Posted to user@zookeeper.apache.org by Mohit Anchlia <mo...@gmail.com> on 2016/01/15 22:10:02 UTC

Sasl error

I need help with the following error. I see this error when ZkClient tries
to authenticate with the zookeeper server. In the Kerberos logs I see
tickets being exchanged. I looked at the zookeeper code but couldn't point
to a specific issue.

[2016-01-15 16:03:55,771] DEBUG Leaving process event (org.I0Itec.zkclient.ZkClient)
[2016-01-15 16:03:55,772] DEBUG saslClient.evaluateChallenge(len=0) (org.apache.zookeeper.client.ZooKeeperSaslClient)
[2016-01-15 16:03:55,792] DEBUG Responding to client SASL token. (org.apache.zookeeper.server.ZooKeeperServer)
[2016-01-15 16:03:55,792] DEBUG Size of client SASL token: 611 (org.apache.zookeeper.server.ZooKeeperServer)
[2016-01-15 16:03:55,792] ERROR cnxn.saslServer is null: cnxn object did not initialize its saslServer properly. (org.apache.zookeeper.server.ZooKeeperServer)
[2016-01-15 16:03:55,793] ERROR SASL authentication failed using login context 'Client'. (org.apache.zookeeper.client.ZooKeeperSaslClient)
[2016-01-15 16:03:55,793] DEBUG Received event: WatchedEvent state:AuthFailed type:None path:null (org.I0Itec.zkclient.ZkClient)
--

Kerberos logs

Jan 15 15:39:44 ip-10-241-251-175.us-west-2.compute.internal krb5kdc[9767](info): AS_REQ (6 etypes {18 17 16 23 1 3}) 10.241.251.217: ISSUE: authtime 1452890384, etypes {rep=18 tkt=18 ses=18}, kafka/10.241.251.217@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jan 15 15:39:44 ip-10-241-251-175.us-west-2.compute.internal krb5kdc[9767](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 10.241.251.217: ISSUE: authtime 1452890384, etypes {rep=18 tkt=18 ses=18}, kafka/10.241.251.217@EXAMPLE.COM for zookeeper/localhost@EXAMPLE.COM

Re: Sasl error

Posted by Mohit Anchlia <mo...@gmail.com>.
This is the default principal in kds that I have my jaas file configured to
use. The interesting point is that I see ticket exchange taking place
successfully and yet I get a cnxn error.

On Sat, Jan 16, 2016 at 5:51 AM, Flavio Junqueira <fp...@apache.org> wrote:

> Hi Mohit,
>
> I think I've seen your messages on the Kafka list. Have you had a look at
> the Kafka tests? Perhaps you want to have a look there for an example of
> how to generate a correct config file. The logs indicate that you indeed
> have a Client section, but the credentials there don't seem to match what
> the server expects.
>
> Also, this principal called my attention: krbtgt/EXAMPLE.COM@EXAMPLE.COM.
> Are you trying to do cross-realm authentication? Shouldn't they be
> different in this case?
>
> -Flavio
>
> > On 15 Jan 2016, at 21:10, Mohit Anchlia <mo...@gmail.com> wrote:
> >
> > I need help with the following error. I see this error when ZkClient
> > tries to authenticate with the zookeeper server. In the Kerberos logs
> > I see tickets being exchanged. I looked at the zookeeper code but
> > couldn't point to a specific issue.
> >
> > [2016-01-15 16:03:55,771] DEBUG Leaving process event
> > (org.I0Itec.zkclient.ZkClient)
> > [2016-01-15 16:03:55,772] DEBUG saslClient.evaluateChallenge(len=0)
> > (org.apache.zookeeper.client.ZooKeeperSaslClient)
> > [2016-01-15 16:03:55,792] DEBUG Responding to client SASL token.
> > (org.apache.zookeeper.server.ZooKeeperServer)
> > [2016-01-15 16:03:55,792] DEBUG Size of client SASL token: 611
> > (org.apache.zookeeper.server.ZooKeeperServer)
> > [2016-01-15 16:03:55,792] ERROR cnxn.saslServer is null: cnxn object did
> > not initialize its saslServer properly.
> > (org.apache.zookeeper.server.ZooKeeperServer)
> > [2016-01-15 16:03:55,793] ERROR SASL authentication failed using login
> > context 'Client'. (org.apache.zookeeper.client.ZooKeeperSaslClient)
> > [2016-01-15 16:03:55,793] DEBUG Received event: WatchedEvent
> > state:AuthFailed type:None path:null (org.I0Itec.zkclient.ZkClient)
> > --
> >
> > Kerberos logs
> >
> > Jan 15 15:39:44 ip-10-241-251-175.us-west-2.compute.internal
> > krb5kdc[9767](info): AS_REQ (6 etypes {18 17 16 23 1 3}) 10.241.251.217:
> > ISSUE: authtime 1452890384, etypes {rep=18 tkt=18 ses=18}, kafka/
> > 10.241.251.217@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
> > Jan 15 15:39:44 ip-10-241-251-175.us-west-2.compute.internal
> > krb5kdc[9767](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 10.241.251.217:
> > ISSUE: authtime 1452890384, etypes {rep=18 tkt=18 ses=18}, kafka/
> > 10.241.251.217@EXAMPLE.COM for zookeeper/localhost@EXAMPLE.COM
>
>

Re: Sasl error

Posted by Flavio Junqueira <fp...@apache.org>.
Hi Mohit,

I think I've seen your messages on the Kafka list. Have you had a look at the Kafka tests? Perhaps you want to have a look there for an example of how to generate a correct config file. The logs indicate that you indeed have a Client section, but the credentials there don't seem to match what the server expects.

Also, this principal called my attention: krbtgt/EXAMPLE.COM@EXAMPLE.COM. Are you trying to do cross-realm authentication? Shouldn't they be different in this case?

-Flavio

> On 15 Jan 2016, at 21:10, Mohit Anchlia <mo...@gmail.com> wrote:
> 
> I need help with the following error. I see this error when ZkClient tries
> to authenticate with the zookeeper server. In the Kerberos logs I see
> tickets being exchanged. I looked at the zookeeper code but couldn't point
> to a specific issue.
> 
> [2016-01-15 16:03:55,771] DEBUG Leaving process event
> (org.I0Itec.zkclient.ZkClient)
> [2016-01-15 16:03:55,772] DEBUG saslClient.evaluateChallenge(len=0)
> (org.apache.zookeeper.client.ZooKeeperSaslClient)
> [2016-01-15 16:03:55,792] DEBUG Responding to client SASL token.
> (org.apache.zookeeper.server.ZooKeeperServer)
> [2016-01-15 16:03:55,792] DEBUG Size of client SASL token: 611
> (org.apache.zookeeper.server.ZooKeeperServer)
> [2016-01-15 16:03:55,792] ERROR cnxn.saslServer is null: cnxn object did
> not initialize its saslServer properly.
> (org.apache.zookeeper.server.ZooKeeperServer)
> [2016-01-15 16:03:55,793] ERROR SASL authentication failed using login
> context 'Client'. (org.apache.zookeeper.client.ZooKeeperSaslClient)
> [2016-01-15 16:03:55,793] DEBUG Received event: WatchedEvent
> state:AuthFailed type:None path:null (org.I0Itec.zkclient.ZkClient)
> --
> 
> Kerberos logs
> 
> Jan 15 15:39:44 ip-10-241-251-175.us-west-2.compute.internal
> krb5kdc[9767](info): AS_REQ (6 etypes {18 17 16 23 1 3}) 10.241.251.217:
> ISSUE: authtime 1452890384, etypes {rep=18 tkt=18 ses=18}, kafka/
> 10.241.251.217@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
> Jan 15 15:39:44 ip-10-241-251-175.us-west-2.compute.internal
> krb5kdc[9767](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 10.241.251.217:
> ISSUE: authtime 1452890384, etypes {rep=18 tkt=18 ses=18}, kafka/
> 10.241.251.217@EXAMPLE.COM for zookeeper/localhost@EXAMPLE.COM
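
Added example, not part of the thread and not ZooKeeper or Kafka code: a small parser for the krb5kdc entries quoted above that extracts the client and service principals, so they can be compared against the principals named in the JAAS configuration. It handles only successful (ISSUE) entries in the layout shown in the thread; the function and field names are illustrative.

```python
import re

# Constructed sample: the two krb5kdc entries quoted in the thread, with the
# e-mail hard wraps left in (note the principal split after "kafka/").
SAMPLE = """\
Jan 15 15:39:44 ip-10-241-251-175.us-west-2.compute.internal
krb5kdc[9767](info): AS_REQ (6 etypes {18 17 16 23 1 3}) 10.241.251.217:
ISSUE: authtime 1452890384, etypes {rep=18 tkt=18 ses=18}, kafka/
10.241.251.217@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jan 15 15:39:44 ip-10-241-251-175.us-west-2.compute.internal
krb5kdc[9767](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 10.241.251.217:
ISSUE: authtime 1452890384, etypes {rep=18 tkt=18 ses=18}, kafka/
10.241.251.217@EXAMPLE.COM for zookeeper/localhost@EXAMPLE.COM
"""

# Matches only successful ("ISSUE") entries in the layout shown in the thread.
ENTRY = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) \([^)]*\) "
    r"(?P<addr>[\d.]+) ?: ISSUE: authtime (?P<authtime>\d+), "
    r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<service>\S+)"
)

def split_principal(name):
    """Split primary/instance@REALM into its three parts (instance may be empty)."""
    body, _, realm = name.rpartition("@")
    primary, _, instance = body.partition("/")
    return primary, instance, realm

def parse_kdc_log(text):
    """Return one dict per issued ticket, tolerating mail-client line wraps."""
    text = re.sub(r"/\s+", "/", text)   # rejoin principals wrapped after "/"
    text = re.sub(r"\s+", " ", text)    # collapse every other wrap to a space
    out = []
    for m in ENTRY.finditer(text):
        primary, instance, realm = split_principal(m["service"])
        out.append({
            "request": m["req"],
            "client": m["client"],
            "service": m["service"],
            "service_host": instance if primary != "krbtgt" else None,
            # A cross-realm TGT is named krbtgt/<target realm>@<issuing realm>.
            "cross_realm_tgt": primary == "krbtgt" and instance != realm,
            "ticket_etype": int(m["tkt"]),
        })
    return out

if __name__ == "__main__":
    print(*parse_kdc_log(SAMPLE), sep="\n")
```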