krb5.conf syntax error, issue with setting up the basic file - kerberos

I'm trying to get the krb5 file working so that I can set up AD login for my box. When I run a kinit command I get an error stating:
"Improper format of Kerberos configuration file while initializing Kerberos 5 library"
I'm relatively new to setting up AD on a Linux box, thus I'm unsure about the proper syntax for this configuration file.
Anything with a * is the local domain that I've just commented out, so it's BOXNAME.SOMETHING.LOCAL.
BOXNAME is just the name of the box in the configuration file.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_relam = BOXNAME.*****
[realms]
nwcvco01.***** {
kdc = [IPADDRESS]
default_domain = BOXNAME.*****
}
[domain_realm]
.***** = BOXNAME.*****
***** = BOXNAME.*****

default_realm is spelled incorrectly as default_relam.
Kerberos is not very tolerant of errors in krb5.conf.

Related

Kafka SASL Auth with Kerberos: How to clear credentials cache

I have a Java application that connects to Kafka through KafkaAdminClient. I'm using SASL authentication with GSSAPI mechanism (Kerberos). I am providing the krb5.conf, jaas.conf, principal, and keytab. When the application starts, if I provide the correct principal and keytab, and the first authentication attempt is successful, every subsequent attempt will remain successful, even if I change the principal/keytab to be incorrect. The reverse scenario is also true; if the principal in the first attempt is incorrect, causing a failure, every subsequent attempt also fails even after I correct the principal. I realize this is because Kerberos caches credentials; I'm wondering how to clear the cache without restarting the app. Can I force the principal to log off after a period of time?
I have tried setting various properties in the conf files with no luck. This is what I have:
jaas.conf
KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
renewTicket=false
useKeyTab=true
storeKey=false
useTicketCache=false
renewTGT=false
refreshKrb5Config=true
keyTab="/tmp/keytab.keytab"
principal="***"
serviceName="kafka";
};
Client {
com.sun.security.auth.module.Krb5LoginModule required
renewTicket=false
useKeyTab=true
storeKey=false
useTicketCache=false
renewTGT=false
refreshKrb5Config=true
keyTab="/tmp/keytab.keytab"
principal="***"
serviceName="zookeeper";
};
krb5.conf
[libdefaults]
forwardable = true
default_realm = foo.bar.com
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
default_ccache_name = /tmp/krb5cc_%{uid}
rdns = false
ignore_acceptor_hostname = true
udp_preference_limit = 1
#default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
#default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
[domain_realm]
******.*****.*****.****.com = foo.bar.com
[logging]
default = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log
[realms]
foo.bar.com = {
kdc = ******.*****.*****.****.com
admin_server = ********.******.******.*****.com
admin_server = ********.******.******.*****.com
}
This application is deployed to PCF and I cannot ssh into the instance, so doing a klist purge is not an option. Is there another way to make Kerberos forget previous logins? Any suggestions are greatly appreciated.

Ambari Failed to create principals while installing Kerberos

I have installed MIT KDC. I am enabling Kerberos using "Existing MIT KDC" from Ambari. While creating principals I am getting the error below.
Failed to create principal, trinitylocal-071819@HUB.LOCAL - Failed to create a service principal for trinitylocal-071819@HUB.LOCAL
STDOUT: Authenticating as principal admin/admin@HUB.LOCAL with existing credentials.
STDERR: WARNING: no policy specified for trinitylocal-071819@HUB.LOCAL; defaulting to no policy
add_principal: Insufficient access to lock the database while creating "trinitylocal-071819@HUB.LOCAL". Administration credentials NOT DESTROYED.
I am able to create principals using kadmin.local; the commands below are also working. I am also able to kinit as admin/admin.
I have tried the klist command and I am able to log in.
Below are my krb5.conf and kdc.conf.
Below is my krb5.conf:
[libdefaults]
renew_lifetime = 7d
forwardable = true
default_realm = HUB.LOCAL
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
default_ccache_name = /tmp/krb5cc_%{uid}
#default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
#default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
[logging]
default = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log
[realms]
HUB.LOCAL = {
admin_server = HOSTNAME
kdc = HOSTNAME
}
Below is my kdc.conf
[kdcdefaults]
kdc_ports = 750,88
[realms]
EXAMPLE.COM = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
default_principal_flags = +preauth
}
Solved: it is an installation issue. I didn't give the proper REALM.

JAAS auth kerberos error "java.net.SocketTimeoutException: Receive timed out"

I have installed a Kerberos server.
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = SNSPRJ.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
SNSPRJ.COM = {
kdc = kerberos.snsprj.com
admin_server = kerberos.snsprj.com
}
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
.snsprj.com = SNSPRJ.COM
snsprj.com = SNSPRJ.COM
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
SNSPRJ.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
On the Kerberos client, I use kinit xiaoxiao/admin@SNSPRJ.COM and it looks ok:
[root@bogon ~]# kinit xiaoxiao/admin@SNSPRJ.COM
Password for xiaoxiao/admin@SNSPRJ.COM:
[root@bogon ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: xiaoxiao/admin@SNSPRJ.COM
Valid starting       Expires              Service principal
08/24/2017 13:51:18  08/25/2017 13:51:17  krbtgt/SNSPRJ.COM@SNSPRJ.COM
[root@bogon ~]#
But when I use JAAS to authenticate to the Kerberos server, this error message occurs:
java.net.SocketTimeoutException: Receive timed out
I have tried telnet 192.168.1.196 88 and it's ok:
bogon:jaas0822 skh$ telnet 192.168.1.196 88
Trying 192.168.1.196...
Connected to bogon.
Escape character is '^]'.
JAAS Authentication: http://docs.oracle.com/javase/1.5.0/docs/guide/security/jgss/tutorials/AcnOnly.html
my code:
import javax.security.auth.login.*;
import com.sun.security.auth.callback.TextCallbackHandler;

/**
 * This JaasAcn application attempts to authenticate a user
 * and reports whether or not the authentication was successful.
 *
 * Created by skh on 2017/8/22.
 */
public class JaasAcn {
    public static void main(String[] args) {
        String path = "/workspace/idea/ssm/src/test/java/com/snsprj/jaas0822/";
        System.setProperty("java.security.auth.login.config", path + "jaas.conf");
        // System.setProperty("java.security.krb5.conf", path + "krb5.conf");
        System.setProperty("java.security.krb5.realm", "SNSPRJ.COM");
        System.setProperty("java.security.krb5.kdc", "kerberos.snsprj.com");
        System.setProperty("java.security.krb5.debug", "true");

        // Obtain a LoginContext, needed for authentication. Tell it
        // to use the LoginModule implementation specified by the
        // entry named "JaasSample" in the JAAS login configuration
        // file and to also use the specified CallbackHandler.
        LoginContext lc = null;
        try {
            lc = new LoginContext("JaasSample", new TextCallbackHandler());
            // attempt authentication
            try {
                lc.login();
            } catch (LoginException le) {
                le.printStackTrace();
                System.err.println("Authentication failed:");
                System.err.println("  " + le.getMessage());
                System.exit(-1);
            }
        } catch (LoginException le) {
            System.err.println("Cannot create LoginContext. " + le.getMessage());
        } catch (SecurityException se) {
            System.err.println("Cannot create LoginContext. " + se.getMessage());
            System.exit(-1);
        }
        System.out.println("Authentication succeeded!");
    }
}
Is something wrong? Can anyone help me? Thank you very much!
Solution: use TCP
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = SNSPRJ.COM
default_ccache_name = KEYRING:persistent:%{uid}
# insert by xiaohb 20170824 start
udp_preference_limit = 1
# insert by xiaohb 20170824 end

Kerberos 5 Application Server

I have installed krb5-appl-server and krb5-workstation, and also configured krb5.conf in /etc/krb5.conf on the KDC server.
I have created a user root/admin in the KDC.
But when I'm on the application server and type:
kadmin -p root/admin
it says: "missing parameters in krb5.conf required for kadmin client while initializing kadmin interface"
What's missing in krb5.conf?
The krb5.conf on the application server:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = test.com
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
EXAMPLE.COM = {
kdc = 10.85.0.20:88
admin_server = 10.85.0.20:749
}
[domain_realm]
server.test.com = test.com
client.test.com = test.com
Tks :D
The first thing is that case matters in realm names, so test.com and TEST.COM are not the same realm. Secondly, you don't have an admin server defined for the default realm in your krb5.conf:
default_realm = test.com
The default_realm should match at least one realm in the realm section and should be the same as the realm name you used in setting up the server.
"missing parameters in krb5.conf required for kadmin client while initializing kadmin interface" is very misleading.
I was met with the same mistake and found the error had nothing to do with the krb5.conf. Maybe the error lies in your command line. In my case, I sent a wrong realm name to the -r parameter. When I set it right, the error was gone.
[realms]
EXAMPLE.COM = {
kdc = 10.85.0.20:88
admin_server = 10.85.0.20:749
}
I believe you should've replaced the EXAMPLE.COM with TEST.COM
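A file check catches both the misspelt relation in the first question above and the default_realm here that matches no [realms] entry, before kinit or kadmin is ever run. The following Python linter is an added example (my code, not MIT krb5's): it parses krb5.conf's profile syntax and, like libkrb5, rejects a realm line that lacks the '=' before '{'; it flags [libdefaults] relations outside a short list I assume (so default_relam is reported), and checks that default_realm names a [realms] entry with identical case that carries kdc and admin_server.

```python
# Added example, not MIT krb5 code: a linter for krb5.conf's profile syntax.
LIBDEFAULTS_KEYS = set("""default_realm dns_lookup_realm dns_lookup_kdc ticket_lifetime
    renew_lifetime forwardable proxiable rdns canonicalize default_ccache_name
    udp_preference_limit ignore_acceptor_hostname default_tgs_enctypes
    default_tkt_enctypes permitted_enctypes""".split())  # subset libkrb5 reads

def parse_profile(text):
    """Parse profile syntax into {section: {name: value | nested dict}}; raise
    ValueError where libkrb5 says 'Improper format of Kerberos configuration file'."""
    sections, stack = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;" or line.startswith("include"):
            continue                                  # comment or include directive
        if line.startswith("[") and line.endswith("]"):
            stack = [sections.setdefault(line[1:-1].strip(), {})]
        elif line == "}":
            if len(stack) < 2:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
        elif stack and "=" in line:
            name, value = (s.strip() for s in line.split("=", 1))
            if value == "{":                          # open a subsection
                stack.append(stack[-1].setdefault(name, {}))
            else:
                stack[-1][name] = value
        else:                                         # e.g. 'REALM {' with no '='
            raise ValueError(f"line {lineno}: expected 'name = value' or 'name = {{'")
    return sections

def check_krb5_conf(text):
    """Return a list of problems; an empty list means the file looks usable."""
    try:
        prof = parse_profile(text)
    except ValueError as err:
        return [f"syntax: {err}"]
    libdefaults, realms = prof.get("libdefaults", {}), prof.get("realms", {})
    problems = [f"unknown [libdefaults] relation '{k}' (typo? it is ignored)"
                for k in libdefaults if k not in LIBDEFAULTS_KEYS]
    realm = libdefaults.get("default_realm")
    if realm is None:
        problems.append("no default_realm in [libdefaults]")
    elif realm not in realms:                         # realm names are case-sensitive
        near = [r for r in realms if r.lower() == realm.lower()]
        hint = f"; only case differs from '{near[0]}'" if near else ""
        problems.append(f"default_realm '{realm}' has no [realms] entry{hint}")
    else:
        problems += [f"realm '{realm}' lacks {n}; kinit/kadmin cannot locate it"
                     for n in ("kdc", "admin_server") if n not in realms[realm]]
    return problems
```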

Kerberos: kadmin not working properly

I have some trouble getting my kadmin to work. Everything is fine in kadmin.local, but whenever I use kadmin, it seems like it should be using the kadm5.acl file, but it isn't.
I have in this file:
$ cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@HADOOP.COM *
kadmin can connect to the kdc server correctly, and dns lookup and reverse dns is working also.
My kdc.conf is like this:
$ cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 750,88
[realms]
HADOOP.COM = {
admin_keytab = FILE: /var/kerberos/krb5kdc/kadm5.keytab
kadmind_port = 749
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
database_name = /var/kerberos/krb5kdc/principal
acl_file = /var/kerberos/krb5kdc/kadm5.acl
#key_stash_file = /var/kerberos/krb5kdc/.k5.HADOOP.COM
}
and /etc/krb5.conf:
$ cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = HADOOP.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
HADOOP.COM = {
kdc = evl2400469.eu.verio.net:88
admin_server = evl2400469.eu.verio.net:749
default_domain = hadoop.com
}
[domain_realm]
.hadoop.com = HADOOP.COM
hadoop.com = HADOOP.COM
So when I try to perform an operation such as adding a principal, or getting the list of principals, I get:
kadmin: listprincs
get_principals: Operation requires ``list'' privilege while retrieving list.
kadmin: getprivs
current privileges: GET ADD MODIFY DELETE
I really don't know where the problem is in my configuration.
I even tried to get a ticket before using the kadmin console:
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: kadmin/admin@HADOOP.COM

Valid starting     Expires            Service principal
05/21/14 10:13:34  05/21/14 13:13:34  krbtgt/HADOOP.COM@HADOOP.COM
        renew until 05/22/14 10:13:34

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Thanks a lot for your help on that :)
Try editing /var/kerberos/krb5kdc/kadm5.acl with
*/admin@HADOOP.COM *
The kadmind daemon needs to be restarted in order for changes in the ACL file to become active:
service kadmind restart
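The ACL line in the answer grants every privilege to any principal whose second component is admin in HADOOP.COM, and kadmind only re-reads the file when restarted. As an added example (my code, not the answer's and not MIT krb5's), this Python evaluator applies kadm5.acl semantics, first matching line wins, wildcards match within a single component, and a capital letter removes a privilege, to a constructed ACL that pairs the question's line with narrower least-privilege entries; target-principal and restriction fields are ignored.

```python
import fnmatch
# Added example, not MIT krb5 code: evaluate a kadm5.acl the way kadmind does
# (first matching line wins, wildcards match within one component, a capital
# letter removes a privilege). Target-principal and restriction fields are ignored.
PRIVS = {"a": "ADD", "d": "DELETE", "m": "MODIFY", "c": "CHANGEPW", "i": "GET",
         "l": "LIST", "p": "PROPAGATE", "s": "SETKEY", "e": "EXTRACT"}

def split_principal(princ):
    """'kadmin/admin@HADOOP.COM' -> (['kadmin', 'admin'], 'HADOOP.COM')."""
    name, _, realm = princ.rpartition("@")
    return name.split("/"), realm

def principal_matches(pattern, princ):
    """Per-component glob: '*/admin@R' matches 'x/admin@R' but not 'a/b/admin@R'."""
    p_comps, p_realm = split_principal(pattern)
    c_comps, c_realm = split_principal(princ)
    return (len(p_comps) == len(c_comps) and fnmatch.fnmatchcase(c_realm, p_realm)
            and all(fnmatch.fnmatchcase(c, p) for p, c in zip(p_comps, c_comps)))

def parse_acl(text):
    """Yield (principal_pattern, set_of_privilege_letters) for each ACL entry."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"kadm5.acl entry needs principal and permissions: {raw!r}")
        letters = set()
        for ch in fields[1]:                 # processed left to right, like kadmind
            if ch in "x*":
                letters |= set(PRIVS)
            elif ch.lower() in PRIVS:
                (letters.add if ch.islower() else letters.discard)(ch.lower())
            else:
                raise ValueError(f"unknown permission {ch!r} in {raw!r}")
        yield fields[0], letters

def privileges(acl_text, princ):
    """Privilege names kadmind grants `princ`; an empty set means every operation fails."""
    for pattern, letters in parse_acl(acl_text):
        if principal_matches(pattern, princ):
            return {PRIVS[ch] for ch in letters}
    return set()
SAMPLE_ACL = """\
# constructed ACL (the question's line plus two narrower entries); kadmind reads it only at start-up
ops/admin@HADOOP.COM   admc
*/admin@HADOOP.COM     *
svc/*@HADOOP.COM       xDP
"""
```

Run against SAMPLE_ACL, kadmin/admin@HADOOP.COM receives LIST from the question's line, while ops/admin@HADOOP.COM is stopped by the earlier, narrower entry even though the wildcard line below would have granted it.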