zookeeper-user mailing list archives

From Patrick Hunt <ph...@apache.org>
Subject Re: ZK 3.4.6 creating malformed TGT
Date Thu, 18 Aug 2016 02:56:00 GMT
I'm not an expert but I believe this indicates an environmental issue, see
"service ticket not found in the subject" here:
https://steveloughran.gitbooks.io/kerberos_and_hadoop/content/sections/errors.html

Patrick


On Tue, Aug 16, 2016 at 12:11 PM, Irfan Hamid <ihamid@salesforce.com> wrote:

> Hi,
>
> I'm very certain this is due to an error in my jaas or krb5 conf files but
> I can't seem to figure out where. My jaas.conf looks something like this:
>
> Client {
>   com.sun.security.auth.module.Krb5LoginModule required
>   useKeyTab=true
>   keyTab="/etc/zkcli_app_eng.keytab"
>   storeKey=true
>   useTicketCache=false
>   debug=true
>   principal="zkcli@AY.BEE.SEE.NET";
> };
>
> But when ZK starts up it sends a TGT request as
> krbtgt/BEE.SEE.NET@AY.BEE.SEE.NET, i.e., it shaves off the AY from the realm
> name (BEE.SEE.NET is a valid realm in our setup but not the one I want to use).
> I see the following log lines:
>          msgType is 30
>          sname is krbtgt/BEE.SEE.NET
>          realm is AY.BEE.SEE.NET
>          cname is zkcli
>          crealm is AY.BEE.SEE.NET
>          error Message is Server not found in Kerberos database
>          error code is 7
>          suSec is 157006
>          sTime is Tue Aug 16 19:00:48 GMT 2016 1471374048000
>          cTime is Fri Sep 30 18:19:26 GMT 2016 1475259566000
>
>
> And a little earlier there was:
> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/BEE.SEE.NET@AY.BEE.SEE.NET
> Realm parseCapaths: no cfg entry
> Realm doInitialParse: cRealm=[AY.BEE.SEE.NET], sRealm=[BEE.SEE.NET]
> Service ticket not found in the subject
> Found ticket for zkcli@AY.BEE.SEE.NET to go to krbtgt/AY.BEE.SEE.NET@AY.BEE.SEE.NET expiring on Tue Aug 16 21:00:06 GMT 2016
>
> I looked in the source code and the place I see that might be relevant is
> Login.java where we have Login.getTGT() which tries to obtain a TGT by
> seeing if there's a ticket in the Subject of the form krbtgt/REALM@REALM.
> However, that part doesn't even get called since I don't even see the log
> line at the of the Login thread "TGT refresh thread started".
>
> Any help would be much appreciated.
>
> Thanks,
> Irfan.
>
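
Added example, not part of either message and not ZooKeeper or JDK code: a small parser for the KRB-ERROR debug fields quoted above that classifies the requested `sname`. The sample input is constructed from the log lines in the message and the function names are hypothetical; it assumes the Kerberos convention that `krbtgt/X` requested from a different realm's KDC is a cross-realm TGT request, and the RFC 4120 meaning of error code 7.

```python
import re

# Constructed sample: the KRB-ERROR fields quoted in the message above.
SAMPLE = """\
         msgType is 30
         sname is krbtgt/BEE.SEE.NET
         realm is AY.BEE.SEE.NET
         cname is zkcli
         crealm is AY.BEE.SEE.NET
         error Message is Server not found in Kerberos database
         error code is 7
"""

# RFC 4120 error codes relevant here (subset).
ERROR_NAMES = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN"}
FIELD = re.compile(r"^\s*(msgType|sname|realm|cname|crealm|error code) is (.+?)\s*$")

def parse_krb_error(text):
    """Collect the 'key is value' fields of one JDK krb5 debug KRB-ERROR dump."""
    fields = {}
    for line in text.splitlines():
        line = line.lstrip("> ")  # tolerate mail quoting in pasted logs
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def diagnose(fields):
    """Say what the KDC was asked for and which error it returned."""
    sname, realm = fields["sname"], fields["realm"]
    code = int(fields["error code"])
    result = {"error": ERROR_NAMES.get(code, f"code {code}"), "kind": "service", "target_realm": realm}
    if sname.startswith("krbtgt/"):
        target = sname.split("/", 1)[1]
        result["target_realm"] = target
        # krbtgt/X asked of realm X's own KDC is the ordinary TGT;
        # krbtgt/X asked of another realm's KDC is a cross-realm TGT.
        result["kind"] = "local-tgt" if target == realm else "cross-realm-tgt"
    return result
```

A `cross-realm-tgt` result with `KDC_ERR_S_PRINCIPAL_UNKNOWN` means the KDC for `realm` has no `krbtgt/<target_realm>` principal registered; the service realm the client computed is the one shown in the `sRealm=[...]` debug line.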
