Date: Mon, 3 Dec 2018 14:25:00 +0000 (UTC)
From: "Stephane Maarek (JIRA)"
To: dev@zookeeper.apache.org
Subject: [jira] [Updated] (ZOOKEEPER-3206) Can't use Active Directory for Kerberos Authentication

     [ https://issues.apache.org/jira/browse/ZOOKEEPER-3206?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stephane Maarek updated ZOOKEEPER-3206:
---------------------------------------
    Description: 
We're using Active Directory, and created service principals this way:
{code}
ktpass -princ ZOOKEEPER/host-1@TEST -mapuser zookeeper -mapOp add -Target TEST
ktpass -princ ZOOKEEPER/host-2@TEST -mapuser zookeeper -mapOp add -Target TEST
ktpass -princ ZOOKEEPER/host-3@TEST -mapuser zookeeper -mapOp add -Target TEST
{code}

Using this format, one is not able to do {code}kinit ZOOKEEPER/host-1@TEST{code}, but one is able to do {code}kinit zookeeper@TEST -S ZOOKEEPER/host-1@TEST{code} to obtain a service ticket.

In the Kafka project, it is fine for the JAAS file to have {code}principal="kafka@TEST"{code}, and automatically it seems it acquires the correct service ticket (I'm not sure how).

In ZooKeeper, things fail when a client tries to connect, due to this line:
https://github.com/apache/zookeeper/blob/master/zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java#L170

It'd be great for the ZooKeeper server to have the same kind of mechanism as Kafka for accepting client connections. This would allow us to have {code}principal="zookeeper@TEST"{code} in JAAS. Otherwise, maybe support a new JAAS option so we can explicitly name the service?

FYI - trying {code}principal="zookeeper/host-1@TEST"{code} does not work; due to how Active Directory works, it complains that the credentials cannot be found in the database (as we try to authenticate using the service name, not the user name).

I'm attaching some documentation I find relevant:
https://serverfault.com/questions/682374/client-not-found-in-kerberos-database-while-getting-initial/683058#683058

  was:
We're using Active Directory, and created service principals this way:
{code}
ktpass -princ ZOOKEEPER/host-1@TEST -mapuser zookeeper -mapOp add -Target TEST
ktpass -princ ZOOKEEPER/host-2@TEST -mapuser zookeeper -mapOp add -Target TEST
ktpass -princ ZOOKEEPER/host-3@TEST -mapuser zookeeper -mapOp add -Target TEST
{code}

Using this format, one is not able to do {code}kinit ZOOKEEPER/host-1@TEST{code}, but one is able to do {code}kinit zookeeper@TEST -S ZOOKEEPER/host-1@TEST{code} to obtain a service ticket.

In the Kafka project, it is fine for the SASL file to have {code}principal="kafka@TEST"{code}, and automatically it seems it acquires the correct service ticket (I'm not sure how).

In ZooKeeper, things fail when a client tries to connect, due to this line:
https://github.com/apache/zookeeper/blob/master/zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java#L170

It'd be great for the ZooKeeper server to have the same kind of mechanism as Kafka for accepting client connections. This would allow us to have {code}principal="zookeeper@TEST"{code} in SASL. Otherwise, maybe support a new JAAS option so we can explicitly name the service?

FYI - trying {code}principal="zookeeper/host-1@TEST"{code} does not work; due to how Active Directory works, it complains that the credentials cannot be found in the database (as we try to authenticate using the service name, not the user name).

I'm attaching some documentation I find relevant:
https://serverfault.com/questions/682374/client-not-found-in-kerberos-database-while-getting-initial/683058#683058


> Can't use Active Directory for Kerberos Authentication
> ------------------------------------------------------
>
>                 Key: ZOOKEEPER-3206
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3206
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: kerberos
>    Affects Versions: 3.4.13
>            Reporter: Stephane Maarek
>            Priority: Major
>



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
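The three principal spellings the report tries (ZOOKEEPER/host-1@TEST, zookeeper@TEST, zookeeper/host-1@TEST) differ only in whether a host component is present. The following is an added illustration, not ZooKeeper or Kafka code: it assumes the server derives its SASL service name and hostname by splitting the JAAS principal as service/host@REALM, shows why a user-style AD principal such as zookeeper@TEST cannot satisfy that, and sketches the "explicitly name the service" option the report asks for (the serviceName/hostname option names are hypothetical).

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Principal:
    """Kerberos principal split into its parts (constructed helper, not ZooKeeper code)."""
    primary: str             # "ZOOKEEPER" in ZOOKEEPER/host-1@TEST, "zookeeper" in zookeeper@TEST
    instance: Optional[str]  # "host-1", or None for a user-style (AD account) principal
    realm: str               # "TEST"


def parse_principal(name: str) -> Principal:
    """Split 'primary[/instance]@REALM'; the realm is required."""
    if "@" not in name:
        raise ValueError(f"principal {name!r} has no realm")
    local, realm = name.rsplit("@", 1)
    if not local or not realm:
        raise ValueError(f"malformed principal {name!r}")
    primary, sep, instance = local.partition("/")
    if sep and not instance:
        raise ValueError(f"empty instance in {name!r}")
    return Principal(primary, instance or None, realm)


def strict_service_identity(jaas_principal: str) -> Tuple[str, str]:
    """A server that REQUIRES service/host@REALM (assumed behaviour of the
    code the report points at): zookeeper@TEST has no host to split off."""
    p = parse_principal(jaas_principal)
    if p.instance is None:
        raise ValueError(f"{jaas_principal!r}: expected service/host@REALM")
    return p.primary, p.instance


def service_identity(jaas_principal: str, service_name: Optional[str] = None,
                     hostname: Optional[str] = None) -> Tuple[str, str]:
    """The 'explicitly name the service' alternative from the report.

    The hypothetical serviceName/hostname options override what the login
    principal carries, so the AD-mapped account zookeeper@TEST can still
    present ZOOKEEPER/host-1 as the service that clients request tickets for.
    """
    p = parse_principal(jaas_principal)
    host = hostname or p.instance
    if host is None:
        raise ValueError(f"{jaas_principal!r}: no host component and no hostname option")
    return service_name or p.primary, host
```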