Integrating Kerberos with a Java application using JAAS

Aparajita Singh aparajita.1194 at gmail.com
Fri Jun 12 10:05:50 EDT 2020


Hi,

We are trying to migrate an unauthenticated ZooKeeper cluster to a Kerberos-
authenticated one. This guide
<https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+and+SASL>
was followed for configuring Kerberos on ZooKeeper, and this guide
<https://web.ornl.gov/~romeja/HowToKerb.html#Install>
was followed for setting up a KDC host.
The issue right now is that when the ZooKeeper shell client is used to request
some data, the service ticket issued by the KDC is not getting decrypted by the
server, due to which authentication is failing.

Has anyone faced this issue before? Any help would be appreciated.

*Setup:*
Principal name is zookeeper/stage-kdc-zk-2face@stage.fdp.kafka for both
server and client.

*Data request command:*
zookeeper-client -server stage-kdc-zk-2face:2181 get /test2

*Stack trace from client:*
Exception in thread "main"
org.apache.zookeeper.KeeperException$ConnectionLossException:
KeeperErrorCode = ConnectionLoss for /test2
at org.apache.zookeeper.KeeperException.create(KeeperException.java:99)
at org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
at org.apache.zookeeper.ZooKeeper.getData(ZooKeeper.java:1155)
at org.apache.zookeeper.ZooKeeper.getData(ZooKeeper.java:1184)
at org.apache.zookeeper.ZooKeeperMain.processZKCmd(ZooKeeperMain.java:717)
at org.apache.zookeeper.ZooKeeperMain.processCmd(ZooKeeperMain.java:591)
at org.apache.zookeeper.ZooKeeperMain.run(ZooKeeperMain.java:354)
at org.apache.zookeeper.ZooKeeperMain.main(ZooKeeperMain.java:282)

*Error in zookeeper server:*
2020-06-12 18:53:57,510 - WARN  [NIOServerCxn.Factory:
0.0.0.0/0.0.0.0:2181:ZooKeeperServer@969] - Client failed to SASL
authenticate: javax.security.sasl.SaslException: GSS initiate failed
[Caused by GSSException: Failure unspecified at GSS-API level (Mechanism
level: Invalid argument (400) - Cannot find key of appropriate type to
decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)]

*krb5kdc.log:*
Jun 12 18:53:57 stage-kdc-zk-2face krb5kdc[1391](info): AS_REQ (2 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.34.169.158:
ISSUE: authtime 1591968237, etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
zookeeper/stage-kdc-zk-2face@stage.fdp.kafka for
krbtgt/stage.fdp.kafka@stage.fdp.kafka
Jun 12 18:53:57 stage-kdc-zk-2face krb5kdc[1391](info): TGS_REQ (4 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23)}) 10.34.169.158:
ISSUE: authtime 1591968237, etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
zookeeper/stage-kdc-zk-2face@stage.fdp.kafka for
zookeeper/stage-kdc-zk-2face@stage.fdp.kafka

-- 
Thanks,
Aparajita
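The server-side error above is Java GSS reporting that no key in the service keytab matches the enctype of the ticket the KDC issued: krb5kdc.log shows the TGS_REQ answered with tkt=aes256-cts-hmac-sha1-96(18), so the keytab the ZooKeeper server's JAAS Server section points to must hold an aes256-cts-hmac-sha1-96 key for zookeeper/stage-kdc-zk-2face@stage.fdp.kafka with the current kvno. The quickest check is to list that keytab with `klist -kte` and compare it against the KDC's ISSUE line. The Python below is an added example, not code from the poster, from ZooKeeper or from MIT Kerberos: it parses a constructed `klist -kte` listing (the keytab path and its contents are assumptions) together with the post's own TGS_REQ line, and reports whether the keytab can decrypt that ticket.

```python
import re

# Constructed sample of `klist -kte <keytab>` output (not from the post): the
# service principal is present, but only with an AES128 key and an RC4 key.
SAMPLE_KEYTAB_LISTING = """\
Keytab name: FILE:/etc/zookeeper/zookeeper.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 06/12/2020 18:50:01 zookeeper/stage-kdc-zk-2face@stage.fdp.kafka (aes128-cts-hmac-sha1-96)
   2 06/12/2020 18:50:01 zookeeper/stage-kdc-zk-2face@stage.fdp.kafka (arcfour-hmac)
"""

# The TGS_REQ ISSUE line from the post's krb5kdc.log, re-joined onto one line
# and with '@' restored where the list archive printed ' at '.
SAMPLE_KDC_ISSUE = (
    "Jun 12 18:53:57 stage-kdc-zk-2face krb5kdc[1391](info): TGS_REQ (4 etypes "
    "{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), "
    "DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23)}) 10.34.169.158: "
    "ISSUE: authtime 1591968237, etypes {rep=aes256-cts-hmac-sha1-96(18), "
    "tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, "
    "zookeeper/stage-kdc-zk-2face@stage.fdp.kafka for "
    "zookeeper/stage-kdc-zk-2face@stage.fdp.kafka"
)

# One keytab entry: "   2 06/12/2020 18:50:01 principal@REALM (enctype)".
_KEYTAB_ENTRY = re.compile(r"^\s*(\d+)\s+.*?\s+(\S+@\S+)\s+\(([^)]+)\)\s*$")
# From the ISSUE line: the enctype the ticket itself is encrypted with, and
# the "client for service" pair at the end.
_TKT_ETYPE = re.compile(r"\btkt=([A-Za-z0-9-]+)\((\d+)\)")
_ISSUED_FOR = re.compile(r"\s(\S+@\S+) for (\S+@\S+)\s*$")


def parse_keytab_listing(text):
    """Return [(kvno, principal, enctype)] for each key in `klist -kte` output."""
    entries = []
    for line in text.splitlines():
        m = _KEYTAB_ENTRY.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def parse_kdc_issue(line):
    """Extract client, service principal and ticket enctype from a krb5kdc ISSUE line."""
    etype = _TKT_ETYPE.search(line)
    who = _ISSUED_FOR.search(line)
    if not etype or not who:
        raise ValueError("not an AS_REQ/TGS_REQ ISSUE line: %r" % line)
    return {
        "client": who.group(1),
        "service": who.group(2),
        "tkt_etype": etype.group(1),
        "tkt_etype_id": int(etype.group(2)),
    }


def check_keytab_can_decrypt(keytab_text, kdc_issue_line, expected_kvno=None):
    """Decide whether the service keytab can decrypt the ticket the KDC issued.

    Returns (True, "") when the keytab holds a key for the service principal
    with the ticket's enctype (and with expected_kvno, if given); otherwise
    (False, reason), where reason is what to fix.
    """
    issue = parse_kdc_issue(kdc_issue_line)
    keys = [k for k in parse_keytab_listing(keytab_text) if k[1] == issue["service"]]
    if not keys:
        return False, "principal %s is not in the keytab" % issue["service"]
    have = sorted({enc for _, _, enc in keys})
    if issue["tkt_etype"] not in have:
        return False, "ticket for %s uses %s but keytab only has %s" % (
            issue["service"], issue["tkt_etype"], ", ".join(have))
    if expected_kvno is not None and not any(
            kv == expected_kvno and enc == issue["tkt_etype"] for kv, _, enc in keys):
        return False, "no %s key with kvno %d (keytab kvnos: %s)" % (
            issue["tkt_etype"], expected_kvno, sorted({kv for kv, _, _ in keys}))
    return True, ""


if __name__ == "__main__":
    ok, why = check_keytab_can_decrypt(SAMPLE_KEYTAB_LISTING, SAMPLE_KDC_ISSUE)
    print("OK" if ok else "MISMATCH: " + why)
```

Run `klist -kte` on the keytab named in the server's JAAS Server section and feed its output to `check_keytab_can_decrypt`; pass `expected_kvno` from `kadmin getprinc` on the service principal to also catch a stale keytab. If the AES256 key is missing, the keytab has to be regenerated with that enctype. Two caveats: `kadmin ktadd` re-keys the principal and bumps its kvno, so when client and server share one principal (as in this post) both keytabs have to be regenerated together or the other side fails on the new kvno; and on JDKs older than 8u161 the Java Kerberos provider cannot use aes256-cts-hmac-sha1-96 keys without the unlimited-strength JCE policy files, which produces the same "Cannot find key of appropriate type" message even when the keytab is correct.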
