Kerberos - found unsupported keytype (1)

Question

I am getting error after I updated Java from JAVA 6 to JAVA 7. In java 6 everything was running fine, but I need to move.

Found unsupported keytype (1) for my/my.com
Added key: 16version: 1
Added key: 23version: 1
Added key: 18version: 1
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.
Found unsupported keytype (1) for my/my.com
Added key: 16version: 1
Added key: 23version: 1
Added key: 18version: 1
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=my.com UDP:88, timeout=3, number of retries =1, #bytes=183
>>> KDCCommunication: kdc=my.com UDP:88, timeout=3,Attempt =1, #bytes=183
Exception in thread "main" java.io.IOException: Login failure for my/my.com from keytab /etc/hbase/conf/hdfs.keytab  

Answer 1

First four lines in the logs, which you've attach show what entries are in your keytab. There are four entries - first line shows that there's key of code 1 (and we can look up in IANA table what this code stands for: http://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xml. etype 1 is des-cbc-crc).

Now in the fith line, there's info "Using builtin default etypes..", like you haven't configured your krb5.ini file? (in Windows it's usually in C:\windows\krb5.ini. Full description where this file can be: http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html). We can see default enctypes: 18, 17 (aes), 16 (des) and 23 (rc4-hmac). 1 is not on this list, that's why entry for this very old DES variant is not loaded from keytab, with error: Found unsupported keytype (1) for my/my.com.

You need to create krb5.ini file. It should look a bit like this (MUST be adjusted to your organization setting):

[libdefaults]
  forwardable = true
  dns_lookup_kdc = true
  dns_lookup_realm = true
  default_realm = YOUR.COMPANY

  default_tkt_enctypes = rc4-hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
  default_tgs_enctypes = rc4-hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
  permitted_enctypes   = rc4-hmac aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc

[realms]
  YOUR.COMPANY = {
     kdc = your.company
  }

[domain_realm]
  .your.company = YOUR.COMPANY
  your.company  = YOUR.COMPANY