confluentinc / librdkafka

The Apache Kafka C/C++ library

Cyrus/libsasl2 is missing a GSSAPI module #4731

Open SolaTian opened 1 month ago

SolaTian commented 1 month ago

Description

%7|1716569607.172|APIVERSION|rdkafka#producer-1| [thrd:sasl_plaintext://11.82.37.28:21007/bootstrap]: sasl_plaintext://11.82.37.28:21007/bootstrap: Feature IdempotentProducer: InitProducerId (0..0) supported by broker
%7|1716569607.172|APIVERSION|rdkafka#producer-1| [thrd:sasl_plaintext://11.82.37.28:21007/bootstrap]: sasl_plaintext://11.82.37.28:21007/bootstrap: Enabling feature IdempotentProducer
%7|1716569607.172|APIVERSION|rdkafka#producer-1| [thrd:sasl_plaintext://11.82.37.28:21007/bootstrap]: sasl_plaintext://11.82.37.28:21007/bootstrap: Feature ZSTD: Produce (7..7) NOT supported by broker
%7|1716569607.172|APIVERSION|rdkafka#producer-1| [thrd:sasl_plaintext://11.82.37.28:21007/bootstrap]: sasl_plaintext://11.82.37.28:21007/bootstrap: Feature ZSTD: Fetch (10..10) NOT supported by broker
%7|1716569607.172|APIVERSION|rdkafka#producer-1| [thrd:sasl_plaintext://11.82.37.28:21007/bootstrap]: sasl_plaintext://11.82.37.28:21007/bootstrap: Disabling feature ZSTD
%7|1716569607.172|APIVERSION|rdkafka#producer-1| [thrd:sasl_plaintext://11.82.37.28:21007/bootstrap]: sasl_plaintext://11.82.37.28:21007/bootstrap: Feature SaslAuthReq: SaslHandshake (1..1) supported by broker
%7|1716569607.172|APIVERSION|rdkafka#producer-1| [thrd:sasl_plaintext://11.82.37.28:21007/bootstrap]: sasl_plaintext://11.82.37.28:21007/bootstrap: Feature SaslAuthReq: SaslAuthenticate (0..1) supported by broker
%7|1716569607.172|APIVERSION|rdkafka#producer-1| [thrd:sasl_plaintext://11.82.37.28:21007/bootstrap]: sasl_plaintext://11.82.37.28:21007/bootstrap: Enabling feature SaslAuthReq
%7|1716569607.172|FEATURE|rdkafka#producer-1| [thrd:sasl_plaintext://11.82.37.28:21007/bootstrap]: sasl_plaintext://11.82.37.28:21007/bootstrap: Updated enabled protocol features to MsgVer1,ApiVersion,BrokerBalancedConsumer,ThrottleTime,Sasl,SaslHandshake,BrokerGroupCoordinator,LZ4,OffsetTime,MsgVer2,IdempotentProducer,SaslAuthReq
%7|1716569607.172|AUTH|rdkafka#producer-1| [thrd:sasl_plaintext://11.82.37.28:21007/bootstrap]: sasl_plaintext://11.82.37.28:21007/bootstrap: Auth in state APIVERSION_QUERY (handshake supported)
%7|1716569607.172|STATE|rdkafka#producer-1| [thrd:sasl_plaintext://11.82.37.28:21007/bootstrap]: sasl_plaintext://11.82.37.28:21007/bootstrap: Broker changed state APIVERSION_QUERY -> AUTH_HANDSHAKE
%7|1716569607.172|BROADCAST|rdkafka#producer-1| [thrd:sasl_plaintext://11.82.37.28:21007/bootstrap]: Broadcasting state change
%7|1716569607.172|SEND|rdkafka#producer-1| [thrd:sasl_plaintext://11.82.37.28:21007/bootstrap]: sasl_plaintext://11.82.37.28:21007/bootstrap: Sent SaslHandshakeRequest (v1, 29 bytes @ 0, CorrId 3)
%7|1716569607.177|RECV|rdkafka#producer-1| [thrd:sasl_plaintext://11.82.37.28:21007/bootstrap]: sasl_plaintext://11.82.37.28:21007/bootstrap: Received SaslHandshakeResponse (v1, 14 bytes, CorrId 3, rtt 5.23ms)
%7|1716569607.177|SASLMECHS|rdkafka#producer-1| [thrd:sasl_plaintext://11.82.37.28:21007/bootstrap]: sasl_plaintext://11.82.37.28:21007/bootstrap: Broker supported SASL mechanisms: GSSAPI
%7|1716569607.177|AUTH|rdkafka#producer-1| [thrd:sasl_plaintext://11.82.37.28:21007/bootstrap]: sasl_plaintext://11.82.37.28:21007/bootstrap: Auth in state AUTH_HANDSHAKE (handshake supported)
%7|1716569607.177|STATE|rdkafka#producer-1| [thrd:sasl_plaintext://11.82.37.28:21007/bootstrap]: sasl_plaintext://11.82.37.28:21007/bootstrap: Broker changed state AUTH_HANDSHAKE -> AUTH_REQ
%7|1716569607.177|BROADCAST|rdkafka#producer-1| [thrd:sasl_plaintext://11.82.37.28:21007/bootstrap]: Broadcasting state change
%7|1716569607.177|SASL|rdkafka#producer-1| [thrd:sasl_plaintext://11.82.37.28:21007/bootstrap]: sasl_plaintext://11.82.37.28:21007/bootstrap: Initializing SASL client: service name kafka, hostname 11.82.37.28, mechanisms GSSAPI, provider Cyrus
%7|1716569607.178|SASL|rdkafka#producer-1| [thrd:sasl_plaintext://11.82.37.28:21007/bootstrap]: sasl_plaintext://11.82.37.28:21007/bootstrap: My supported SASL mechanisms: EXTERNAL
%2|1716569607.178|LIBSASL|rdkafka#producer-1| [thrd:sasl_plaintext://11.82.37.28:21007/bootstrap]: sasl_plaintext://11.82.37.28:21007/bootstrap: Cyrus/libsasl2 is missing a GSSAPI module: make sure the libsasl2-modules-gssapi-mit or cyrus-sasl-gssapi packages are installed
%7|1716569607.178|FAIL|rdkafka#producer-1| [thrd:sasl_plaintext://11.82.37.28:21007/bootstrap]: sasl_plaintext://11.82.37.28:21007/bootstrap: Failed to initialize SASL authentication: SASL handshake failed (start (-4)): SASL(-4): no mechanism available: No worthy mechs found (after 0ms in state AUTH_REQ) (_AUTHENTICATION)
%3|1716569607.178|FAIL|rdkafka#producer-1| [thrd:sasl_plaintext://11.82.37.28:21007/bootstrap]: sasl_plaintext://11.82.37.28:21007/bootstrap: Failed to initialize SASL authentication: SASL handshake failed (start (-4)): SASL(-4): no mechanism available: No worthy mechs found (after 0ms in state AUTH_REQ)

How to reproduce

I configured the Kerberos with the options --with-gss_impl=mit --enable-plain --enable-gssapi --with-dblib=no --without-des --without-saslauthd (cyrus-sasl-2.1.27), but when I try to get authentication, it indicates that "My supported SASL mechanisms: EXTERNAL" and "Cyrus/libsasl2 is missing a GSSAPI module". Why's that?

emasab commented 4 weeks ago

Hi @SolaTian, have you installed cyrus-sasl-gssapi on the client machine too?

SolaTian commented 3 weeks ago

> Hi @SolaTian, have you installed cyrus-sasl-gssapi on the client machine too?

I'm really sorry, I don't quite understand what you said about installing cyrus-sasl-gssapi on the client machine. Do you mean that I need to do additional operations besides cross compiling the cyrus-sasl library and linking it to librdkafka? Is cyrus-sasl-gssapi a tool generated after cross compiling cyrus-sasl?

AudriusButkevicius commented 3 weeks ago

Side question: it seems that the Confluent-shipped 2.4.0 debs have been compiled without GSSAPI support. 2.3.0 still has it. Is that intended?

emasab commented 3 weeks ago

Given there was a pipeline migration, the 2.4.0 version of the Debian packages was compiled without libsasl2 support. It's fixed now in deb version 2.4.0-3.

AudriusButkevicius commented 3 weeks ago

Thanks for the clarification, and sorry for hijacking the thread.

emasab commented 3 weeks ago

@SolaTian about 2.3.0: cyrus-sasl-gssapi is a plugin for the GSSAPI SASL mechanism that is dynamically loaded, so you have to install the rpm package: https://rpmfind.net/linux/rpm2html/search.php?query=cyrus-sasl-gssapi(x86-64)

SolaTian commented 3 weeks ago

> @SolaTian about 2.3.0: cyrus-sasl-gssapi is a plugin for the GSSAPI SASL mechanism that is dynamically loaded, so you have to install the rpm package: https://rpmfind.net/linux/rpm2html/search.php?query=cyrus-sasl-gssapi(x86-64)

@emasab Thank you very much. I cross compiled the cyrus-sasl 2.1.27 library. Is the plugin generated in the cross compilation environment named libgssapiv2.so, or is it some other dynamic library? I had already linked the static library libgssapiv2.a generated by cross compilation, but it still reported an error that GSSAPI is not supported. Is it necessary to load the dynamic library libgssapiv2.so on the client machine?

emasab commented 2 weeks ago

> Is it necessary to load the dynamic library libgssapiv2.so on the client machine

Exactly, the .so is dynamically loaded by libsasl2.
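
A client-side check for the situation discussed in this thread, added here as an example (it is not part of the original issue and not librdkafka or Cyrus SASL code): it looks for a loadable libgssapiv2.so in the SASL plugin directories and separately reports the case where only the static libgssapiv2.a is present. The function name and the default directory list are assumptions; a cross-compiled libsasl2 searches the plugin directory it was configured with, or the colon-separated SASL_PATH if that is set.

```shell
#!/bin/sh
# Added example: look for the Cyrus SASL GSSAPI plugin on the client machine.
# Assumption: this list covers common default plugin locations; a cross-compiled
# libsasl2 uses whatever plugin directory it was configured with instead.
DEFAULT_SASL_DIRS="/usr/lib/sasl2:/usr/lib64/sasl2:/usr/lib/x86_64-linux-gnu/sasl2:/usr/local/lib/sasl2"

# find_gssapi_plugin [colon-separated dirs]   (hypothetical helper name)
#   prints "shared <path>", returns 0: a loadable libgssapiv2.so* exists
#   prints "static <path>", returns 2: only libgssapiv2.a exists, which is
#                                      not loaded as a plugin at run time
#   prints "none",          returns 1: no GSSAPI plugin file found
# With no argument it searches $SASL_PATH, or the default list above.
find_gssapi_plugin() {
    search_path="${1:-${SASL_PATH:-$DEFAULT_SASL_DIRS}}"
    static_hit=""
    old_ifs="$IFS"
    IFS=":"
    for dir in $search_path; do
        IFS="$old_ifs"
        [ -d "$dir" ] || continue
        # Match versioned names too, e.g. libgssapiv2.so.3.0.0
        for f in "$dir"/libgssapiv2.so*; do
            if [ -f "$f" ]; then
                echo "shared $f"
                return 0
            fi
        done
        # Remember the first static archive, but keep looking for a .so
        if [ -z "$static_hit" ] && [ -f "$dir/libgssapiv2.a" ]; then
            static_hit="$dir/libgssapiv2.a"
        fi
    done
    IFS="$old_ifs"
    if [ -n "$static_hit" ]; then
        echo "static $static_hit"
        return 2
    fi
    echo "none"
    return 1
}

# Usage: find_gssapi_plugin
#    or: find_gssapi_plugin /path/to/target/sasl2
```

A result of "static" or "none" matches the log above, where the client lists only EXTERNAL under "My supported SASL mechanisms".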