Hi,
I'm very certain this is due to an error in my jaas or krb5 conf files but
I can't seem to figure out where. My jaas.conf looks something like this:

    Client {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        keyTab="/etc/zkcli_app_eng.keytab"
        storeKey=true
        useTicketCache=false
        debug=true
        principal="[email protected]";
    };

But when ZK starts up it sends a TGT request as krbtgt/
[email protected], i.e., it shaves off the AY from the realm name (
BEE.SEE.NET is a valid realm in our setup but not the one I want to use). I
see the following log lines:

    msgType is 30
    sname is krbtgt/BEE.SEE.NET
    realm is AY.BEE.SEE.NET
    cname is zkcli
    crealm is AY.BEE.SEE.NET
    error Message is Server not found in Kerberos database
    error code is 7
    suSec is 157006
    sTime is Tue Aug 16 19:00:48 GMT 2016 1471374048000
    cTime is Fri Sep 30 18:19:26 GMT 2016 1475259566000

And a little earlier there was:

    Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/[email protected]
    Realm parseCapaths: no cfg entry
    Realm doInitialParse: cRealm=[AY.BEE.SEE.NET], sRealm=[BEE.SEE.NET]
    Service ticket not found in the subject
    Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Tue Aug 16 21:00:06 GMT 2016

I looked in the source code and the place I see that might be relevant is
Login.java where we have Login.getTGT() which tries to obtain a TGT by
seeing if there's a ticket in the Subject of the form krbtgt/REALM@REALM.
However, that part doesn't even get called since I don't even see the log
line at the start of the Login thread "TGT refresh thread started".
Any help would be much appreciated.
Thanks,
Irfan.
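
The KRB-ERROR dump quoted in the message above can be read mechanically. The following is an added example, not part of the original post or of ZooKeeper's code: it parses those debug fields and reports whether the refused request was for a local TGT (krbtgt/REALM@REALM) or a cross-realm one. The sample text is constructed from the log lines in the post, and the function names are hypothetical.

```python
import re

# Constructed sample: the KRB-ERROR fields quoted in the message above.
SAMPLE = """\
msgType is 30
sname is krbtgt/BEE.SEE.NET
realm is AY.BEE.SEE.NET
cname is zkcli
crealm is AY.BEE.SEE.NET
error Message is Server not found in Kerberos database
error code is 7
"""

# Only the fields needed for the diagnosis; "error Message" is skipped on purpose.
FIELD = re.compile(r"^\s*(msgType|sname|realm|cname|crealm|error code) is (.+?)\s*$")

# Error names from RFC 4120; only the code seen in the post is listed.
ERROR_NAMES = {"7": "KDC_ERR_S_PRINCIPAL_UNKNOWN"}


def parse_krb_error(text):
    """Collect the 'name is value' fields of one KRB-ERROR debug dump."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def classify(fields):
    """Describe which ticket the KDC refused, based on sname and realm."""
    if fields.get("msgType") != "30":  # 30 = KRB-ERROR in RFC 4120
        return "not a KRB-ERROR"
    sname, realm = fields.get("sname", ""), fields.get("realm", "")
    service, _, instance = sname.partition("/")
    code = fields.get("error code", "?")
    err = ERROR_NAMES.get(code, "error code " + code)
    if service != "krbtgt":
        return f"{err}: service ticket request for {sname} in {realm}"
    if instance == realm:
        return f"{err}: local TGT request in {realm}"
    # krbtgt/B in realm A is the ticket used to hop from realm A to realm B.
    return f"{err}: cross-realm TGT request {realm} -> {instance}"


if __name__ == "__main__":
    print(classify(parse_krb_error(SAMPLE)))
```
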