Kerberos authentication fails to authorize client

[kvch]

Versions

Sarama	Kafka	Go
v1.26.1	v2.2.1	1.13.7

Configuration

What configuration values are you using for Sarama and Kafka?

k.Net.SASL.Enable = true
k.Net.SASL.Mechanism = sarama.SASLTypeGSSAPI
k.Net.SASL.GSSAPI = sarama.GSSAPIConfig{
    AuthType:           KRB5_USER_AUTH,
    KerberosConfigPath: "/etc/krb5.conf",
    ServiceName:        "kafka",
    Username:           "elastic",
    Password:           "changeme",
    Realm:              "ELASTIC",
}

Logs

logs: CLICK ME

Initializing new client
Successfully initialized new client
client/metadata fetching metadata for [test-libbeat-8836471949807889337] from broker kafka_kerberos:9093
Error while performing GSSAPI Kerberos Authentication: unexpected EOF
Closed connection to broker kafka_kerberos:9093
client/metadata got error from broker -1 while fetching metadata: unexpected EOF
client/metadata no available broker to send metadata request to
client/brokers resurrecting 1 dead seed brokers

Problem Description

I am trying to connect to a Kafka via Kerberos. Retrieving the appropriate tickets seems to go without any issues. However, when this function is executed I get "unexpected EOF":
when trying to read the package payload.

I have tried reverting this commit, but the error is still present.

I can connect to the Kafka instance from the Docker container I am using without the Kerberos authentication.

Let me know if I missed anything. Thank you for taking the time to look at my issue.

[kvch]

I've managed to capture the exception from Kafka:

[2020-04-16 13:09:56,429] DEBUG Processor 3 listening to new connection from /172.22.0.6:53112 (kafka.network.Processor)
[2020-04-16 13:09:56,460] DEBUG Received client packet of length 543 starting with bytes 0x6082021b301802010102, process as GSSAPI packet (org.apache.kafka.common.security.authenticator.SaslServerAuthenticator)
[2020-04-16 13:09:56,460] DEBUG First client packet is not a SASL mechanism request, using default mechanism GSSAPI (org.apache.kafka.common.security.authenticator.SaslServerAuthenticator)
[2020-04-16 13:09:56,465] DEBUG Creating SaslServer for kafka/kafka_kerberos@ELASTIC with mechanism GSSAPI (org.apache.kafka.common.security.authenticator.SaslServerAuthenticator)
[2020-04-16 13:09:56,499] DEBUG Set SASL server state to AUTHENTICATE (org.apache.kafka.common.security.authenticator.SaslServerAuthenticator)
[2020-04-16 13:09:56,500] DEBUG [SocketServer brokerId=0] Connection with /172.22.0.6 disconnected (org.apache.kafka.common.network.Selector)
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: DerValue.getOID, not an OID 48]
        at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:199)
        at org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.handleSaslToken(SaslServerAuthenticator.java:349)
        at org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.authenticate(SaslServerAuthenticator.java:256)
        at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:132)
        at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:532)
        at org.apache.kafka.common.network.Selector.poll(Selector.java:467)
        at kafka.network.Processor.poll(SocketServer.scala:689)
        at kafka.network.Processor.run(SocketServer.scala:594)
        at java.lang.Thread.run(Thread.java:748)
Caused by: GSSException: DerValue.getOID, not an OID 48
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:362)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
        at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:167)
        ... 8 more

[huhong118]

Do you have solved the problem？I have the same problem. If you solved the problem, please tell me the solution.Thank you! huhont118@163.com

[alexanderdehes]

Hi, this looks like the same problem I am having.
Problem is that with kafka versin 1.0.0 and higher all messages sent to the kafka broker must be using kafka protocol (wiht its header and API key). In this case a raw GSSAPI request is sent to the broker and rejected.
In my case I was using GSSAPI with a keytab file, but same problem

[kvch]

My workaround is to revert this change: bfff38f#diff-1ff0e08b38d4f797052ed2d9404801d8L6

[alexanderdehes]

Hi @kvch - Yes, this works also for me. Thanks for your comment ;-)
It seems that kafka broker does accept both kafka procol as well as raw request for authentication. The change you are mentioning seems to break the encoding.