I have a Java application that connects to Kafka through KafkaAdminClient. I'm using SASL authentication with GSSAPI mechanism (Kerberos). I am providing the krb5.conf, jaas.conf, principal, and keytab. When the application starts, if I provide the correct principal and keytab, and the first authentication attempt is successful, every subsequent attempt will remain successful, even if I change the principal/keytab to be incorrect. The reverse scenario is also true; if the principal in the first attempt is incorrect, causing a failure, every subsequent attempt also fails even after I correct the principal. I realize this is because Kerberos caches credentials; I'm wondering how to clear the cache without restarting the app. Can I force the principal to log off after a period of time?
I have tried setting various properties in the conf files with no luck. This is what I have:
jaas.conf
KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
renewTicket=false
useKeyTab=true
storeKey=false
useTicketCache=false
renewTGT=false
refreshKrb5Config=true
keyTab="/tmp/keytab.keytab"
principal="***"
serviceName="kafka";
};
Client {
com.sun.security.auth.module.Krb5LoginModule required
renewTicket=false
useKeyTab=true
storeKey=false
useTicketCache=false
renewTGT=false
refreshKrb5Config=true
keyTab="/tmp/keytab.keytab"
principal="***"
serviceName="zookeeper";
};
krb5.conf
[libdefaults]
forwardable = true
default_realm = foo.bar.com
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
default_ccache_name = /tmp/krb5cc_%{uid}
rdns = false
ignore_acceptor_hostname = true
udp_preference_limit = 1
#default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
#default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
[domain_realm]
******.*****.*****.****.com = foo.bar.com
[logging]
default = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log
[realms]
foo.bar.com = {
kdc = ******.*****.*****.****.com
admin_server = ********.******.******.*****.com
admin_server = ********.******.******.*****.com
}
This application is deployed to PCF and I cannot ssh into the instance, so doing a klist purge is not an option. Is there another way to make Kerberos forget previous logins? Any suggestions are greatly appreciated.
Related
I have installed MIT KDC. I am enabling Kerberos using "Existing MIT KDC" from Ambari. While creating principals I am getting the error below.
Failed to create principal, trinitylocal-071819@HUB.LOCAL - Failed to create a service principal for trinitylocal-071819@HUB.LOCAL
STDOUT: Authenticating as principal admin/admin@HUB.LOCAL with existing credentials.
STDERR: WARNING: no policy specified for trinitylocal-071819@HUB.LOCAL; defaulting to no policy
add_principal: Insufficient access to lock the database while creating "trinitylocal-071819@HUB.LOCAL". Administration credentials NOT DESTROYED.
I am able to create principals using kadmin.local; the commands below also work. I am also able to log in with kinit admin/admin.
I have tried the klist command and I am able to log in.
Below are my krb5.conf and kdc.conf.
Below is my krb5.conf
[libdefaults]
renew_lifetime = 7d
forwardable = true
default_realm = HUB.LOCAL
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
default_ccache_name = /tmp/krb5cc_%{uid}
#default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
#default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
[logging]
default = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log
[realms]
HUB.LOCAL = {
admin_server = HOSTNAME
kdc = HOSTNAME
}
Below is my kdc.conf
[kdcdefaults]
kdc_ports = 750,88
[realms]
EXAMPLE.COM = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
default_principal_flags = +preauth
}
Solved: it was an installation issue. I didn't give the proper REALM.
I have installed krb5-appl-server and krb5-workstation, and also configured /etc/krb5.conf on the KDC server.
I have created a user root/admin in the KDC.
But when I'm on the application server and type:
kadmin -p root/admin
it says: "missing parameters in krb5.conf required for kadmin client while initializing kadmin interface"
What's missing in krb5.conf?
The krb5.conf on the application server:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = test.com
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
EXAMPLE.COM = {
kdc = 10.85.0.20:88
admin_server = 10.85.0.20:749
}
[domain_realm]
server.test.com = test.com
client.test.com = test.com
Thanks :D
The first thing is that case matters in realm names, so test.com and TEST.COM are not the same realm. Secondly, you don't have an admin server defined for the default realm in your krb5.conf:
default_realm = test.com
The default_realm should match at least one realm in the realm section and should be the same as the realm name you used in setting up the server.
"missing parameters in krb5.conf required for kadmin client while initializing kadmin interface" is very misleading.
I was met with the same mistake and found the error had nothing to do with the krb5.conf. Maybe the error lies in your command line. In my case, I sent a wrong realm name to the -r parameter. When I set it right, the error was gone.
[realms]
EXAMPLE.COM = {
kdc = 10.85.0.20:88
admin_server = 10.85.0.20:749
}
I believe you should've replaced the EXAMPLE.COM with TEST.COM
I have some trouble in getting my kadmin to work. Everything is fine in kadmin.local, but whenever I use kadmin, it seems it is using the kadm5.acl file, but isn't.
I have in this file:
$ cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@HADOOP.COM *
kadmin can connect to the kdc server correctly, and dns lookup and reverse dns is working also.
My krb5.conf is like this:
$ cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 750,88
[realms]
HADOOP.COM = {
admin_keytab = FILE: /var/kerberos/krb5kdc/kadm5.keytab
kadmind_port = 749
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
database_name = /var/kerberos/krb5kdc/principal
acl_file = /var/kerberos/krb5kdc/kadm5.acl
#key_stash_file = /var/kerberos/krb5kdc/.k5.HADOOP.COM
}
and $ cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = HADOOP.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
HADOOP.COM = {
kdc = evl2400469.eu.verio.net:88
admin_server = evl2400469.eu.verio.net:749
default_domain = hadoop.com
}
[domain_realm]
.hadoop.com = HADOOP.COM
hadoop.com = HADOOP.COM
So when I try to perform an operation such as adding a principal, or getting the list of principals, I get:
kadmin: listprincs
get_principals: Operation requires ``list'' privilege while retrieving list.
kadmin: getprivs
current privileges: GET ADD MODIFY DELETE
I really don't know where the problem is in my configuration.
I even tried to get a ticket before using kadmin console:
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: kadmin/admin@HADOOP.COM

Valid starting     Expires            Service principal
05/21/14 10:13:34  05/21/14 13:13:34  krbtgt/HADOOP.COM@HADOOP.COM
        renew until 05/22/14 10:13:34

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Thanks a lot for your help on that :)
Try editing /var/kerberos/krb5kdc/kadm5.acl with:
*/admin@HADOOP.COM *
The kadmind daemon needs to be restarted in order for changes in the ACL file to become active:
service kadmind restart
I'm trying to get the krb5 file to run so that I can set up AD login for my box. When I run a kinit command I get an error stating:
"Improper format of Kerberos configuration file while initializing Kerberos 5 library"
I'm relatively new to setting up AD on a Linux box, thus I'm unsure about the proper syntax for this configuration file.
Anything with a * is the local domain that I've just commented out, so it's BOXNAME.SOMETHING.LOCAL.
BOXNAME is just the name of the box in the configuration file.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_relam = BOXNAME.*****
[realms]
nwcvco01.***** {
kdc = [IPADDRESS]
default_domain = BOXNAME.*****
}
[domain_realm]
.***** = BOXNAME.*****
***** = BOXNAME.*****
default_realm is spelled incorrectly as default_relam. Kerberos is not very tolerant of errors in krb5.conf.
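Since two of the answers above come down to the same class of krb5.conf mistake (a default_realm that does not match any [realms] entry because of case or a leftover EXAMPLE.COM, a realm block with no admin_server for kadmin, and a misspelled key like default_relam), here is a small checker for exactly those problems. It is an added example, not code from any of the posters; the parser covers only the krb5.conf syntax seen on this page, and the constructed SAMPLE is a made-up configuration reproducing those mistakes.

```python
# Added example (not from the posts): check a krb5.conf for the mistakes above.
KNOWN_LIBDEFAULTS = {"default_realm", "dns_lookup_realm", "dns_lookup_kdc",
                     "ticket_lifetime", "renew_lifetime", "forwardable",
                     "default_ccache_name", "udp_preference_limit", "rdns"}

def parse_krb5_conf(text):
    """Return {section: {key: value}}; realm blocks nest as {realm: {k: v}}."""
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
            conf.setdefault(section, {})
        elif line == "}":
            realm = None
        elif line.endswith("{"):                   # "REALM = {" opens a block
            realm = line[:-1].rstrip(" =")
            conf[section][realm] = {}
        else:
            key, _, value = line.partition("=")
            target = conf[section][realm] if realm else conf[section]
            target[key.strip()] = value.strip()
    return conf

def check_krb5_conf(text):
    """Return human-readable problems; an empty list means the checks pass."""
    conf = parse_krb5_conf(text)
    libdefaults, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    problems = [f"unknown [libdefaults] key '{k}' (typo?)"
                for k in libdefaults if k not in KNOWN_LIBDEFAULTS]
    default_realm = libdefaults.get("default_realm")
    if default_realm is None:
        problems.append("no default_realm in [libdefaults]")
    elif default_realm not in realms:              # realm names are case-sensitive
        same = [r for r in realms if r.lower() == default_realm.lower()]
        problems.append(f"default_realm '{default_realm}' has no [realms] entry"
                        + (f" (case differs from '{same[0]}')" if same else ""))
    for name, settings in realms.items():
        if "admin_server" not in settings:
            problems.append(f"realm '{name}' has no admin_server (kadmin needs it)")
    return problems

# Constructed sample reproducing the asker's mismatch (lowercase default_realm
# against an EXAMPLE.COM block) plus the default_relam typo; not a real config.
SAMPLE = "[libdefaults]\ndefault_relam = test.com\ndefault_realm = test.com\n" \
         "[realms]\nEXAMPLE.COM = {\nkdc = 10.0.0.1:88\n}\n"
```

Running check_krb5_conf(SAMPLE) reports the typo, the unmatched default_realm and the missing admin_server; a realm whose only difference is case gets an explicit hint.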
I have searched many blog posts but could not find any solution.
I have seen many posts with a similar kind of error, but in their case the Server Name was:
HTTP/Domain Name
I was able to get a ticket for the user to go to the server.
But I really don't know why I am getting this kind of error with the Server Name as null.
The error is
KRBError:
sTime is Tue Oct 20 10:11:30 EDT 2009 1256047890000
suSec is 548720
error code is 7
error Message is Server not found in Kerberos database
realm is XXX.YYY.COM
sname is HTTP/null
msgType is 30
My Config files are like below:
login.config
com.sun.security.jgss.login {
com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true doNotPrompt=false
debug=true;
};
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true
debug=true;
};
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required client=TRUE useKeyTab=true
storeKey=true
doNotPrompt=true
principal="HTTP/xxx.yyy.zz.com@YYY.ZZ.COM"
isInitiator=false debug=true;
};
krb5.config
[libdefaults]
default_realm = XXX.YYY.COM
udp_preference_limit = 1
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
[realms]
YYY.ZZ.COM= {
admin_server =xxx.yyy.zz.com
kdc = xxx.yyy.zz.com
default_domain = yyy.zz.com
master_kdc = xxx.yyy.zz.com
}
[domain_realm]
.yyy.zz.com= YYY.ZZ.COM
yyy.zz.com= YYY.ZZ.COM
Could anyone help me with this?
Thanks in Advance
This open source project http://spnego.sourceforge.net has some documentation and examples. I think it might be what you need.