I am trying out your cassandra-kerberos authenticator against Cassandra 3.11.4-1.
I am using RedHat's IDM (aka FreeIPA), and I do have the IDM server and client set up correctly.
I can create and obtain a ticket for the user I'm trying to connect with:
# kinit ldapsearch@JLERM.COM
Password for ldapsearch@JLERM.COM:
[root@jlermdev228 cloud_install]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ldapsearch@JLERM.COM
Valid starting Expires Service principal
03/02/2019 16:06:24 03/03/2019 16:06:20 krbtgt/JLERM.COM@JLERM.COM
renew until 03/09/2019 16:06:20
I have a Cassandra 3.11 cluster with three nodes as follows:
-- Address Load Tokens Owns (effective) Host ID Rack
UN 10.176.113.228 193.66 KiB 256 60.4% b111f147-02c2-4942-8b17-82f92fa720af rack1
UN 10.176.113.229 345.28 KiB 256 65.9% 4c666f99-653c-4263-bfe2-0c6ee6b12156 rack1
UN 10.176.113.230 360.59 KiB 256 73.7% 5bfab6fc-bc40-4bbb-bcd2-db556d8c4e18 rack1
I set up all servers with SSL.
I built the cassandra-kerberos jar and placed it under /usr/share/cassandra/lib/cassandra-3-11-kerberos-1.0.0.jar.
I created a user 'ldapsearch@JLERM.COM' via cqlsh before switching the authenticator in cassandra.yaml:
CREATE ROLE 'ldapsearch@JLERM.COM' WITH SUPERUSER = true AND LOGIN = true AND PASSWORD = 'password42';
I created this file:
# cat /etc/cassandra/conf/cassandra-krb5.properties
service_principal=cassandra/jlermdev228.jlerm.com@JLERM.COM
keytab=/etc/cassandra/jlermdev228.keytab
qop=auth
And created the keytab for the cassandra service on node jlermdev228:
# ls -l /etc/cassandra/jlermdev228.keytab
-r-------- 1 cassandra cassandra 186 Mar 2 16:02 /etc/cassandra/jlermdev228.keytab
I created a cqlshrc:
# cat ~/.cassandra/cqlshrc
[connection]
hostname = jlermdev228.jlerm.com
port = 9042
factory = cqlshlib.kerberos.kerberos_transport_factory
[kerberos]
hostname = jlermdev228.jlerm.com
;;service = cassandra/jlermdev228.jlerm.com@JLERM.COM
service = cassandra
principal = ldapsearch@JLERM.COM
qops = auth-conf
[kerberos_options]
service_principal=cassandra/jlermdev228.jlerm.com@JLERM.COM
keytab=/etc/cassandra/jlermdev228.keytab
[ssl]
certfile = /opt/cloud_install/CA_CLUSTER.pem
validate = false
I get the ticket for user ldapsearch@JLERM.COM as pointed out above.
Then I restart cassandra.
However, when I try to connect, it still prompts for a password:
# cqlsh 10.176.113.228 -u ldapsearch@JLERM.COM --ssl
Password:
I type the password, but get this error:
Connection error: ('Unable to connect to any servers', {'10.176.113.228': AuthenticationFailed('Failed to authenticate to 10.176.113.228: Error from server: code=0100 [Bad credentials] message="The SASL server could not evaluate the response sent by the client. The server may not be configured correctly, or the response may be invalid."',)})
I tried different variations in the cqlshrc file, with no luck.
Any ideas or help you can provide?
Thanks,
Julius
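Three things in the report above have to agree before the GSSAPI exchange can succeed: the service_principal in cassandra-krb5.properties, the principal actually stored in the keytab that file points at, and the service, host and QOP the client asks for in the [kerberos] section of cqlshrc. The script below is an added example, not code from the cassandra-kerberos project or from the report, that checks those offline: it parses an MIT-format keytab (version 0x0502), the properties file and the cqlshrc text shown above, and lists every mismatch it finds. The keytab bytes are constructed in-process with a placeholder key because the real keytab is not on the page; the QOP check assumes, following the RFC 4752 security-layer negotiation, that the client's qops list must share a value with the server's qop.

```python
"""Offline consistency check for a Cassandra Kerberos (GSSAPI) setup.

Added example, not cassandra-kerberos project code. The keytab below is
constructed test data; the properties and cqlshrc text are from the issue.
"""
import configparser
import struct


def parse_keytab(data: bytes):
    """Return [(principal, kvno, enctype), ...] from MIT keytab (0x0502) bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size == 0:
            break
        if size < 0:                      # deleted slot: skip its bytes
            pos -= size
            continue
        end = pos + size

        def counted_string():             # uint16 length + bytes
            nonlocal pos
            (n,) = struct.unpack(">H", data[pos:pos + 2])
            pos += 2
            s = data[pos:pos + n].decode("utf-8")
            pos += n
            return s

        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        realm = counted_string()
        comps = [counted_string() for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4 + klen                   # key material itself is not needed here
        kvno = vno8
        if end - pos >= 4:                # optional 32-bit kvno extension
            (vno32,) = struct.unpack(">I", data[pos:pos + 4])
            kvno = vno32 or vno8
        pos = end
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
    return entries


def build_keytab(entries):
    """Construct keytab bytes for this example (test data, not a real keytab)."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode("utf-8")
        body += struct.pack(">IIB", 1, 1551564120, kvno & 0xFF)  # NT-PRINCIPAL, time, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                           # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return out


def parse_properties(text):
    """Parse the key=value lines of cassandra-krb5.properties."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            k, v = line.split("=", 1)
            props[k.strip()] = v.strip()
    return props


def check_setup(keytab_bytes, properties_text, cqlshrc_text):
    """Return mismatch descriptions; an empty list means the three pieces agree."""
    findings = []
    props = parse_properties(properties_text)
    cfg = configparser.ConfigParser()     # lines starting with ';' are comments
    cfg.read_string(cqlshrc_text)

    spn = props.get("service_principal", "")
    service, _, host = spn.partition("@")[0].partition("/")
    in_keytab = {p for p, _, _ in parse_keytab(keytab_bytes)}
    if spn not in in_keytab:
        findings.append("keytab does not contain service_principal %s (found: %s)"
                        % (spn, ", ".join(sorted(in_keytab)) or "nothing"))

    client_service = cfg.get("kerberos", "service", fallback="")
    if client_service != service:
        findings.append("cqlshrc service=%r but server principal primary is %r"
                        % (client_service, service))
    client_host = cfg.get("kerberos", "hostname", fallback="")
    if client_host != host:
        findings.append("cqlshrc hostname=%r but server principal host is %r"
                        % (client_host, host))

    server_qop = {q.strip() for q in props.get("qop", "auth").split(",")}
    client_qops = {q.strip() for q in cfg.get("kerberos", "qops", fallback="auth").split(",")}
    if not server_qop & client_qops:      # assumption: lists must intersect (RFC 4752)
        findings.append("no common SASL QOP: server qop=%s, client qops=%s"
                        % (",".join(sorted(server_qop)), ",".join(sorted(client_qops))))
    return findings


# Values from the issue; only the keytab contents are made up.
PROPERTIES = "service_principal=cassandra/jlermdev228.jlerm.com@JLERM.COM\n" \
             "keytab=/etc/cassandra/jlermdev228.keytab\nqop=auth\n"
CQLSHRC = """[connection]
hostname = jlermdev228.jlerm.com
port = 9042
factory = cqlshlib.kerberos.kerberos_transport_factory
[kerberos]
hostname = jlermdev228.jlerm.com
;;service = cassandra/jlermdev228.jlerm.com@JLERM.COM
service = cassandra
principal = ldapsearch@JLERM.COM
qops = auth-conf
[ssl]
certfile = /opt/cloud_install/CA_CLUSTER.pem
validate = false
"""
DUMMY_KEY = bytes(range(32))              # placeholder, not real key material
KEYTAB_OK = build_keytab([("cassandra/jlermdev228.jlerm.com@JLERM.COM", 2, 18, DUMMY_KEY)])
KEYTAB_WRONG = build_keytab([("host/jlermdev228.jlerm.com@JLERM.COM", 2, 18, DUMMY_KEY)])

if __name__ == "__main__":
    for label, kt in (("matching keytab", KEYTAB_OK), ("host/ keytab only", KEYTAB_WRONG)):
        print(label + ":")
        for f in check_setup(kt, PROPERTIES, CQLSHRC) or ["no mismatches"]:
            print("  - " + f)
```

Run against a real node, replace KEYTAB_OK with `open("/etc/cassandra/jlermdev228.keytab", "rb").read()` and the two text constants with the contents of the files on disk; with the values from the issue as written, the only mismatch the script reports is the QOP one (server qop=auth, client qops=auth-conf), and it additionally reports the missing principal when the keytab holds only a host/ entry.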