Hi,

Thanks for the reply.

I configured kafka_server_jaas.conf as written in the documentation:

    KafkaServer {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        storeKey=true
        useTicketCache=false
        keyTab="/root/downloads/kafka_2.11-0.10.0.0/config/kafka_server1.keytab"
        principal="kafka/kaf...@example.com";
    };

    // Zookeeper client authentication
    Client {
       com.sun.security.auth.module.Krb5LoginModule required
       useTicketCache=true;
       useKeyTab=true
       storeKey=true
       //useTicketCache=false
       keyTab="/root/downloads/kafka_2.11-0.10.0.0/config/kafka_server1.keytab"
       principal="kafka/kaf...@example.com";
    };

Regards,
Ye
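
A pre-flight check for a JAAS file like the one above, as an added example that is not part of the original message: it parses the file with a simplified tokenizer for the JAAS login-configuration grammar and reports either a syntax error or a missing `KafkaServer` or `Client` section. The function names and the sample file (paths, principals) are constructed for illustration.

```python
import re

# JAAS tokens; quoted strings come first so "//" inside a path is not a comment.
_TOKEN = re.compile(r'"[^"]*"|//[^\n]*|/\*.*?\*/|[{};=]|[^\s{};="]+', re.S)
_FLAGS = {"required", "requisite", "sufficient", "optional"}

def parse_jaas(text):
    """Return {section: [(module, flag, options)]}; ValueError on a syntax error."""
    t = [x for x in _TOKEN.findall(text) if x[:2] not in ("//", "/*")] + [""] * 3
    sections, i = {}, 0
    while t[i]:
        name = t[i]
        if t[i + 1] != "{":
            raise ValueError(f"{name}: expected '{{' after section name")
        entries, i = sections.setdefault(name, []), i + 2
        while t[i] not in ("}", ""):
            module, flag = t[i], t[i + 1]
            if flag.lower() not in _FLAGS:
                raise ValueError(f"{name}: {module!r} lacks a control flag (stray ';' before it?)")
            i, opts = i + 2, {}
            while t[i + 1] == "=":      # key = value pairs up to the closing ';'
                opts[t[i]] = t[i + 2].strip('"')
                i += 3
            if t[i] != ";":
                raise ValueError(f"{name}: entry for {module} is not closed by ';'")
            entries.append((module, flag, opts))
            i += 1
        if (t[i], t[i + 1]) != ("}", ";"):
            raise ValueError(f"{name}: section is not closed by '}};'")
        i += 2
    return sections

def check_broker_jaas(text, required=("KafkaServer", "Client")):
    """Return a list of problems: a syntax error, or required sections absent."""
    try:
        sections = parse_jaas(text)
    except ValueError as err:
        return [str(err)]
    return [f"missing section {s!r}" for s in required if s not in sections]

# Constructed sample (paths and principals are placeholders, not from the thread).
SAMPLE = '''KafkaServer {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true keyTab="/etc/kafka/kafka.keytab" principal="kafka/broker1@EXAMPLE.COM";
};
Client {
  com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
  useKeyTab=true keyTab="/etc/kafka/kafka.keytab" principal="kafka/broker1@EXAMPLE.COM";
};'''
```

In the JAAS grammar a `;` closes a login-module entry, so the parser reads whatever follows it as the next module's class name; that is the case the sample exercises.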

-----Original Message-----
From: yassine chantit [mailto:yaschan...@yahoo.fr.INVALID] 
Sent: Friday, November 04, 2016 4:57 PM
To: users@kafka.apache.org
Subject: Re: SASL error when tring to connect kafka to kerberos server

Hi,

Did you have in your jaas conf a section to configure zookeeper client to use kerberos as well? Something like this:

    Client {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        keyTab="/path/to/client/keytab"
        storeKey=true
        useTicketCache=true
        principal="yourzookeeperclient";
    };
 

    On Friday, November 4, 2016 at 8:47, HE Ye <ye...@alcatel-lucent.com> wrote:
 

 

Hello expert,

I need help with the following error. I was trying to connect kafka to the Kerberos
server to verify SASL. I see this error when ZkClient tries to authenticate
with the zookeeper server. In the Kerberos logs I see tickets being exchanged.
I followed everything in the documentation. Couldn't figure out why it failed.

zookeeper log:

[2016-11-03 09:01:01,149] INFO Accepted socket connection from /127.0.0.1:55176 (org.apache.zookeeper.server.NIOServerCnxnFactory)
[2016-11-03 09:01:01,154] INFO Client attempting to establish new session at /127.0.0.1:55176 (org.apache.zookeeper.server.ZooKeeperServer)
[2016-11-03 09:01:01,159] INFO Established session 0x1582a4ef33d0005 with negotiated timeout 6000 for client /127.0.0.1:55176 (org.apache.zookeeper.server.ZooKeeperServer)
[2016-11-03 09:01:01,182] ERROR cnxn.saslServer is null: cnxn object did not initialize its saslServer properly. (org.apache.zookeeper.server.ZooKeeperServer)
[2016-11-03 09:01:01,550] WARN caught end of stream exception (org.apache.zookeeper.server.NIOServerCnxn)
EndOfStreamException: Unable to read additional data from client sessionid 0x1582a4ef33d0005, likely client has closed socket
        at org.apache.zookeeper.server.NIOServerCnxn.doIO(NIOServerCnxn.java:228)
        at org.apache.zookeeper.server.NIOServerCnxnFactory.run(NIOServerCnxnFactory.java:208)
        at java.lang.Thread.run(Thread.java:745)
[2016-11-03 09:01:01,551] INFO Closed socket connection for client /127.0.0.1:55176 which had sessionid 0x1582a4ef33d0005 (org.apache.zookeeper.server.NIOServerCnxn)
[2016-11-03 09:01:09,004] INFO Expiring session 0x1582a4ef33d0005, timeout of 6000ms exceeded (org.apache.zookeeper.server.ZooKeeperServer)
[2016-11-03 09:01:09,006] INFO Processed session termination for sessionid: 0x1582a4ef33d0005 (org.apache.zookeeper.server.PrepRequestProcessor)

kafka log:
[2016-11-03 09:01:01,118] INFO TGT valid starting at:        Thu Nov 03 09:00:54 CDT 2016 (org.apache.zookeeper.Login)
[2016-11-03 09:01:01,119] INFO TGT expires:                  Fri Nov 04 09:00:54 CDT 2016 (org.apache.zookeeper.Login)
[2016-11-03 09:01:01,119] INFO TGT refresh sleeping until: Fri Nov 04 04:53:02 CDT 2016 (org.apache.zookeeper.Login)
[2016-11-03 09:01:01,151] INFO Socket connection established to localhost.localdomain/127.0.0.1:2181, initiating session (org.apache.zookeeper.ClientCnxn)
[2016-11-03 09:01:01,161] INFO Session establishment complete on server localhost.localdomain/127.0.0.1:2181, sessionid = 0x1582a4ef33d0005, negotiated timeout = 6000 (org.apache.zookeeper.ClientCnxn)
[2016-11-03 09:01:01,163] INFO zookeeper state changed (SyncConnected) (org.I0Itec.zkclient.ZkClient)
[2016-11-03 09:01:01,182] ERROR SASL authentication failed using login context 'Client'. (org.apache.zookeeper.client.ZooKeeperSaslClient)
[2016-11-03 09:01:01,183] INFO zookeeper state changed (AuthFailed) (org.I0Itec.zkclient.ZkClient)
[2016-11-03 09:01:01,183] INFO Terminate ZkClient event thread. (org.I0Itec.zkclient.ZkEventThread)
[2016-11-03 09:01:01,184] FATAL Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
org.I0Itec.zkclient.exception.ZkAuthFailedException: Authentication failure
        at org.I0Itec.zkclient.ZkClient.waitForKeeperState(ZkClient.java:946)
        at org.I0Itec.zkclient.ZkClient.waitUntilConnected(ZkClient.java:923)
        at org.I0Itec.zkclient.ZkClient.connect(ZkClient.java:1230)
        at org.I0Itec.zkclient.ZkClient.<init>(ZkClient.java:156)
        at org.I0Itec.zkclient.ZkClient.<init>(ZkClient.java:130)
        at kafka.utils.ZkUtils$.createZkClientAndConnection(ZkUtils.scala:75)
        at kafka.utils.ZkUtils$.apply(ZkUtils.scala:57)
        at kafka.server.KafkaServer.initZk(KafkaServer.scala:294)
        at kafka.server.KafkaServer.startup(KafkaServer.scala:180)
        at kafka.server.KafkaServerStartable.startup(KafkaServerStartable.scala:37)
        at kafka.Kafka$.main(Kafka.scala:67)
        at kafka.Kafka.main(Kafka.scala)
[2016-11-03 09:01:01,193] INFO shutting down (kafka.server.KafkaServer)
[2016-11-03 09:01:01,199] INFO shut down completed (kafka.server.KafkaServer)

Kerberos logs

Nov 03 09:00:54 YeTarget51-0-0-1 krb5kdc[1178](info): AS_REQ (4 etypes {18 17 16 23}) 10.160.32.151: ISSUE: authtime 1478181654, etypes {rep=18 tkt=18 ses=18}, kafka/kaf...@example.com for krbtgt/example....@example.com
Nov 03 09:00:54 YeTarget51-0-0-1 krb5kdc[1178](info): TGS_REQ (4 etypes {18 17 16 23}) 10.160.32.151: ISSUE: authtime 1478181654, etypes {rep=18 tkt=18 ses=18}, kafka/kaf...@example.com for zookeeper/localhost.localdom...@example.com


Thanks,
Ye


   
