SASL GSSAPI Cannot contact any KDC for realm #21

elainel8 opened this issue Dec 5, 2023 · 1 comment

elainel8 commented Dec 5, 2023

Hi,
Sorry if I'm not providing the right details; I'm fairly new at this, and it's the first time I'm trying to consume from Kafka through Kerberos authentication.
I used the code under example.erl as a reference to build mine.

That realm is defined in my krb5.conf, which is located under /etc/.
I have also set this environment variable: export KAFKA_OPTS="-Djava.security.krb5.conf=/etc/krb5.conf"
Do I need to load this file somewhere else?

After running the last line of code, I get the error below:

```
   {{sasl_auth_error,{sasl_fail,<<"SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Cannot contact any KDC for realm 'BELLDEV.DEV.BCE.CA')">>}},
    [{kpro_sasl,auth,7,
               [{file,"/home/med/bm/ossfm/server/fm/_build/default/lib/kafka_protocol/src/kpro_sasl.erl"},
                {line,43}]},
    {kpro_connection,init_connection,2,
                     [{file,"/home/med/bm/ossfm/server/fm/_build/default/lib/kafka_protocol/src/kpro_connection.erl"},
                      {line,240}]},
    {kpro_connection,init,4,
                     [{file,"/home/med/bm/ossfm/server/fm/_build/default/lib/kafka_protocol/src/kpro_connection.erl"},
                      {line,170}]},
    {proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,247}]}]}}],
[{brod_client,ensure_metadata_connection,1,
              [{file,"/home/med/bm/ossfm/server/fm/_build/default/lib/brod/src/brod_client.erl"},
               {line,554}]},
 {brod_client,handle_info,2,
              [{file,"/home/med/bm/ossfm/server/fm/_build/default/lib/brod/src/brod_client.erl"},
               {line,300}]},
 {gen_server,try_dispatch,4,[{file,"gen_server.erl"},{line,616}]},
 {gen_server,handle_msg,6,[{file,"gen_server.erl"},{line,686}]},
 {proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,247}]}]}
```
```erlang
%% Connection config: TLS plus SASL/GSSAPI through the brod_gssapi callback
%% (keytab file and principal).
Config =
    [
      {ssl, true},
      {sasl, {callback, brod_gssapi, {gssapi, <<"FileKeytab.keytab">>, <<"[email protected]">>}}}
    ].
%% "server_name", port and topic_name are placeholders for the real values.
Args =
    [
      {bootstrap_endpoints, [{"server_name", port}]},
      {topic, <<"topic_name">>},
      {partition, all},
      {config, Config},
      {begin_offset, latest},
      {client_id, test_kafka}
    ].

Bootstrap_endpoints = proplists:get_value(bootstrap_endpoints, Args),
Topic = proplists:get_value(topic, Args),
Config = proplists:get_value(config, Args),
Partition = proplists:get_value(partition, Args),
Begin_offset = proplists:get_value(begin_offset, Args),
Client_id = proplists:get_value(client_id, Args).

%% Start brod, load brod_gssapi, then start the client (the call that fails).
{ok, _} = application:ensure_all_started(brod).
ok = application:load(brod_gssapi).
application:set_env(brod_gssapi,default_handshake_vsn,1).
ok = brod:start_client(Bootstrap_endpoints, Client_id, Config).
```

Thank you!

@kjellwinblad
Contributor

Hi @elainel8,

First of all, since you asked the question a couple of months ago, I want to apologize for the late response and ask if you have already resolved the issue by yourself or if you are still having problems.

> That realm is defined under my krb5.conf, which is located under /etc/
> I have also set this environment variable: export KAFKA_OPTS="-Djava.security.krb5.conf=/etc/krb5.conf"
> Do I need to load this file somewhere else?

Yes, this file is also needed by the Kerberos KDC. It should be picked up automatically if it is located in a location that Kerberos expects (please see the documentation of your Kerberos library).

It might also be useful to look at our docker compose file that we use to set up a Kerberos and Kafka environment to perform continuous testing: https://github.com/emqx/emqx/blob/master/.ci/docker-compose-file/docker-compose-kafka.yaml .

The error message "SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for realm 'BELLDEV.DEV.BCE.CA')" suggests that the Kerberos authentication process is failing due to an inability to contact the Key Distribution Center (KDC) for your specified realm.

Here are some things that you can check:

  • Verify that the Key Distribution Center (KDC) for the realm 'BELLDEV.DEV.BCE.CA' is reachable from your machines, for example using ping.

  • Double-check your /etc/krb5.conf file to ensure the realm and KDC are correctly specified. Make sure there are no typos or incorrect configurations.

  • Confirm that the keytab file and principal are correctly configured: https://stackoverflow.com/questions/63723556/keytab-file-authentication-check
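
The first two checks in the list above can be scripted; this is an added example, not part of the original thread or of brod_gssapi. It reads the `kdc` entries for a realm from krb5.conf text and probes each over TCP, defaulting to the Kerberos port 88; the sample config, realm and host names are constructed, and realm blocks without nested sub-sections are assumed.

```python
import re
import socket

# Constructed sample krb5.conf; realm and host names are placeholders.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.TEST
[realms]
    EXAMPLE.TEST = {
        kdc = kdc1.example.test
        kdc = kdc2.example.test:750
    }
    OTHER.TEST = {
        kdc = kdc.other.test
    }
"""

def kdcs_for_realm(conf_text, realm):
    """Return [(host, port)] for the realm's kdc entries in [realms]; [] if none."""
    section, block, kdcs = None, None, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                               # new top-level section
            section, block = header.group(1), None
        elif section != "realms":
            continue
        elif line.endswith("{"):                 # "REALM = {" opens a realm block
            block = line.split("=", 1)[0].strip()
        elif line.startswith("}"):
            block = None
        elif block == realm and re.match(r"kdc\s*=", line):
            host, _, port = line.split("=", 1)[1].strip().partition(":")
            kdcs.append((host, int(port) if port else 88))
    return kdcs

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connect succeeds (ping only proves ICMP reachability)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:                              # DNS failure, refused, timeout
        return False

def check_realm(conf_text, realm, probe=tcp_reachable):
    """Map each configured KDC ("host:port") to the probe result."""
    return {f"{h}:{p}": probe(h, p) for h, p in kdcs_for_realm(conf_text, realm)}
```

Call `check_realm(open("/etc/krb5.conf").read(), "<realm from the error>")`; an empty result means that file has no `kdc` entry for the realm, and realm names are matched case-sensitively.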
