Stephane Maarek

Reputation: 5352

Kerberos JAAS with Service name

I'm trying to set up Zookeeper / Kafka Kerberos authentication, but my keytab was created in an interesting way:

ktpass -princ zookeeper/hostname@TEST -mapuser zookeeper -mapOp add -Target TEST

so it turns out I can do this

kinit zookeeper@TEST

or this:

kinit zookeeper@TEST -S zookeeper/hostname@TEST

but I can't do this:

kinit zookeeper/hostname@TEST
kinit: Client 'zookeeper/hostname@TEST' not found in Kerberos Database while getting initial credentials

So this JAAS file will work:

Server {
       com.sun.security.auth.module.Krb5LoginModule required
       useKeyTab=true
       keyTab="/path/to/server/keytab"
       storeKey=true
       useTicketCache=false
       principal="zookeeper@TEST";
};

but this one won't:

Server {
       com.sun.security.auth.module.Krb5LoginModule required
       useKeyTab=true
       keyTab="/path/to/server/keytab"
       storeKey=true
       useTicketCache=false
       principal="zookeeper/hostname@TEST";
};

So how can I make this work using a JAAS file? I couldn't find an option to have multiple principals or to specify a service name like for kinit.

Upvotes: 1

Views: 1008

Answers (1)

Gery

Reputation: 649

Assuming you're using Active Directory, you need to map your User Principal Name zookeeper to a Service Principal Name:

setspn -s zookeeper/localhost@TEST zookeeper

More details here

And you still use zookeeper@TEST as principal in your JAAS file.

Upvotes: 1
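A check worth running before editing the JAAS file is to list which principal names the keytab actually contains, since Krb5LoginModule can only log in as a principal whose key is present. The following is an added example, not code from the question or the answer: it builds a small constructed keytab in the MIT 0x0502 file format (the key bytes are dummies), parses it back to list the principals, and compares the result against the `principal=` value pulled out of a JAAS block. The same parser can be pointed at a real keytab file. Assumed values for the sample entry: name type 1 (KRB5_NT_PRINCIPAL) and enctype 17 (aes128-cts-hmac-sha1-96).

```python
import re
import struct
from typing import List, Tuple

# MIT keytab format: 2-byte magic 0x05 0x02, then entries prefixed by an int32
# size (negative size = deleted entry). All integers are big-endian.
KEYTAB_MAGIC = b"\x05\x02"


def _counted(data: bytes) -> bytes:
    """Counted octet string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries: List[Tuple[str, int, int, bytes]]) -> bytes:
    """Build a keytab from (principal, kvno, enctype, key) tuples.
    Used here only to construct sample data; keys are dummy bytes."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")          # "zookeeper/host" -> two components
        body = struct.pack(">H", len(components))
        body += _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">II", 1, 0)      # name_type KRB5_NT_PRINCIPAL, timestamp 0
        body += struct.pack(">B", kvno & 0xFF)  # 8-bit kvno
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)       # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def list_principals(keytab: bytes) -> List[Tuple[str, int, int]]:
    """Return [(principal, kvno, enctype)] for every live entry in a keytab."""
    if keytab[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos, result = 2, []
    while pos + 4 <= len(keytab):
        (size,) = struct.unpack_from(">i", keytab, pos)
        pos += 4
        if size < 0:                          # deleted entry: skip its bytes
            pos += -size
            continue
        entry = keytab[pos:pos + size]
        pos += size
        p = 0

        def take_string() -> str:
            nonlocal p
            (n,) = struct.unpack_from(">H", entry, p)
            p += 2
            s = entry[p:p + n]
            p += n
            return s.decode()

        (ncomp,) = struct.unpack_from(">H", entry, p)
        p += 2
        realm = take_string()
        components = [take_string() for _ in range(ncomp)]
        p += 8                                # name_type + timestamp, not needed here
        kvno = entry[p]
        p += 1
        enctype, keylen = struct.unpack_from(">HH", entry, p)
        p += 4 + keylen                       # skip the key material itself
        if p + 4 <= len(entry):               # 32-bit kvno present: prefer it
            (kvno32,) = struct.unpack_from(">I", entry, p)
            if kvno32:
                kvno = kvno32
        result.append(("/".join(components) + "@" + realm, kvno, enctype))
    return result


def jaas_principal(jaas_text: str) -> str:
    """Extract the principal="..." value from a JAAS login block."""
    match = re.search(r'principal\s*=\s*"([^"]+)"', jaas_text)
    if not match:
        raise ValueError("no principal= option found in JAAS block")
    return match.group(1)


def jaas_principal_in_keytab(principal: str, keytab: bytes) -> bool:
    """True if the keytab holds a key for exactly this principal name."""
    return any(name == principal for name, _, _ in list_principals(keytab))


# Constructed sample: a keytab holding only the user principal, enctype 17.
SAMPLE_KEYTAB = build_keytab([("zookeeper@TEST", 3, 17, b"\x00" * 16)])

# Constructed JAAS block in the same shape as the ones in the question.
SAMPLE_JAAS = '''Server {
       com.sun.security.auth.module.Krb5LoginModule required
       useKeyTab=true
       keyTab="/path/to/server/keytab"
       storeKey=true
       useTicketCache=false
       principal="zookeeper@TEST";
};'''

if __name__ == "__main__":
    for name, kvno, enctype in list_principals(SAMPLE_KEYTAB):
        print(f"{name}  kvno={kvno}  enctype={enctype}")
    wanted = jaas_principal(SAMPLE_JAAS)
    print(wanted, "in keytab:", jaas_principal_in_keytab(wanted, SAMPLE_KEYTAB))
```

To run it against a real file, replace `SAMPLE_KEYTAB` with `open("/path/to/server/keytab", "rb").read()`; the mismatch the question describes shows up as `jaas_principal_in_keytab("zookeeper/hostname@TEST", ...)` returning False when only the user principal's key is present, which is the same information `klist -kt` gives but in a form a deployment check can assert on.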
