Kerberos client error #38

Closed
alexanderdehes opened this issue Mar 22, 2020 · 5 comments
@alexanderdehes

Kerberos authentication fails with error:
{"level":"info","msg":"Kerberos client error: [Root cause: KRBMessage_Handling_Error] KRBMessage_Handling_Error: AS Exchange Error: AS_REP is not valid or client password/keytab incorrect \u003c KRBMessage_Handling_Error: clock skew with KDC too large. Greater than 300 seconds","source":"sarama","time":"2020-03-21T14:03:55Z"}

Environment variables used:
ENV VERSION 1.0.0
ENV KAFKA_BROKERS xx144eza:6668,xx144ey9:6668
ENV KAFKA_SASL_ENABLED true
ENV KAFKA_SASL_GSSAPI_AUTH_TYPE KEYTAB_AUTH
ENV KAFKA_SASL_GSSAPI_KEY_TAB_PATH /app/kerberos/testuser.keytab
ENV KAFKA_SASL_MECHANISM GSSAPI
ENV KAFKA_SASL_GSSAPI_SERVICE_NAME=kafka
ENV KAFKA_SASL_GSSAPI_REALM=DTA.KLM.COM
ENV KAFKA_SASL_GSSAPI_KERBEROS_CONFIG_PATH=/app/kerberos/krb5.conf
ENV KAFKA_SASL_GSSAPI_USERNAME testuser
ENV LOG_LEVEL debug

The client and its password are for sure correct:
the keytab and krb5.conf do work on the system where they are used by kinit and/or from a Java application using JAAS config.

Clock skew?? From the same container I can authenticate using kinit.

I also tried to use USER_AUTH instead of the keytab, and this gave the same error.

Could this be an issue in the underlying sarama library in Kerberos GSSAPI handling?

Any help would be very much appreciated.

@weeco
Contributor

weeco commented Mar 22, 2020

Hi @alexanderdehes,
Unfortunately I don't have a kerberized Kafka cluster to test against, hence that was merged untested. I am not well versed with Kerberos either, but it looked easy to implement because I just needed to pass all options to sarama as shown here: https://github.com/cloudworkz/kafka-minion/blob/master/kafka/connection_helper.go#L74-L87

Do you see any obvious issues here?
Other than that we could probably submit an issue at sarama and ask them for help. I found one who mentioned the same root cause KRBMessage_Handling_Error: IBM/sarama#1519

@alexanderdehes
Author

Hi @weeco, I have not seen any obvious issues in the Kafka Minion part, so I also suspect that the problem is either in sarama or maybe even in jcmturner/gokrb5. In gokrb5 the actual error is raised (complaining about clock skew).

@Sergeyemcev

Hello!
I get the same error if I try Kerberos:
"Kerberos client error: [Root cause: Decrypting_Error] KRBMessage_Handling_Error: AS Exchange Error: AS_REP is not valid or client password/keytab incorrect \u003c Decrypting_Error: error decrypting EncPart of AS_REP \u003c Decrypting_Error: error decrypting AS_REP encrypted part

@weeco
Contributor

weeco commented Apr 15, 2020

@alexanderdehes @Sergeyemcev Have you guys figured it out or created an issue in the upstream repository (sarama)?

@weeco
Contributor

weeco commented Feb 18, 2021

I just pushed the code for v2.0.0 (still to be tagged/released). This release uses a new Kafka client which also has Kerberos support. Do you mind trying it with this library? I'll close this issue for now, but I'm happy to reopen if the issue remains.

@weeco weeco closed this as completed Feb 18, 2021
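
The two messages quoted in this thread share a prefix but end in different innermost errors (clock skew versus AS_REP decryption), and `\u003c` in them is the JSON escape for the `<` that separates wrapped errors. The following Go sketch is an added example, not code from kafka-minion, sarama or gokrb5: it decodes such log lines and classifies them by the innermost error. `KrbFailure`, `ParseLine` and the `Kind` labels are hypothetical names, and the sample lines are constructed from the messages quoted above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// KrbFailure is one decoded "Kerberos client error" log message.
type KrbFailure struct {
	RootCause string   // value inside "[Root cause: ...]"
	Chain     []string // wrapped errors, outermost first
	Kind      string   // from the innermost entry: "clock_skew", "decrypt" or "other"
}

var rootCauseRe = regexp.MustCompile(`^Kerberos client error: \[Root cause: (\w+)\] `)

// ParseLine decodes a JSON log line; ok is false if it is not a Kerberos client error.
func ParseLine(line string) (f KrbFailure, ok bool) {
	var rec struct{ Msg string } // matches the "msg" key; \u003c decodes to "<"
	err := json.Unmarshal([]byte(line), &rec)
	loc := rootCauseRe.FindStringSubmatchIndex(rec.Msg)
	if err != nil || loc == nil {
		return f, false
	}
	f = KrbFailure{RootCause: rec.Msg[loc[2]:loc[3]], Kind: "other"}
	f.Chain = strings.Split(rec.Msg[loc[1]:], " < ")
	switch inner := f.Chain[len(f.Chain)-1]; {
	case strings.Contains(inner, "clock skew"):
		f.Kind = "clock_skew"
	case strings.HasPrefix(inner, "Decrypting_Error"):
		f.Kind = "decrypt"
	}
	return f, true
}

// Constructed samples: the two messages quoted in the thread, as JSON log lines.
var samples = []string{
	`{"level":"info","msg":"Kerberos client error: [Root cause: KRBMessage_Handling_Error] KRBMessage_Handling_Error: AS Exchange Error: AS_REP is not valid or client password/keytab incorrect \u003c KRBMessage_Handling_Error: clock skew with KDC too large. Greater than 300 seconds","source":"sarama","time":"2020-03-21T14:03:55Z"}`,
	`{"level":"info","msg":"Kerberos client error: [Root cause: Decrypting_Error] KRBMessage_Handling_Error: AS Exchange Error: AS_REP is not valid or client password/keytab incorrect \u003c Decrypting_Error: error decrypting EncPart of AS_REP \u003c Decrypting_Error: error decrypting AS_REP encrypted part","source":"sarama"}`,
}

func main() {
	for _, s := range samples {
		if f, ok := ParseLine(s); ok {
			fmt.Println(f.Kind, "|", f.RootCause, "|", f.Chain[len(f.Chain)-1])
		}
	}
}
```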