:34:37,182 INFO [agent-report-processor-0] o.a.a.s.agent.HeartbeatProcessor:408 - Missing principal: aaaa-110325@TTBIGDATA.COM for keytab: /etc/security/keytabs/kerberos.service_check.110325.keytab on host: dev2
2025-11-03 16:34:37,260 INFO [agent-report-processor-2] o.a.a.s.agent.HeartbeatProcessor:408 - Missing principal: aaaa-110325@TTBIGDATA.COM for keytab: /etc/security/keytabs/kerberos.service_check.110325.keytab on host: dev3
2025-11-03 16:34:37,260 INFO [agent-report-processor-2] o.a.a.s.agent.HeartbeatProcessor:408 - Missing principal: aaaa-110325@TTBIGDATA.COM for keytab: /etc/security/keytabs/kerberos.service_check.110325.keytab on host: dev3
2025-11-03 16:34:37,522 INFO [Server Action Executor Worker 1140] o.a.a.s.s.k.KerberosServerAction:432 - Processing identities...
2025-11-03 16:34:37,522 INFO [Server Action Executor Worker 1140] o.a.a.s.s.k.KerberosServerAction:432 - Processing identities...
2025-11-03 16:34:37,571 INFO [agent-report-processor-2] o.a.a.s.agent.HeartbeatProcessor:408 - Missing principal: aaaa-110325@TTBIGDATA.COM for keytab: /etc/security/keytabs/kerberos.service_check.110325.keytab on host: dev3
2025-11-03 16:34:37,571 INFO [agent-report-processor-2] o.a.a.s.agent.HeartbeatProcessor:408 - Missing principal: aaaa-110325@TTBIGDATA.COM for keytab: /etc/security/keytabs/kerberos.service_check.110325.keytab on host: dev3
2025-11-03 16:34:37,573 WARN [agent-report-processor-2] o.a.a.s.actionmanager.ActionManager:162 - The task 1139 is not in progress, ignoring update
2025-11-03 16:34:37,573 WARN [agent-report-processor-2] o.a.a.s.actionmanager.ActionManager:162 - The task 1139 is not in progress, ignoring update
2025-11-03 16:34:37,664 INFO [Server Action Executor Worker 1140] o.a.ambari.server.utils.ThreadPools:72 - Creating 'process-identity-task-1140-thread-%d' thread pool with configured size 1
2025-11-03 16:34:37,664 INFO [Server Action Executor Worker 1140] o.a.ambari.server.utils.ThreadPools:72 - Creating 'process-identity-task-1140-thread-%d' thread pool with configured size 1
2025-11-03 16:34:37,665 INFO [Server Action Executor Worker 1140] o.a.ambari.server.utils.ThreadPools:160 - Processing 3 identities concurrently...
2025-11-03 16:34:37,665 INFO [Server Action Executor Worker 1140] o.a.ambari.server.utils.ThreadPools:160 - Processing 3 identities concurrently...
2025-11-03 16:34:37,665 INFO [process-identity-task-1140-thread-0] o.a.a.s.s.k.CreatePrincipalsServerAction:241 - Processing principal, aaaa-110325@TTBIGDATA.COM
2025-11-03 16:34:37,665 INFO [process-identity-task-1140-thread-0] o.a.a.s.s.k.CreatePrincipalsServerAction:241 - Processing principal, aaaa-110325@TTBIGDATA.COM
2025-11-03 16:34:37,688 INFO [Server Action Executor Worker 1140] o.a.a.s.s.k.KerberosServerAction:508 - Processing identities completed.
2025-11-03 16:34:37,688 INFO [Server Action Executor Worker 1140] o.a.a.s.s.k.KerberosServerAction:508 - Processing identities completed.
2025-11-03 16:34:38,541 INFO [Server Action Executor Worker 1141] o.a.a.s.s.k.KerberosServerAction:432 - Processing identities...
2025-11-03 16:34:38,541 INFO [Server Action Executor Worker 1141] o.a.a.s.s.k.KerberosServerAction:432 - Processing identities...
