How to resolve a zookeeper authentication failure when using Kafka with Kerberos - apache-kafka

I am trying to use SASL between my kafka broker and zookeeper. When I start the kafka server
KAFKA_OPTS="-Djava.security.auth.login.config=/home/kafka/kafka/config/kafka_server_jaas.conf -Djava.security.krb5.conf=/etc/krb5.conf" \
./kafka-server-start.sh ../config/server.properties
I get the following error:
INFO TGT refresh thread started. (org.apache.zookeeper.Login)
DEBUG Client principal is "kafkabroker1/kafka.eigenroute.com#EIGENROUTE.COM". (org.apache.zookeeper.Login)
DEBUG Server principal is "krbtgt/EIGENROUTE.COM#EIGENROUTE.COM". (org.apache.zookeeper.Login)
INFO TGT valid starting at: Sat Dec 16 00:32:52 EST 2017 (org.apache.zookeeper.Login)
INFO TGT expires: Sat Dec 16 10:32:52 EST 2017 (org.apache.zookeeper.Login)
INFO TGT refresh sleeping until: Sat Dec 16 08:55:41 EST 2017 (org.apache.zookeeper.Login)
INFO Opening socket connection to server devel-2.sjml.com/173.243.38.81:2181. Will attempt to SASL-authenticate using Login Context section 'Client' (org.apache.zookeeper.ClientCnxn)
DEBUG Closing ZkClient... (org.I0Itec.zkclient.ZkClient)
INFO Terminate ZkClient event thread. (org.I0Itec.zkclient.ZkEventThread)
DEBUG Closing ZooKeeper connected to zookeeper.eigenroute.com:2181 (org.I0Itec.zkclient.ZkConnection)
DEBUG Closing session: 0x0 (org.apache.zookeeper.ZooKeeper)
DEBUG Closing client for session: 0x0 (org.apache.zookeeper.ClientCnxn)
WARN Client session timed out, have not heard from server in 6004ms for sessionid 0x0 (org.apache.zookeeper.ClientCnxn)
DEBUG An exception was thrown while closing send thread for session 0x0 : Client session timed out, have not heard from server in 6004ms for sessionid 0x0 (org.apache.zookeeper.ClientCnxn)
DEBUG Ignoring exception during shutdown input (org.apache.zookeeper.ClientCnxnSocketNIO)
java.net.SocketException: Socket is not connected
My questions are: what is going on? And how to do I fix this?
Below are my configuration files. The first is server.properties:
# server.properties
broker.id=0
delete.topic.enable=true
listeners=SASL_PLAINTEXT://kafka.eigenroute.com:9092
sasl.mechanism.inter.broker.protocol=GSSAPI
sasl.enabled.mechanisms=GSSAPI
sasl.kerberos.service.name=kafkabroker1
inter.broker.listener.name=SASL_PLAINTEXT
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
super.users=User:kafkabroker1
...
zookeeper.connect=zookeeper.eigenroute.com:2181
zookeeper.connection.timeout.ms=6000
Here is kafka_server_jaas.conf
KafkaServer {
com.sun.security.auth.module.Krb5LoginModule required
refreshKrb5Config=true
useKeyTab=true
storeKey=true
keyTab="/home/kafka/keytabs/kafka_broker1.keytab"
principal="kafkabroker1/kafka.eigenroute.com#EIGENROUTE.COM";
};
Client {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true
refreshKrb5Config=true
useKeyTab=true
storeKey=true
keyTab="/home/kafka/keytabs/kafka_broker1.keytab"
principal="kafkabroker1/kafka.eigenroute.com#EIGENROUTE.COM";
};
This is the zookeeper file in /etc/init.d:
#!/bin/bash
export ZOOCFGDIR="/etc/zookeeper/conf/"
export SERVER_JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/zookeeper.jaas -Djava.security.krb5.conf=/etc/krb5.conf"
echo "$#"
/usr/share/java/zookeeper-3.4.10/bin/zkServer.sh $# /etc/zookeeper/conf/zoo.cfg
Here is my zookeeper configuration file zoo.cfg:
tickTime=2000
initLimit=10
syncLimit=5
dataDir=/var/lib/zookeeper
clientPort=2181
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
requireClientAuthScheme=sasl
jaasLoginRenew=3600000
I have enabled useTicketCache=true in the zookeeper.jaas file (does it belong there?):
Server {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true
refreshKrb5Config=true
useKeyTab=true
keyTab="/home/kafka/keytabs/zookeeper.keytab"
storeKey=true
principal="zookeeper/zookeeper.eigenroute.com#EIGENROUTE.COM";
};
Finally, the keytab files are all readable:
$ ll /home/kafka/keytabs/
total 24
drwxr-xr-x 2 sjamal sjamal 4096 Dec 12 11:32 .
drwxr-xr-x 10 kafka kafka 4096 Dec 12 11:57 ..
-rw-r--r-- 1 root root 366 Dec 12 11:24 kafka_broker1.keytab
-rw-r--r-- 1 root root 426 Dec 12 11:31 testkafkaconsumer1.keytab
-rw-r--r-- 1 root root 426 Dec 12 11:31 testkafkaproducer1.keytab
-rw-r--r-- 1 root root 370 Dec 12 11:32 zookeeper.keytab
I have consulted the following resources:
apache-kafka-security-authorization-authentication-encryption.
