zookeeper-user mailing list archives

From Irfan Hamid <iha...@salesforce.com>
Subject ZK 3.4.6 creating malformed TGT
Date Tue, 16 Aug 2016 19:11:37 GMT
Hi,

I'm very certain this is due to an error in my jaas or krb5 conf files but
I can't seem to figure out where. My jaas.conf looks something like this:

Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/zkcli_app_eng.keytab"
  storeKey=true
  useTicketCache=false
  debug=true
  principal="zkcli@AY.BEE.SEE.NET";
};

But when ZK starts up it sends a TGT request as krbtgt/BEE.SEE.NET@AY.BEE.SEE.NET, i.e., it shaves off the AY from the realm name (BEE.SEE.NET is a valid realm in our setup but not the one I want to use). I see the following log lines:
         msgType is 30
         sname is krbtgt/BEE.SEE.NET
         realm is AY.BEE.SEE.NET
         cname is zkcli
         crealm is AY.BEE.SEE.NET
         error Message is Server not found in Kerberos database
         error code is 7
         suSec is 157006
         sTime is Tue Aug 16 19:00:48 GMT 2016 1471374048000
         cTime is Fri Sep 30 18:19:26 GMT 2016 1475259566000


And a little earlier there was:
Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/BEE.SEE.NET@AY.BEE.SEE.NET
Realm parseCapaths: no cfg entry
Realm doInitialParse: cRealm=[AY.BEE.SEE.NET], sRealm=[BEE.SEE.NET]
Service ticket not found in the subject
Found ticket for zkcli@AY.BEE.SEE.NET to go to krbtgt/AY.BEE.SEE.NET@AY.BEE.SEE.NET expiring on Tue Aug 16 21:00:06 GMT 2016

I looked in the source code and the place I see that might be relevant is
Login.java where we have Login.getTGT() which tries to obtain a TGT by
seeing if there's a ticket in the Subject of the form krbtgt/REALM@REALM.
However, that part doesn't even get called since I don't even see the log
line at the start of the Login thread "TGT refresh thread started".

Any help would be much appreciated.

Thanks,
Irfan.
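As an added diagnostic written for this thread (not code from the mail, the JDK or ZooKeeper), the following Python snippet parses the KRB-ERROR fields the JDK prints when Krb5 debug output is on and flags the cross-realm TGT request visible in the dump above: the sample text is the block quoted in the mail, and the error-code names are taken from RFC 4120.

```python
import re

# Constructed sample: the KRB-ERROR dump quoted in the mail, in the
# layout the JDK Krb5 debug output uses.
SAMPLE_KRB_ERROR = """\
         msgType is 30
         sname is krbtgt/BEE.SEE.NET
         realm is AY.BEE.SEE.NET
         cname is zkcli
         crealm is AY.BEE.SEE.NET
         error Message is Server not found in Kerberos database
         error code is 7
"""

# Only the codes this check reports on (RFC 4120, section 7.5.9).
KRB_ERROR_CODES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    68: "KDC_ERR_WRONG_REALM",
}

FIELD_RE = re.compile(
    r"^\s*(msgType|sname|realm|cname|crealm|error code|error Message) is (.+?)\s*$"
)


def parse_krb_error(text):
    """Extract the 'name is value' fields from a JDK KRB-ERROR debug dump."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def diagnose(fields):
    """Return a list of findings; a krbtgt sname whose instance differs
    from crealm means the client asked its own KDC for a cross-realm TGT."""
    if fields.get("msgType") != "30":
        return ["not a KRB-ERROR (msgType 30) message"]
    code = int(fields.get("error code", -1))
    findings = [f"KDC returned error {code} ({KRB_ERROR_CODES.get(code, 'unknown')})"]
    sname = fields.get("sname", "")
    if sname.startswith("krbtgt/"):
        target_realm = sname.split("/", 1)[1]
        crealm = fields.get("crealm")
        if target_realm != crealm:
            findings.append(
                f"cross-realm TGT: client realm {crealm} asked for krbtgt/{target_realm}; "
                "check [domain_realm] and [capaths] in krb5.conf for the service host"
            )
    return findings
```

Run against the dump above it reports error 7 (KDC_ERR_S_PRINCIPAL_UNKNOWN) plus the AY.BEE.SEE.NET to BEE.SEE.NET cross-realm finding, which points at realm mapping in krb5.conf rather than at the jaas.conf principal.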
