Posted to user@zookeeper.apache.org by Shrikant Patel <SP...@pdxinc.com> on 2017/03/15 16:40:49 UTC

Help with SASL configuration for Zookeeper on the Microsoft AD.

Hi

Does anyone have experience with securing the Kafka-to-Zookeeper configuration and setting up SASL on a Microsoft AD account?

We created keytabs and principals for Kafka and ZK using https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/

We see these principals in our AD. When ZK and Kafka are launched they are able to connect to the Kerberos \ AD server using their individual keytabs. But when Kafka tries to request a service ticket for ZK from Kerberos, it errors out with the error below.

>>>KRBError:
         sTime is Fri Feb 10 11:48:41 CST 2017 1486748921000
         suSec is 282568
         error code is 7
         error Message is Server not found in Kerberos database
         sname is zk/XXXX.XXXXX.com@XXX.COM
         msgType is 30

(As per https://issues.apache.org/jira/browse/ZOOKEEPER-1811, we have set zookeeper.sasl.client.username so that zk is used for the zookeeper name.)

It seems the issue is that we may not have set up the SPN (service profile name) correctly, or linked the user account\keytab to the SPN.

We have spent a good amount of time with our IT\AD team on this. We are ready to provide some monetary incentive to anyone who helps us resolve this issue.

Thanks,
Shri
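The KDC returns error code 7 ("Server not found in Kerberos database") when no account in the realm carries the exact service principal name the client asked for; in the post above that name is zk/XXXX.XXXXX.com@XXX.COM, built from zookeeper.sasl.client.username and the ZooKeeper hostname. The script below is an added diagnostic, not part of the original post and not ZooKeeper or Kafka code: it derives the SPNs a Kafka client will request from a ZooKeeper connect string and compares them with the SPNs registered on the AD account as listed by `setspn -L <account>`. The connect string, realm and setspn output are constructed sample data, and the hostnames are assumed to be used exactly as written in the connect string (no canonicalization).

```python
"""Check that the SPNs a ZooKeeper SASL client will request exist on the AD account.

Example code added to illustrate the KRB error 7 diagnosis; the connect string,
realm and `setspn -L` output below are constructed samples.
"""
import re

# One indented SPN per line follows the "Registered ServicePrincipalNames for ..." header.
SETSPN_LINE = re.compile(r"^\s+(\S+/\S+)\s*$")


def expected_service_principals(connect_string, service_name="zookeeper", realm=None):
    """Return the principals a SASL/GSSAPI client asks the KDC for, one per ZK host.

    The client builds <service_name>/<host>; service_name comes from the
    zookeeper.sasl.client.username property (default "zookeeper", set to "zk" in
    the post). Ports and an optional chroot suffix are not part of the name.
    Assumption: hostnames are taken verbatim from the connect string.
    """
    hosts_part = connect_string.split("/", 1)[0]  # drop "/chroot" if present
    principals = []
    for entry in hosts_part.split(","):
        entry = entry.strip()
        if not entry:
            continue
        host = entry.rsplit(":", 1)[0] if ":" in entry else entry
        spn = f"{service_name}/{host}"
        if realm:
            spn = f"{spn}@{realm}"
        principals.append(spn)
    return principals


def parse_setspn_output(text):
    """Extract the SPN set from `setspn -L` output (header line, then indented SPNs)."""
    spns = set()
    for line in text.splitlines():
        match = SETSPN_LINE.match(line)
        if match:
            spns.add(match.group(1))
    return spns


def check_spns(expected, registered):
    """Classify each expected principal as 'ok', 'case-mismatch (...)' or 'missing'.

    setspn lists names without the @REALM suffix, so the realm is stripped before
    comparison. Case-only differences are reported separately so they can be
    reviewed rather than silently treated as a match.
    """
    registered_lower = {s.lower(): s for s in registered}
    result = {}
    for principal in expected:
        name = principal.split("@", 1)[0]
        if name in registered:
            result[principal] = "ok"
        elif name.lower() in registered_lower:
            result[principal] = f"case-mismatch (registered as {registered_lower[name.lower()]})"
        else:
            result[principal] = "missing"
    return result


# Constructed sample input: three ZK hosts, a chroot, and an AD service account
# whose SPN list only matches the first host exactly.
CONNECT_STRING = "zk1.example.com:2181,zk2.example.com:2181,zk3.example.com:2181/kafka"
REALM = "EXAMPLE.COM"
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=zookeeper,OU=Service Accounts,DC=example,DC=com:
        zk/zk1.example.com
        ZK/zk2.example.com
        zookeeper/zk3.example.com
"""


def run_report(connect_string=CONNECT_STRING, service_name="zk", realm=REALM,
               setspn_output=SETSPN_OUTPUT):
    """Compare expected and registered SPNs and return the classification map."""
    expected = expected_service_principals(connect_string, service_name, realm)
    registered = parse_setspn_output(setspn_output)
    return check_spns(expected, registered)


if __name__ == "__main__":
    for principal, status in run_report().items():
        print(f"{principal}: {status}")
```

In the sample, zk3 is registered as zookeeper/zk3.example.com, which is what a client requests when zookeeper.sasl.client.username is left at its default; once the property is set to zk, that host's SPN must be re-registered under the zk/ prefix. The same name also has to be the principal in the keytab and JAAS entry the ZooKeeper server itself uses, since the KDC issues a ticket for one service name and the server can only decrypt it with the matching key.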
