Posted to dev@kafka.apache.org by Shrikant Patel <SP...@pdxinc.com> on 2017/01/23 16:32:38 UTC

SASL for ZK\Kafka

Hi

I was trying to secure communication between ZK and Kafka. We generate the keytab file with the principal.

We were following this document - https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/ (really detailed doc)

For Kafka - kafka/xx-xxxx-xx.XXXXX.COM@XXXXX.COM

For ZK - zk//xx-xxxx-xx.XXXXX.COM@XXXXX.COM (our IT expert was running into issues creating the principal as in the link, because AD has a 20 character limit)

Since we were running into issues, we enabled the SASL debug flag -Dsun.security.krb5.debug=true

And we see the error below. I don't have in-depth knowledge about SASL, so I wanted to check with the group to see if anyone has faced this issue.

>>>KRBError:
         sTime is Wed Jan 18 09:46:12 CST 2017 1484754372000
         suSec is 434552
         error code is 24
         error Message is Pre-authentication information was invalid
         sname is krbtgt/XXXXX.COM@XXXXX.COM
         eData provided.
        msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 17, salt = XXXXX.COMzkxx-xxxx-xx.xxxxx.com, s2kparams = null
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

[2017-01-18 09:46:12,517] ERROR Unexpected exception, exiting abnormally (org.apache.zookeeper.server.quorum.QuorumPeerMain)
java.io.IOException: Could not configure server because SASL configuration did not allow the  ZooKeeper server to authenticate itself properly: javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
        at org.apache.zookeeper.server.ServerCnxnFactory.configureSaslLogin(ServerCnxnFactory.java:207)
        at org.apache.zookeeper.server.NIOServerCnxnFactory.configure(NIOServerCnxnFactory.java:82)
        at org.apache.zookeeper.server.quorum.QuorumPeerMain.runFromConfig(QuorumPeerMain.java:130)
        at org.apache.zookeeper.server.quorum.QuorumPeerMain.initializeAndRun(QuorumPeerMain.java:111)
        at org.apache.zookeeper.server.quorum.QuorumPeerMain.main(QuorumPeerMain.java:78)




Thanks,
Shri
______________________________________________________________
Shrikant Patel   |   PDX-NHIN
Enterprise Architecture Team
Asserting the Role of Pharmacy in Healthcare  www.pdxinc.com
main 817.367.4302
101 Jim Wright Freeway South, Suite 200, Fort Worth, Texas 76108-2202

