Hi expert,

Now I am verifying the connection between the broker and ZooKeeper using SASL 
mechanisms, and ZooKeeper always claims: GSS initiate failed [Caused by 
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum 
failed)]

From the Kerberos log, I see ZooKeeper sent an AS_REQ, and the broker sent an AS_REQ and 
a TGS_REQ. The Kerberos server answered them all successfully. 

Then, in Wireshark, I see the broker sent an SMPP message to ZooKeeper, and then the 
failure happened. I am confused by that. The broker is supposed to send a 
KRB_AP_REQ message to ZooKeeper at that point, right?

I have been confused by this for a week already! I would very much appreciate any hint on this issue!

Here is the log:

zookeeper:
[2016-11-15 08:34:21,319] INFO Established session 0x1586868cc200000 with 
negotiated timeout 6000 for client /10.160.32.153:33610 
(org.apache.zookeeper.server.ZooKeeperServer)
[2016-11-15 08:34:21,320] WARN Client failed to SASL authenticate: 
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: 
Failure unspecified at GSS-API level (Mechanism level: Checksum failed)] 
(org.apache.zookeeper.server.ZooKeeperServer)
[2016-11-15 08:34:21,320] WARN Closing client connection due to SASL 
authentication failure. (org.apache.zookeeper.server.ZooKeeperServer)
[2016-11-15 08:34:21,320] INFO Closed socket connection for client 
/10.160.32.153:33610 which had sessionid 0x1586868cc200000 
(org.apache.zookeeper.server.NIOServerCnxn)


kafka broker:
[2016-11-15 08:34:21,316] INFO zookeeper state changed (SyncConnected) 
(org.I0Itec.zkclient.ZkClient)
[2016-11-15 08:34:21,321] INFO Unable to read additional data from server 
sessionid 0x1586868cc200000, likely server has closed socket, closing socket 
connection and attempting reconnect (org.apache.zookeeper.ClientCnxn)
[2016-11-15 08:34:21,421] INFO zookeeper state changed (Disconnected) 
(org.I0Itec.zkclient.ZkClient)

Kerberos:
Nov 15 08:34:08 YeKerberosServer-0-0-1 krb5kdc[10896](info): AS_REQ (1 etypes 
{17}) 10.160.32.153: ISSUE: authtime 1479220448, etypes {rep=17 tkt=17 ses=17}, 
zookeeper/kafka.example....@example.com for krbtgt/example....@example.com
Nov 15 08:34:19 YeKerberosServer-0-0-1 krb5kdc[10896](info): AS_REQ (1 etypes 
{17}) 10.160.32.153: NEEDED_PREAUTH: kafka/kafka.example....@example.com for 
krbtgt/example....@example.com, Additional pre-authentication required
Nov 15 08:34:19 YeKerberosServer-0-0-1 krb5kdc[10896](info): AS_REQ (1 etypes 
{17}) 10.160.32.153: ISSUE: authtime 1479220459, etypes {rep=17 tkt=17 ses=17}, 
kafka/kafka.example....@example.com for krbtgt/example....@example.com
Nov 15 08:34:19 YeKerberosServer-0-0-1 krb5kdc[10896](info): TGS_REQ (1 etypes 
{17}) 10.160.32.153: ISSUE: authtime 1479220459, etypes {rep=17 tkt=17 ses=17}, 
kafka/kafka.example....@example.com for zookeeper/10.160.32....@example.com

kafka_server_jaas.conf
    KafkaServer {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        storeKey=true
        useTicketCache=false
        serviceName="kafka"
        keyTab="/u/ainet/kafka_2.11-0.10.0.0/config/kafka.keytab"
        principal="kafka/kafka.example....@example.com";
    };

    // Zookeeper client authentication
    Client {
       com.sun.security.auth.module.Krb5LoginModule required
       //useTicketCache=true;
       useKeyTab=true
       storeKey=true
       useTicketCache=false
       serviceName="zookeeper"
       doNotPrompt=true
       refreshKrb5Config=true
       isInitiator=true
       keyTab="/u/ainet/kafka_2.11-0.10.0.0/config/kafka.keytab"
       principal="kafka/kafka.example....@example.com";
    };

zookeeper_server_jaas.conf
    Server {
       com.sun.security.auth.module.Krb5LoginModule required
       useKeyTab=true
       storeKey=true
       useTicketCache=false
       keyTab="/u/ainet/kafka_2.11-0.10.0.0/config/zookeeper.keytab"
       principal="zookeeper/kafka.example....@example.com";
    };

krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}
 default_tkt_enctypes = aes128-cts
 default_tgs_enctypes = aes128-cts
 permitted_enctypes = aes128-cts
 debug=true

[realms]
 EXAMPLE.COM = {
  kdc = kbserver.example.com
  admin_server = kbserver.example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[appdefaults]
 validate = false


Thanks,
Ye
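An added diagnostic, not part of Ye's message and not Kafka or ZooKeeper code, that cross-checks the two kinds of evidence already pasted above: the krb5kdc TGS_REQ lines (which name the service principal and the ticket enctype the KDC actually issued) against an MIT `klist -kte` listing of the acceptor's keytab. For every service ticket issued it reports whether the keytab holds that exact principal name and a key of the ticket's enctype. Java's GSS reports "Checksum failed" when the AES integrity check on a ticket fails under the key it selected from the keytab, i.e. when the keytab key does not match the key the KDC encrypted with, so this is the first thing to rule out. The host names, IPs, kvno and timestamps in the samples are constructed for the example; the etype numbers follow RFC 3962/4757 (17 = aes128-cts-hmac-sha1-96, 18 = aes256-cts-hmac-sha1-96, 23 = arcfour-hmac); the `klist -kte` column layout assumed is MIT Kerberos'.

```python
import re

# Kerberos enctype numbers (RFC 3962 / RFC 4757) -> names as MIT klist prints them.
ETYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}

# Constructed sample of `klist -kte /path/to/zookeeper.keytab` (MIT layout);
# hosts, kvno and timestamps are invented for this example.
SAMPLE_KEYTAB_LISTING = """\
Keytab name: FILE:/tmp/zookeeper.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------------------
   3 11/15/16 08:00:00 zookeeper/zk1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 11/15/16 08:00:00 zookeeper/zk1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

# Constructed sample krb5kdc log lines in the same format as the ones in the post;
# the first TGS_REQ asks for the service by IP, the second by host name.
SAMPLE_KDC_LOG = """\
Nov 15 08:34:19 kdc1 krb5kdc[10896](info): AS_REQ (1 etypes {17}) 10.0.0.7: ISSUE: authtime 1479220459, etypes {rep=17 tkt=17 ses=17}, kafka/broker1.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Nov 15 08:34:19 kdc1 krb5kdc[10896](info): TGS_REQ (1 etypes {17}) 10.0.0.7: ISSUE: authtime 1479220459, etypes {rep=17 tkt=17 ses=17}, kafka/broker1.example.com@EXAMPLE.COM for zookeeper/10.0.0.5@EXAMPLE.COM
Nov 15 08:35:02 kdc1 krb5kdc[10896](info): TGS_REQ (1 etypes {17}) 10.0.0.7: ISSUE: authtime 1479220459, etypes {rep=17 tkt=17 ses=17}, kafka/broker1.example.com@EXAMPLE.COM for zookeeper/zk1.example.com@EXAMPLE.COM
"""

# kvno, date, time, principal, "(enctype)"
KEYTAB_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+@\S+)\s+\((\S+)\)\s*$")
# ticket enctype, client principal, service principal of an issued service ticket
TGS_RE = re.compile(r"TGS_REQ .*?etypes \{rep=\d+ tkt=(\d+) ses=\d+\}, (\S+) for (\S+)")


def parse_keytab_listing(text):
    """Map each principal in `klist -kte` output to the set of (kvno, enctype) keys it has."""
    keys = {}
    for line in text.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            kvno, principal, enctype = m.groups()
            keys.setdefault(principal, set()).add((int(kvno), enctype))
    return keys


def parse_tgs_issues(text):
    """Return (client, service, tkt_etype) for every TGS_REQ the KDC answered with ISSUE."""
    issued = []
    for line in text.splitlines():
        if "TGS_REQ" not in line or ": ISSUE:" not in line:
            continue
        m = TGS_RE.search(line)
        if m:
            tkt_etype, client, service = m.groups()
            issued.append((client, service, int(tkt_etype)))
    return issued


def check_tickets_against_keytab(kdc_log, keytab_listing):
    """For each issued service ticket, decide whether the acceptor keytab could decrypt it.

    Returns [(service_principal, verdict)] with verdict one of
    'ok', 'principal-missing' (no such name in the keytab) or
    'enctype-missing' (name present, but no key of the ticket's enctype).
    A kvno mismatch cannot be seen from the KDC log; see the usage note.
    """
    keys = parse_keytab_listing(keytab_listing)
    results = []
    for _client, service, tkt_etype in parse_tgs_issues(kdc_log):
        wanted = ETYPE_NAMES.get(tkt_etype, "etype-%d" % tkt_etype)
        if service not in keys:
            results.append((service, "principal-missing"))
        elif wanted not in {enc for _kvno, enc in keys[service]}:
            results.append((service, "enctype-missing"))
        else:
            results.append((service, "ok"))
    return results


if __name__ == "__main__":
    for service, verdict in check_tickets_against_keytab(SAMPLE_KDC_LOG, SAMPLE_KEYTAB_LISTING):
        print("%-45s %s" % (service, verdict))
```

On a real host, feed it the output of `klist -kte /path/to/zookeeper.keytab` and the krb5kdc log around the failure. The one thing the KDC log does not reveal is the key version: if name and enctype both match but the keytab was generated before a key change, the kvno in the keytab is stale and the ticket still fails to decrypt. MIT's `kvno -k /path/to/zookeeper.keytab zookeeper/<host>@REALM` obtains a ticket for the principal and decrypts it with the keytab, which checks exactly that.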
