spring-cloud-stream-binder-kafka: Multi binder Multi Cluster kerberos jaas configuration fails with KRBError
Environment:
Multi binder kerberos setup as explained at https://kafka.apache.org/documentation/#security_client_staticjaas
Spring Configuration:
```yaml
binders:
  kafka1:
    type: kafka
    environment:
      spring:
        cloud:
          stream:
            kafka:
              binder.brokers: broker1:port
              binder.jaas.loginModule: com.sun.security.auth.module.Krb5LoginModule
              binder.configuration.sasl.kerberos.service.name: svc_name_1
              binder.configuration.security.protocol: SASL_SSL
              binder.configuration.ssl.truststore.type: JKS
              binder.configuration.ssl.truststore.location: [hidden]
              binder.configuration.ssl.truststore.password: [hidden]
  kafka2:
    type: kafka
    environment:
      spring:
        cloud:
          stream:
            kafka:
              binder.brokers: broker2:port
              binder.jaas.loginModule: com.sun.security.auth.module.Krb5LoginModule
              binder.configuration.sasl.kerberos.service.name: svc_name_2
              binder.configuration.security.protocol: SASL_SSL
              binder.configuration.ssl.truststore.type: JKS
              binder.configuration.ssl.truststore.location: [hidden]
              binder.configuration.ssl.truststore.password: [hidden]
```
Error:
```
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
Credentials serviceCredsSingle: same realm
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23.
EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
CksumType: sun.security.krb5.internal.crypto.HmacSha1Aes256CksumType
EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
getKDCFromDNS using UDP
KrbKdcReq send: kdc=[hidden]. TCP:88, timeout=30000, number of retries =3, #bytes=1530
KDCCommunication: kdc=[hidden]. TCP:88, timeout=30000,Attempt =1, #bytes=1530
DEBUG: TCPClient reading 125 bytes
KrbKdcReq send: #bytes read=125
KdcAccessibility: remove [hidden].:88
KDCRep: init() encoding tag is 126 req type is 13
KRBError: sTime is Thu Jun 25 15:11:36 EDT 2020 1593112296000 suSec is 187798 error code is 7 error Message is Server not found in Kerberos database sname is svc_name_1/broker2 msgType is 30
```
Findings:
The service name from the first broker stays for all binders. The service name of the second binder should replace the first one.
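The mismatch in the finding can be checked mechanically from the JDK Kerberos debug output: the `sname` in the KRBError names the service principal the client actually requested for a broker, and the binder configuration says which service name that broker should have received. The following is an added diagnostic, not code from the report or from the binder project; it assumes placeholder ports and a constructed log excerpt copied from the error above.

```python
import re

# Constructed sample config: the two binders from the report as the nested mapping the
# YAML denotes (dotted keys kept as written there); the report hides the ports.
BINDERS = {
    "kafka1": {"binder.brokers": "broker1:9093",
               "binder.configuration.sasl.kerberos.service.name": "svc_name_1"},
    "kafka2": {"binder.brokers": "broker2:9093",
               "binder.configuration.sasl.kerberos.service.name": "svc_name_2"},
}

# Constructed sample log: the KRBError line from the report, on one line as printed.
SAMPLE_LOG = (
    "Entered Krb5Context.initSecContext with state=STATE_NEW\n"
    "KRBError: sTime is Thu Jun 25 15:11:36 EDT 2020 1593112296000 suSec is 187798 "
    "error code is 7 error Message is Server not found in Kerberos database "
    "sname is svc_name_1/broker2 msgType is 30\n"
)

# sname is <service>/<host>; error code 7 is KDC_ERR_S_PRINCIPAL_UNKNOWN (RFC 4120).
KRB_ERROR = re.compile(
    r"KRBError:.*?error code is (?P<code>\d+).*?"
    r"sname is (?P<service>[^/\s]+)/(?P<host>\S+)")

def expected_service_names(binders):
    """Map broker host -> (binder name, configured sasl.kerberos.service.name)."""
    expected = {}
    for name, env in binders.items():
        for hostport in env["binder.brokers"].split(","):
            host = hostport.strip().rsplit(":", 1)[0]
            expected[host] = (name, env["binder.configuration.sasl.kerberos.service.name"])
    return expected

def diagnose(log_text, binders):
    """One finding per KRBError whose sname disagrees with the binder owning that broker;
    'used_from' names the binder whose service name was actually sent (bleed-over)."""
    expected = expected_service_names(binders)
    owners = {cfg["binder.configuration.sasl.kerberos.service.name"]: n
              for n, cfg in binders.items()}
    findings = []
    for m in KRB_ERROR.finditer(log_text):
        host, used = m.group("host"), m.group("service")
        if host not in expected:
            continue  # broker not managed by any binder in this config
        binder, want = expected[host]
        if used != want:
            findings.append({"broker": host, "binder": binder, "expected": want, "used": used,
                             "used_from": owners.get(used), "error_code": int(m.group("code"))})
    return findings
```

Running `diagnose(SAMPLE_LOG, BINDERS)` on the report's log reports broker2 (binder kafka2, expected svc_name_2) being asked for with svc_name_1, which belongs to kafka1.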
About this issue
- State: closed
- Created 4 years ago
- Reactions: 2
- Comments: 15 (6 by maintainers)
Commits related to this issue
- Adding docs for multi binder JAAS configuration Adding documentation for connecting to multiple Kafka clusters with separate JAAS configuration from within a single application. Resolves https://git... — committed to sobychacko/spring-cloud-stream-binder-kafka by sobychacko 3 years ago
- Adding docs for multi binder JAAS configuration Adding documentation for connecting to multiple Kafka clusters with separate JAAS configuration from within a single application. Resolves https://git... — committed to spring-cloud/spring-cloud-stream-binder-kafka by sobychacko 3 years ago
I have not received much attention via webchat. Created https://issues.apache.org/jira/browse/KAFKA-10276 a couple of weeks back; no movement yet.