Hi,

We are trying to migrate an unauthenticated ZooKeeper cluster to a
Kerberos-authenticated one. This guide
<https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+and+SASL>
was followed for configuring Kerberos on ZooKeeper, and this guide
<https://web.ornl.gov/~romeja/HowToKerb.html#Install> was followed for
setting up a KDC host.
The issue right now is that, when the ZooKeeper shell client is used to
request some data, the service ticket issued by the KDC is not getting
decrypted by the server, due to which authentication is failing.

Has anyone faced this issue before? Any help would be appreciated.

*Setup:*
Principal name is zookeeper/[email protected] for both
server and client.

*Data request command:*
zookeeper-client -server stage-kdc-zk-2face:2181 get /test2

*Stack trace from client:*
Exception in thread "main" org.apache.zookeeper.KeeperException$ConnectionLossException: KeeperErrorCode = ConnectionLoss for /test2
    at org.apache.zookeeper.KeeperException.create(KeeperException.java:99)
    at org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
    at org.apache.zookeeper.ZooKeeper.getData(ZooKeeper.java:1155)
    at org.apache.zookeeper.ZooKeeper.getData(ZooKeeper.java:1184)
    at org.apache.zookeeper.ZooKeeperMain.processZKCmd(ZooKeeperMain.java:717)
    at org.apache.zookeeper.ZooKeeperMain.processCmd(ZooKeeperMain.java:591)
    at org.apache.zookeeper.ZooKeeperMain.run(ZooKeeperMain.java:354)
    at org.apache.zookeeper.ZooKeeperMain.main(ZooKeeperMain.java:282)

*Error in zookeeper server:*
2020-06-12 18:53:57,510 - WARN  [NIOServerCxn.Factory:
0.0.0.0/0.0.0.0:2181:ZooKeeperServer@969] - Client failed to SASL
authenticate: javax.security.sasl.SaslException: GSS initiate failed
[Caused by GSSException: Failure unspecified at GSS-API level (Mechanism
level: Invalid argument (400) - Cannot find key of appropriate type to
decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)]

*krb5kdc.log:*
Jun 12 18:53:57 stage-kdc-zk-2face krb5kdc[1391](info): AS_REQ (2 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.34.169.158:
ISSUE: authtime 1591968237, etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
zookeeper/[email protected] for
krbtgt/[email protected]
Jun 12 18:53:57 stage-kdc-zk-2face krb5kdc[1391](info): TGS_REQ (4 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23)}) 10.34.169.158:
ISSUE: authtime 1591968237, etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
zookeeper/[email protected] for
zookeeper/[email protected]

-- 
Thanks,
Aparajita
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
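
The KDC log in the post shows the service ticket issued with tkt=aes256-cts-hmac-sha1-96, while the server reports it has no key of that type. The following is an added example, not part of the original post: it cross-checks the ticket etype in krb5kdc.log TGS_REQ lines against the key types listed by `klist -kte` for the server keytab. The host names, realm, keytab path and keytab contents are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample: one TGS_REQ line in the krb5kdc.log format shown in the
# post (host, realm and client address are placeholders, not the post's values).
KDC_LOG = (
    "Jun 12 18:53:57 kdc1 krb5kdc[1391](info): TGS_REQ (4 etypes "
    "{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), "
    "DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23)}) 10.0.0.5: "
    "ISSUE: authtime 1591968237, etypes {rep=aes256-cts-hmac-sha1-96(18), "
    "tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, "
    "zookeeper/zk1.example.com@EXAMPLE.COM for zookeeper/zk1.example.com@EXAMPLE.COM\n"
)

# Constructed sample of `klist -kte <keytab>` output for the server keytab.
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/zookeeper/zookeeper.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------
   2 06/12/2020 18:40:11 zookeeper/zk1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 06/12/2020 18:40:11 zookeeper/zk1.example.com@EXAMPLE.COM (DEPRECATED:arcfour-hmac)
"""

ISSUE_RE = re.compile(
    r"TGS_REQ .*?ISSUE: .*?tkt=(?:DEPRECATED:)?([\w-]+)\(\d+\).*? for (\S+)\s*$")
KEYTAB_RE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)\s+\((?:DEPRECATED:)?([^)]+)\)\s*$")


def issued_tickets(log_text):
    """Return (service principal, ticket etype) for each issued service ticket."""
    matches = (ISSUE_RE.search(line) for line in log_text.splitlines())
    return [(m.group(2), m.group(1)) for m in matches if m]


def keytab_etypes(listing):
    """Map each principal in the keytab listing to the set of its key etypes."""
    keys = {}
    for line in listing.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            keys.setdefault(m.group(1), set()).add(m.group(2))
    return keys


def undecryptable(log_text, listing):
    """Issued tickets whose etype has no matching key in the service keytab."""
    keys = keytab_etypes(listing)
    return [(svc, et) for svc, et in issued_tickets(log_text)
            if et not in keys.get(svc, set())]
```

An empty result means the keytab does hold a key of the ticket's encryption type, so the cause lies elsewhere, for example in the key version number or in the encryption types the server's JVM supports.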
