Tao Xiao

Reputation: 31

Can not start Secure ZooKeeper

I installed Kerberos for CDH 5.3.2 following this official document.

I also followed ZooKeeper Authentication to configure a secure ZooKeeper, where I did the following:
1) created principals for each ZK server and exported their keytab files;
2) configured the related files, like zoo.cfg, jaas.conf and java.env.

But when I tried to start ZK Cluster it failed. I checked the log files and it reported the following exceptions:

    2015-09-22 15:19:08,232 ERROR org.apache.zookeeper.server.quorum.QuorumPeerMain: Unexpected exception, exiting abnormally
    java.io.IOException: Could not configure server because SASL configuration did not allow the ZooKeeper server to authenticate itself properly: javax.security.auth.login.LoginException: Checksum failed
        at org.apache.zookeeper.server.ServerCnxnFactory.configureSaslLogin(ServerCnxnFactory.java:207)
        at org.apache.zookeeper.server.NIOServerCnxnFactory.configure(NIOServerCnxnFactory.java:87)
        at org.apache.zookeeper.server.quorum.QuorumPeerMain.runFromConfig(QuorumPeerMain.java:135)
        at org.apache.zookeeper.server.quorum.QuorumPeerMain.initializeAndRun(QuorumPeerMain.java:116)
        at org.apache.zookeeper.server.quorum.QuorumPeerMain.main(QuorumPeerMain.java:79)


Checksum failed. I've no idea what that means.


I'm sure my Kerberized CDH is running OK because I can access HDFS and submit YARN jobs as the corresponding principals. Besides, I can get a ticket for ZooKeeper's principals with the command kinit -k -t <path-to-keytab> <zookeeper/FQDN@REALM>.

So what caused the problem? Any suggestion would be appreciated.

Upvotes: 0

Views: 8726

Answers (2)

user6690143

Reputation: 1

As pointed out in https://community.cloudera.com/t5/Cloudera-Manager-Installation/Kerberos-Authentication-Wizard-failing-to-generate-workable/m-p/25748#M4011, Cloudera Manager tries to use TCP, but the KDC by default is configured to work with UDP only! For reference: https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/kdc_conf.html

To resolve: in your kdc.conf, add kdc_tcp_ports = 88 below kdc_ports = ... (88 is the default TCP port for Kerberos) and restart the service: service krb5-kdc restart. Now manually start ZooKeeper and the rest of the services.

Upvotes: 0
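
A way to check the setting named in the answer above before restarting anything, as an added example that is not part of the original answer: it reads the kdc_ports and kdc_tcp_ports relations from a kdc.conf and reports whether TCP port 88 is listed. The function names and the sample configuration are constructed for illustration, and the parser ignores which section a relation sits in.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the port relations in a kdc.conf.

# kdc_ports_of FILE KEY: print the ports listed for KEY, space separated.
kdc_ports_of() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }                       # comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1)
            gsub(/[ \t]/, "", name)
            if (name != key) next
            n = split(substr($0, eq + 1), p, /[ \t,]+/)   # comma or whitespace list
            for (i = 1; i <= n; i++)
                if (p[i] != "") out = out (out == "" ? "" : " ") p[i]
        }
        END { print out }
    ' "$1"
}

# kdc_listens_tcp FILE PORT: succeed only if kdc_tcp_ports in FILE lists PORT.
kdc_listens_tcp() {
    for p in $(kdc_ports_of "$1" kdc_tcp_ports); do
        if [ "$p" = "$2" ]; then return 0; fi
    done
    return 1
}

# Constructed sample: a [kdcdefaults] section without the TCP relation
# ("before") and with the line from the answer added ("after").
sample_kdc_conf() {
    printf '[kdcdefaults]\n    kdc_ports = 88,750\n'
    if [ "$1" = after ]; then printf '    kdc_tcp_ports = 88\n'; fi
    printf '    # kdc_tcp_ports = 749\n'     # commented out, must be ignored
}

demo_dir=$(mktemp -d)
for state in before after; do
    sample_kdc_conf "$state" > "$demo_dir/$state.conf"
    if kdc_listens_tcp "$demo_dir/$state.conf" 88; then
        echo "$state: kdc_tcp_ports lists 88"
    else
        echo "$state: no kdc_tcp_ports entry for 88 (kdc_ports: $(kdc_ports_of "$demo_dir/$state.conf" kdc_ports))"
    fi
done
```

On a real KDC host, point kdc_listens_tcp at the kdc.conf actually in use instead of the generated samples.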

bbary

Reputation: 27

I had the same issue. I resolved it by regenerating the ZooKeeper keytabs in the Kerberos administration of Cloudera Manager. I did this in version 5.5.1 of CDH.

I hope this will help someone.

Upvotes: 0
