Zookeeper / SASL Checksum失败
如何解决产生此错误的问题:
WARN [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@1040] - Client failed to SASL authenticate: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)]
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)]
at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:199)
at org.apache.zookeeper.server.ZooKeeperSaslServer.evaluateResponse(ZooKeeperSaslServer.java:50)
我在AWS EC2实例上设置了Zookeeper。我概述了设置Kerberos和Zookeeper here时遵循的步骤。 Zookeeper似乎正在运作:
zookeeper@zookeeper-server-01:~/zk/zookeeper-3.4.11$ JVMFLAGS="-Djava.security.auth.login.config=/home/zookeeper/jaas/jaas.conf -Dsun.security.krb5.debug=true" bin/zkServer.sh start-foreground
...
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply zookeeper/zookeeper-server-01
2017-12-22 00:21:52,308 [myid:] - INFO [main:Login@297] - Server successfully logged in.
2017-12-22 00:21:52,312 [myid:] - INFO [main:NIOServerCnxnFactory@89] - binding to port 0.0.0.0/0.0.0.0:2181
2017-12-22 00:21:52,313 [myid:] - INFO [Thread-1:Login$1@130] - TGT refresh thread started.
2017-12-22 00:21:52,313 [myid:] - INFO [Thread-1:Login@305] - TGT valid starting at: Fri Dec 22 00:21:52 UTC 2017
2017-12-22 00:21:52,313 [myid:] - INFO [Thread-1:Login@306] - TGT expires: Fri Dec 22 10:21:52 UTC 2017
2017-12-22 00:21:52,314 [myid:] - INFO [Thread-1:Login$1@185] - TGT refresh sleeping until: Fri Dec 22 08:25:59 UTC 2017
但是,当我尝试将zkCli.sh(在不同的EC2实例上运行)连接到它时,服务器会关闭连接并输出上面的校验和错误。
Zookeeper客户端似乎能够连接到Zookeeper服务器:
JVMFLAGS="-Djava.security.auth.login.config=/home/admin/Downloads/zookeeper-3.4.11/conf/zookeeper-test-client-jaas.conf -Dsun.security.krb5.debug=true" bin/zkCli.sh -server zookeeper-server-01.eigenroute.com:2181
Connecting to zookeeper-server-01.eigenroute.com:2181
2017-12-22 00:27:12,779 [myid:] - INFO [main:Environment@100] - Client environment:zookeeper.version=
3.4.11-37e277162d567b55a07d1755f0b31c32e93c01a0, built on 11/01/2017 18:06 GMT
...
2017-12-22 00:27:12,788 [myid:] - INFO [main:Environment@100] - Client environment:user.dir=/home/admin/Downloads/zookeeper-3.4.11
2017-12-22 00:27:12,789 [myid:] - INFO [main:ZooKeeper@441] - Initiating client connection, connectString=zookeeper-server-01.eigenroute.com:2181 sessionTimeout=30000 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@1de0aca6
Welcome to ZooKeeper!
JLine support is enabled
...
>>> KrbAsReq creating message
[zk: zookeeper-server-01.eigenroute.com:2181(CONNECTING) 0] >>> KrbKdcReq send: kdc=kerberos-server-01.eigenroute.com UDP:88, timeout=30000, number of retries =3, #bytes=166
>>> KDCCommunication: kdc=kerberos-server-01.eigenroute.com UDP:88, timeout=30000,Attempt =1, #bytes=166
>>> KrbKdcReq send: #bytes read=310
>>>Pre-Authentication Data:
...
客户端收到有关需要预授权的错误,但似乎已成功登录(这是否意味着成功通过身份验证?)到... Zookeeper服务器?或者登录Kerberos?:
...
KRBError received: NEEDED_PREAUTH
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.
Looking for keys for: zktestclient/eigenroute.com@EIGENROUTE.COM
Added key: 17version: 3
Added key: 18version: 3
Looking for keys for: zktestclient/eigenroute.com@EIGENROUTE.COM
Added key: 17version: 3
Added key: 18version: 3
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=kerberos-server-01.eigenroute.com UDP:88, timeout=30000, number of retries =3, #bytes=253
>>> KDCCommunication: kdc=kerberos-server-01.eigenroute.com UDP:88, timeout=30000,Attempt =1, #bytes=253
>>> KrbKdcReq send: #bytes read=742
>>> KdcAccessibility: remove kerberos-server-01.eigenroute.com
Looking for keys for: zktestclient/eigenroute.com@EIGENROUTE.COM
Added key: 17version: 3
Added key: 18version: 3
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply zktestclient/eigenroute.com
2017-12-22 00:27:13,286 [myid:] - INFO [main-SendThread(35.169.37.216:2181):Login@297] - Client successfully logged in.
...
然后,客户端打开与Zookeeper服务器的套接字连接,并尝试对其进行SASL身份验证:
...
2017-12-22 00:27:13,312 [myid:] - INFO [main-SendThread(35.169.37.216:2181):ClientCnxn$SendThread@103
5] - Opening socket connection to server 35.169.37.216/35.169.37.216:2181. Will attempt to SASL-authen
ticate using Login Context section 'Client'
2017-12-22 00:27:13,317 [myid:] - INFO [main-SendThread(35.169.37.216:2181):ClientCnxn$SendThread@877
] - Socket connection established to 35.169.37.216/35.169.37.216:2181, initiating session
2017-12-22 00:27:13,359 [myid:] - INFO [main-SendThread(35.169.37.216:2181):ClientCnxn$SendThread@1302] - Session establishment complete on server 35.169.37.216/35.169.37.216:2181, sessionid = 0x1000436873a0001, negotiated timeout = 30000
WATCHER::
WatchedEvent state:SyncConnected type:None path:null
Found ticket for zktestclient/eigenroute.com@EIGENROUTE.COM to go to krbtgt/EIGENROUTE.COM@EIGENROUTE.
