Hello,
I'm trying to get SASL_SSL GSSAPI authentication working with a Kafka target, but I get the following error when I test the connection:
00016339: 2021-05-25T16:59:07:853020 [SERVER ]V: initializing kerberos. (queue_imp.c:836)
00016339: 2021-05-25T16:59:07:853049 [SERVER ]V: kafka_kerberos_init: -> (kafka_kerberos.c:28)
00016339: 2021-05-25T16:59:07:853152 [SERVER ]V: get env value (kafka_kerberos.c:43)
00016339: 2021-05-25T16:59:07:853243 [SERVER ]V: get ticket file (kafka_kerberos.c:45)
00016339: 2021-05-25T16:59:07:853327 [SERVER ]V: inside kafkakrb_get_ticket_cache_file (kafka_kerberos.c:229)
00016339: 2021-05-25T16:59:07:853415 [SERVER ]T: Kafka Kerberos cache file: '/data/attunity_replicate_data/tmp/kafka.ticket' (kafka_kerberos.c:240)
00016339: 2021-05-25T16:59:07:853488 [SERVER ]V: set new value (kafka_kerberos.c:48)
00016339: 2021-05-25T16:59:07:853502 [SERVER ]V: kafka_kerberos_init: <- (kafka_kerberos.c:54)
00016339: 2021-05-25T16:59:07:853517 [SERVER ]V: allocating message tracker. (queue_imp.c:839)
00016339: 2021-05-25T16:59:07:859396 [SERVER ]T: kafka publish option is 0 (queue_imp.c:851)
00016339: 2021-05-25T16:59:07:859457 [SERVER ]V: running on design mode; limiting queue client timeout if applicable (queue_imp.c:895)
00016339: 2021-05-25T16:59:07:859466 [SERVER ]V: allocating client. (queue_imp.c:906)
00016339: 2021-05-25T16:59:07:859482 [SERVER ]V: configuring kafka client (kafka_client.c:515)
00016339: 2021-05-25T16:59:07:859537 [SERVER ]V: configuring timeout for kafka client - design mode (kafka_client.c:571)
00016339: 2021-05-25T16:59:07:859547 [SERVER ]V: setting 'metadata.request.timeout.ms' to '50000' (kafka_client.c:395)
00016339: 2021-05-25T16:59:07:859584 [SERVER ]V: setting 'socket.timeout.ms' to '50000' (kafka_client.c:401)
00016339: 2021-05-25T16:59:07:859599 [SERVER ]V: kafkac_set_main_handle_security_protocol: -> (kafka_client.c:413)
00016339: 2021-05-25T16:59:07:859614 [SERVER ]T: changing security.protocol default value (kafka_client.c:422)
00016339: 2021-05-25T16:59:07:859622 [SERVER ]T: set security.protocol=SASL_SSL (kafka_client.c:442)
00016339: 2021-05-25T16:59:07:859631 [SERVER ]V: kafkac_set_main_handle_sasl_mechanisms_property: -> (kafka_client.c:452)
00016339: 2021-05-25T16:59:07:859639 [SERVER ]T: set sasl.mechanisms to GSSAPI (kafka_client.c:456)
00016339: 2021-05-25T16:59:07:859648 [SERVER ]V: kafkac_set_main_handle_sasl_mechanisms_property: <- (kafka_client.c:479)
00016339: 2021-05-25T16:59:07:859687 [SERVER ]T: RDKAFKA - 7 - SASL: [thrd:app]: Selected provider Cyrus for SASL mechanism GSSAPI (kafka_client.c:184)
00016339: 2021-05-25T16:59:07:859718 [SERVER ]T: RDKAFKA - 7 - SASLREFRESH: [thrd:app]: Refreshing Kerberos ticket with command: kinit -R -t "/etc/security/keytabs/dev_attunity.keytab" -k dev_attunity@BIGEYS.PRIV || kinit -t "/etc/security/keytabs/dev_attunity.keytab" -k dev_attunity@BIGEYS.PRIV (kafka_client.c:184)
00016339: 2021-05-25T16:59:07:871142 [SERVER ]T: RDKAFKA - 3 - SASLREFRESH: [thrd:app]: Kerberos ticket refresh failed: kinit -R -t "/etc/security/keytabs/dev_attunity.keytab" -k dev_attunity@BIGEYS.PRIV || kinit -t "/etc/security/keytabs/dev_attunity.keytab" -k dev_attunity@BIGEYS.PRIV: exited with code 127 (kafka_client.c:184)
Of course, later in the logs I get:
00016347: 2021-05-25T16:59:07:903408 [SERVER ]T: RDKAFKA - 3 - FAIL: [thrd:sasl_ssl://XXXXXXXXXX:6668/bootstrap]: sasl_ssl://XXXXXXXXX:6668/bootstrap: Failed to initialize SASL authentication: SASL handshake failed (start (-1)): SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available) (after 1ms in state AUTH_REQ) [1022601] (kafka_client.c:179
If I run this command `kinit -R -t "/etc/security/keytabs/dev_attunity.keytab" -k dev_attunity@BIGEYS.PRIV || kinit -t "/etc/security/keytabs/dev_attunity.keytab" -k dev_attunity@BIGEYS.PRIV` manually as the Qlik Replicate user, it works.
What could be the problem?
Best,
Jerome
OK, I'm replying to my own question because I finally found the root cause. I was saying that the kinit command was working using the attunity user, but this was before sourcing the arep_login.sh script!
[attunity@ ~]$ source /opt/attunity/replicate/bin/arep_login.sh
[attunity@ ~]$ kinit -R -t "/etc/security/keytabs/dev_attunity.keytab" -k dev_attunity@BIGEYS.PRIV || kinit -t "/etc/security/keytabs/dev_attunity.keytab" -k dev_attunity@BIGEYS.PRIV
kinit: relocation error: kinit: symbol krb5_get_init_creds_opt_set_pac_request, version krb5_3_MIT not defined in file libkrb5.so.3 with link time reference
kinit: relocation error: kinit: symbol krb5_get_init_creds_opt_set_pac_request, version krb5_3_MIT not defined in file libkrb5.so.3 with link time reference
Best,
Jerome
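A way to confirm this kind of mismatch, as an added example that is not part of the original thread: compare which `libkrb5.so.3` the dynamic linker resolves for `kinit` in a clean shell and after sourcing the login script. It assumes the script changes the library search path; the helper names and the sample `ldd` output (including the `/opt/example/lib` path) are constructed for illustration.

```shell
#!/bin/bash
# Print the path that ldd output (on stdin) resolves for library $1.
resolved_lib() {
    awk -v lib="$1" '$1 == lib && $2 == "=>" { print $3; exit }'
}

# Compare how library $1 resolves in two ldd outputs ($2 = clean shell,
# $3 = application environment). Returns 1 when the resolution differs.
compare_lib() {
    clean=$(printf '%s\n' "$2" | resolved_lib "$1")
    app=$(printf '%s\n' "$3" | resolved_lib "$1")
    if [ "$clean" = "$app" ]; then
        echo "same: $clean"
        return 0
    fi
    echo "differs: $clean -> $app"
    return 1
}

# Constructed sample ldd output; /opt/example/lib is a placeholder path.
CLEAN_LDD='	libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f1a2c000000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f1a2b000000)'
APP_LDD='	libkrb5.so.3 => /opt/example/lib/libkrb5.so.3 (0x00007f3b4d000000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f3b4c000000)'

# Live check on a real host: $1 is the login script to source
# (defaults to the arep_login.sh path shown in the thread).
live_check() {
    login=${1:-/opt/attunity/replicate/bin/arep_login.sh}
    kinit_bin=$(command -v kinit) || return 2
    [ -r "$login" ] || return 2
    clean_out=$(ldd "$kinit_bin")
    app_out=$(bash -c 'source "$1" >/dev/null 2>&1; ldd "$2"' _ "$login" "$kinit_bin")
    compare_lib libkrb5.so.3 "$clean_out" "$app_out"
}

# Demo on the constructed samples.
compare_lib libkrb5.so.3 "$CLEAN_LDD" "$APP_LDD" || true
```

On the affected host, run `live_check` as the user the Replicate service runs as; a "differs" result means `kinit` is loading a different Kerberos library inside the application environment than in a plain shell.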