Kafka SASL zookeeper authentication (this says to add the zookeeper.set.acl=true to server.properties, but this has no effect on the issue I am experiencing)
https://kafka.apache.org/documentation/#configuration (the official documentation, which could use improvement in some areas)
https://coheigea.blogspot.ca/2017/05/securing-apache-kafka-with-kerberos.html (a set of instructions that I initially started following)
Can someone suggest what the problem might be, and how to fix this? Thanks!
UPDATE: I ran netstat -tulnp | grep 2181 and ps aux | grep zookeeper, the output below shows that Zookeeper is running and listening on port 2181:
root#devel-2:~# netstat -tulnp | grep 2181
tcp6 0 0 :::2181 :::* LISTEN 3366/java
root#devel-2:~# ps aux | grep zookeeper
root 3366 0.0 0.6 3474796 26000 ? Sl Dec16 1:43 java -Dzookeeper.log.dir=. -Dzookeeper.root.logger=INFO,CONSOLE -cp /usr/share/java/zookeeper-3.4.10/bin/../build/classes:/usr/share/java/zookeeper-3.4.10/bin/../build/lib/*.jar:/usr/share/java/zookeeper-3.4.10/bin/../lib/slf4j-log4j12-1.6.1.jar:/usr/share/java/zookeeper-3.4.10/bin/../lib/slf4j-api-1.6.1.jar:/usr/share/java/zookeeper-3.4.10/bin/../lib/netty-3.10.5.Final.jar:/usr/share/java/zookeeper-3.4.10/bin/../lib/log4j-1.2.16.jar:/usr/share/java/zookeeper-3.4.10/bin/../lib/jline-0.9.94.jar:/usr/share/java/zookeeper-3.4.10/bin/../zookeeper-3.4.10.jar:/usr/share/java/zookeeper-3.4.10/bin/../src/java/lib/*.jar:/etc/zookeeper/conf/: -Dsun.security.krb5.debug=true -Dlog4j.configuration=file:/etc/zookeeper/conf/log4j.properties -Djava.security.auth.login.config=/etc/zookeeper/conf/zookeeper.jaas -Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/etc/zookeeper/conf/jaas.conf -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.local.only=false org.apache.zookeeper.server.quorum.QuorumPeerMain /etc/zookeeper/conf/zoo.cfg
UPDATE: The software versions are:
Kerberos 5 version 1.12.1
Zookeeper 3.4.10
Kafka 0.11.0.0
UPDATE: Below is the content of my /etc/krb5.conf file:
[libdefaults]
default_realm = EIGENROUTE.COM
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
EIGENROUTE.COM = {
kdc = krb.eigenroute.com
admin_server = krb.eigenroute.com
default_domain = eigenroute.com
}
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu:88
kdc = kerberos-1.mit.edu:88
kdc = kerberos-2.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
MEDIA-LAB.MIT.EDU = {
kdc = kerberos.media.mit.edu
admin_server = kerberos.media.mit.edu
}
ZONE.MIT.EDU = {
kdc = casio.mit.edu
kdc = seiko.mit.edu
admin_server = casio.mit.edu
}
MOOF.MIT.EDU = {
kdc = three-headed-dogcow.mit.edu:88
kdc = three-headed-dogcow-1.mit.edu:88
admin_server = three-headed-dogcow.mit.edu
}
CSAIL.MIT.EDU = {
kdc = kerberos-1.csail.mit.edu
kdc = kerberos-2.csail.mit.edu
admin_server = kerberos.csail.mit.edu
default_domain = csail.mit.edu
krb524_server = krb524.csail.mit.edu
}
IHTFP.ORG = {
kdc = kerberos.ihtfp.org
admin_server = kerberos.ihtfp.org
}
GNU.ORG = {
kdc = kerberos.gnu.org
kdc = kerberos-2.gnu.org
kdc = kerberos-3.gnu.org
admin_server = kerberos.gnu.org
}
1TS.ORG = {
kdc = kerberos.1ts.org
admin_server = kerberos.1ts.org
}
GRATUITOUS.ORG = {
kdc = kerberos.gratuitous.org
admin_server = kerberos.gratuitous.org
}
DOOMCOM.ORG = {
kdc = kerberos.doomcom.org
admin_server = kerberos.doomcom.org
}
ANDREW.CMU.EDU = {
kdc = kerberos.andrew.cmu.edu
kdc = kerberos2.andrew.cmu.edu
kdc = kerberos3.andrew.cmu.edu
admin_server = kerberos.andrew.cmu.edu
default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
kdc = kerberos.cs.cmu.edu
kdc = kerberos-2.srv.cs.cmu.edu
admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
kdc = kerberos.dementix.org
kdc = kerberos2.dementix.org
admin_server = kerberos.dementix.org
}
stanford.edu = {
kdc = krb5auth1.stanford.edu
kdc = krb5auth2.stanford.edu
kdc = krb5auth3.stanford.edu
master_kdc = krb5auth1.stanford.edu
admin_server = krb5-admin.stanford.edu
default_domain = stanford.edu
}
UTORONTO.CA = {
kdc = kerberos1.utoronto.ca
kdc = kerberos2.utoronto.ca
kdc = kerberos3.utoronto.ca
admin_server = kerberos1.utoronto.ca
default_domain = utoronto.ca
}
[domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
.toronto.edu = UTORONTO.CA
.utoronto.ca = UTORONTO.CA
.eigenroute.com = EIGENROUTE.COM
eigenroute.com = EIGENROUTE.COM
[login]
krb4_convert = true
krb4_get_tickets = false
[logging]
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmin.log
default = FILE:/var/log/kerberos/krb5lib.log