COM expiring on Fri Dec 22 10:27:13 UTC 2017
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for zktestclient/eigenroute.com@EIGENROUTE.COM to go to krbtgt/EIGENROUTE.COM@EIGENROUTE.
COM expiring on Fri Dec 22 10:27:13 UTC 2017
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbKdcReq send: kdc=kerberos-server-01.eigenroute.com UDP:88, timeout=30000, number of retries =3, #bytes=712
>>> KDCCommunication: kdc=kerberos-server-01.eigenroute.com UDP:88, timeout=30000,Attempt =1, #bytes=712
>>> KrbKdcReq send: #bytes read=678
>>> KdcAccessibility: remove kerberos-server-01.eigenroute.com
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Krb5Context setting mySeqNumber to: 50687702
Krb5Context setting peerSeqNumber to: 0
Created InitSecContextToken:
0000: 01 00 6E 82 02 6B 30 82 02 67 A0 03 02 01 05 A1 ..n..k0..g......
...
0260: 33 25 94 1F 60 93 E9 CF 7E EF 15 82 F8 6D ED 06 3%..`........m..
0270: 43 C
2017-12-22 00:27:13,405 [myid:] - INFO [main-SendThread(35.169.37.216:2181):ClientCnxn$SendThread@1161] - Unable to read additional data from server sessionid 0x1000436873a0001, likely server has closed socket, closing socket connection and attempting reconnect
WATCHER::
WatchedEvent state:Disconnected type:None path:null
因此,SASL身份验证不是完全失败,但Zookeeper服务器会关闭连接(由于校验和失败)。
更新#1。在回应T-Heron的评论时,客户端计算机上nslookup zookeeper-server-01.eigenroute.com的结果是:
Server: 172.31.0.2
Address: 172.31.0.2#53
Non-authoritative answer:
Name: zookeeper-server-01.eigenroute.com
Address: 35.169.37.216
zookeeper-server-01.eigenroute.com的DNS条目是:
zookeeper-server-01.eigenroute.com 30 minutes A
35.169.37.216
在客户端计算机上,/etc/hosts包含:
127.0.1.1 ip-172-31-95-211.ec2.internal ip-172-31-95-211
127.0.0.1 localhost
34.239.197.36 kerberos-server-02
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
(kerberos-server-02被错误命名,它不是KDC,当我评论此行时结果是相同的)并且在ZooKeeper服务器上,zookeeper-server-01.eigenroute.com,/etc/hosts包含:< / p>
127.0.1.1 ip-172-31-88-14.ec2.internal ip-172-31-88-14
127.0.0.1 localhost
34.225.180.212 kerberos-server-01
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
(kerberos-server-01的条目不需要在那里 - 当我删除它时,结果是相同的)。
有人可以解释如何解决校验和失败吗?谢谢!
1 个答案:
答案 0 :(得分:2)
我的KDC有以下原则:
zookeeper/35.169.37.216@EIGENROUTE.COM
zookeeper/zookeeper-server-01.eigenroute.com@EIGENROUTE.COM
在ZooKeeper服务器的JAAS配置中,我的主机名是zookeeper-server-01.eigenroute.com,我使用了为zookeeper/zookeeper-server-01.eigenroute.com@EIGENROUTE.COM创建的密钥表。
当我为zookeeper/35.169.37.216@EIGENROUTE.COM创建密钥表并在ZooKeeper服务器的JAAS配置中使用此密钥表时,一切正常 - 来自客户端的SASL身份验证成功。
我宁愿在Kerberos主体的名称中使用完全限定的域名(zookeeper-server-01.eigenroute.com),而不是IP地址。如果有人能告诉我如何让它工作,我会接受这个答案。在此之前,这就足够了。
更新:我明白了。 Zookeeper客户端从-server参数获取FQDN,查找此FQDN的IP地址,并从此创建InetSocketAddress对象(org.apache.zookeeper.client.StaticHostProvider)。然后,要获取主机名,它会调用.getHostName(org.apache.zookeeper.ClientCnxn.SendThread.startConnect)。在我的本地计算机上,它返回:
ec2-35-169-37-216.compute-1.amazonaws.com
在我的客户端AWS EC2实例上,返回:
35.169.37.216
而是我期望它返回FQDN。这就是为什么在我的AWS EC2客户端计算机上,ZooKeeper客户端尝试获取票证:
zookeeper/35.169.37.216@EIGENROUTE.COM
在我的本地计算机上,ZooKeeper客户端尝试获取以下票证:
zookeeper/ec2-35-169-37-216.compute-1.amazonaws.com@EIGENROUTE.COM
所以我需要AWS来确保35.169.37.216上的反向DNS查找产生zookeeper-server-01.eigenroute.com。到目前为止我找到的解决方案是to ask AWS to set up the mapping for the reverse DNS。
理想情况下,ZooKeeper可以选择跳过此反向DNS查询,只使用FQDN作为主机名(也许它确实如此,我还没有找到它)。
相关问题
最新问题
- 我写了这段代码,但我无法理解我的错误
- 我无法从一个代码实例的列表中删除 None 值,但我可以在另一个实例中。为什么它适用于一个细分市场而不适用于另一个细分市场?
- 是否有可能使 loadstring 不可能等于打印?卢阿
- java中的random.expovariate()
- Appscript 通过会议在 Google 日历中发送电子邮件和创建活动
- 为什么我的 Onclick 箭头功能在 React 中不起作用?
- 在此代码中是否有使用“this”的替代方法?
- 在 SQL Server 和 PostgreSQL 上查询,我如何从第一个表获得第二个表的可视化
- 每千个数字得到
- 更新了城市边界 KML 文件的来源?