Kerberos authentication fails because of supported_enctypes?

Time: 2019-01-24 07:58:16

Tags: apache-kafka kerberos mit-kerberos

I'm running into a Kerberos-related problem (in this case I'm trying to use it with Kafka).

First, my kdc.conf file is as follows:

[kdcdefaults]
  kdc_ports = 88
  kdc_tcp_ports = 88
  default_realm=KAFKA.SECURE
[realms]
  KAFKA.SECURE = {
    acl_file = /var/kerberos/krb5kdc/kadm5.acl
    dict_file = /usr/share/dict/words
    admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
    supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
    # supported_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
  }

Based on this configuration, I created a user principal named admin and a service principal named kafka.

kinit -kt admin.user.keytab admin successfully obtains a ticket:

Credentials cache: API:A96189DD-B94C-41F4-BD65-B4C0C1C1F522
        Principal: admin@KAFKA.SECURE

  Issued                Expires               Principal
Jan 24 09:49:06 2019  Jan 25 09:49:06 2019  krbtgt/KAFKA.SECURE@KAFKA.SECURE

Here is what was logged on the krb5kdc side:

Jan 24 07:49:06 ip-aaa.bbb.ccc.ddd.compute.internal krb5kdc[1075](info): AS_REQ (4 etypes {18 17 16 23}) 195.97.116.228: ISSUE: authtime 1548316146, etypes {rep=18 tkt=18 ses=18}, admin@KAFKA.SECURE for krbtgt/KAFKA.SECURE@KAFKA.SECURE
Jan 24 07:49:06 ip-aaa.bbb.ccc.ddd.compute.internal krb5kdc[1075](info): closing down fd 13

Then I try to start the Kafka client:

kafka/bin/kafka-console-producer.sh --broker-list xxx.xxx.xxx.xxx.amazon.com:9094 --topic kafka-security-topic --producer.config krb5/kafka_client_kerberos.properties
Java config name: null
Native config name: /Library/Preferences/edu.mit.Kerberos
Loaded from native config
>>>KinitOptions cache name is /tmp/krb5cc_501
>> Acquire default native Credentials
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23.
>>> Found no TGT's in LSA
org.apache.kafka.common.KafkaException: Failed to construct kafka producer
    at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:433)
    at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:291)
    at kafka.producer.NewShinyProducer.<init>(BaseProducer.scala:40)
    at kafka.tools.ConsoleProducer$.main(ConsoleProducer.scala:49)
    at kafka.tools.ConsoleProducer.main(ConsoleProducer.scala)
Caused by: org.apache.kafka.common.KafkaException: javax.security.auth.login.LoginException: Could not login: the client is being asked for a password, but the Kafka client code does not currently support obtaining a password from the user. not available to garner  authentication information from the user

Nothing is logged on the krb5kdc server side.

Now, if I go to the kdc.conf file above and switch supported_enctypes to the less secure algorithms des3-hmac-sha1 des-cbc-crc des-cbc-md5, create a new KDC user principal admin-less and kinit this user -> the kinit command succeeds!

I have tried OSX and CentOS (client side). The KDC is on a CentOS machine in Amazon.

Any ideas what's wrong here?
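The two logs in the question carry the numbers worth comparing: the KDC issued the TGT with etypes {rep=18 tkt=18 ses=18}, while the Java client's debug output lists only 17 16 23 as its default_tkt_enctypes. The following script, an added example that is not part of the question, parses both lines and reports every issued etype the client does not list; the sample lines are copied from the question with the hostname shortened, and the etype number-to-name table is the standard one from RFC 3961/3962/4757.

```python
import re

# Kerberos encryption type numbers (RFC 3961/3962/4757, MIT krb5 names).
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",            # MIT alias: des3-hmac-sha1
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",             # RC4-HMAC
    25: "camellia128-cts-cmac",
    26: "camellia256-cts-cmac",
}

# Constructed samples: the krb5kdc ISSUE line and the Java Krb5 debug line from the question.
KDC_LOG = ("Jan 24 07:49:06 kdc-host krb5kdc[1075](info): AS_REQ (4 etypes {18 17 16 23}) "
           "195.97.116.228: ISSUE: authtime 1548316146, etypes {rep=18 tkt=18 ses=18}, "
           "admin@KAFKA.SECURE for krbtgt/KAFKA.SECURE@KAFKA.SECURE")
CLIENT_LOG = "default etypes for default_tkt_enctypes: 17 16 23."

def parse_kdc_issue(line):
    """Return (etypes requested by the client, {rep, tkt, ses} etypes the KDC issued)."""
    req = re.search(r"AS_REQ \(\d+ etypes \{([\d ]+)\}\)", line)
    issued = re.search(r"etypes \{rep=(\d+) tkt=(\d+) ses=(\d+)\}", line)
    if not req or not issued:
        raise ValueError("not a krb5kdc AS_REQ ISSUE line")
    requested = [int(x) for x in req.group(1).split()]
    rep, tkt, ses = (int(x) for x in issued.groups())
    return requested, {"rep": rep, "tkt": tkt, "ses": ses}

def parse_client_etypes(line):
    """Return the etype list the Java Krb5 debug output reports for default_tkt_enctypes."""
    m = re.search(r"default_tkt_enctypes: ([\d ]+)\.", line)
    if not m:
        raise ValueError("no default_tkt_enctypes line")
    return [int(x) for x in m.group(1).split()]

def find_mismatches(kdc_line, client_line):
    """Return {role: etype name} for each issued etype missing from the client's list."""
    _, issued = parse_kdc_issue(kdc_line)
    client = set(parse_client_etypes(client_line))
    return {role: ETYPE_NAMES.get(et, str(et))
            for role, et in issued.items() if et not in client}

if __name__ == "__main__":
    for role, name in find_mismatches(KDC_LOG, CLIENT_LOG).items():
        print(f"{role} etype {name} is not in the client's default_tkt_enctypes")
```

A non-empty result means the cached TGT's reply, ticket or session key uses an encryption type the Java client does not enable, which is one thing to check before weakening supported_enctypes on the KDC.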

0 answers:

No answers