[
https://issues.apache.org/jira/browse/KUDU-3297?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Alexey Serbin reassigned KUDU-3297:
-----------------------------------
Assignee: Alexey Serbin
> KRPC connection negotiation fails with RedHat/CentOS
> cyrus-sasl-gssapi-2.1.27-5 for secure clusters
> ---------------------------------------------------------------------------------------------------
>
> Key: KUDU-3297
> URL: https://issues.apache.org/jira/browse/KUDU-3297
> Project: Kudu
> Issue Type: Bug
> Components: client, master, rpc, tserver
> Affects Versions: 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.8.0, 1.7.1,
> 1.9.0, 1.10.0, 1.10.1, 1.11.0, 1.12.0, 1.11.1, 1.13.0, 1.14.0, 1.15.0
> Reporter: Alexey Serbin
> Assignee: Alexey Serbin
> Priority: Critical
>
> With the recent CentOS/RedHat 8 update on the {{cyrus-sasl-gssapi}} package,
> Kudu servers and C++ clients can no longer negotiate connections when GSSAPI
> is involved (that's so for secure clusters where Kerberos-based
> authentication is a must). In other words, when the {{cyrus-sasl-gssapi}}
> package is upgraded to version {{2.1.27-5}}, secure Kudu clusters are no
> longer functional.
> The issue manifests itself by failed RPC connection negotiation with the
> following error logged along with the full connection negotiation trace:
> {noformat}
> Runtime error: SASL(-15): mechanism too weak for this user: Unable to find a
> callback: 32775"
> {noformat}
> The breaking change is in the following pull request for cyrus-sasl, which has
> been pulled into the {{cyrus-sasl-gssapi-2.1.27-5}} package:
> https://github.com/cyrusimap/cyrus-sasl/pull/603
> This patch is named
> {{cyrus-sasl-2.1.27-Add-support-for-setting-max-ssf-0-to-GSS-SPNEGO.patch}}
> in the SRPM for the {{cyrus-sasl}} package.