Thanks Enrico for the quick help. Here’s my krb5.conf:
[libdefaults]
default_realm = STREAMANALYTICS
dns_lookup_kdc = false
dns_lookup_realm = false
ticket_lifetime = 86400
renew_lifetime = 604800
forwardable = true
default_tgs_enctypes = aes256-cts aes128-cts des3-hmac-sha1 arcfour-hmac des3-hmac-sha1 des-cbc-md5
default_tkt_enctypes = aes256-cts aes128-cts des3-hmac-sha1 arcfour-hmac des3-hmac-sha1 des-cbc-md5
permitted_enctypes = aes256-cts aes128-cts des3-hmac-sha1 arcfour-hmac des3-hmac-sha1 des-cbc-md5
udp_preference_limit = 1
kdc_timeout = 3000

[realms]
STREAMANALYTICS = {
kdc = ldap0.mydomain.com
admin_server = ldap0.mydomain.com
}

[domain_realm]
;————

I wonder if the default encryption type settings could be the problem. I need to verify if it works with Java 8, because it might be a Java 11 or ZK 3.5 thing. Or both.

Andor

> On 2019. Oct 29., at 8:42, Enrico Olivelli - Diennea <enrico.olive...@diennea.com> wrote:
>
> Andor,
> this is a minimal krb5.conf file that is working from jdk8 to jdk13 and ZooKeeper
>
> maybe you can compare to your one and start dropping configuration lines that are not needed.
>
> Java is adding more and more capabilities to GSSAPI support and this sometimes leads to behavior changes
>
> [libdefaults]
> default_realm = MYDOMAIN
>
> [realms]
> MYDOMAIN = {
> kdc = kerberos1.mydomain.com
> kdc = kerberos2.mydomain.com
> kdc = kerberos3.mydomain.com
> }
>
> Enrico Olivelli
> MagNews Platform Development Manager @ Diennea – MagNews
> Tel.: (+39) 0546 066100 - Int. 125
> Viale G.Marconi 30/14 - 48018 Faenza (RA)
>
> On 28/10/19, 17:56 "Enrico Olivelli" <eolive...@gmail.com> wrote:
>
> Andor
>
> On Mon, 28 Oct 2019, 17:44 Andor Molnar <an...@apache.org> wrote:
>
>> Hi,
>>
>> I’m facing the following error message when trying to run ZooKeeper 3.5.5 on Java 11 with Kerberos authentication:
>>
>> 2019-10-28 16:30:04,811 INFO org.apache.zookeeper.server.ServerCnxnFactory: Using org.apache.zookeeper.server.NIOServerCnxnFactory as server connection factory
>> 2019-10-28 16:30:04,823 INFO org.apache.zookeeper.common.X509Util: Setting -D jdk.tls.rejectClientInitiatedRenegotiation=true to disable client-initiated TLS renegotiation
>> 2019-10-28 16:30:05,012 ERROR org.apache.zookeeper.server.quorum.QuorumPeerMain: Unexpected exception, exiting abnormally
>> java.io.IOException: Could not configure server because SASL configuration did not allow the ZooKeeper server to authenticate itself properly: javax.security.auth.login.LoginException: Message stream modified (41)
>> at org.apache.zookeeper.server.ServerCnxnFactory.configureSaslLogin(ServerCnxnFactory.java:243)
>> at org.apache.zookeeper.server.NIOServerCnxnFactory.configure(NIOServerCnxnFactory.java:646)
>> at org.apache.zookeeper.server.quorum.QuorumPeerMain.runFromConfig(QuorumPeerMain.java:148)
>> at org.apache.zookeeper.server.quorum.QuorumPeerMain.initializeAndRun(QuorumPeerMain.java:123)
>> at org.apache.zookeeper.server.quorum.QuorumPeerMain.main(QuorumPeerMain.java:82)
>> …
>>
>> zoo.cfg:
>> ————
>> tickTime=2000
>> initLimit=10
>> syncLimit=5
>>
>> 4lw.commands.whitelist=conf,cons,crst,dirs,dump,envi,gtmk,ruok,stmk,srst,srvr,stat,wchs,mntr,isro
>> dataDir=/var/lib/zookeeper
>> dataLogDir=/var/lib/zookeeper
>> clientPort=2181
>> maxClientCnxns=60
>> minSessionTimeout=4000
>> maxSessionTimeout=60000
>> autopurge.purgeInterval=24
>> autopurge.snapRetainCount=5
>> quorum.auth.enableSasl=true
>> quorum.cnxn.threads.size=20
>> admin.enableServer=false
>> admin.serverPort=5181
>> server.1=cdf1-dc1.mydomain.com:3181:4181
>> server.2=cdf1-dc2.mydomain.com:3181:4181
>> server.3=cdf1-dc3.mydomain.com:3181:4181
>> leaderServes=yes
>> authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
>> kerberos.removeHostFromPrincipal=true
>> kerberos.removeRealmFromPrincipal=true
>> quorum.auth.kerberos.servicePrincipal=zookeeper/_HOST
>> quorum.auth.learnerRequireSasl=true
>> quorum.auth.serverRequireSasl=true
>>
>> java -version:
>> ——————
>> openjdk version "11.0.4" 2019-07-16
>> OpenJDK Runtime Environment AdoptOpenJDK (build 11.0.4+11)
>> OpenJDK 64-Bit Server VM AdoptOpenJDK (build 11.0.4+11, mixed mode)
>>
>> Has anyone seen this problem before?
>> What does the error message mean?
>>
>> Unfortunately we swallow the original exception in ServerCnxnFactory and only log the message without stacktrace.
>
> Did you enable debug?
>
> https://stackoverflow.com/questions/15382056/enable-detailed-logging-for-kerberos-in-java
>
> I remember we had some issue while switching from jdk8 to jdk9
>
> There was something in krb.conf that was not compatible due to some stricter config check but we didn't need that line and we dropped it.
> I can check only tomorrow at work.
> Unfortunately java Kerberos client is not so verbose.
>
> Can you share your krb config files? Without hostnames
>
> Enrico
>
>> Thanks,
>> Andor
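As an added example (my own code, not anything from this thread, from ZooKeeper or from the Kerberos libraries), a small Python parser for the krb5.conf layout shown above; it lists the top-level directives a full file carries beyond a minimal one (the candidates to drop one at a time, as Enrico suggests) and flags the RC4 and DES-family enctypes in the `*_enctypes` lists that Andor suspects. The two sample configs are constructed, modelled on the ones in the thread, and the `WEAK_ENCTYPES` set is my own choice.

```python
import re

# RC4 and DES-family enctypes a defender would rather not see permitted (my own list).
WEAK_ENCTYPES = {"arcfour-hmac", "arcfour-hmac-md5", "des-cbc-md5", "des-cbc-crc", "des3-hmac-sha1"}

# Constructed samples modelled on the two files in the thread (not copied verbatim).
FULL_CONF = """[libdefaults]
default_realm = STREAMANALYTICS
renew_lifetime = 604800
permitted_enctypes = aes256-cts aes128-cts des3-hmac-sha1 arcfour-hmac des-cbc-md5
[realms]
STREAMANALYTICS = {
kdc = ldap0.mydomain.com
}
"""
MINIMAL_CONF = "[libdefaults]\ndefault_realm = MYDOMAIN\n[realms]\nMYDOMAIN = {\nkdc = kerberos1.mydomain.com\nkdc = kerberos2.mydomain.com\n}\n"

def parse_krb5_conf(text):
    """Return {section: {key: value}}; 'NAME = { ... }' blocks nest as dicts of lists, since 'kdc' may repeat."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()  # drop ';' and '#' comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):       # [section] header
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif line == "}":                                      # end of a realm block
            block = None
        else:
            m = re.match(r"^(\S+)\s*=\s*(.*)$", line)
            if not m or section is None:
                raise ValueError(f"unparseable line: {raw!r}")
            key, value = m.group(1), m.group(2).strip()
            if value == "{":                                   # 'REALM = {' opens a block
                block, conf[section][key] = key, {}
            elif block is not None:
                conf[section][block].setdefault(key, []).append(value)
            else:
                conf[section][key] = value
    return conf

def extra_directives(full, minimal):
    """Per section, top-level keys in `full` that `minimal` does without (candidates to drop one by one)."""
    diff = {s: sorted(set(keys) - set(minimal.get(s, {}))) for s, keys in full.items()}
    return {s: keys for s, keys in diff.items() if keys}

def weak_enctypes(conf):
    """Weak enctypes named by any *_enctypes directive in [libdefaults]."""
    return sorted({e for k, v in conf.get("libdefaults", {}).items() if k.endswith("_enctypes") for e in v.split() if e in WEAK_ENCTYPES})
```

Running `extra_directives(parse_krb5_conf(FULL_CONF), parse_krb5_conf(MINIMAL_CONF))` gives the [libdefaults] keys to try removing first, and `weak_enctypes(...)` shows which of the listed enctypes the KDC would still be allowed to negotiate.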