2025-11-03 16:34:38,685 INFO [Server Action Executor Worker 1141] o.a.ambari.server.utils.ThreadPools:72 - Creating 'process-identity-task-1141-thread-%d' thread pool with configured size 1
2025-11-03 16:34:38,685 INFO [Server Action Executor Worker 1141] o.a.ambari.server.utils.ThreadPools:72 - Creating 'process-identity-task-1141-thread-%d' thread pool with configured size 1
2025-11-03 16:34:38,686 INFO [Server Action Executor Worker 1141] o.a.ambari.server.utils.ThreadPools:160 - Processing 3 identities concurrently...
2025-11-03 16:34:38,686 INFO [Server Action Executor Worker 1141] o.a.ambari.server.utils.ThreadPools:160 - Processing 3 identities concurrently...
2025-11-03 16:34:38,688 INFO [process-identity-task-1141-thread-0] o.a.a.s.s.k.CreateKeytabFilesServerAction:200 - Creating keytab file for aaaa-110325@TTBIGDATA.COM on host dev1
2025-11-03 16:34:38,688 INFO [process-identity-task-1141-thread-0] o.a.a.s.s.k.CreateKeytabFilesServerAction:200 - Creating keytab file for aaaa-110325@TTBIGDATA.COM on host dev1
2025-11-03 16:34:38,708 ERROR [Server Action Executor Worker 1141] o.a.a.s.s.k.KerberosServerAction:493 - Unable to process identities asynchronously
java.util.concurrent.ExecutionException: java.lang.NullPointerException: Cannot invoke "org.apache.directory.server.kerberos.shared.keytab.Keytab.write(java.io.File)" because "keytab" is null
at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191)
at org.apache.ambari.server.utils.ThreadPools.parallelOperation(ThreadPools.java:165)
at org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.processIdentities(KerberosServerAction.java:473)
at org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServerAction.execute(CreateKeytabFilesServerAction.java:106)
at org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.execute(ServerActionExecutor.java:550)
at org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.run(ServerActionExecutor.java:466)
at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: java.lang.NullPointerException: Cannot invoke "org.apache.directory.server.kerberos.shared.keytab.Keytab.write(java.io.File)" because "keytab" is null
at org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServerAction.cacheKeytab(CreateKeytabFilesServerAction.java:422)
at org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServerAction.createKeytab(CreateKeytabFilesServerAction.java:354)
at org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServerAction.processIdentity(CreateKeytabFilesServerAction.java:250)
at org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.lambda$processIdentities$3(KerberosServerAction.java:477)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
... 1 common frames omitted
2025-11-03 16:34:38,708 ERROR [Server Action Executor Worker 1141] o.a.a.s.s.k.KerberosServerAction:493 - Unable to process identities asynchronously
java.util.concurrent.ExecutionException: java.lang.NullPointerException: Cannot invoke "org.apache.directory.server.kerberos.shared.keytab.Keytab.write(java.io.File)" because "keytab" is null
at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191)
at org.apache.ambari.server.utils.ThreadPools.parallelOperation(ThreadPools.java:165)
at org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.processIdentities(KerberosServerAction.java:473)
at org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServerAction.execute(CreateKeytabFilesServerAction.java:106)
at org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.execute(ServerActionExecutor.java:550)
at org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.run(ServerActionExecutor.java:466)