Related

Kafka SASL Auth with Kerberos: How to clear credentials cache

I have a Java application that connects to Kafka through KafkaAdminClient. I'm using SASL authentication with GSSAPI mechanism (Kerberos). I am providing the krb5.conf, jaas.conf, principal, and keytab. When the application starts, if I provide the correct principal and keytab, and the first authentication attempt is successful, every subsequent attempt will remain successful, even if I change the principal/keytab to be incorrect. The reverse scenario is also true; if the principal in the first attempt is incorrect, causing a failure, every subsequent attempt also fails even after I correct the principal. I realize this is because Kerberos caches credentials; I'm wondering how to clear the cache without restarting the app. Can I force the principal to log off after a period of time?
I have tried setting various properties in the conf files with no luck. This is what I have:
jaas.conf
KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
renewTicket=false
useKeyTab=true
storeKey=false
useTicketCache=false
remewTGT=false
refreshKrb5Config=true
keyTab="/tmp/keytab.keytab"
principal="***"
serviceName="kafka";
};
Client {
com.sun.security.auth.module.Krb5LoginModule required
renewTicket=false
useKeyTab=true
storeKey=false
useTicketCache=false
remewTGT=false
refreshKrb5Config=true
keyTab="/tmp/keytab.keytab"
principal="***"
serviceName="zookeeper";
};
krb5.conf
[libdefaults]
forwardable = true
default_realm = foo.bar.com
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
default_ccache_name = /tmp/krb5cc_%{uid}
rdns = false
ignore_acceptor_hostname = true
udp_preference_limit = 1
#default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
#default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
[domain_realm]
******.*****.*****.****.com = foo.bar.com
[logging]
default = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log
[realms]
foo.bar.com = {
kdc = ******.*****.*****.****.com
admin_server = ********.******.******.*****.com
admin_server = ********.******.******.*****.com
}
This application is deployed to PCF and I cannot ssh into the instance, so doing a klist purge is not an option. Is there another way to make Kerberos forget previous logins? Any suggestions are greatly appreciated.

