//server is using a JAAS-authenticated subject: determine service principal name and hostname from kafka server's subject.

Elevated-privilege authentication is implemented through the Kafka subject, so when you establish your Kerberos SASL server authenticator, SaslServerAuthenticator(String node, final Subject subject, KerberosShortNamer kerberosNameParser, String host, int maxReceiveSize), what did you set your Kafka subject to? Hint: if your subject does not have permission, it will fail auth. See https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/single-signon.html (Single Sign-on Using Kerberos in Java, Oracle).

________________________________
From: HE Ye <ye...@alcatel-lucent.com>
Sent: Friday, November 4, 2016 5:34 AM
To: users@kafka.apache.org; yassine chantit
Subject: RE: SASL error when trying to connect kafka to kerberos server

Hi,

This is my server.properties (it works fine in SSL mode):

listeners=PLAINTEXT://10.160.32.151:9092,SSL://10.160.32.151:9093,SASL_SSL://10.160.32.151:9094
ssl.keystore.location=/root/server.keystore.jks
ssl.keystore.password=test1234
ssl.key.password=test1234
ssl.truststore.location=/root/server.truststore.jks
ssl.truststore.password=test1234
security.inter.broker.protocol=SASL_SSL
sasl.mechanism.inter.broker.protocol=GSSAPI
sasl.enabled.mechanisms=GSSAPI
sasl.kerberos.service.name=kafka

Thanks,
Ye

-----Original Message-----
From: Yacine Chantit [mailto:yaschan...@yahoo.fr.INVALID]
Sent: Friday, November 04, 2016 5:21 PM
To: users@kafka.apache.org; yassine chantit <yaschan...@yahoo.fr>
Subject: Re: SASL error when trying to connect kafka to kerberos server

Are you specifying the option "--security-protocol SASL_PLAINTEXT" in your command as well?

> On 4 Nov 2016 at 08:56, yassine chantit <yaschan...@yahoo.fr.INVALID> wrote:
>
> Hi,
> Did you have in your jaas conf a section to configure the zookeeper client to use kerberos as well? Something like this:
>
> Client {
>   com.sun.security.auth.module.Krb5LoginModule required
>   useKeyTab=true
>   keyTab="/path/to/client/keytab"
>   storeKey=true
>   useTicketCache=true
>   principal="yourzookeeperclient";
> };
>
> On Friday, 4 November 2016 at 8:47, HE Ye <ye...@alcatel-lucent.com> wrote:
> >
> > Hello expert,
> >
> > I need help with the following error. I was trying to connect kafka to the kerberos server to verify SASL. I see this error when ZkClient tries to authenticate with the zookeeper server. In the Kerberos logs I see tickets being exchanged. I followed everything in the documentation. Couldn't figure out why it failed.
> >
> > zookeeper log:
> >
> > [2016-11-03 09:01:01,149] INFO Accepted socket connection from /127.0.0.1:55176 (org.apache.zookeeper.server.NIOServerCnxnFactory)
> > [2016-11-03 09:01:01,154] INFO Client attempting to establish new session at /127.0.0.1:55176 (org.apache.zookeeper.server.ZooKeeperServer)
> > [2016-11-03 09:01:01,159] INFO Established session 0x1582a4ef33d0005 with negotiated timeout 6000 for client /127.0.0.1:55176 (org.apache.zookeeper.server.ZooKeeperServer)
> > [2016-11-03 09:01:01,182] ERROR cnxn.saslServer is null: cnxn object did not initialize its saslServer properly. (org.apache.zookeeper.server.ZooKeeperServer)
> > [2016-11-03 09:01:01,550] WARN caught end of stream exception (org.apache.zookeeper.server.NIOServerCnxn)
> > EndOfStreamException: Unable to read additional data from client sessionid 0x1582a4ef33d0005, likely client has closed socket
> >         at org.apache.zookeeper.server.NIOServerCnxn.doIO(NIOServerCnxn.java:228)
> >         at org.apache.zookeeper.server.NIOServerCnxnFactory.run(NIOServerCnxnFactory.java:208)
> >         at java.lang.Thread.run(Thread.java:745)
> > [2016-11-03 09:01:01,551] INFO Closed socket connection for client /127.0.0.1:55176 which had sessionid 0x1582a4ef33d0005 (org.apache.zookeeper.server.NIOServerCnxn)
> > [2016-11-03 09:01:09,004] INFO Expiring session 0x1582a4ef33d0005, timeout of 6000ms exceeded (org.apache.zookeeper.server.ZooKeeperServer)
> > [2016-11-03 09:01:09,006] INFO Processed session termination for sessionid: 0x1582a4ef33d0005 (org.apache.zookeeper.server.PrepRequestProcessor)
> >
> > kafka log:
> >
> > [2016-11-03 09:01:01,118] INFO TGT valid starting at: Thu Nov 03 09:00:54 CDT 2016 (org.apache.zookeeper.Login)
> > [2016-11-03 09:01:01,119] INFO TGT expires: Fri Nov 04 09:00:54 CDT 2016 (org.apache.zookeeper.Login)
> > [2016-11-03 09:01:01,119] INFO TGT refresh sleeping until: Fri Nov 04 04:53:02 CDT 2016 (org.apache.zookeeper.Login)
> > [2016-11-03 09:01:01,151] INFO Socket connection established to localhost.localdomain/127.0.0.1:2181, initiating session (org.apache.zookeeper.ClientCnxn)
> > [2016-11-03 09:01:01,161] INFO Session establishment complete on server localhost.localdomain/127.0.0.1:2181, sessionid = 0x1582a4ef33d0005, negotiated timeout = 6000 (org.apache.zookeeper.ClientCnxn)
> > [2016-11-03 09:01:01,163] INFO zookeeper state changed (SyncConnected) (org.I0Itec.zkclient.ZkClient)
> > [2016-11-03 09:01:01,182] ERROR SASL authentication failed using login context 'Client'. (org.apache.zookeeper.client.ZooKeeperSaslClient)
> > [2016-11-03 09:01:01,183] INFO zookeeper state changed (AuthFailed) (org.I0Itec.zkclient.ZkClient)
> > [2016-11-03 09:01:01,183] INFO Terminate ZkClient event thread. (org.I0Itec.zkclient.ZkEventThread)
> > [2016-11-03 09:01:01,184] FATAL Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
> > org.I0Itec.zkclient.exception.ZkAuthFailedException: Authentication failure
> >         at org.I0Itec.zkclient.ZkClient.waitForKeeperState(ZkClient.java:946)
> >         at org.I0Itec.zkclient.ZkClient.waitUntilConnected(ZkClient.java:923)
> >         at org.I0Itec.zkclient.ZkClient.connect(ZkClient.java:1230)
> >         at org.I0Itec.zkclient.ZkClient.<init>(ZkClient.java:156)
> >         at org.I0Itec.zkclient.ZkClient.<init>(ZkClient.java:130)
> >         at kafka.utils.ZkUtils$.createZkClientAndConnection(ZkUtils.scala:75)
> >         at kafka.utils.ZkUtils$.apply(ZkUtils.scala:57)
> >         at kafka.server.KafkaServer.initZk(KafkaServer.scala:294)
> >         at kafka.server.KafkaServer.startup(KafkaServer.scala:180)
> >         at kafka.server.KafkaServerStartable.startup(KafkaServerStartable.scala:37)
> >         at kafka.Kafka$.main(Kafka.scala:67)
> >         at kafka.Kafka.main(Kafka.scala)
> > [2016-11-03 09:01:01,193] INFO shutting down (kafka.server.KafkaServer)
> > [2016-11-03 09:01:01,199] INFO shut down completed (kafka.server.KafkaServer)
> >
> > Kerberos logs
> >
> > Nov 03 09:00:54 YeTarget51-0-0-1 krb5kdc[1178](info): AS_REQ (4 etypes {18 17 16 23}) 10.160.32.151: ISSUE: authtime 1478181654, etypes {rep=18 tkt=18 ses=18}, kafka/kaf...@example.com for krbtgt/example....@example.com
> > Nov 03 09:00:54 YeTarget51-0-0-1 krb5kdc[1178](info): TGS_REQ (4 etypes {18 17 16 23}) 10.160.32.151: ISSUE: authtime 1478181654, etypes {rep=18 tkt=18 ses=18}, kafka/kaf...@example.com for zookeeper/localhost.localdom...@example.com
> >
> > Thanks,
> > Ye
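The advice in the thread comes down to two things: the broker's JAAS file needs a `Client` login context for the ZooKeeper client in addition to the `KafkaServer` context, and the principal the broker logs in as has to match the service name it advertises (`sasl.kerberos.service.name=kafka` in the server.properties above). The following is an added pre-flight check, not code from the thread or from the Kafka project: it parses a JAAS file and reports the omissions that produce the `SASL authentication failed using login context 'Client'` failure seen in the kafka log. The embedded JAAS text, keytab paths and principals are constructed placeholders; the parser assumes the one-login-module-per-section layout Kafka and ZooKeeper use.

```python
import re

# Constructed sample JAAS file (not from the thread): a KafkaServer context for
# the broker's own SASL listener plus the Client context that ZooKeeper's client
# library uses when it authenticates to ZooKeeper. Paths and principals are
# placeholders.
SAMPLE_JAAS = """
KafkaServer {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab="/etc/security/keytabs/kafka.keytab"
    principal="kafka/broker.example.com@EXAMPLE.COM";
};

Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    useTicketCache=true
    keyTab="/etc/security/keytabs/kafka.keytab"
    principal="kafka/broker.example.com@EXAMPLE.COM";
};
"""

KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule"
SECTION_RE = re.compile(r'(\w+)\s*\{(.*?)\}\s*;', re.S)
OPTION_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PRINCIPAL_RE = re.compile(r'^([^/@]+)/([^/@]+)@([^/@]+)$')  # service/host@REALM


def parse_jaas(text):
    """Parse JAAS login contexts into {name: {"module", "flag", "options"}}.

    Lines starting with // are treated as comments and dropped.
    """
    text = "\n".join(l for l in text.splitlines() if not l.strip().startswith("//"))
    sections = {}
    for name, body in SECTION_RE.findall(text):
        body = body.strip().rstrip(";")
        tokens = body.split(None, 2)  # login module class, control flag, options
        module = tokens[0] if tokens else ""
        flag = tokens[1] if len(tokens) > 1 else ""
        rest = tokens[2] if len(tokens) > 2 else ""
        options = {k: v.strip('"') for k, v in OPTION_RE.findall(rest)}
        sections[name] = {"module": module, "flag": flag, "options": options}
    return sections


def check_sections(sections, service_name="kafka"):
    """Return a list of problems; an empty list means the JAAS file passes."""
    problems = []
    for name in ("KafkaServer", "Client"):
        sec = sections.get(name)
        if sec is None:
            problems.append(f"missing '{name}' section")
            continue
        opts = sec["options"]
        if sec["module"] != KRB5_MODULE:
            problems.append(f"{name}: module is {sec['module'] or '(none)'}, expected {KRB5_MODULE}")
        if not opts.get("principal"):
            problems.append(f"{name}: no principal set")
        if opts.get("useKeyTab") == "true" and not opts.get("keyTab"):
            problems.append(f"{name}: useKeyTab=true but no keyTab path")
        if opts.get("useKeyTab") != "true" and opts.get("useTicketCache") != "true":
            problems.append(f"{name}: neither a keytab nor a ticket cache is enabled")
    # The broker's own principal must be service/host@REALM and the service part
    # must equal sasl.kerberos.service.name, or clients request tickets for a
    # service the broker cannot accept.
    ks = sections.get("KafkaServer")
    if ks and ks["options"].get("principal"):
        m = PRINCIPAL_RE.match(ks["options"]["principal"])
        if not m:
            problems.append("KafkaServer: principal is not of the form service/host@REALM")
        elif m.group(1) != service_name:
            problems.append(f"KafkaServer: principal service part '{m.group(1)}' "
                            f"!= sasl.kerberos.service.name '{service_name}'")
    return problems


def check_file(path, service_name="kafka"):
    """Run the check against a JAAS file on disk."""
    with open(path, encoding="utf-8") as fh:
        return check_sections(parse_jaas(fh.read()), service_name)


if __name__ == "__main__":
    found = check_sections(parse_jaas(SAMPLE_JAAS))
    print("JAAS file OK" if not found else "\n".join(found))
```

Point `check_file` at the file named in the broker's `java.security.auth.login.config` system property before starting the broker; a missing `Client` context is reported directly rather than surfacing later as `ZkAuthFailedException` during `KafkaServer.initZk`.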