zookeeper-dev mailing list archives

From "Stephane Maarek (JIRA)" <j...@apache.org>
Subject [jira] [Created] (ZOOKEEPER-3206) Can't use Active Directory for Kerberos Authentication
Date Mon, 03 Dec 2018 14:24:00 GMT
Stephane Maarek created ZOOKEEPER-3206:

             Summary: Can't use Active Directory for Kerberos Authentication
                 Key: ZOOKEEPER-3206
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3206
             Project: ZooKeeper
          Issue Type: Bug
          Components: kerberos
    Affects Versions: 3.4.13
            Reporter: Stephane Maarek

We're using Active Directory, and created service principals this way:

ktpass -princ ZOOKEEPER/host-1@TEST -mapuser zookeeper -mapOp  add -Target TEST
ktpass -princ ZOOKEEPER/host-2@TEST -mapuser zookeeper -mapOp  add -Target TEST
ktpass -princ ZOOKEEPER/host-3@TEST -mapuser zookeeper -mapOp  add -Target TEST

Using this format, one is not able to do {code}kinit ZOOKEEPER/host-1@TEST{code}, but one
is able to do {code}kinit zookeeper@TEST -S ZOOKEEPER/host-1@TEST{code} to obtain a service

In the Kafka project, it is fine for the SASL file to have {code}principal="kafka@TEST"{code},
and automatically it seems it acquires the correct service ticket (I'm not sure how).

In zookeeper, things fail when a client tries to connect, due to this line:

It'd be great for the Zookeeper server to have the same kind of mechanism as Kafka for accepting
client connections. This would allow us to have {code}principal="zookeeper@TEST"{code} in
SASL. Otherwise, maybe support a new JAAS option so we can explicitly name the service?

FYI - trying {code}principal="zookeeper/host-1@TEST"{code} does not work: due to how Active
Directory works, it complains that the credentials cannot be found in the database (as we
try to authenticate using the service name, not the user name).

I'm attaching some documentation I find relevant: https://serverfault.com/questions/682374/client-not-found-in-kerberos-database-while-getting-initial/683058#683058
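As an added illustration, not part of the report or of ZooKeeper, here is a small Python model of the account-versus-SPN lookup behind the behaviour described above: an SPN created with `ktpass -mapuser` is attached to the `zookeeper` account rather than becoming a client principal, so it fails as a `kinit` client name but resolves as the target of `-S`. The lookup rules and the KDC messages are constructed simplifications.

```python
# Constructed model of how an AD-backed KDC resolves the two principal forms
# from this ticket. Added example, not ZooKeeper or KDC code; the lookup rules
# are deliberately simplified (assumption), e.g. SPN matching is case-sensitive.
from dataclasses import dataclass, field
REALM = "TEST"
TGT_OK = "TGT issued"
NO_CLIENT = "Client not found in Kerberos database"
NO_SERVER = "Server not found in Kerberos database"

@dataclass
class AdAccount:
    """One AD user object: its UPN is the client identity, its SPNs are the
    service names that `ktpass -mapuser` attached to it."""
    sam_account_name: str
    spns: set = field(default_factory=set)

    @property
    def upn(self) -> str:
        return f"{self.sam_account_name}@{REALM}"

def ktpass(directory: dict, princ: str, mapuser: str) -> None:
    """Mimic `ktpass -princ <princ> -mapuser <user> -mapOp add`: the SPN is
    attached to the user account; no separate client principal is created."""
    spn = princ.rsplit("@", 1)[0]
    directory.setdefault(mapuser, AdAccount(mapuser)).spns.add(spn)

def as_req(directory: dict, client: str) -> str:
    """kinit <client>: the client name must be an account UPN, so an SPN used
    as the JAAS principal= fails here."""
    if any(acct.upn == client for acct in directory.values()):
        return TGT_OK
    return NO_CLIENT

def tgs_req(directory: dict, client: str, service: str) -> str:
    """kinit <client> -S <service>: the client is an account, the service name
    is resolved through the SPN mapping onto whichever account owns it."""
    if as_req(directory, client) != TGT_OK:
        return NO_CLIENT
    spn = service.rsplit("@", 1)[0]
    owner = next((a for a in directory.values() if spn in a.spns), None)
    if owner is None:
        return NO_SERVER
    return f"service ticket for {service} issued under account {owner.upn}"

# Replay the three ktpass commands from the report.
DIRECTORY: dict = {}
for _host in ("host-1", "host-2", "host-3"):
    ktpass(DIRECTORY, f"ZOOKEEPER/{_host}@{REALM}", "zookeeper")
```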
