Hi, Sorry to reply to this so late. Hopefully you've long since figured out the issue. But if not...
1. Just to clarify, are you seeing the error message above when Solr tries to talk to ZooKeeper? Or does that error message appear in your ZK logs, or from a ZK-client you're using to test connections to your kerberized-ZK? You may have done this already, but I would recommend making sure that ZooKeeper is fully kerberized before introducing Solr into the mix. 2. To me, the key piece of that error message is: "Server not found in Kerberos database". That makes is sound like the hostname (or IP) one of your machines is using doesn't match anything the KDC knows about. Normally this is a DNS issue. Or if you used raw IPs when setting up your configuration, some of them might have changed. You can find a little more information here: https://steveloughran.gitbooks.io/kerberos_and_hadoop/content/sections/errors.html. (I can't recommend that guide enough btw. It doesn't cover Solr explicitly, but is great for an overview on Kerberos setup and debugging.) 3. For anyone on the list to help you much beyond that, you might have to add more information. What do the logs tell you when you enable Kerberos debug logging (-Dsun.security.krb5.debug=true)? What startup parameters are you using with Solr? Have you tested the Zookeeper Kerberization in isolation from Solr (i.e. with zkCli.sh)? What do your JAAS config files look like? As I said above, hopefully you've long since found your problem and this might be helpful for someone else down the road. But if you're still working on this, feel free to attach more information and maybe we can figure it out. Best, Jason On Thu, May 24, 2018 at 2:44 PM, adfel70 <adfe...@gmail.com> wrote: > Hi, > We are trying to configure Kerberos auth for Solr 6.5.1. > We went over the steps as described through Sorl’s ref guide, but after > restart we are getting the following error: > > org.apache.zookeeper.client.ZookeeperSaslClient; An error: > (java.security.PrivilegedActionException: javax.security.sasl. > SaslException: > GSS initiate failed [Caused by GSSException: No valid credentials provided > (Mechanism level: Server not found in Kerberos database (7))] occurred when > evaluating Zookeeper Quorum Member’s received SASL token. Zookeeper Client > will go to AUTH_FAILED state. > > We tested both of our keytab files (Zookeeper’s and Solr’s) using kinit and > everything looks fine. > > Our Zookeeper does not configured with Kerberos yet and ‘ruok’ command > response with ‘imok’ as expected. > > When examing Zokeeper’s logs we see the following: > Successfully logged in. > TGT refresh thread started. > TGT valid starting at: Thu May 21:39:10 ... > TGT expires: Fri May 25 07:39:44 ... > TGT refresh sleeping until: Fri May 25 05:55:44 ... > > Any idea what we can do? > Thanks. > > > > -- > Sent from: http://lucene.472066.n3.nabble.com/Solr-User-f472068.html >
