Uploaded image for project: 'ZooKeeper'
  1. ZooKeeper
  2. ZOOKEEPER-3206

Can't use Active Directory for Kerberos Authentication

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.4.13
    • Fix Version/s: None
    • Component/s: kerberos
    • Labels:
      None

      Description

      We're using Active Directory, and created service principals this way:

      ktpass -princ ZOOKEEPER/host-1@TEST -mapuser zookeeper -mapOp  add -Target TEST
      ktpass -princ ZOOKEEPER/host-2@TEST -mapuser zookeeper -mapOp  add -Target TEST
      ktpass -princ ZOOKEEPER/host-3@TEST -mapuser zookeeper -mapOp  add -Target TEST
      

      Using this format, one is not able to do

      kinit ZOOKEEPER/host-1@TEST

      , but one is able to do

      kinit zookeeper@TEST -S ZOOKEEPER/host-1@TEST

      to obtain a service ticket.

      In the Kafka project, it is fine for the JAAS file to have

      principal="kafka@TEST"

      , and automatically it seems it acquires the correct service ticket (I"m not sure how).

      In zookeeper, things fail when a client tries to connect, due to this line:
      https://github.com/apache/zookeeper/blob/master/zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java#L170

      It'd be great for Zookeeper server to have the same kind of mechanism as Kafka for accepting client connections. This would allow us to have

      principal="zookeeper@TEST"

      in JAAS. Otherwise, maybe support a JAAS new option so we can explicitly name the service ?

      FYI - trying

      principal="zookeeper/host-1@TEST"

      does not work as due to how Active Directory works, it complains that the credentials cannot be found in the database (as we try to authenticate using the service name, not the user name)

      I'm attaching some documentation I find relevant: https://serverfault.com/questions/682374/client-not-found-in-kerberos-database-while-getting-initial/683058#683058

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              stephane.maarek@gmail.com Stephane Maarek
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated: