From: Shrikant Patel
To: user@zookeeper.apache.org
Subject: Help with SASL configuration for Zookeeper on the Microsoft AD.
Date: Wed, 15 Mar 2017 16:40:49 +0000

Hi

Has anyone experience with securing Kafka to Zookeeper configuration and setting up SASL on Microsoft AD account?

We create keytab and principal for Kafka and ZK using https://www.confluent.io/blog/apache-kafka-security-authorization-authentication-encryption/

We see these principals in our AD. When ZK and Kafka are launched they are able to connect to Kerberos \ AD server using their individual keytabs. But when Kafka tries to request service ticket for ZK from Kerberos, it errors out using below error.

>>>KRBError:
     sTime is Fri Feb 10 11:48:41 CST 2017 1486748921000
     suSec is 282568
     error code is 7
     error Message is Server not found in Kerberos database
     sname is zk/XXXX.XXXXX.com@XXX.COM
     msgType is 30

(https://issues.apache.org/jira/browse/ZOOKEEPER-1811 , as per this we have set zookeeper.sasl.client.username so that zk is used for zookeeper name)

It seems the issue is we may not have set up SPN (service profile name) correctly, or linked the user account\keytab to the SPN.

We have spent a good amount of time with our IT\AD team on this. We are ready to provide some monetary incentive to anyone if they help us resolve this issue.

Thanks,
Shri
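Added example, not part of the original message: a small parser for the KRBError debug block quoted above that maps the error code to its RFC 4120 name and splits `sname` into the service, host and realm the KDC was asked for, so the exact SPN can be compared with what is registered in AD. The function names are hypothetical, the sample is the message's own (masked) output, and it assumes the debug output has one field per line.

```python
import re

# RFC 4120 KDC error codes for "principal unknown" (client and server side).
KRB_ERRORS = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN"}

FIELD = re.compile(
    r"^\s*(sTime|suSec|error code|error Message|sname|msgType) is (.*)$")

# Sample: the masked block from the message, laid out one field per line.
SAMPLE = """>>>KRBError:
     sTime is Fri Feb 10 11:48:41 CST 2017 1486748921000
     suSec is 282568
     error code is 7
     error Message is Server not found in Kerberos database
     sname is zk/XXXX.XXXXX.com@XXX.COM
     msgType is 30
"""

def parse_krberror(text):
    """Return one dict per '>>>KRBError:' block found in the debug output."""
    blocks, cur = [], None
    for line in text.splitlines():
        if line.strip().startswith(">>>KRBError"):
            cur = {}
            blocks.append(cur)
            continue
        m = FIELD.match(line)
        if cur is not None and m:
            cur[m.group(1)] = m.group(2).strip()
    return blocks

def split_principal(sname):
    """Split 'service/host@REALM'; host or realm is None when absent."""
    name, _, realm = sname.partition("@")
    service, _, host = name.partition("/")
    return service, host or None, realm or None

def diagnose(block, expected_service):
    """Explain a KRBError block; expected_service is the configured
    zookeeper.sasl.client.username value ('zk' in the message)."""
    code = int(block["error code"])
    service, host, realm = split_principal(block["sname"])
    name = KRB_ERRORS.get(code, "code %d" % code)
    findings = ["%s for %s" % (name, block["sname"])]
    if code == 7:
        findings.append("KDC in realm %s has no account mapped to SPN %s/%s"
                        % (realm, service, host))
        if service != expected_service:
            findings.append("client requested service '%s', expected '%s'"
                            % (service, expected_service))
        if host is None or "." not in host:
            findings.append("host part of the SPN is not fully qualified")
    return findings

if __name__ == "__main__":
    for b in parse_krberror(SAMPLE):
        print("\n".join(diagnose(b, "zk")))
```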