[ https://issues.apache.org/jira/browse/KAFKA-4097?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15445624#comment-15445624 ]
syam prasad commented on KAFKA-4097:
------------------------------------

Hi,

Zookeeper was started well in a secured mode (as I can see TGT starting time and expiry time) with the following properties:

zookeeper properties:
=====================
dataDir=/tmp/zookeeper2
# the port at which the clients will connect
clientPort=2182
# disable the per-ip limit on the number of connections since this is a non-production config
maxClientCnxns=0
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
requireClientAuthScheme=sasl
jaasLoginRenew=3600000

zookeeper_jas.conf:
==================
Server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/home/dsadm/syam/zookeeper-service.keytab"
    storeKey=true
    serviceName="zookeeper"
    debug=true
    useTicketCache=false
    principal="zookeeper/archimedes.in.ibm....@hadoopbi.com";
};

When I started the kafka server, with the following properties:

server.properties:
==================
listeners=SASL_PLAINTEXT://archimedes.in.ibm.com:9093
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.enabled.mechanisms=GSSAPI
sasl.mechanism.inter.broker.protocol=GSSAPI
sasl.kerberos.service.name=kafka
zookeeper.set.acl=true
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer

kafka_broker_jass.conf:
======================
KafkaServer {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    serviceName="kafka"
    keyTab="/home/dsadm/syam/kafka_service.keytab"
    principal="kafka/archimedes.in.ibm....@hadoopbi.com";
};

// Zookeeper client authentication
Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    debug=true
    serviceName="zookeeper"
    keyTab="/home/dsadm/syam/kafka_service.keytab"
    principal="kafka/archimedes.in.ibm....@hadoopbi.com";
};

krb5 and jaas files are specified via exporting KAFKA_OPTS:
=================================================
export KAFKA_OPTS="-Djava.security.krb5.conf=/home/dsadm/syam/krb5.conf -Djava.security.auth.login.config=/home/dsadm/syam/kafka_broker_jaas.conf"
export KAFKA_OPTS="-Djava.security.krb5.conf=/home/dsadm/syam/krb5.conf -Djava.security.auth.login.config=/home/dsadm/syam/zookeeper_jaas.conf"

I was seeing the following issue, while starting a kafka server (./bin/kafka_server_start.sh config/server.properties):

[2016-08-29 16:51:27,375] INFO Socket connection established to archimedes/9.124.101.5:2182, initiating session (org.apache.zookeeper.ClientCnxn)
[2016-08-29 16:51:27,467] INFO Session establishment complete on server archimedes/9.124.101.5:2182, sessionid = 0x156d5ffea8a0001, negotiated timeout = 6000 (org.apache.zookeeper.ClientCnxn)
[2016-08-29 16:51:27,492] INFO zookeeper state changed (SyncConnected) (org.I0Itec.zkclient.ZkClient)
[2016-08-29 16:51:27,614] ERROR An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)]) occurred when evaluating Zookeeper Quorum Member's received SASL token. This may be caused by Java's being unable to resolve the Zookeeper Quorum Member's hostname correctly. You may want to try to adding '-Dsun.net.spi.nameservice.provider.1=dns,sun' to your client's JVMFLAGS environment. Zookeeper Client will go to AUTH_FAILED state. (org.apache.zookeeper.client.ZooKeeperSaslClient)
[2016-08-29 16:51:27,615] ERROR SASL authentication with Zookeeper Quorum member failed: javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)]) occurred when evaluating Zookeeper Quorum Member's received SASL token. This may be caused by Java's being unable to resolve the Zookeeper Quorum Member's hostname correctly. You may want to try to adding '-Dsun.net.spi.nameservice.provider.1=dns,sun' to your client's JVMFLAGS environment. Zookeeper Client will go to AUTH_FAILED state. (org.apache.zookeeper.ClientCnxn)
[2016-08-29 16:51:27,617] INFO zookeeper state changed (AuthFailed) (org.I0Itec.zkclient.ZkClient)
[2016-08-29 16:51:27,621] INFO Terminate ZkClient event thread. (org.I0Itec.zkclient.ZkEventThread)
[2016-08-29 16:51:27,646] FATAL Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
org.I0Itec.zkclient.exception.ZkAuthFailedException: Authentication failure

> "Server not found in kerberos database" issue while starting Kafka broker in secured mode
> -----------------------------------------------------------------------------------------
>
>                 Key: KAFKA-4097
>                 URL: https://issues.apache.org/jira/browse/KAFKA-4097
>             Project: Kafka
>          Issue Type: Test
>          Components: KafkaConnect
>    Affects Versions: 0.10.0.1
>            Reporter: syam prasad
>            Assignee: Ewen Cheslack-Postava
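
A check for the UNKNOWN_SERVER failure shown in the log above, added here as an example and not part of the original comment or of the Kafka or ZooKeeper code. It assumes the ZooKeeper client asks the KDC for `serviceName/host` using the host name printed before the slash in the "Socket connection established" line; the sample log, JAAS text, host names and function names are constructed for illustration.

```python
import re

# Constructed sample input in the log format above; hosts are placeholders.
SAMPLE_LOG = (
    "[2016-08-29 16:51:27,375] INFO Socket connection established to "
    "zk1/192.0.2.10:2182, initiating session (org.apache.zookeeper.ClientCnxn)\n"
    "[2016-08-29 16:51:27,614] ERROR An error: (... GSS initiate failed "
    "[Caused by GSSException: No valid credentials provided (Mechanism level: "
    "Server not found in Kerberos database (7) - UNKNOWN_SERVER)]) ...\n"
)
# Constructed JAAS text; the principal is a placeholder, not the reporter's.
SAMPLE_JAAS = """KafkaServer { com.sun.security.auth.module.Krb5LoginModule required
    principal="kafka/zk1.example.com@EXAMPLE.COM"; };
Server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    principal="zookeeper/zk1.example.com@EXAMPLE.COM";
};"""

CONNECT_RE = re.compile(r"Socket connection established to ([^/\s]+)/")
PRINCIPAL_RE = re.compile(r'principal\s*=\s*"([^/"@]+)/([^"@]+)@([^"]+)"')

def connected_hosts(log_text):
    """Host names the client resolved, taken from 'host/ip:port' log entries."""
    return [m.group(1) for m in CONNECT_RE.finditer(log_text)]

def server_principal(jaas_text, section="Server"):
    """Return (service, host, realm) of the principal in one JAAS section."""
    block = re.search(r"\b%s\s*\{(.*?)\}\s*;" % re.escape(section), jaas_text, re.S)
    match = PRINCIPAL_RE.search(block.group(1)) if block else None
    if match is None:
        raise ValueError("no service principal in JAAS section %r" % section)
    return match.groups()

def diagnose(log_text, jaas_text):
    """List (requested, registered) pairs whose host parts disagree.

    Only meaningful when the log reports UNKNOWN_SERVER, i.e. the KDC has no
    entry for the service principal the client requested.
    """
    if "UNKNOWN_SERVER" not in log_text:
        return []
    service, host, _realm = server_principal(jaas_text)
    registered = "%s/%s" % (service, host)
    return [("%s/%s" % (service, h), registered)
            for h in connected_hosts(log_text) if h.lower() != host.lower()]

if __name__ == "__main__":
    for requested, registered in diagnose(SAMPLE_LOG, SAMPLE_JAAS):
        print("client requests %s, keytab principal is %s" % (requested, registered))
```

A non-empty result means the name the JVM resolved for the ZooKeeper host differs from the host part of the server's principal, which is the hostname-resolution cause the error message itself points to.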