We're using Active Directory, and created service principals this way:
Using this format, one is not able to do
, but one is able to do
to obtain a service ticket.
In the Kafka project, it is fine for the JAAS file to have
, and automatically it seems it acquires the correct service ticket (I'm not sure how).
In ZooKeeper, things fail when a client tries to connect, due to this line:
It'd be great for the ZooKeeper server to have the same kind of mechanism as Kafka for accepting client connections. This would allow us to have
in JAAS. Otherwise, maybe support a new JAAS option so we can explicitly name the service?
FYI - trying
does not work: due to how Active Directory works, it complains that the credentials cannot be found in the database (as we try to authenticate using the service name, not the user name).
I'm attaching some documentation I find relevant: https://serverfault.com/questions/682374/client-not-found-in-kerberos-database-while-getting-initial/683058#683058