Ahshan created ZOOKEEPER-3576:
---------------------------------
Summary: Zookeeper Fails with AUTH_FAILED state with SASL
Key: ZOOKEEPER-3576
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3576
Project: ZooKeeper
Issue Type: Bug
Components: kerberos, security
Affects Versions: 3.4.10
Reporter: Ahshan
Attachments: zoo.cfg, zookeeper_server.log
Although I'm able to authenticate successfully with the Kerberos account
*"zookeeper/[email protected]", I still happen to
encounter* AUTH_FAILED during client authentication.
Following is the verification made from my end:
1. Checked DNS (Both Forward and Backward)
nslookup kafka-d1.eng.company.com
Server: 172.16.2.3
Address: 172.16.2.3#53
Name: kafka-d1.eng.company.com
Address: 10.14.61.17
Reverse DNS
nslookup 10.14.61.17
Server: 172.16.2.3
Address: 172.16.2.3#53
17.61.14.10.in-addr.arpa name = kafka-d1.eng.company.com.
2. Kerberos Authentication
kinit -kt /etc/keytabs/zookeeper.keytab -V zookeeper/kafka-d1.eng.company.com
Using default cache: /tmp/krb5cc_0
Using principal: zookeeper/[email protected]
Using keytab: /etc/keytabs/zookeeper.keytab
Authenticated to Kerberos v5
Below is the krb5 configuration file:
cat /etc/krb5.conf
[libdefaults]
default_realm = COMPANY.COM
dns_lookup_kdc = true
dns_lookup_realm = true
ticket_lifetime = 86400
renew_lifetime = 604800
forwardable = true
default_tgs_enctypes = aes256-cts
default_tkt_enctypes = aes256-cts
permitted_enctypes = aes256-cts
udp_preference_limit = 1
kdc_timeout = 3000
ignore_acceptor_hostname = true
[realms]
COMPANY.COM = {
kdc = srv-ussc-dc01e.company.com
admin_server = srv-exxx.company.com
kdc = srv-exxxe.company.com
}
[domain_realm]
kafka-d1.eng.company.com = COMPANY.COM
*Error Message :[^zoo.cfg][^zookeeper_server.log]*
{noformat}
WatchedEvent state:SyncConnected type:None path:null
2019-10-14 01:46:47,858 [myid:] - ERROR
[main-SendThread(localhost:2181):ZooKeeperSaslClient@308] - An error:
(java.security.PrivilegedActionException: javax.security.sasl.SaslException:
GSS initiate failed [Caused by GSSException: No valid credentials provided
(Mechanism level: Server not found in Kerberos database (7))]) occurred when
evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will
go to AUTH_FAILED state.
2019-10-14 01:46:47,859 [myid:] - ERROR
[main-SendThread(localhost:2181):ClientCnxn$SendThread@1072] - SASL
authentication with Zookeeper Quorum member failed:
javax.security.sasl.SaslException: An error:
(java.security.PrivilegedActionException: javax.security.sasl.SaslException:
GSS initiate failed [Caused by GSSException: No valid credentials provided
(Mechanism level: Server not found in Kerberos database (7))]) occurred when
evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will
go to AUTH_FAILED state.{noformat}
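An added example, not part of the original report or of ZooKeeper's code: a log check for this failure mode. It relies on the ZooKeeper client requesting a service ticket for `<zookeeper.sasl.client.username>/<server host>` (username default `zookeeper`), with the host being the one shown in the `SendThread(...)` thread name, and on KDC error 7 meaning the requested service principal is unknown. The function name, field names and the shortened sample are constructed for illustration.

```python
import re

# Constructed sample: the first ERROR entry from the report, hard-wrapped
# the way the mail shows it.
SAMPLE_LOG = """\
WatchedEvent state:SyncConnected type:None path:null
2019-10-14 01:46:47,858 [myid:] - ERROR
[main-SendThread(localhost:2181):ZooKeeperSaslClient@308] - An error:
(java.security.PrivilegedActionException: javax.security.sasl.SaslException:
GSS initiate failed [Caused by GSSException: No valid credentials provided
(Mechanism level: Server not found in Kerberos database (7))]) occurred when
evaluating Zookeeper Quorum Member's received SASL token.
"""

ENTRY_BREAK = re.compile(r"\n(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} )")
SEND_THREAD = re.compile(r"SendThread\(([^:()\s]+):(\d+)\)")
KDC_ERROR = re.compile(r"Mechanism level: .*? \((\d+)\)")
S_PRINCIPAL_UNKNOWN = 7  # KDC_ERR_S_PRINCIPAL_UNKNOWN (RFC 4120)


def diagnose(log_text, keytab_principal, service="zookeeper"):
    """For every log entry with KDC error 7, derive the service principal
    the client asked for and compare it with the one in the keytab.

    `service` mirrors zookeeper.sasl.client.username (default "zookeeper").
    """
    keytab_spn = keytab_principal.split("@", 1)[0]  # drop the realm, if any
    findings = []
    for entry in ENTRY_BREAK.split(log_text):
        flat = " ".join(entry.split())  # undo hard line wrapping
        thread = SEND_THREAD.search(flat)
        error = KDC_ERROR.search(flat)
        if not (thread and error):
            continue
        if int(error.group(1)) != S_PRINCIPAL_UNKNOWN:
            continue
        requested = f"{service}/{thread.group(1)}"
        findings.append({
            "connected_to": f"{thread.group(1)}:{thread.group(2)}",
            "requested": requested,
            "matches_keytab": requested == keytab_spn,
        })
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG, "zookeeper/kafka-d1.eng.company.com"):
        print(f)
```

A finding with `matches_keytab` set to false means the client asked the KDC for a principal built from the connect-string host rather than the one the `kinit` test used.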