[jira] [Commented] (ZOOKEEPER-2345) ServerCnxnFactory.configureSaslLogin() loses stack trace on auth failures

[Jeremy Custenborder (JIRA)]

    [ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15134725#comment-15134725
 ] 

Jeremy Custenborder commented on ZOOKEEPER-2345:
------------------------------------------------

I've bumped into this a couple times recently so I'll add some troubleshooting 
information for anyone who arrives here via a search for the exception.
h4. Verify DNS
The machine must be able to resolve it's own hostname to the hostname that 
other machines will connect to. Verify the hosts file is setup correctly.
h4. Verify the format of your jaas file 
The principal needs to be to the fully qualified hostname
{code}
Server {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/security/keytabs/zookeeper.keytab"
  storeKey=true
  useTicketCache=false
  principal="zookeeper/zookeeper.example....@example.com";
};
{code}
h4. Make sure you can kinit with the contents of your jaas file
If possible you should try to do this with the local user zookeeper will be 
running as. 
{code}
kinit -kt <keyTab value from jaas> <zookeeper/zookeeper.example....@example.com>
{code}
This should return successfully without prompting for a password.
h4. Make sure your jaas file and keytab are readable by the zookeeper user
{code}
ls -la 
-r--r-----. 1 zookeeper zookeeper 4198 Feb  3 19:32 
/etc/security/keytabs/zookeeper.keytab
{code}
If the permissions are not correct use this.
{code}
chmod 0440 /etc/security/keytabs/zookeeper.keytab
{code}
h4. Verify you have the proper JCE policy files (Oracle JRE)
If you are using the Oracle JRE and strong encryption like 
aes256-cts-hmac-sha1-96 or aes128-cts-hmac-sha1-96, additional policy jars need 
to be installed. Download the JCE jars for [Java 
7|http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html]
 or [Java 
8|http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html]

> ServerCnxnFactory.configureSaslLogin() loses stack trace on auth failures
> -------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-2345
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2345
>             Project: ZooKeeper
>          Issue Type: Sub-task
>          Components: server
>    Affects Versions: 3.4.6
>            Reporter: Steve Loughran
>
> When there's a problem authenticating in 
> {{ServerCnxnFactory.configureSaslLogin() }}, the exception is retained -but 
> the full stack lost.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)