at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: java.lang.NullPointerException: Cannot invoke "org.apache.directory.server.kerberos.shared.keytab.Keytab.write(java.io.File)" because "keytab" is null
at org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServerAction.cacheKeytab(CreateKeytabFilesServerAction.java:422)
at org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServerAction.createKeytab(CreateKeytabFilesServerAction.java:354)
at org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServerAction.processIdentity(CreateKeytabFilesServerAction.java:250)
at org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.lambda$processIdentities$3(KerberosServerAction.java:477)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
... 1 common frames omitted
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
这意味着 Ambari Server 在生成 kerberos.service_check.*.keytab 文件时拿到的 keytab 对象为空(keytab == null),
因此在写文件阶段触发 NullPointerException,Service Check 直接失败。
现场特征
- 多台主机同时提示 Missing principal;
- 随后触发
CreateKeytabFilesServerAction; - 关键异常位于
keytab.write()调用处; - 通常与 加密算法不被系统接受 或 principal 含旧密钥算法 有关。
# 二、错误原因分析
# 1、触发点:CreateKeytabFilesServerAction 调用链
processIdentities → createKeytab → cacheKeytab → keytab.write(file)
1
该流程中,createKeytab 会调用 krb5 库生成密钥文件。
若系统不支持所请求的 enctype(加密类型),则返回 null,
后续 keytab.write(File) 无法执行 → 抛出 NPE。
# 2、直接原因:加密类型不兼容
在旧环境(如 CentOS 7.9)常见的配置如下:
[libdefaults]
default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
permitted_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
1
2
3
4
2
3
4
说明
在 Kylin V10 / openEuler / UOS 等新系统中,
系统级安全策略默认禁用了 DES、RC4、MD5 等弱算法,
KDC 无法生成相应密钥,因此 createKeytab() 返回 null。
# 三、系统差异对比:CentOS 7.9 vs Kylin V10
| 对比项 | CentOS 7.9 | Kylin V10 / openEuler |
|---|---|---|
| krb5 版本 | 1.15.x | 1.18+(国密策略增强) |
| 默认算法 | aes des3-cbc-sha1 rc4 des-cbc-md5 | aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 |
| 是否允许 DES/RC4 | ✅ 允许 | ❌ 禁用 |
| keytab 生成兼容性 | 正常生成 | 报错:keytab is null |
| 安全策略来源 | 兼容旧算法 | 执行 FIPS / Crypto Policy 标准 |
提示
Kylin 系统默认开启 FIPS 模式 或 Crypto Policy 安全策略, 旧算法在系统层被禁用,Ambari 调用 krb5 时自然生成失败。
# 四、验证加密算法来源:系统策略优先于 krb5.conf
很多人会疑惑:“我在 /etc/krb5.conf 里根本没写算法,为什么还是报错?”
这其实是因为 Kylin 系统默认启用了系统级加密策略文件,
会在 krb5 启动时自动加载可用加密类型。
# 1、系统策略文件位置
在系统上执行:
ls /etc/krb5.conf.d/
1
可看到:
crypto-policies
kcm_default_ccache
1
2
2
打开 crypto-policies 文件:
cat /etc/krb5.conf.d/crypto-policies
1
内容示例:
[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 \
camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 \
camellia128-cts-cmac
1
2
3
4
2
3
4
可见系统仅允许 AES 与 Camellia 系列算法, 而 DES、RC4、MD5 已被系统策略永久禁用。 即便 krb5.conf 没写,也会自动使用该策略。
# 2、查看系统加密策略状态
# 当前系统策略模式(DEFAULT / FUTURE / FIPS)
update-crypto-policies --show
# 是否启用 FIPS
cat /proc/sys/crypto/fips_enabled
1
2
3
4
5
2
3
4
5
常见输出:
DEFAULT
1
1
2
2
表示系统处于高安全策略模式,弱算法完全禁用。
# 3、生效顺序与层级关系
| 层级 | 配置文件 | 控制范围 | 优先级 |
|---|---|---|---|
| 系统加密策略 | /etc/krb5.conf.d/crypto-policies | 限制全局算法范围 | 最高 |
| 用户配置 | /etc/krb5.conf | 可修改部分非安全参数 | 次级 |
| 应用调用 | Ambari / kinit / kadmin | 依赖前两级策略结果 | 最低 |
结论
在 Kylin / openEuler / UOS 系统中,
即使不在 krb5.conf 写加密算法,系统也会自动加载 AES-only 限制。
因此,报错原因不是配置缺失,而是系统策略拒绝了旧算法。
# 4、验证实际加密类型(推荐检查)
# 查看 principal 的密钥算法
kadmin.local -q "getprinc <principal>"
# 查看 keytab 内部加密算法
klist -k -e /etc/security/keytabs/<component>.keytab
1
2
3
4
5
2
3
4
5
如果输出中包含 rc4-hmac 或 des-cbc-md5,
说明该 principal 来自旧环境,应重新生成。
# 五、修复方案
将 Encyption Types 修改为 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
执行结果正常,日志中可见:
2025-11-03 16:34:38,540 - Processing identities...
2025-11-03 16:34:38,688 - Creating keytab file for aaaa-110325@TTBIGDATA.COM on host dev1
1
2
2
- 01
- KERBEROS SERVICE CHECK 报错11-04
- 03
- Kafka 启动兼容 Kerberos 源码级修改11-03