Andor,
this is a minimal krb5.conf file that is working from jdk8 to jdk13 and 
ZooKeeper.

Maybe you can compare it to yours and start dropping configuration lines that 
are not needed.

Java is adding more and more capabilities to its GSSAPI support, and this 
sometimes leads to behavior changes.


[libdefaults]
 default_realm = MYDOMAIN

[realms]
 MYDOMAIN  = {
  kdc = kerberos1.mydomain.com
  kdc = kerberos2.mydomain.com
  kdc = kerberos3.mydomain.com
 }



Enrico Olivelli
MagNews Platform Development Manager @ Diennea – MagNews
Tel.: (+39) 0546 066100 - Int. 125
Viale G.Marconi 30/14 - 48018 Faenza (RA)
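
An added example, not part of the original message: one way to do the comparison suggested above is to parse both krb5.conf files and list the settings that go beyond the minimal one, then remove them one at a time. The CANDIDATE text, its extra options and the function names are constructed for illustration; the options listed are candidates to test, not known causes of the error.

```python
import re

# Minimal file from the message above.
MINIMAL = """\
[libdefaults]
 default_realm = MYDOMAIN
[realms]
 MYDOMAIN = {
  kdc = kerberos1.mydomain.com
  kdc = kerberos2.mydomain.com
  kdc = kerberos3.mydomain.com
 }
"""

# Constructed sample of a fuller file; the extra options are illustrative only.
CANDIDATE = """\
[libdefaults]
 default_realm = MYDOMAIN
 renew_lifetime = 7d
 forwardable = true
[realms]
 MYDOMAIN = {
  kdc = kerberos1.mydomain.com
  admin_server = kerberos1.mydomain.com
 }
"""


def parse_krb5(text):
    """Return the set of (section, subsection, key) relations in a krb5.conf text."""
    keys, section, stack = set(), "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank line or comment
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, stack = m.group(1), []    # new [section] resets nesting
        elif line.startswith("}"):
            del stack[-1:]                     # close the innermost subsection
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                stack.append(key)              # open a subsection, e.g. a realm
            else:
                keys.add((section, "/".join(stack), key))
    return keys


def extra_settings(candidate, baseline=MINIMAL):
    """Settings present in candidate but absent from baseline, sorted."""
    return sorted(parse_krb5(candidate) - parse_krb5(baseline))
```
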



On 28/10/19, 17:56 "Enrico Olivelli" <eolive...@gmail.com> wrote:

    Andor

    On Mon, 28 Oct 2019, 17:44 Andor Molnar <an...@apache.org> wrote:

    > Hi,
    >
    > I’m facing the following error message when trying to run ZooKeeper 3.5.5
    > on Java 11 with Kerberos authentication:
    >
    > 2019-10-28 16:30:04,811 INFO
    > org.apache.zookeeper.server.ServerCnxnFactory: Using
    > org.apache.zookeeper.server.NIOServerCnxnFactory as server connection
    > factory
    > 2019-10-28 16:30:04,823 INFO org.apache.zookeeper.common.X509Util: Setting
    > -D jdk.tls.rejectClientInitiatedRenegotiation=true to disable
    > client-initiated TLS renegotiation
    > 2019-10-28 16:30:05,012 ERROR
    > org.apache.zookeeper.server.quorum.QuorumPeerMain: Unexpected exception,
    > exiting abnormally
    > java.io.IOException: Could not configure server because SASL configuration
    > did not allow the  ZooKeeper server to authenticate itself properly:
    > javax.security.auth.login.LoginException: Message stream modified (41)
    >         at org.apache.zookeeper.server.ServerCnxnFactory.configureSaslLogin(ServerCnxnFactory.java:243)
    >         at org.apache.zookeeper.server.NIOServerCnxnFactory.configure(NIOServerCnxnFactory.java:646)
    >         at org.apache.zookeeper.server.quorum.QuorumPeerMain.runFromConfig(QuorumPeerMain.java:148)
    >         at org.apache.zookeeper.server.quorum.QuorumPeerMain.initializeAndRun(QuorumPeerMain.java:123)
    >         at org.apache.zookeeper.server.quorum.QuorumPeerMain.main(QuorumPeerMain.java:82)
    > …
    >
    > zoo.cfg:
    > ————
    > tickTime=2000
    > initLimit=10
    > syncLimit=5
    >
    > 4lw.commands.whitelist=conf,cons,crst,dirs,dump,envi,gtmk,ruok,stmk,srst,srvr,stat,wchs,mntr,isro
    > dataDir=/var/lib/zookeeper
    > dataLogDir=/var/lib/zookeeper
    > clientPort=2181
    > maxClientCnxns=60
    > minSessionTimeout=4000
    > maxSessionTimeout=60000
    > autopurge.purgeInterval=24
    > autopurge.snapRetainCount=5
    > quorum.auth.enableSasl=true
    > quorum.cnxn.threads.size=20
    > admin.enableServer=false
    > admin.serverPort=5181
    > server.1=cdf1-dc1.mydomain.com:3181:4181
    > server.2=cdf1-dc2.mydomain.com:3181:4181
    > server.3=cdf1-dc3.mydomain.com:3181:4181
    > leaderServes=yes
    > authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
    > kerberos.removeHostFromPrincipal=true
    > kerberos.removeRealmFromPrincipal=true
    > quorum.auth.kerberos.servicePrincipal=zookeeper/_HOST
    > quorum.auth.learnerRequireSasl=true
    > quorum.auth.serverRequireSasl=true
    >
    > java -version:
    > ——————
    > openjdk version "11.0.4" 2019-07-16
    > OpenJDK Runtime Environment AdoptOpenJDK (build 11.0.4+11)
    > OpenJDK 64-Bit Server VM AdoptOpenJDK (build 11.0.4+11, mixed mode)
    >
    >
    > Has anyone seen this problem before?
    > What does the error message mean?
    >
    > Unfortunately we swallow the original exception in ServerCnxnFactory and
    > only log the message without stacktrace.
    >

    Did you enable debug?
    https://stackoverflow.com/questions/15382056/enable-detailed-logging-for-kerberos-in-java

    I remember we had some issue while switching from jdk8 to jdk9.

    There was something in krb.conf that was not compatible due to some
    stricter config check, but we didn't need that line and we dropped it.
    I can check only tomorrow at work.
    Unfortunately the Java Kerberos client is not so verbose.

    Can you share your krb config files? Without hostnames

    Enrico


    > Thanks,
    > Andor
    >
    >
    >