Ambari Failed to create principals while installing Kerberos

I have installed MITKDC. I am enabling Kerberos using Existing MIT KDC From Ambari. While creating principals I am getting below error.
Failed to create principal, trinitylocal-071819#HUB.LOCAL - Failed to create a service principal for trinitylocal-071819#HUB.LOCAL
STDOUT: Authenticating as principal admin/admin#HUB.LOCAL with existing credentials.
STDERR: WARNING: no policy specified for trinitylocal-071819#HUB.LOCAL; defaulting to no policy
add_principal: Insufficient access to lock the database while creating "trinitylocal-071819#HUB.LOCAL".Administration credentials NOT DESTROYED.
I am able to create principals using kadmin.local.below commands also working. I am able to login to Kinit admin/admin also.
Klist command I have tried and I am able to log in.
Below are my krb5.conf and kdc.conf.
Below is my krb5.conf
[libdefaults]
renew_lifetime = 7d
forwardable = true
default_realm = HUB.LOCAL
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
default_ccache_name = /tmp/krb5cc_%{uid}
#default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
#default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
[logging]
default = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log
[realms]
HUB.LOCAL = {
admin_server = HOSTNAME
kdc = HOSTNAME
}
Below is my kdc.conf
[kdcdefaults]
kdc_ports = 750,88
[realms]
EXAMPLE.COM = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
default_principal_flags = +preauth
}

Solved it is Installation Issue. I didn't give proper REALM

JAAS auth kerberos error "java.net.SocketTimeoutException: Receive timed out"

i have installed a kerberos server.
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = SNSPRJ.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
SNSPRJ.COM = {
kdc = kerberos.snsprj.com
admin_server = kerberos.snsprj.com
}
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
.snsprj.com = SNSPRJ.COM
snsprj.com = SNSPRJ.COM
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
SNSPRJ.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
~
In the kerberos client ,i use kinit xiaoxiao/admin#SNSPRJ.COM and it's see ok
[root#bogon ~]# kinit xiaoxiao/admin#SNSPRJ.COM
Password for xiaoxiao/admin#SNSPRJ.COM:
[root#bogon ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: xiaoxiao/admin#SNSPRJ.COM
Valid starting Expires Service principal
08/24/2017 13:51:18 08/25/2017 13:51:17 krbtgt/SNSPRJ.COM#SNSPRJ.COM
[root#bogon ~]#
but when i use JAAS to auth kerberos server some error message occur :
java.net.SocketTimeoutException: Receive timed out
i have tey telnet 192.168.1.196 88 it's ok.
bogon:jaas0822 skh$ telnet 192.168.1.196 88
Trying 192.168.1.196...
Connected to bogon.
Escape character is '^]'.
JAAS Authentication:http://docs.oracle.com/javase/1.5.0/docs/guide/security/jgss/tutorials/AcnOnly.html
my code:
import javax.security.auth.login.*;
import com.sun.security.auth.callback.TextCallbackHandler;
/**
* This JaasAcn application attempts to authenticate a user
* and reports whether or not the authentication was successful.
*
* Created by skh on 2017/8/22.
*/
public class JaasAcn {
public static void main(String[] args) {
String path = "/workspace/idea/ssm/src/test/java/com/snsprj/jaas0822/";
System.setProperty("java.security.auth.login.config", path + "jaas.conf");
// System.setProperty("java.security.krb5.conf", path + "krb5.conf");
System.setProperty("java.security.krb5.realm", "SNSPRJ.COM");
System.setProperty("java.security.krb5.kdc", "kerberos.snsprj.com");
System.setProperty("java.security.krb5.debug", "true");
// Obtain a LoginContext, needed for authentication. Tell it
// to use the LoginModule implementation specified by the
// entry named "JaasSample" in the JAAS login configuration
// file and to also use the specified CallbackHandler.
LoginContext lc = null;
try {
lc = new LoginContext("JaasSample", new TextCallbackHandler());
// attempt authentication
try {
lc.login();
} catch (LoginException le) {
le.printStackTrace();
System.err.println("Authentication failed:");
System.err.println(" " + le.getMessage());
System.exit(-1);
}
} catch (LoginException le) {
System.err.println("Cannot create LoginContext. " + le.getMessage());
} catch (SecurityException se) {
System.err.println("Cannot create LoginContext. " + se.getMessage());
System.exit(-1);
}
System.out.println("Authentication succeeded!");
}
}
is something worry? anyone can help me ,think you very much!

