
After enabling Kerberos on CDH, logging in to HDFS, Solr, etc. from a browser reports a permission error

kylines07 posted on 2015-8-4 21:50:02
After enabling Kerberos on CDH, logging in to HDFS, Solr, etc. from a browser reports a permission error. How can this be resolved?
type Status report
message GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
description Access to the specified resource has been forbidden.


The Cloudera docs mention that the browser needs to be configured, but it still doesn't work. Does anyone have any other ideas?



Using a Web Browser to Access an URL Protected by Kerberos HTTP SPNEGO
To access an URL protected by Kerberos HTTP SPNEGO, use the following instructions for the browser you are using.
To configure Mozilla Firefox:
1. Open the low level Firefox configuration page by loading the about:config page.
2. In the Search text box, enter: network.negotiate-auth.trusted-uris
3. Double-click the network.negotiate-auth.trusted-uris preference and enter the hostname or the domain of the web server that is protected by Kerberos HTTP SPNEGO. Separate multiple domains and hostnames with a comma.
4. Click OK.
To configure Internet Explorer:
Follow the instructions given below to configure Internet Explorer to access URLs protected by
Configuring the Local Intranet Domain
1. Open Internet Explorer and click the Settings "gear" icon in the top-right corner. Select Internet options.
2. Select the Security tab.
3. Select the Local Intranet zone and click the Sites button.
4. Make sure that the first two options, Include all local (intranet) sites not listed in other zones and Include all sites that bypass the proxy server are checked.
5. Click Advanced and add the names of the domains that are protected by Kerberos HTTP SPNEGO, one at a time, to the list of websites. For example, myhost.example.com. Click Close.
6. Click OK to save your configuration changes.
Configuring Intranet Authentication
1. Click the Settings "gear" icon in the top-right corner. Select Internet options.
2. Select the Security tab.
3. Select the Local Intranet zone and click the Custom level... button to open the Security Settings - Local Intranet Zone dialog box.
4. Scroll down to the User Authentication options and select Automatic logon only in Intranet zone.
5. Click OK to save these changes.
Verifying Proxy Settings
You need to perform the following steps only if you have a proxy server already enabled.
1. Click the Settings "gear" icon in the top-right corner. Select Internet options.
2. Select the Connections tab and click LAN Settings.
3. Verify that the proxy server Address and Port number settings are correct.
4. Click Advanced to open the Proxy Settings dialog box.
5. Add the Kerberos-protected domains to the Exceptions field.
6. Click OK to save any changes.
To configure Google Chrome:
If you are using Windows, use the Control Panel to navigate to the Internet Options dialogue box. Configuration changes required are the same as those described above for Internet Explorer.
On MacOS or Linux, add the --auth-server-whitelist parameter to the google-chrome command. For example, to run Chrome from a Linux prompt, run the google-chrome command as follows,
> google-chrome --auth-server-whitelist = "hostname/do
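A diagnostic sketch for the error quoted above, added here as an example and not taken from the thread or from the Cloudera documentation: it inspects the value of the `Authorization: Negotiate` header the browser sends and reports whether the token is a GSS-API/SPNEGO token or a raw NTLM message. It rests on the assumption that the browser is sending something other than a Kerberos SPNEGO token (an NTLM fallback is a common cause of the "GSSHeader did not find the right tag" message); the function names and sample bytes are constructed for illustration.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"                          # raw NTLM message signature
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # DER OID 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # DER OID 1.2.840.113554.1.2.2

def _after_der_length(buf, pos):
    """Index of the first byte after the DER length field that starts at pos."""
    first = buf[pos]
    return pos + 1 if first < 0x80 else pos + 1 + (first & 0x7F)

def classify_negotiate(header_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                     # binascii.Error is a ValueError
        return "bad-base64"
    if token.startswith(NTLMSSP_SIG):
        return "ntlm"                      # no GSS header, so not parseable as SPNEGO
    if len(token) < 2 or token[0] != 0x60:
        return "unknown"                   # GSS-API initial tokens start with tag 0x60
    oid_at = _after_der_length(token, 1)
    if token.startswith(SPNEGO_OID, oid_at):
        return "spnego"
    if token.startswith(KRB5_OID, oid_at):
        return "kerberos"
    return "unknown"

def header_for(raw_token):
    """Build a header value from raw token bytes (helper for the samples below)."""
    return "Negotiate " + base64.b64encode(raw_token).decode("ascii")

# Constructed token prefixes for illustration, not captured traffic.
SAMPLES = {
    "ntlm": NTLMSSP_SIG + b"\x01\x00\x00\x00",
    "spnego": b"\x60\x82\x01\x00" + SPNEGO_OID + b"\xa0\x00",
    "kerberos": b"\x60\x0d" + KRB5_OID + b"\x01\x00",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify_negotiate(header_for(raw)))
```

A result of `ntlm` means the browser did not obtain a Kerberos service ticket for the host and fell back to NTLM, so the browser-side settings listed above did not take effect for that hostname.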

2 comments

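Alkaloid0515 posted on 2015-8-4 23:18:16
Bumping this for the original poster.
If the solution in the English docs doesn't work, then this counts as a hard-to-diagnose problem. Not many people know Kerberos; usually part of it is an operational issue, and then you combine that with the documented solution.

Try a few more possibilities.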

kylines07 posted on 2015-8-7 23:18:15
Has nobody tried this?