Posted to dev@zookeeper.apache.org by "Ahshan (Jira)" <ji...@apache.org> on 2019/10/14 06:03:00 UTC
[jira] [Created] (ZOOKEEPER-3576) Zookeeper Fails with AUTH_FAILED state with SASL
Ahshan created ZOOKEEPER-3576:
---------------------------------
Summary: Zookeeper Fails with AUTH_FAILED state with SASL
Key: ZOOKEEPER-3576
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3576
Project: ZooKeeper
Issue Type: Bug
Components: kerberos, security
Affects Versions: 3.4.10
Reporter: Ahshan
Attachments: zoo.cfg, zookeeper_server.log
Although I'm able to authenticate successfully with the Kerberos account "zookeeper/kafka-d1.eng.company.com@COMPANY.COM", I still happen to encounter AUTH_FAILED during client authentication.
The following is the verification made from my end:
1. Checked DNS (both forward and backward)
nslookup kafka-d1.eng.company.com
Server: 172.16.2.3
Address: 172.16.2.3#53
Name: kafka-d1.eng.company.com
Address: 10.14.61.17
Reverse DNS
nslookup 10.14.61.17
Server: 172.16.2.3
Address: 172.16.2.3#53
17.61.14.10.in-addr.arpa name = kafka-d1.eng.company.com.
2. Kerberos Authentication
kinit -kt /etc/keytabs/zookeeper.keytab -V zookeeper/kafka-d1.eng.company.com
Using default cache: /tmp/krb5cc_0
Using principal: zookeeper/kafka-d1.eng.company.com@COMPANY.COM
Using keytab: /etc/keytabs/zookeeper.keytab
Authenticated to Kerberos v5
Below is the krb5 configuration file:
cat /etc/krb5.conf
[libdefaults]
default_realm = COMPANY.COM
dns_lookup_kdc = true
dns_lookup_realm = true
ticket_lifetime = 86400
renew_lifetime = 604800
forwardable = true
default_tgs_enctypes = aes256-cts
default_tkt_enctypes = aes256-cts
permitted_enctypes = aes256-cts
udp_preference_limit = 1
kdc_timeout = 3000
ignore_acceptor_hostname = true
[realms]
COMPANY.COM = {
kdc = srv-ussc-dc01e.company.com
admin_server = srv-exxx.company.com
kdc = srv-exxxe.company.com
}
[domain_realm]
kafka-d1.eng.company.com = COMPANY.COM
Error Message: [^zoo.cfg] [^zookeeper_server.log]
{noformat}
WatchedEvent state:SyncConnected type:None path:null
2019-10-14 01:46:47,858 [myid:] - ERROR [main-SendThread(localhost:2181):ZooKeeperSaslClient@308] - An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state.
2019-10-14 01:46:47,859 [myid:] - ERROR [main-SendThread(localhost:2181):ClientCnxn$SendThread@1072] - SASL authentication with Zookeeper Quorum member failed: javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state.
{noformat}