Solution :use TCP
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = SNSPRJ.COM
default_ccache_name = KEYRING:persistent:%{uid}
# insert by xiaohb 20170824 start
udp_preference_limit = 1
# insert by xiaohb 20170824 end

Kerberos 5 Application Server

I'm have installed krb5-appl-server and krb5-workstation; also config the krb5.conf in /etc/krb5.conf in KDC server
I have created a user root/admin in KDC
But when i'm on application server, type :
kadmin -p root/admin
they say : "missing parameters in krb5.conf required for kadmin client while initializing kadmin interface"
What's missing in krb5.conf ???
In krb5.conf in application :
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = test.com
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
EXAMPLE.COM = {
kdc = 10.85.0.20:88
admin_server = 10.85.0.20:749
}
[domain_realm]
server.test.com = test.com
client.test.com = test.com
Tks :D

The first thing is that case matters in realm names so test.com and TEST.COM are not the same realm. Secondly, you don't have an admin server defined for the default realm in your krb5.conf
default_realm = test.com
The default_realm should match at least one realm in the realm section and should be the same as the realm name you used in setting up the server.

missing parameters in krb5.conf required for kadmin client while initializing kadmin interface is very misleading.
I was met with same mistake and found the error had nothing to do with the krb5.conf. Maybe the errror lies in your command line. In my case, I sent a wrong realm name to -r parameter.When I set it right, the error was gone.

**
[realms]
EXAMPLE.COM = {
kdc = 10.85.0.20:88
admin_server = 10.85.0.20:749
}
**
I believe you should've replaced the EXAMPLE.COM with TEST.COM

Kerberos: kadmin not working properly

I have some trouble in getting my kadmin to work. Everything is fine in kadmin.local, but whenever I use kadmin, it seems it is using the kadm5.acl file, but isn't.
I have in this file:
$ cat /var/kerberos/krb5kdc/kadm5.acl
*/admin#HADOOP.COM *
kadmin can connect to the kdc server correctly, and dns lookup and reverse dns is working also.
My krb5.conf is like this:
$ cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 750,88
[realms]
HADOOP.COM = {
admin_keytab = FILE: /var/kerberos/krb5kdc/kadm5.keytab
kadmind_port = 749
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
database_name = /var/kerberos/krb5kdc/principal
acl_file = /var/kerberos/krb5kdc/kadm5.acl
#key_stash_file = /var/kerberos/krb5kdc/.k5.HADOOP.COM
}
and $ cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = HADOOP.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
HADOOP.COM = {
kdc = evl2400469.eu.verio.net:88
admin_server = evl2400469.eu.verio.net:749
default_domain = hadoop.com
}
[domain_realm]
.hadoop.com = HADOOP.COM
hadoop.com = HADOOP.COM
So when I try to perform an operation such as add a principal, or get the list of principals I get :
kadmin: listprincs
get_principals: Operation requires ``list'' privilege while retrieving list.
kadmin: getprivs
current privileges: GET ADD MODIFY DELETE
I really don't know where is the problem in my configuration.
I even tried to get a ticket before using kadmin console:
$ klist
Ticket cache: FILE:/tmp/krb5cc_0 Default principal:
kadmin/admin#HADOOP.COM
Valid starting Expires Service principal 05/21/14
10:13:34 05/21/14 13:13:34 krbtgt/HADOOP.COM#HADOOP.COM
renew until 05/22/14 10:13:34
Kerberos 4 ticket cache: /tmp/tkt0 klist: You have no tickets cached
Thanks a lot for your help on that :)

Try editing /var/kerberos/krb5kdc/kadm5.acl with
*/admin#HADOOP.COM *
The kadmind daemon needs to be restarted in order for changes in the ACL file to become active:
service kadmind restart