Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Multi binder Multi Cluster kerberos jaas configuration fails with KRBError
See original GitHub issueEnvironment:
Multi binder kerberos setup as explained at https://kafka.apache.org/documentation/#security_client_staticjaas
Spring Configuration:
binders:
kafka1:
type: kafka
environment:
spring:
cloud:
stream:
kafka:
binder.brokers: broker1:port
binder.jaas.loginModule: com.sun.security.auth.module.Krb5LoginModule
binder.configuration.sasl.kerberos.service.name: svc_name_1
binder.configuration.security.protocol: SASL_SSL
binder.configuration.ssl.truststore.type: JKS
binder.configuration.ssl.truststore.location: [hidden]
binder.configuration.ssl.truststore.password: [hidden]
kafka2:
type: kafka
environment:
spring:
cloud:
stream:
kafka:
binder.brokers: broker2:port
binder.jaas.loginModule: com.sun.security.auth.module.Krb5LoginModule
binder.configuration.sasl.kerberos.service.name: svc_name_2
binder.configuration.security.protocol: SASL_SSL
binder.configuration.ssl.truststore.type: JKS
binder.configuration.ssl.truststore.location: [hidden]
binder.configuration.ssl.truststore.password: [hidden]
Error:
Entered Krb5Context.initSecContext with state=STATE_NEW Service ticket not found in the subject
Credentials serviceCredsSingle: same realm Using builtin default etypes for default_tgs_enctypes default etypes for default_tgs_enctypes: 18 17 16 23. EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType CksumType: sun.security.krb5.internal.crypto.HmacSha1Aes256CksumType EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType getKDCFromDNS using UDP KrbKdcReq send: kdc=[hidden]. TCP:88, timeout=30000, number of retries =3, #bytes=1530 KDCCommunication: kdc=[hidden]. TCP:88, timeout=30000,Attempt =1, #bytes=1530 DEBUG: TCPClient reading 125 bytes KrbKdcReq send: #bytes read=125 KdcAccessibility: remove [hidden].:88 KDCRep: init() encoding tag is 126 req type is 13 KRBError: sTime is Thu Jun 25 15:11:36 EDT 2020 1593112296000 suSec is 187798 error code is 7 error Message is Server not found in Kerberos database sname is svc_name_1/broker2 msgType is 30
Findings:
The service name from the first broker stays for all binders. The service name of the second binder should replace the first one.
Issue Analytics
- State:
- Created 3 years ago
- Reactions:2
- Comments:15 (6 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
I have not received much attention via webchat. Created https://issues.apache.org/jira/browse/KAFKA-10276 couple of weeks back no movement yet.
I am going to close this issue through some documentation updates. Feel free to re-open if you are still facing issues.