zookeeper-user mailing list archives

From Eugene Koontz <ekoo...@hiro-tan.org>
Subject Re: Kerberos SASL broken unless 0.0.0.0 as "this" quorum server address
Date Tue, 15 Mar 2016 06:16:34 GMT
Hi Irfan and Patrick and the zk user list,

I would want to turn on DEBUG for log4j.properties on the server
(org.apache.zookeeper.server) and the client
(org.apache.zookeeper.client) and look for sasl-related logs when a
client initiates a connection; the log statements related to this will be in:

https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/server/ZooKeeperSaslServer.java

https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zookeeper/client/ZooKeeperSaslClient.java

Irfan, you wrote:

"However, if I change the server.x for the local server in each zoo.cfg
with 0.0.0.0:2888:3888 and then it works."

This is surprising to me; I don't believe zoo.cfg is used by clients in
any way. So it's odd that the clients would start working due to any
change to zoo.cfg.

That makes me think that it is a server-related configuration problem;
what does your jaas.conf look like that your ZK server is using?

There should be a line like:

  principal="zookeeper/<hostname>";

Maybe the hostname that the ZK server is getting from the OS does not
match this configured <hostname>.

-Eugene
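
An added diagnostic for the check described above, not code from this thread or from ZooKeeper itself: it pulls the host part out of the Server principal in a jaas.conf and compares it with the FQDN the OS reports via `hostname -f`. The jaas.conf text, hostnames and keytab path are constructed samples.

```shell
#!/bin/sh
# Constructed sample jaas.conf with the Server section ZooKeeper expects;
# the keytab path and hostname are placeholders, not values from the thread.
SAMPLE_JAAS='Server {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/security/keytabs/zk.service.keytab"
  storeKey=true
  useTicketCache=false
  principal="zookeeper/zk1.example.com@EXAMPLE.COM";
};'

# Print the host component of the zookeeper/<host> principal found in the
# jaas.conf text passed as $1 (text between "zookeeper/" and "@" or the quote).
principal_host() {
    printf '%s\n' "$1" | sed -n 's/.*principal="zookeeper\/\([^@"]*\).*/\1/p' | head -n 1
}

# Succeed (exit 0) only when the principal host in the jaas.conf text ($1)
# matches the hostname given as $2, compared case-insensitively.
check_principal() {
    got=$(principal_host "$1" | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Stand-alone run against this machine's own FQDN:  sh check_jaas.sh --run
# On a real server, read the actual jaas.conf instead of SAMPLE_JAAS.
if [ "${1:-}" = "--run" ]; then
    fqdn=$(hostname -f 2>/dev/null || hostname)
    if check_principal "$SAMPLE_JAAS" "$fqdn"; then
        echo "OK: jaas.conf principal host matches OS hostname $fqdn"
    else
        echo "MISMATCH: jaas.conf principal host '$(principal_host "$SAMPLE_JAAS")' vs OS hostname '$fqdn'"
    fi
fi
```

A mismatch here is the case Eugene asks about: the server's configured principal naming one host while the OS resolves the machine as another (for example localhost, as happened earlier in the thread).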



On 14/03/16 9:27 AM, Irfan Hamid wrote:
> When I initially got the error, my digging through the Internets led me to
> http://stackoverflow.com/questions/30940981/zookeeper-error-cannot-open-channel-to-x-at-election-address
> which gave me the idea to use 0.0.0.0 as the local address.
> 
> Irfan.
> 
> On Mon, Mar 14, 2016 at 9:12 AM, Patrick Hunt <phunt@apache.org> wrote:
> 
>     Hm, that's very odd. I've never seen that. Eugene do you have any
>     insight?
> 
>     Patrick
> 
>     On Thu, Mar 10, 2016 at 9:33 AM, Irfan Hamid <ihamid@salesforce.com> wrote:
>     > Yup. It works perfectly fine without Kerberos. I was having issues with the
>     > Kerberos not working due to the machine resolving itself as localhost
>     > instead of its FQDN and I modified /etc/hosts. Although I've got it back to
>     > its original state this issue persists. I'll try and install it onto VMs to
>     > see if that helps.
>     >
>     > Thanks,
>     > Irfan.
>     >
>     > On Thu, Mar 10, 2016 at 7:21 AM, Patrick Hunt <phunt@apache.org> wrote:
>     >
>     >> Have you tried running without Kerberos? Does it work in that
>     >> simplified scenario? You might start there to minimize variables, then
>     >> turn on kerberos once you're confident the base system is working.
>     >>
>     >> Patrick
>     >>
>     >> On Wed, Mar 9, 2016 at 1:52 PM, Irfan Hamid <ihamid@salesforce.com> wrote:
>     >> > I did modify my /etc/hosts file for testing, that might be messing things
>     >> > up perhaps. And no, I didn't want to multicast my auth request.
>     >> >
>     >> > Thanks,
>     >> > Irfan.
>     >> >
>     >> > On Wed, Mar 9, 2016 at 9:09 AM, Martin Gainty <mgainty@hotmail.com> wrote:
>     >> >
>     >> >> so you are contacting all IPv4 addresses on the local machine..did you
>     >> >> want to multicast your Kerberos authentication request?
>     >> >> perhaps it's time to use a Kerberos Authentication Test Tool to the
>     >> >> specific IP and Port you want to connect to
>     >> >>
>     >> >> http://blog.michelbarneveld.nl/michel/archive/2009/12/05/kerberos-authentication-tester.aspx
>     >> >>
>     >> >> Anyone have ideas for testing Kerberos Authentication?
>     >> >> Martin
>     >> >> ______________________________________________
>     >> >>
>     >> >>
>     >> >>
>     >> >> > From: phunt@apache.org
>     >> >> > Date: Wed, 9 Mar 2016 08:47:14 -0800
>     >> >> > Subject: Re: Kerberos SASL broken unless 0.0.0.0 as "this" quorum server address
>     >> >> > To: user@zookeeper.apache.org
>     >> >> >
>     >> >> > I've never heard of such an issue. Sounds environmental to me. I'm not
>     >> >> > sure what you're trying to use this with but HBase has a pretty good
>     >> >> > setup guide http://hbase.apache.org/0.94/book/zk.sasl.auth.html
>     >> >> >
>     >> >> > Patrick
>     >> >> >
>     >> >> > On Tue, Mar 8, 2016 at 1:19 PM, Irfan Hamid <ihamid@salesforce.com> wrote:
>     >> >> > > Any info in this issue would be much appreciated.
>     >> >> > >
>     >> >> > > TIA,
>     >> >> > > Irfan.
>     >> >> > >
>     >> >> > > On Thu, Mar 3, 2016 at 1:28 PM, Irfan Hamid <ihamid@salesforce.com> wrote:
>     >> >> > >
>     >> >> > >> Hi,
>     >> >> > >>
>     >> >> > >> I have a Kerberised setup with 3 ZK quorum servers (3.4.6 running on JRE
>     >> >> > >> 8u66). If I set all zoo.cfg server.n to the FQDN of the servers, they can
>     >> >> > >> connect to each other fine. However, clients cannot connect to any of the
>     >> >> > >> quorum servers and error out with:
>     >> >> > >>
>     >> >> > >> `Unable to read additional data from server sessionid 0x0, likely server
>     >> >> > >> has closed socket, closing socket connection and attempting reconnect`
>     >> >> > >>
>     >> >> > >> However, if I change the server.x for the local server in each zoo.cfg
>     >> >> > >> with 0.0.0.0:2888:3888 and then it works.
>     >> >> > >>
>     >> >> > >> Is this standard practice for Kerberos configuration or is this pointing
>     >> >> > >> to a problem in my setup?
>     >> >> > >>
>     >> >> > >> Thanks,
>     >> >> > >> Irfan.
>     >> >> > >>
>     >> >>
>     >> >>
>     >>
> 
> 
