confluentinc / librdkafka

The Apache Kafka C/C++ library

Authentication failure, by kerberos sasl #3084

Closed LipsonX closed 3 years ago

LipsonX commented 3 years ago

Read the FAQ first: https://github.com/edenhill/librdkafka/wiki/FAQ

Description

SASL authentication failure. I also tried setting sasl.kerberos.kinit.cmd and leaving it unset, but it is useless, so I don't know what the problem is. Help please T_T

How to reproduce

  1. yum install -y krb5-workstation cyrus-sasl-devel
  2. /etc/hosts: host names have been configured
  3. /etc/krb5.conf has been configured exactly
  4. The Kafka Java demo runs without any problem (see log).

kinit bash result:

```
[archforce@Coer-cq-1449 build]$ kinit -R -t /home/archforce/kafka2rmq/DisRiskFW.keytab -k DisRiskFW@TDH || kinit -t /home/archforce/kafka2rmq/DisRiskFW.keytab -k DisRiskFW@TDH
[archforce@Coer-cq-1449 build]$ klist
Ticket cache: FILE:/tmp/krb5cc_3435
Default principal: DisRiskFW@TDH

Valid starting       Expires              Service principal
09/22/2020 09:51:40  09/23/2020 09:51:40  krbtgt/TDH@TDH
        renew until 09/29/2020 09:51:40
```

my librdkafka c++ demo log:

```
[archforce@Coer-cq-1449 build]$ /home/archforce/kafka2rmq/build/risk_kafka2ami
[2020-09-21 18:46:37.834] [info] work dir: /home/archforce/kafka2rmq/build
[2020-09-21 18:46:37.835] [info] ldrdkafka version:1.5.0
[2020-09-21 18:46:37.835] [info] set kafka global conf: group.id[console-consumer-92819] OK.
[2020-09-21 18:46:37.835] [info] set kafka global conf: statistics.interval.ms[0] OK.
[2020-09-21 18:46:37.835] [info] set kafka global conf: metadata.broker.list[zszq-tdh1:9092,zszq-tdh2:9092] OK.
[2020-09-21 18:46:37.835] [info] set kafka global conf: security.protocol[SASL_PLAINTEXT] OK.
[2020-09-21 18:46:37.835] [info] set kafka global conf: sasl.mechanism[GSSAPI] OK.
[2020-09-21 18:46:37.835] [info] set kafka global conf: sasl.kerberos.service.name[kafka] OK.
[2020-09-21 18:46:37.835] [info] set kafka global conf: sasl.kerberos.keytab[/home/archforce/kafka2rmq/DisRiskFW.keytab] OK.
[2020-09-21 18:46:37.835] [info] set kafka global conf: sasl.kerberos.principal[DisRiskFW@TDH] OK.
[2020-09-21 18:46:37.835] [info] set kafka global conf: sasl.kerberos.kinit.cmd[kinit -R -t /home/archforce/kafka2rmq/DisRiskFW.keytab -k DisRiskFW@TDH || kinit -t /home/archforce/kafka2rmq/DisRiskFW.keytab -k DisRiskFW@TDH] OK.
[2020-09-21 18:46:37.847] [info] Created kafka consumer rdkafka#consumer-1 ...
[2020-09-21 18:46:37.848] [info] Subscribe kafka topics SRC.CtsStock63 ...
[2020-09-21 18:46:37.848] [info] Kafka_Consumer Init OK......
[2020-09-21 18:46:37.852] [error] RdKafka::Event::EVENT_ERROR Local: Authentication failure,(sasl_plaintext://zszq-tdh1:9092/bootstrap: Failed to initialize SASL authentication: SASL handshake failed (start (-4)): SASL(-4): no mechanism available: No worthy mechs found (after 0ms in state AUTH_LEGACY))
[2020-09-21 18:46:38.156] [error] RdKafka::Event::EVENT_ERROR Local: Authentication failure,(sasl_plaintext://zszq-tdh1:9092/bootstrap: Failed to initialize SASL authentication: SASL handshake failed (start (-4)): SASL(-4): no mechanism available: No worthy mechs found (after 0ms in state AUTH_LEGACY, 1 identical error(s) suppressed))
[2020-09-21 18:46:38.856] [error] RdKafka::Event::EVENT_ERROR Local: Authentication failure,(sasl_plaintext://zszq-tdh2:9092/bootstrap: Failed to initialize SASL authentication: SASL handshake failed (start (-4)): SASL(-4): no mechanism available: No worthy mechs found (after 0ms in state AUTH_LEGACY))
[2020-09-21 18:46:38.856] [error] RdKafka::Event::EVENT_ERROR Local: All broker connections are down,(2/2 brokers are down)
[2020-09-21 18:46:38.856] [error] RdKafka::ERR__ALL_BROKERS_DOWN....
```

kafka java demo log:

```
[archforce@Coer-cq-1449 bin]$ export KAFKA_OPTS="-Djava.security.auth.login.config=/home/archforce/TDH-Client/kafka/bin/jaas.conf -Djava.security.krb5.conf=/etc/krb5.conf"
[archforce@Coer-cq-1449 bin]$ cat jaas.conf
KafkaServer {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/home/archforce/kafka2rmq/DisRiskFW.keytab"
  storeKey=true
  useTicketCache=false
  principal="DisRiskFW@TDH";
};

KafkaClient {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/home/archforce/kafka2rmq/DisRiskFW.keytab"
  storeKey=true
  useTicketCache=false
  principal="DisRiskFW@TDH";
};

// Zookeeper client authentication
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  useTicketCache=false
  keyTab="/home/archforce/kafka2rmq/DisRiskFW.keytab"
  principal="DisRiskFW@TDH";
};
[archforce@Coer-cq-1449 bin]$ ./kafka-console-consumer.sh --bootstrap-server zszq-tdh1:9092 --topic SRC.CtsStock63 --consumer-property security.protocol=SASL_PLAINTEXT --consumer-property sasl.mechanism=GSSAPI --consumer-property sasl.kerberos.service.name=kafka --from-beginning
{"magic": "atMSG", "type": "DT", "headers": null, "messageSchemaId":.... (data item)
```

IMPORTANT: Always try to reproduce the issue on the latest released version (see https://github.com/edenhill/librdkafka/releases), if it can't be reproduced on the latest version the issue has been fixed.


LipsonX commented 3 years ago

Got it, I need to install cyrus-sasl-gssapi.
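
The resolution above, as an added triage script that is not part of the thread or of librdkafka: it checks a client log for the Cyrus SASL `no mechanism available` error and, if present, looks for the GSSAPI plugin file (`libgssapiv2.so*`) in the SASL plugin directories. The function names and the default directory list are assumptions; pass your own plugin directories as arguments.

```shell
#!/bin/sh
# Added example: triage of the "No worthy mechs found" error from this thread.
# Function names and the default directory list are assumptions of this sketch.

# Error line copied unchanged from the client log on this page.
sample_log() {
cat <<'EOF'
[2020-09-21 18:46:37.852] [error] RdKafka::Event::EVENT_ERROR Local: Authentication failure,(sasl_plaintext://zszq-tdh1:9092/bootstrap: Failed to initialize SASL authentication: SASL handshake failed (start (-4)): SASL(-4): no mechanism available: No worthy mechs found (after 0ms in state AUTH_LEGACY))
EOF
}

# Succeeds if stdin contains the Cyrus SASL "no mechanism" (-4) error.
log_has_nomech() {
    grep -qF 'SASL(-4): no mechanism available'
}

# Prints the first Cyrus SASL GSSAPI plugin found in the given directories.
find_gssapi_plugin() {
    for dir in "$@"; do
        for f in "$dir"/libgssapiv2.so*; do
            if [ -f "$f" ]; then
                printf '%s\n' "$f"
                return 0
            fi
        done
    done
    return 1
}

# Reads a client log on stdin; arguments are SASL plugin directories to search.
# Prints one verdict word on stdout and a hint on stderr.
diagnose() {
    if [ "$#" -eq 0 ]; then
        # Common plugin locations (assumption; differs per distribution).
        set -- /usr/lib64/sasl2 /usr/lib/sasl2 /usr/lib/x86_64-linux-gnu/sasl2
    fi
    if ! log_has_nomech; then
        echo "no-sasl-mech-error"
        return 0
    fi
    if plugin=$(find_gssapi_plugin "$@"); then
        echo "plugin-present"
        echo "hint: $plugin exists; check that the client process can load it" >&2
    else
        echo "plugin-missing"
        echo "hint: install the GSSAPI plugin package (cyrus-sasl-gssapi in this thread)" >&2
    fi
}

# Demo: run the page's error line against this host's plugin directories.
sample_log | diagnose "$@"
```

To check a real client, replace the last line with `diagnose < client.log`. A `plugin-missing` verdict matches the situation in this thread, where `cyrus-sasl-devel` was installed but the GSSAPI plugin package was not.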