From: Abraham Fine
To: user@zookeeper.apache.org
Date: Fri, 17 Nov 2017 15:10:12 -0800
Subject: Re: Zookeeper client reverse lookup issue

Hi Ben-

What version of ZooKeeper are you using?

In my testing it looks like 3.4 does a reverse lookup when creating the server principal (https://github.com/apache/zookeeper/blob/branch-3.4/src/java/main/org/apache/zookeeper/ClientCnxn.java#L1011) but 3.5/master do not (https://github.com/apache/zookeeper/blob/branch-3.5/src/java/main/org/apache/zookeeper/ClientCnxn.java#L1104).

Let me know if that helps.

Thanks,
Abe

On Fri, Nov 17, 2017, at 12:01, Ben Wood wrote:
> Hey Folks,
>
> My team and I are working on a containerized Zookeeper service on top of
> DC/OS. We're running into an issue with Kerberos in the following
> scenario.
>
> Simplified, we have a zk server with the DNS address zk-server.dcos (e.g.
> the dns address of the ZK task) and actual hostname zk-server.aws
> (Shortened here, but really a standard resolvable AWS private dns address)
> and a kafka broker, kafka.dcos.
>
> We can easily set up our Zookeeper and Kafka services to work together,
> until we try to enable Kerberos. ZK itself works just fine with Kerberos,
> but the Kafka broker is not able to connect to the ZK server:
>
> 0. kafka.dcos is started with a zk server list of zk-server.dcos.
> 1. kafka.dcos starts up, initializing its ZK client.
> 2. kafka.dcos then attempts to retrieve a ticket from the KDC in order to
> talk to zk-server.aws, however the only zk principal known to the kdc is
> zk-server.dcos.
>
> From reading the source
> (https://github.com/apache/zookeeper/blob/master/src/java/main/org/apache/zookeeper/client/StaticHostProvider.java#L112)
> it appears that the zk client is winding up with the actual hostname of
> the ZK server.
>
> Being new to the codebase, is this because of a client reverse lookup? Or
> because the zk server is telling the client about its hostname? It
> appears to be the former.
>
> Thanks!
> Ben
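
An added diagnostic, not part of the thread and not ZooKeeper's own code: it uses only JDK calls to show which host name ends up in the server principal when a client derives it from a resolved address with and without a reverse lookup. The class name, the `zookeeper` service name and the default port are assumptions to adjust for your deployment.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.UnknownHostException;

public class PrincipalHostCheck {
    // Assumption: service part of the server principal; change it to match your KDC.
    static final String SERVICE = "zookeeper";

    /** Host part derived without any reverse lookup (IP literal if no name is stored). */
    static String hostWithoutReverse(InetSocketAddress addr) {
        return addr.getHostString();
    }

    /** Host part derived with getHostName(), which does a PTR lookup when no name is stored. */
    static String hostWithReverse(InetSocketAddress addr) {
        return addr.getHostName();
    }

    public static void main(String[] args) throws UnknownHostException {
        String configured = args.length > 0 ? args[0] : "localhost"; // e.g. zk-server.dcos
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 2181;
        boolean mismatch = false;
        for (InetAddress resolved : InetAddress.getAllByName(configured)) {
            // Rebuild from raw bytes so the JDK forgets the configured name; this models
            // a client that kept only the resolved IP (assumption about the failing path).
            InetSocketAddress addr =
                new InetSocketAddress(InetAddress.getByAddress(resolved.getAddress()), port);
            // Order matters: getHostName() caches its result, so call getHostString() first.
            String ipLiteral = hostWithoutReverse(addr);
            String reverseName = hostWithReverse(addr);
            boolean differs = !reverseName.equalsIgnoreCase(configured);
            mismatch |= differs;
            System.out.printf("%s -> %s -> reverse name %s%n", configured, ipLiteral, reverseName);
            System.out.printf("  principal from configured name: %s/%s%n", SERVICE, configured);
            System.out.printf("  principal after reverse lookup: %s/%s%s%n", SERVICE, reverseName,
                differs ? "   <-- not the configured name" : "");
        }
        System.exit(mismatch ? 1 : 0); // non-zero when the PTR record names a different host
    }
}
```

Run it from the client host with the name from the connect string as the first argument; a non-zero exit means the PTR record returns a different name than the one the KDC principal was created for.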