Posted to dev@zookeeper.apache.org by "Ahshan (Jira)" <ji...@apache.org> on 2019/10/14 06:03:00 UTC

[jira] [Created] (ZOOKEEPER-3576) Zookeeper Fails with AUTH_FAILED state with SASL

Ahshan created ZOOKEEPER-3576:
---------------------------------

             Summary: Zookeeper Fails with AUTH_FAILED state with SASL
                 Key: ZOOKEEPER-3576
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3576
             Project: ZooKeeper
          Issue Type: Bug
          Components: kerberos, security
    Affects Versions: 3.4.10
            Reporter: Ahshan
         Attachments: zoo.cfg, zookeeper_server.log

Although I'm able to authenticate successfully with the Kerberos account "zookeeper/kafka-d1.eng.company.com@COMPANY.COM", I still encounter AUTH_FAILED during client authentication.

Following is the verification made from my end:

1. Checked DNS (both forward and backward)

nslookup kafka-d1.eng.company.com
Server: 172.16.2.3
Address: 172.16.2.3#53

Name: kafka-d1.eng.company.com
Address: 10.14.61.17

Reverse DNS

nslookup 10.14.61.17
Server: 172.16.2.3
Address: 172.16.2.3#53

17.61.14.10.in-addr.arpa name = kafka-d1.eng.company.com.


2. Kerberos Authentication

kinit -kt /etc/keytabs/zookeeper.keytab -V zookeeper/kafka-d1.eng.company.com
Using default cache: /tmp/krb5cc_0
Using principal: zookeeper/kafka-d1.eng.company.com@COMPANY.COM
Using keytab: /etc/keytabs/zookeeper.keytab
Authenticated to Kerberos v5


Below is the krb5 configuration File:

cat /etc/krb5.conf
[libdefaults]
default_realm = COMPANY.COM
dns_lookup_kdc = true
dns_lookup_realm = true
ticket_lifetime = 86400
renew_lifetime = 604800
forwardable = true
default_tgs_enctypes = aes256-cts
default_tkt_enctypes = aes256-cts
permitted_enctypes = aes256-cts
udp_preference_limit = 1
kdc_timeout = 3000
ignore_acceptor_hostname = true
[realms]
COMPANY.COM = {
kdc = srv-ussc-dc01e.company.com
admin_server = srv-exxx.company.com
kdc = srv-exxxe.company.com
}
[domain_realm]
kafka-d1.eng.company.com = COMPANY.COM


*Error Message:* [^zoo.cfg] [^zookeeper_server.log]
{noformat}
WatchedEvent state:SyncConnected type:None path:null
2019-10-14 01:46:47,858 [myid:] - ERROR [main-SendThread(localhost:2181):ZooKeeperSaslClient@308] - An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state.
2019-10-14 01:46:47,859 [myid:] - ERROR [main-SendThread(localhost:2181):ClientCnxn$SendThread@1072] - SASL authentication with Zookeeper Quorum member failed: javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state.
{noformat}

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
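The checks in the report (forward and reverse DNS, kinit against the keytab, the krb5.conf realm mapping) confirm that the client's own credentials are valid, while the logged error, "Server not found in Kerberos database (7)", is the KDC's KDC_ERR_S_PRINCIPAL_UNKNOWN: the service principal the client asked a ticket for does not exist on the KDC. The script below is an added example, not code from the ticket or from the ZooKeeper project. For each host in a ZooKeeper connect string it derives the server principal a GSSAPI client will request, applying the [domain_realm] mapping and default_realm from a krb5.conf, and compares it with the principals listed in a `klist -kt` dump of the server keytab. It assumes the ZooKeeper client's default of requesting `zookeeper/<host from the connect string>@REALM` (the log above shows the client talking to localhost:2181); the krb5.conf text, the connect string and the klist output in the block are constructed sample inputs, not the ticket's attachments.

```python
import re

# Constructed sample inputs (not the ticket's attachments): a krb5.conf in the
# same shape as the one in the report, and a `klist -kt` listing of the keytab.
SAMPLE_KRB5_CONF = """
[libdefaults]
default_realm = COMPANY.COM
dns_lookup_realm = true
[realms]
COMPANY.COM = {
kdc = kdc.company.com
}
[domain_realm]
kafka-d1.eng.company.com = COMPANY.COM
.eng.company.com = COMPANY.COM
"""

SAMPLE_KLIST_KT = """Keytab name: FILE:/etc/keytabs/zookeeper.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 10/01/2019 09:00:00 zookeeper/kafka-d1.eng.company.com@COMPANY.COM
   2 10/01/2019 09:00:00 zookeeper/kafka-d1.eng.company.com@COMPANY.COM
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value}}. Realm sub-blocks
    (NAME = { ... }) become nested dicts; a repeated key such as a second
    'kdc =' keeps only the last value, which is enough for realm mapping."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section, block = m.group(1), None
            sections.setdefault(section, {})
            continue
        if section is None:
            continue
        if line == "}":
            block = None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            block = sections[section].setdefault(key, {})
        elif block is not None:
            block[key] = value
        else:
            sections[section][key] = value
    return sections


def realm_for_host(host, conf):
    """[domain_realm] lookup: exact host first, then the most specific
    '.suffix' entry, else default_realm (DNS TXT lookup is not modelled)."""
    mapping = conf.get("domain_realm", {})
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return conf["libdefaults"]["default_realm"]


def hosts_from_connect_string(connect_string):
    """ZooKeeper connect string: host1:port1,host2:port2[/chroot]."""
    servers = connect_string.split("/", 1)[0]
    return [part.rsplit(":", 1)[0] for part in servers.split(",") if part]


def keytab_principals(klist_output):
    """Principal names (name@REALM) found in `klist -kt` output."""
    return {m.group(1) for m in re.finditer(r"(\S+@\S+)", klist_output)}


def requested_principals(connect_string, krb5_conf_text, service="zookeeper"):
    """Server principal the client will ask the KDC for, per connect host.
    The default service name 'zookeeper' is the assumed client default."""
    conf = parse_krb5_conf(krb5_conf_text)
    return {h: f"{service}/{h}@{realm_for_host(h, conf)}"
            for h in hosts_from_connect_string(connect_string)}


def check_connect_string(connect_string, krb5_conf_text, klist_output,
                         service="zookeeper"):
    """Return {host: (requested_principal, present_in_keytab)}. A keytab only
    holds principals the KDC exported, so a requested principal missing here
    is the first candidate for 'Server not found in Kerberos database (7)'."""
    known = keytab_principals(klist_output)
    return {h: (p, p in known) for h, p in
            requested_principals(connect_string, krb5_conf_text, service).items()}


if __name__ == "__main__":
    result = check_connect_string("localhost:2181,kafka-d1.eng.company.com:2181",
                                  SAMPLE_KRB5_CONF, SAMPLE_KLIST_KT)
    for host, (principal, ok) in result.items():
        print(f"{host:28} -> {principal:50} {'ok' if ok else 'NOT IN KEYTAB'}")
```

Run it with the connect string the client actually uses and the output of `klist -kt` on the server keytab; a host that maps to a principal absent from the keytab is where the KDC-side principal (or the hostname the client was told to use) should be checked first, before revisiting DNS or enctype settings.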