Posted to jira@kafka.apache.org by "Ronald van de Kuil (JIRA)" <ji...@apache.org> on 2017/11/10 12:45:00 UTC

[jira] [Commented] (KAFKA-6198) kerberos login fails

    [ https://issues.apache.org/jira/browse/KAFKA-6198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16247427#comment-16247427 ] 

Ronald van de Kuil commented on KAFKA-6198:
-------------------------------------------

Hmm, I found something using -Dsun.security.krb5.debug=true

>>>KRBError:
         cTime is Wed Mar 17 02:32:44 CET 1976 195874364000
         sTime is Fri Nov 10 13:39:42 CET 2017 1510317582000
         suSec is 983774
         error code is 7
         error Message is Server not found in Kerberos database
         cname is producer@DEV.IBM.COM
         sname is kafka/localhost@DEV.IBM.COM
         msgType is 30
KrbException: Server not found in Kerberos database (7) - LOOKING_UP_SERVER


> kerberos login fails
> --------------------
>
>                 Key: KAFKA-6198
>                 URL: https://issues.apache.org/jira/browse/KAFKA-6198
>             Project: Kafka
>          Issue Type: Test
>          Components: clients
>    Affects Versions: 0.11.0.1
>         Environment: raspberrypi
>            Reporter: Ronald van de Kuil
>            Priority: Minor
>
> I got very far with setting up Kerberos on the Raspberry Pi as part of self-study.
> I believe that the Kafka server is happy with Kerberos:
> [2017-11-10 12:17:51,659] INFO Successfully authenticated client: authenticationID=kafka/pi99.dev.ibm.com@DEV.IBM.COM; authorizationID=kafka/pi99.dev.ibm.com@DEV.IBM.COM. (org.apache.kafka.common.security.authenticator.SaslServerCallbackHandler)
> [2017-11-10 12:17:51,661] INFO Setting authorizedID: kafka (org.apache.kafka.common.security.authenticator.SaslServerCallbackHandler)
> I have set up the kafka.security.auth.SimpleAclAuthorizer
> and granted the following access:
> Current ACLs for resource `Topic:kerberos-topic`: 
> 	User:producer has Allow permission for operations: Describe from hosts: *
> 	User:producer has Allow permission for operations: Write from hosts: *
> 	User:producer@DEV.IBM.COM has Allow permission for operations: Describe from hosts: *
> 	User:producer@DEV.IBM.COM has Allow permission for operations: Write from hosts: * 
> When I start the client, I see it getting the Kerberos ticket:
> [main] INFO org.apache.kafka.common.security.authenticator.AbstractLogin - Successfully logged in.
> [kafka-kerberos-refresh-thread-producer@DEV.IBM.COM] INFO org.apache.kafka.common.security.kerberos.KerberosLogin - [Principal=producer@DEV.IBM.COM]: TGT refresh thread started.
> [kafka-kerberos-refresh-thread-producer@DEV.IBM.COM] INFO org.apache.kafka.common.security.kerberos.KerberosLogin - [Principal=producer@DEV.IBM.COM]: TGT valid starting at: Fri Nov 10 12:50:11 CET 2017
> [kafka-kerberos-refresh-thread-producer@DEV.IBM.COM] INFO org.apache.kafka.common.security.kerberos.KerberosLogin - [Principal=producer@DEV.IBM.COM]: TGT expires: Fri Nov 10 22:50:11 CET 2017
> [kafka-kerberos-refresh-thread-producer@DEV.IBM.COM] INFO org.apache.kafka.common.security.kerberos.KerberosLogin - [Principal=producer@DEV.IBM.COM]: TGT refresh sleeping until: Fri Nov 10 21:13:37 CET 2017
> But the client fails to log in:
> [kafka-producer-network-thread | producer-1] WARN org.apache.kafka.clients.NetworkClient - Connection to node -1 terminated during authentication. This may indicate that authentication failed due to invalid credentials.
> I do not see any warnings in the logs, so I do not have much to go on.
> What can I do to get my finger behind this issue?
> Thank you,
> Ronald - the NOOB



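Added example, not part of the original comment and not Kafka code: a small parser for the krb5 debug block above that compares the service principal the client requested (sname) with the principal the broker authenticated as in the quoted broker log. The function names are hypothetical; the sample input is copied from this thread.

```python
import re
# Sample input copied from this thread (broker log line shortened after the first field).
KRB_DEBUG = """\
>>>KRBError:
         cTime is Wed Mar 17 02:32:44 CET 1976 195874364000
         sTime is Fri Nov 10 13:39:42 CET 2017 1510317582000
         suSec is 983774
         error code is 7
         error Message is Server not found in Kerberos database
         cname is producer@DEV.IBM.COM
         sname is kafka/localhost@DEV.IBM.COM
         msgType is 30
"""
BROKER_LOG = ("[2017-11-10 12:17:51,659] INFO Successfully authenticated client: "
              "authenticationID=kafka/pi99.dev.ibm.com@DEV.IBM.COM;")
FIELD = re.compile(r"^\s+(cTime|sTime|suSec|error code|error Message|cname|sname|msgType) is (.*)$")
PRINCIPAL = re.compile(r"^(?P<service>[^/@]+)(?:/(?P<host>[^@]+))?@(?P<realm>.+)$")

def parse_krb_errors(text):
    """Return one dict of fields per '>>>KRBError:' block in the debug output."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.startswith(">>>KRBError:"):
            current = {}
            blocks.append(current)
        elif current is not None:
            m = FIELD.match(line)
            if m:
                current[m.group(1)] = m.group(2).strip()
            else:
                current = None  # first non-field line ends the block
    return blocks

def split_principal(name):
    """Split service/host@REALM into its parts; host is None for user principals."""
    m = PRINCIPAL.match(name)
    return m.groupdict() if m else None

def diagnose(debug_text, broker_log):
    """List error-7 (KDC_ERR_S_PRINCIPAL_UNKNOWN) requests whose sname the broker log never shows."""
    known = set(re.findall(r"authenticationID=([^;\s]+)", broker_log))
    findings = []
    for err in parse_krb_errors(debug_text):
        req = split_principal(err.get("sname", ""))
        if err.get("error code") != "7" or req is None or err["sname"] in known:
            continue
        # Broker principals with the same service name and realm as the failed request.
        near = sorted(p for p in known if p.split("/")[0] == req["service"] and p.endswith("@" + req["realm"]))
        findings.append({"client": err.get("cname"), "requested": err["sname"],
                         "requested_host": req["host"], "candidates": near})
    return findings
```

On the logs in this thread it reports that producer@DEV.IBM.COM asked for kafka/localhost@DEV.IBM.COM, while the only principal seen in the broker log is kafka/pi99.dev.ibm.com@DEV.IBM.COM.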