zookeeper-user mailing list archives

From Enrico Olivelli <eolive...@gmail.com>
Subject Re: Kerberos login error: Message stream modified (41)
Date Mon, 28 Oct 2019 16:55:50 GMT
Andor

On Mon, 28 Oct 2019, 17:44 Andor Molnar <andor@apache.org> wrote:

> Hi,
>
> I’m facing the following error message when trying to run ZooKeeper 3.5.5
> on Java 11 with Kerberos authentication:
>
> 2019-10-28 16:30:04,811 INFO
> org.apache.zookeeper.server.ServerCnxnFactory: Using
> org.apache.zookeeper.server.NIOServerCnxnFactory as server connection
> factory
> 2019-10-28 16:30:04,823 INFO org.apache.zookeeper.common.X509Util: Setting
> -D jdk.tls.rejectClientInitiatedRenegotiation=true to disable
> client-initiated TLS renegotiation
> 2019-10-28 16:30:05,012 ERROR
> org.apache.zookeeper.server.quorum.QuorumPeerMain: Unexpected exception,
> exiting abnormally
> java.io.IOException: Could not configure server because SASL configuration
> did not allow the  ZooKeeper server to authenticate itself properly:
> javax.security.auth.login.LoginException: Message stream modified (41)
>         at
> org.apache.zookeeper.server.ServerCnxnFactory.configureSaslLogin(ServerCnxnFactory.java:243)
>         at
> org.apache.zookeeper.server.NIOServerCnxnFactory.configure(NIOServerCnxnFactory.java:646)
>         at
> org.apache.zookeeper.server.quorum.QuorumPeerMain.runFromConfig(QuorumPeerMain.java:148)
>         at
> org.apache.zookeeper.server.quorum.QuorumPeerMain.initializeAndRun(QuorumPeerMain.java:123)
>         at
> org.apache.zookeeper.server.quorum.QuorumPeerMain.main(QuorumPeerMain.java:82)
> …
>
> zoo.cfg:
> ————
> tickTime=2000
> initLimit=10
> syncLimit=5
>
> 4lw.commands.whitelist=conf,cons,crst,dirs,dump,envi,gtmk,ruok,stmk,srst,srvr,stat,wchs,mntr,isro
> dataDir=/var/lib/zookeeper
> dataLogDir=/var/lib/zookeeper
> clientPort=2181
> maxClientCnxns=60
> minSessionTimeout=4000
> maxSessionTimeout=60000
> autopurge.purgeInterval=24
> autopurge.snapRetainCount=5
> quorum.auth.enableSasl=true
> quorum.cnxn.threads.size=20
> admin.enableServer=false
> admin.serverPort=5181
> server.1=cdf1-dc1.mydomain.com:3181:4181
> server.2=cdf1-dc2.mydomain.com:3181:4181
> server.3=cdf1-dc3.mydomain.com:3181:4181
> leaderServes=yes
> authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> kerberos.removeHostFromPrincipal=true
> kerberos.removeRealmFromPrincipal=true
> quorum.auth.kerberos.servicePrincipal=zookeeper/_HOST
> quorum.auth.learnerRequireSasl=true
> quorum.auth.serverRequireSasl=true
>
> java -version:
> ——————
> openjdk version "11.0.4" 2019-07-16
> OpenJDK Runtime Environment AdoptOpenJDK (build 11.0.4+11)
> OpenJDK 64-Bit Server VM AdoptOpenJDK (build 11.0.4+11, mixed mode)
>
>
> Has anyone seen this problem before?
> What does the error message mean?
>
> Unfortunately we swallow the original exception in ServerCnxnFactory and
> only log the message without stacktrace.
>

Did you enable debug?
https://stackoverflow.com/questions/15382056/enable-detailed-logging-for-kerberos-in-java

I remember we had some issue while switching from jdk8 to jdk9.

There was something in krb.conf that was not compatible due to some
stricter config check, but we didn't need that line and we dropped it.
I can check only tomorrow at work.
Unfortunately the Java Kerberos client is not so verbose.

Can you share your krb config files? Without hostnames

Enrico


> Thanks,
> Andor
>
>
>
