本地环境访问集群OK
生产环境却报错
查找日志信息,发现Kerberos认证的时候,域名解析出现问题?!!
登录生产环境ping 043节点,能ping通说明域名是能解析成IP地址的(有DNS服务器)蓝瘦香菇,明明报错是域名解析问题为什么能ping通呢?
于是把本地Java访问集群代码改成IP试一试,呵呵报错了
Caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:770)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192)
... 90 common frames omitted
Caused by: sun.security.krb5.KrbException: Server not found in Kerberos database (7) - LOOKING_UP_SERVER
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:73)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:251)
at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:262)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:308)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:126)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:458)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:693)
... 93 common frames omitted
Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)
... 99 common frames omitted
本地直接访问IP的话Kerberos认证不通过,改成域名是可以的
(本地配置了hosts映射)
经过两天的排查终于发现了问题所在:
生产环境krb5.conf文件中有个配置是关闭dns访问的,也就是说集群直接是通过hosts进行通信的,并没有使用DNS服务器?!!
我还纳闷既然能ping通,不应该存在IP和域名解析的错误才对,原来是集群配置的问题,不懂运维的开发不是一个合格程序员。。。
解决方法:
生产环境配置IP和域名映射即可。
课后作业:
#本地域名解析
/etc/host.conf
#DNS服务器
/etc/resolv.conf
#本地还是DNS优先级
/etc/nsswitch.conf
