zookeeper-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Shrikant Patel <SPa...@pdxinc.com>
Subject Help with SASL configuration for Zookeeper on the Microsoft AD.
Date Wed, 15 Mar 2017 16:40:49 GMT
Hi

Has anyone experience with securing Kafka to Zookeeper configuration and setting up SASL on
Microsoft AD account.

We create keytab and principal for Kafka and ZK using https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/

We see these principal in our AD. When ZK and Kafka are launched they are able to connect
to Kerberos \ AD server using their individual keytabs. But when Kafka tries to request service
ticket for ZK from Kerberos, it errors out using below error.

>>>KRBError:
         sTime is Fri Feb 10 11:48:41 CST 2017 1486748921000
         suSec is 282568
         error code is 7
         error Message is Server not found in Kerberos database
         sname is zk/XXXX.XXXXX.com@XXX.COM
         msgType is 30

(https://issues.apache.org/jira/browse/ZOOKEEPER-1811 , as per this we have set zookeeper.sasl.client.username
so that zk is used for zookeeper name)

It seems the issue is we may not setup SPN (servive profile name) correct, or link the user
account\keytab to the SPN.

We have spent good amount of time with our IT\AD team on this. We are ready to provide some
monetary incentive to anyone if they help us resolve this issue.

Thanks,
Shri

This e-mail and its contents (to include attachments) are the property of National Health
Systems, Inc., its subsidiaries and affiliates, including but not limited to Rx.com Community
Healthcare Network, Inc. and its subsidiaries, and may contain confidential and proprietary
or privileged information. If you are not the intended recipient of this e-mail, you are hereby
notified that any unauthorized disclosure, copying, or distribution of this e-mail or of its
attachments, or the taking of any unauthorized action based on information contained herein
is strictly prohibited. Unauthorized use of information contained herein may subject you to
civil and criminal prosecution and penalties. If you are not the intended recipient, please
immediately notify the sender by telephone at 800-433-5719 or return e-mail and permanently
delete the original e-mail.

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message