Zookeeper configures the pit of kerberos authentication 04/22 Update SLTechnology News&Howtos

Zookeeper configures the pit of kerberos authentication

2025-04-22 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Internet Technology >

Shulou(Shulou.com)06/03 Report--

After zookeeper is configured with kerberos, the zkCli.sh connection authentication fails.

Connection command: zkCli.sh

The error is as follows:

WatchedEvent state:SyncConnected type:None path:null2017-08-21 10 ERROR 11V 42054 [myid:]-ERROR [main-SendThread (localhost:2181): ZooKeeperSaslClient@308]-An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7)-LOOKING_UP_SERVER)]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state.2017-08-21 10 ERROR 11main-SendThread 42054 [myid:]-ERROR [main-SendThread (localhost:2181): ClientCnxn$SendThread@1072]-SASL authentication with Zookeeper Quorum member failed: javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7)-LOOKING_UP_SERVER)]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state.

After searching for a long time, I finally found a clue in kdc's log, as follows

Aug 21 10:11:42 master krb5kdc [21935] (info): TGS_REQ (6 etypes {18 17 16 23 13}) 192.168.100.144: LOOKING_UP_SERVER: authtime 0, zkcli@NETEASE.COM for zookeeper/localhost@NETEASE.COM, Server not found in Kerberos database

Reason analysis: 1. In the authentication request of zookeeper, the default principall of zookeeper should be zookeeper/@.

2. When using zkCli.sh method to request, the default host should be localhost.

Therefore, it is found that the client request is authenticated with the principal of zookeeper/localhost@NETEASE.COM in kdc, but there is no such principal in the database of kerberos.

Solution: use zkCli.sh-server host:port access. At the same time, the principal in the sever part of the zookeeper configuration file must be zookeeper/@.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.