kafka4beam / brod_gssapi

SASL GSSAPI auth backend for brod (https://github.com/klarna/brod)
Apache License 2.0

SASL GSSAPI Cannot contact any KDC for realm #21

Open elainel8 opened 11 months ago

elainel8 commented 11 months ago

Hi, sorry if I'm not providing the right detail. I'm fairly new at this and it's the first time I'm trying to consume from Kafka through Kerberos authentication. I used the code under example.erl as a reference to build mine.

That realm is defined under my krb5.conf, which is located under /etc/. I have also set this environment variable:

    export KAFKA_OPTS="-Djava.security.krb5.conf=/etc/krb5.conf"

Do I need to load this file somewhere else?

After running the last line of code, I get the error below:

   {{sasl_auth_error,{sasl_fail,<<"SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Cannot contact any KDC for realm 'BELLDEV.DEV.BCE.CA')">>}},
    [{kpro_sasl,auth,7,
               [{file,"/home/med/bm/ossfm/server/fm/_build/default/lib/kafka_protocol/src/kpro_sasl.erl"},
                {line,43}]},
    {kpro_connection,init_connection,2,
                     [{file,"/home/med/bm/ossfm/server/fm/_build/default/lib/kafka_protocol/src/kpro_connection.erl"},
                      {line,240}]},
    {kpro_connection,init,4,
                     [{file,"/home/med/bm/ossfm/server/fm/_build/default/lib/kafka_protocol/src/kpro_connection.erl"},
                      {line,170}]},
    {proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,247}]}]}}],
[{brod_client,ensure_metadata_connection,1,
              [{file,"/home/med/bm/ossfm/server/fm/_build/default/lib/brod/src/brod_client.erl"},
               {line,554}]},
 {brod_client,handle_info,2,
              [{file,"/home/med/bm/ossfm/server/fm/_build/default/lib/brod/src/brod_client.erl"},
               {line,300}]},
 {gen_server,try_dispatch,4,[{file,"gen_server.erl"},{line,616}]},
 {gen_server,handle_msg,6,[{file,"gen_server.erl"},{line,686}]},
 {proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,247}]}]}

Config =
    [
      {ssl, true},
      {sasl, {callback, brod_gssapi, {gssapi, <<"FileKeytab.keytab">>, <<"username@BELL.CORP.BCE.CA">>}}}
    ].
Args =
    [
      {bootstrap_endpoints, [{"server_name", port}]},
      {topic, <<"topic_name">>},
      {partition, all},
      {config, Config},
      {begin_offset, latest},
      {client_id, test_kafka}
    ].

Bootstrap_endpoints = proplists:get_value(bootstrap_endpoints, Args),
Topic = proplists:get_value(topic, Args),
Config = proplists:get_value(config, Args),
Partition = proplists:get_value(partition, Args),
Begin_offset = proplists:get_value(begin_offset, Args),
Client_id = proplists:get_value(client_id, Args).

{ok, _} = application:ensure_all_started(brod).
ok = application:load(brod_gssapi).
application:set_env(brod_gssapi,default_handshake_vsn,1).
ok = brod:start_client(Bootstrap_endpoints, Client_id, Config).

Thank you!
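Added example, not part of the original issue or of brod_gssapi: for the "Cannot contact any KDC for realm" error above, this Python check reports whether a krb5.conf names a KDC for the realm in the error message. The sample configuration and the host kdc1.example.test are constructed, and treating dns_lookup_kdc as enabled unless it is switched off is an assumption about MIT Kerberos defaults.

```python
import re

# Constructed sample in MIT krb5.conf syntax; the KDC host name is hypothetical.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = BELL.CORP.BCE.CA
    dns_lookup_kdc = false

[realms]
    BELL.CORP.BCE.CA = {
        kdc = kdc1.example.test:88
        admin_server = kdc1.example.test
    }
"""

def parse_krb5_conf(text):
    """Return (libdefaults dict, {realm: [kdc, ...]}) from krb5.conf text."""
    libdefaults, realms = {}, {}
    section, realm = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # skip blank lines and comments
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, realm = m.group(1), None
        elif section == "realms" and realm is None and line.endswith("{"):
            realm = line.split("=", 1)[0].strip()
            realms[realm] = []
        elif line == "}":
            realm = None
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if section == "libdefaults":
                libdefaults[key] = value
            elif realm is not None and key == "kdc":
                realms[realm].append(value)
    return libdefaults, realms

def kdc_status(text, realm):
    """Say how the Kerberos library could locate a KDC for `realm`."""
    libdefaults, realms = parse_krb5_conf(text)
    if realms.get(realm):
        return "configured", realms[realm]
    # Assumption: DNS SRV discovery applies unless dns_lookup_kdc disables it.
    flag = libdefaults.get("dns_lookup_kdc", "true").lower()
    if flag in ("false", "no", "n", "0", "off", "nil"):
        return "missing", []
    return "dns-only", []
```

Pass it the contents of the krb5.conf that the client process actually reads and the realm exactly as it appears in the error message; a result of "missing" means the file gives the library no way to find a KDC for that realm.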

kjellwinblad commented 8 months ago

Hi @elainel8,

First of all, since you asked the question a couple of months ago, I want to apologize for the late response and ask if you have already resolved the issue by yourself or if you are still having problems?

> That realm is defined under my krb5.conf, which is located under /etc/. I have also set this environment variable: export KAFKA_OPTS="-Djava.security.krb5.conf=/etc/krb5.conf". Do I need to load this file somewhere else?

Yes, this file is also needed by the Kerberos KDC. It should be picked up automatically if it is located in the location that Kerberos expects (please see the documentation of your Kerberos library).

It might also be useful to look at our docker compose file that we use to set up a Kerberos and Kafka environment to perform continuous testing: https://github.com/emqx/emqx/blob/master/.ci/docker-compose-file/docker-compose-kafka.yaml .

The error message "SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for realm 'BELLDEV.DEV.BCE.CA')" suggests that the Kerberos authentication process is failing due to an inability to contact the Key Distribution Center (KDC) for your specified realm.

Here are some things that you can check: