Improve the support of gssapi/sasl, fully realize wraptoken. #460

Open
kirbyzhou opened this issue Mar 16, 2022 · 5 comments · May be fixed by #498

@kirbyzhou

kirbyzhou commented Mar 16, 2022

Now, wrapToken.go only supports Wrap Tokens v2 defined in

https://datatracker.ietf.org/doc/html/rfc4121#section-4.2.6
The Kerberos Version 5 GSS-API Mechanism: Version 2

For Backwards Compatibility Considerations, it should implement Wrap Tokens v1 defined in RFC 1964.
See https://datatracker.ietf.org/doc/html/rfc4121#section-6 for backward compatibility.
See https://datatracker.ietf.org/doc/html/rfc1964#section-1.2.2 for the old format.

Now, if we encounter Kerberos which uses rc4, errors like these will happen:

2022/03/16 18:36:59 failed to init session context while performing kerberos authentication, err: wrong Token ID. Expected 0504, was 6030
2022/03/16 18:36:59 failed to authorize with kerberos, err: wrong Token ID. Expected 0504, was 6030, zookeeper server: kb01.sa:2181
2022/03/16 18:36:59 error in resending auth creds: wrong Token ID. Expected 0504, was 6030
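
Added example, not part of the original issue and not gokrb5 code: the reported bytes `6030` are consistent with the RFC 1964 framing tag `0x60` followed by a one-byte length, read where an RFC 4121 `TOK_ID` of `0504` was expected. The sketch below tells the two Wrap token layouts apart before any unmarshalling; `ClassifyWrapToken` is a hypothetical helper name and the sample token is constructed.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// DER encoding of the Kerberos V5 mechanism OID 1.2.840.113554.1.2.2.
var krb5OID = []byte{0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02}

// ClassifyWrapToken (hypothetical helper, not gokrb5 API) returns 1 for an
// RFC 1964 Wrap token, 2 for an RFC 4121 one, and the offset of its TOK_ID.
func ClassifyWrapToken(b []byte) (version, tokIDOffset int, err error) {
	if len(b) >= 16 && b[0] == 0x05 && b[1] == 0x04 {
		return 2, 0, nil // v2 is unframed: the 16-byte header starts with TOK_ID
	}
	if len(b) < 2 || b[0] != 0x60 {
		return 0, 0, errors.New("neither a v2 Wrap token nor RFC 1964 framing")
	}
	// DER length: short form is one byte, long form is 0x80|n then n bytes.
	length, off := int(b[1]), 2
	if b[1]&0x80 != 0 {
		n := int(b[1] & 0x7f)
		if n == 0 || n > 4 || len(b) < 2+n {
			return 0, 0, errors.New("unsupported DER length")
		}
		length = 0
		for _, c := range b[2 : 2+n] {
			length = length<<8 | int(c)
		}
		off += n
	}
	if length != len(b)-off || length < len(krb5OID)+2 ||
		!bytes.Equal(b[off:off+len(krb5OID)], krb5OID) {
		return 0, 0, errors.New("bad framing length or not the Kerberos V5 OID")
	}
	off += len(krb5OID)
	if b[off] != 0x02 || b[off+1] != 0x01 {
		return 0, 0, fmt.Errorf("inner TOK_ID %02x%02x is not a v1 Wrap", b[off], b[off+1])
	}
	return 1, off, nil
}

func main() {
	// Constructed sample: 0x60, length 0x30, OID, TOK_ID 02 01, zero filler.
	v1 := append(append([]byte{0x60, 0x30}, krb5OID...), 0x02, 0x01)
	fmt.Println(ClassifyWrapToken(append(v1, make([]byte, 35)...)))
}
```

A caller can use the returned version to choose the header parser, and reject anything that matches neither layout instead of guessing.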

@zhuliquan

@jcmturner I think you should make unwrap more compatible, like the Java implementation.
gokrb5 implementation:

func (wt *WrapToken) Unmarshal(b []byte, expectFromAcceptor bool) error {

Java implementation:
https://github.com/openjdk/jdk/blob/jdk-11+0/src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5Context.java#L1051

@doddys

doddys commented Apr 14, 2022

I am also having this issue.

@kirbyzhou
Author

Setting the following lines in /etc/krb5.conf can easily reproduce the problem:

[libdefaults]
default_tkt_enctypes = arcfour-hmac
default_tgs_enctypes = arcfour-hmac

2022/07/25 17:38:37 connected to 10.120.238.27:2181
2022/07/25 17:38:37 authenticated: id=75784111401558642, timeout=10000
2022/07/25 17:38:37 failed to init session context while performing kerberos authentication, err: wrong Token ID. Expected 0504, was 6030
2022/07/25 17:38:37 failed to authorize with kerberos, err: wrong Token ID. Expected 0504, was 6030, zookeeper server: kb01.sa:2181
2022/07/25 17:38:37 error in resending auth creds: wrong Token ID. Expected 0504, was 6030

@MikhailMS

MikhailMS commented Nov 19, 2022

I've made some progress on the issue --> https://github.com/MikhailMS/gokrb5 - if anyone wants to check it against their Kafka, it would be appreciated.

If I can keep up the pace, then soon it will be offered as a PR - so it would be up to the owner to include it in the next release whenever that happens :)

@veezhang

@MikhailMS I also have similar problems. So, can this PR solve your problem? Thanks!

no available namenodes: SASL handshake: wrong Token ID. Expect 0504, was 6030.
