danielqsj / kafka_exporter

Kafka exporter for Prometheus
Apache License 2.0

Kafka GSSAPI Kerberos Authentication: wrong Token ID. Expected 0504, was 6030 #339

Open ilyadiff opened 1 year ago

ilyadiff commented 1 year ago

Hello. I ran into a problem connecting kafka-exporter to Kafka with Kerberos auth.

/usr/local/bin/kafka_exporter \
--kafka.server="kafka-host.domain.local:9092" \
--sasl.enabled \
--sasl.kerberos-auth-type="keytabAuth" \
--sasl.service-name="kafka" \
--sasl.mechanism="gssapi" \
--sasl.kerberos-config-path="/etc/krb5.conf" \
--sasl.realm="DOMAIN.LOCAL" \
--sasl.username="Username123" \
--log.enable-sarama \
--kafka.version="1.0.2" \
--sasl.keytab-path="/etc/kafka-exporter/keytabfile.keytab" \
--sasl.disable-PA-FX-FAST

I have a valid keytab, receive a valid ticket, and I can connect to Kafka via kafka-client (for testing). But when I connect via kafka-exporter I get the error shown in the log below:

[sarama] 2022/09/29 14:57:28 Error while performing GSSAPI Kerberos Authentication: wrong Token ID. Expected 0504, was 6030
[sarama] 2022/09/29 14:57:28 Closed connection to broker kafka-host.domain.local:9092
[sarama] 2022/09/29 14:57:28 client/metadata got error from broker -1 while fetching metadata: wrong Token ID. Expected 0504, was 6030
[sarama] 2022/09/29 14:57:28 client/metadata no available broker to send metadata request to
[sarama] 2022/09/29 14:57:28 client/brokers resurrecting 1 dead seed brokers
[sarama] 2022/09/29 14:57:28 Closing Client
F0929 14:57:28.828568   15038 kafka_exporter.go:893] Error Init Kafka Client: kafka: client has run out of available brokers to talk to: wrong Token ID. Expected 0504, was 6030

This looks like a problem similar to the tickets about Kerberos auth working incorrectly for Go applications. Searching the related issues in the Sarama and gokrb5 repositories showed me some solutions, but they didn't work for me. I also tried specifying many options with different encryption types in /etc/krb5.conf, but that did not help either. I tried running against different versions of Kafka, 1.0.2 and 2.8.1; it does not affect the result.

/etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = DOMAIN.LOCAL
default_domain = domain.local
#default_tgs_enctypes = rc4-hmac
#default_tkt_enctypes = rc4-hmac
#permitted_enctypes = rc4-hmac

[realms]
DOMAIN.LOCAL = {
  kdc = kdc-srv.domain.local
  admin_server = kdc-srv.domain.local
}

[domain_realm]
domain.local = DOMAIN.LOCAL
kdc-srv.local = DOMAIN.LOCAL

Any help is welcome. I still don't understand what exactly is the reason.
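The two token IDs in the error line are defined by the GSS-API Kerberos RFCs, and decoding them narrows the search more than trying krb5.conf enctype settings at random. 0x0504 is the TOK_ID of an RFC 4121 wrap token, the framing used with AES session keys; RFC 4121 per-message tokens carry no ASN.1 envelope, so the TOK_ID is the first two bytes on the wire. 0x60 is the DER tag of an RFC 2743 InitialContextToken, the `0x60 <length> <mech OID> <inner TOK_ID>` envelope used both for context-establishment tokens (AP-REQ 01 00, AP-REP 02 00, KRB-ERROR 03 00) and for the per-message tokens of the older RFC 1964 / RFC 4757 style (DES and RC4-HMAC session keys; wrap TOK_ID 02 01). A parser that only implements RFC 4121 therefore rejects an RC4-HMAC wrap token with exactly "Expected 0504, was 60..". The classifier below is an added example, not code from kafka_exporter, Sarama or gokrb5; the sample tokens are constructed here (the broker's real bytes are not in the thread), `ExpectWrap4121` only mirrors the shape of the check that produced the logged error, and the reading that the reporter's broker was using an RC4-HMAC session key is an assumption the thread does not confirm, although a 48-byte RFC 4757 wrap token carrying the 4-byte SASL security-layer payload does start with the 60 30 prefix the log shows.

```go
package main

import (
	"bytes"
	"encoding/hex"
	"errors"
	"fmt"
)

// DER TLV of the Kerberos V5 GSS-API mechanism OID 1.2.840.113554.1.2.2.
var krb5MechOID = []byte{0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02}

type TokenKind int

const (
	KindUnknown  TokenKind = iota
	KindWrap4121           // RFC 4121 wrap token, TOK_ID 05 04, unframed (AES enctypes)
	KindMIC4121            // RFC 4121 MIC token, TOK_ID 04 04
	KindAPReq              // InitialContextToken carrying KRB_AP_REQ, inner TOK_ID 01 00
	KindAPRep              // InitialContextToken carrying KRB_AP_REP, inner TOK_ID 02 00
	KindKrbError           // InitialContextToken carrying KRB_ERROR, inner TOK_ID 03 00
	KindWrap1964           // RFC 1964 / RFC 4757 wrap token, inner TOK_ID 02 01 (DES, RC4-HMAC)
	KindMIC1964            // RFC 1964 / RFC 4757 MIC token, inner TOK_ID 01 01
)

var kindNames = map[TokenKind]string{
	KindUnknown: "unknown", KindWrap4121: "RFC 4121 wrap", KindMIC4121: "RFC 4121 MIC",
	KindAPReq: "AP-REQ", KindAPRep: "AP-REP", KindKrbError: "KRB-ERROR",
	KindWrap1964: "RFC 1964/4757 wrap", KindMIC1964: "RFC 1964/4757 MIC",
}

func (k TokenKind) String() string { return kindNames[k] }

// Classify inspects the leading bytes of a token received from the peer and
// reports which GSS-API Kerberos framing it uses.
func Classify(tok []byte) (TokenKind, error) {
	if len(tok) < 2 {
		return KindUnknown, errors.New("token shorter than a TOK_ID")
	}
	// RFC 4121 per-message tokens: TOK_ID first, fixed 16-byte header.
	switch {
	case tok[0] == 0x05 && tok[1] == 0x04:
		if len(tok) < 16 {
			return KindUnknown, errors.New("RFC 4121 wrap header truncated")
		}
		return KindWrap4121, nil
	case tok[0] == 0x04 && tok[1] == 0x04:
		return KindMIC4121, nil
	case tok[0] != 0x60:
		return KindUnknown, fmt.Errorf("unrecognised leading bytes %s", hex.EncodeToString(tok[:2]))
	}
	// 0x60 = DER [APPLICATION 0]: an RFC 2743 InitialContextToken envelope.
	body, err := derApplication0Body(tok)
	if err != nil {
		return KindUnknown, err
	}
	if !bytes.HasPrefix(body, krb5MechOID) {
		return KindUnknown, errors.New("InitialContextToken for a non-Kerberos mechanism")
	}
	inner := body[len(krb5MechOID):]
	if len(inner) < 2 {
		return KindUnknown, errors.New("inner TOK_ID missing")
	}
	switch id := [2]byte{inner[0], inner[1]}; id {
	case [2]byte{0x01, 0x00}:
		return KindAPReq, nil
	case [2]byte{0x02, 0x00}:
		return KindAPRep, nil
	case [2]byte{0x03, 0x00}:
		return KindKrbError, nil
	case [2]byte{0x02, 0x01}:
		return KindWrap1964, nil
	case [2]byte{0x01, 0x01}:
		return KindMIC1964, nil
	}
	return KindUnknown, fmt.Errorf("unknown inner TOK_ID %s", hex.EncodeToString(inner[:2]))
}

// derApplication0Body returns the content octets of a 0x60-tagged DER element,
// accepting short and long length forms and refusing truncated input.
func derApplication0Body(tok []byte) ([]byte, error) {
	if len(tok) < 2 || tok[0] != 0x60 {
		return nil, errors.New("not an [APPLICATION 0] element")
	}
	l, start := int(tok[1]), 2
	if l&0x80 != 0 {
		n := l & 0x7f
		if n == 0 || n > 4 || len(tok) < 2+n {
			return nil, errors.New("bad long-form DER length")
		}
		l = 0
		for _, b := range tok[2 : 2+n] {
			l = l<<8 | int(b)
		}
		start = 2 + n
	}
	if len(tok) < start+l {
		return nil, fmt.Errorf("token truncated: length says %d, only %d bytes follow", l, len(tok)-start)
	}
	return tok[start : start+l], nil
}

// ExpectWrap4121 mirrors the shape of the check behind the logged error: an
// RFC 4121-only parser rejects anything whose first two bytes are not 05 04.
func ExpectWrap4121(tok []byte) error {
	if len(tok) < 16 {
		return errors.New("bytes shorter than header length")
	}
	if !bytes.Equal(tok[:2], []byte{0x05, 0x04}) {
		return fmt.Errorf("wrong Token ID. Expected 0504, was %s", hex.EncodeToString(tok[:2]))
	}
	return nil
}

// wrapInitial builds a short-form 0x60 InitialContextToken around a Kerberos
// inner token with the given TOK_ID (constructed test data helper).
func wrapInitial(id0, id1 byte, inner []byte) []byte {
	body := append(append(append([]byte{}, krb5MechOID...), id0, id1), inner...)
	return append([]byte{0x60, byte(len(body))}, body...)
}

// Constructed sample tokens (not bytes captured from the reporter's broker).
var (
	// RFC 4121 wrap header: flags 0x01 (SentByAcceptor), filler 0xFF, EC 0,
	// RRC 0, SND_SEQ 1, then placeholder ciphertext.
	rfc4121Wrap = []byte{0x05, 0x04, 0x01, 0xff, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0xde, 0xad, 0xbe, 0xef}
	// AP-REP envelope; the KRB_AP_REP body itself is a placeholder.
	apRep = wrapInitial(0x02, 0x00, []byte{0x6f, 0x03, 0xde, 0xad, 0xbe})
	// RFC 4757 (RC4-HMAC) wrap token carrying the 4-byte SASL security-layer
	// message: SGN_ALG 11 00, SEAL_ALG 10 00, filler ff ff, 8-byte SND_SEQ,
	// 8-byte SGN_CKSUM, 8-byte confounder, 4 data bytes, 1 pad byte.
	// 11 (OID) + 24 + 8 + 4 + 1 = 48 = 0x30, so the token starts with 60 30.
	legacyWrap = wrapInitial(0x02, 0x01, append(append([]byte{0x11, 0x00, 0x10, 0x00, 0xff, 0xff},
		make([]byte, 24)...), 0x01, 0x00, 0x00, 0x00, 0x01))
)

func main() {
	for name, tok := range map[string][]byte{"rfc4121Wrap": rfc4121Wrap, "apRep": apRep, "legacyWrap": legacyWrap} {
		kind, err := Classify(tok)
		fmt.Printf("%-12s prefix=%s kind=%v err=%v rfc4121parser=%v\n",
			name, hex.EncodeToString(tok[:2]), kind, err, ExpectWrap4121(tok))
	}
}
```

Feed it the first bytes of the broker's reply (a packet capture on port 9092 shows the SASL frame payload in the clear, since the wrap token is what negotiates the security layer). If the result is an RFC 1964/4757 wrap token, the thing to check is the enctype of the service ticket for kafka/kafka-host.domain.local (`klist -e` prints it after a kinit with the same keytab) and whether the broker's service principal and keytab carry AES keys at all; an AP-REP or KRB-ERROR result instead points at the context-establishment step.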