Hi,

We are trying to migrate an unauthenticated ZooKeeper cluster to a Kerberos-authenticated one. This guide <https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+and+SASL> was followed for configuring Kerberos on ZooKeeper, and this guide <https://web.ornl.gov/~romeja/HowToKerb.html#Install> was followed for setting up a KDC host. The issue right now is that when the ZooKeeper shell client is used to request some data, the service ticket issued by the KDC is not being decrypted by the server, because of which authentication is failing.

Has anyone faced this issue before? Any help would be appreciated.

*Setup:*
Principal name is zookeeper/stage-kdc-zk-2f...@stage.fdp.kafka for both server and client.

*Data request command:*
zookeeper-client -server stage-kdc-zk-2face:2181 get /test2

*Stack trace from client:*
Exception in thread "main" org.apache.zookeeper.KeeperException$ConnectionLossException: KeeperErrorCode = ConnectionLoss for /test2
    at org.apache.zookeeper.KeeperException.create(KeeperException.java:99)
    at org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
    at org.apache.zookeeper.ZooKeeper.getData(ZooKeeper.java:1155)
    at org.apache.zookeeper.ZooKeeper.getData(ZooKeeper.java:1184)
    at org.apache.zookeeper.ZooKeeperMain.processZKCmd(ZooKeeperMain.java:717)
    at org.apache.zookeeper.ZooKeeperMain.processCmd(ZooKeeperMain.java:591)
    at org.apache.zookeeper.ZooKeeperMain.run(ZooKeeperMain.java:354)
    at org.apache.zookeeper.ZooKeeperMain.main(ZooKeeperMain.java:282)

*Error in zookeeper server:*
2020-06-12 18:53:57,510 - WARN [NIOServerCxn.Factory: 0.0.0.0/0.0.0.0:2181:ZooKeeperServer@969] - Client failed to SASL authenticate: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)]

*krb5kdc.log:*
Jun 12 18:53:57 stage-kdc-zk-2face krb5kdc[1391](info): AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.34.169.158: ISSUE: authtime 1591968237, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, zookeeper/stage-kdc-zk-2f...@stage.fdp.kafka for krbtgt/stage.fdp.ka...@stage.fdp.kafka
Jun 12 18:53:57 stage-kdc-zk-2face krb5kdc[1391](info): TGS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23)}) 10.34.169.158: ISSUE: authtime 1591968237, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, zookeeper/stage-kdc-zk-2f...@stage.fdp.kafka for zookeeper/stage-kdc-zk-2f...@stage.fdp.kafka

--
Thanks,
Aparajita

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
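The server-side message in the post, "Cannot find key of appropriate type to decrypt ... AES256 CTS mode with HMAC SHA1-96", is the JVM's GSS layer saying it has no usable key for the service principal that matches the ticket it was handed. The krb5kdc.log line shows the KDC encrypted that service ticket with tkt=aes256-cts-hmac-sha1-96, so the first thing worth checking is whether the ZooKeeper keytab actually contains an aes256-cts-hmac-sha1-96 key for the service principal. The script below is an added example, not code from the original post, from ZooKeeper or from MIT Kerberos: it parses the output of `klist -kte` (the only real command it relies on; here replaced by constructed text so it runs offline) and the tkt= field of a krb5kdc.log line, and reports whether the keytab has a key of the enctype the KDC used. The principal `zookeeper/zk1.example.test@EXAMPLE.TEST`, the keytab path, the host names and both sample inputs are constructed placeholders.

```shell
#!/bin/sh
# Added diagnostic example (not from the original post): does the service keytab
# hold a key of the enctype the KDC actually issued the service ticket in?
# Principal, realm, hostname, keytab path and both sample inputs are constructed.

PRINC='zookeeper/zk1.example.test@EXAMPLE.TEST'   # hypothetical service principal

# Constructed `klist -kte /etc/security/keytabs/zookeeper.keytab` output for a
# keytab that was created without an aes256 key.
SAMPLE_KLIST='Keytab name: FILE:/etc/security/keytabs/zookeeper.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 06/12/2020 18:00:00 zookeeper/zk1.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   2 06/12/2020 18:00:00 zookeeper/zk1.example.test@EXAMPLE.TEST (arcfour-hmac)'

# Constructed listing of the same keytab after re-exporting the principal with
# all three enctypes (kvno bumped by the re-export).
FIXED_KLIST='Keytab name: FILE:/etc/security/keytabs/zookeeper.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 06/12/2020 19:00:00 zookeeper/zk1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   3 06/12/2020 19:00:00 zookeeper/zk1.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   3 06/12/2020 19:00:00 zookeeper/zk1.example.test@EXAMPLE.TEST (arcfour-hmac)'

# Constructed krb5kdc.log line with the same shape as the TGS_REQ line in the post.
SAMPLE_KDC_LOG='Jun 12 18:53:57 kdc1 krb5kdc[1391](info): TGS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23)}) 10.0.0.10: ISSUE: authtime 1591968237, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, zookeeper/zk1.example.test@EXAMPLE.TEST for zookeeper/zk1.example.test@EXAMPLE.TEST'

# keytab_etypes PRINCIPAL KLIST_OUTPUT
# Prints the sorted, unique enctypes stored for PRINCIPAL (the "(...)" suffix klist -e adds).
keytab_etypes() {
    printf '%s\n' "$2" | grep -F -- "$1" | sed -n 's/.*(\([^)]*\))[[:space:]]*$/\1/p' | sort -u
}

# kdc_tkt_etype KDC_LOG_LINE
# Prints the enctype the KDC used to encrypt the service ticket ("tkt=NAME(NUM)").
kdc_tkt_etype() {
    printf '%s\n' "$1" | sed -n 's/.*tkt=\([a-z0-9-]*\)(.*/\1/p' | head -n 1
}

# keytab_can_decrypt PRINCIPAL KLIST_OUTPUT KDC_LOG_LINE
# Exit 0 when the keytab has a key of the ticket's enctype, 1 otherwise
# (the latter is the situation behind "Cannot find key of appropriate type").
keytab_can_decrypt() {
    want=$(kdc_tkt_etype "$3")
    [ -n "$want" ] && keytab_etypes "$1" "$2" | grep -qx -- "$want"
}

# report PRINCIPAL KLIST_OUTPUT KDC_LOG_LINE: human-readable summary of the check.
report() {
    want=$(kdc_tkt_etype "$3")
    echo "KDC encrypted the service ticket with: $want"
    echo "Keytab enctypes for $1:"
    keytab_etypes "$1" "$2" | sed 's/^/    /'
    if keytab_can_decrypt "$1" "$2" "$3"; then
        echo "OK: keytab has a $want key (if auth still fails, compare the keytab kvno with the KDC's)"
    else
        echo "MISMATCH: no $want key in keytab; re-export the keytab so it includes that enctype"
    fi
}

report "$PRINC" "$SAMPLE_KLIST" "$SAMPLE_KDC_LOG"
echo
report "$PRINC" "$FIXED_KLIST" "$SAMPLE_KDC_LOG"
```

On a real host, replace the two constructed strings with `klist -kte /path/to/zookeeper.keytab` output and the matching TGS_REQ line from krb5kdc.log. The check only covers the enctype; two other causes of the same GSSException that it will not surface are a kvno in the keytab that no longer matches the KDC's (typically after the principal was re-keyed), and, on Java releases older than 8u161, AES-256 being unavailable to the JVM because the unlimited-strength JCE policy files were not installed.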