Gssapi error miscellaneous


Hi,

confluent-kafka-go v1.6.1

Description

We are trying to connect to Kafka topics (using Kerberos auth). Sometimes, maybe because the machine has been idle for a long time or the VPN is reconnecting, we are not able to connect to the topics, and the Producer/Consumer start throwing these errors:

(krbtgt/) unknown while looking up ‘kafka/secured-kafka**’ (cached result, timeout in 920 sec) (negative cache))
Read message Consumer error: 3/3 brokers are down ()
%2|LIBSASL|rdkafka#consumer-1| [thrd:sasl_ssl://secured-kafka02
/bootstrap]: sasl_ssl://secured-kafka02
*****/bootstrap: GSSAPI Error: Miscellaneous failure (see text (Server (krbtgt/) unknown while looking up ‘kafka/secured-kafka02.‘ (cached result, timeout in 920 sec) (negative cache))
Read message Consumer error: 3/3 brokers are down ()
%2|LIBSASL|rdkafka#consumer-1| [thrd:sasl_ssl://secured-kafka01.
/bootstrap]: sasl_ssl://secured-kafka01.
/bootstrap: GSSAPI Error: Miscellaneous failure (see text (Server (krbtgt/) unknown while looking up ‘kafka/secured-kafka01.****’ (cached result, timeout in 920 sec) (negative cache))

How to reproduce

This happens sometimes and is very intermittent, maybe if the client loses connection and comes back up or stays idle for a long time. Something to do with the krbtgt — Kerberos ticket expiry and not being able to renew. Using the kdestroy command — it sometimes works after restarting the clients.

Debug logs for Producer :

ed (start (-1)): SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text (Server (krbtgt/xxxxxxxx@US.CORP) unknown while looking up ‘kafka/secured-kafka02.xxxxxxxx@xxxxxxxx’ (cached result, timeout in 1199 sec)) (after 7ms in state AUTH_REQ) (_AUTHENTICATION)
%3|1619635691.037|FAIL|rdkafka#producer-1| [thrd:sasl_ssl://secured-kafka02.xxxxxxxx/bootstrap]: sasl_ssl://secured-kafka02.xxxxxxxx/bootstrap: Failed to initialize SASL authentication: SASL handshake failed (start (-1)): SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text (Server (krbtgt/xxxxxxxx@US.CORP) unknown while looking up ‘kafka/secured-kafka02.xxxxxxxx@xxxxxxxx’ (cached result, timeout in 1199 sec)) (after 7ms in state AUTH_REQ)
%7|1619635691.037|STATE|rdkafka#producer-1| [thrd:sasl_ssl://secured-kafka02.xxxxxxxx/bootstrap]: sasl_ssl://secured-kafka02.xxxxxxxx/bootstrap: Broker changed state AUTH_REQ -> DOWN
%7|1619635691.037|CONNECT|rdkafka#producer-1| [thrd:sasl_ssl://secured-kafka02.xxxxxxxx/bootstrap]: Cluster connection already in progress: broker down
%7|1619635691.037|FAIL|rdkafka#producer-1| [thrd:sasl_ssl://secured-kafka03.xxxxxxxx/bootstrap]: sasl_ssl://secured-kafka03.xxxxxxxx/bootstrap: Failed to initialize SASL authentication: SASL handshake failed (start (-1)): SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text (Server (krbtgt/xxxxxxxx@US.CORP) unknown while looking up ‘kafka/secured-kafka03.xxxxxxxx@xxxxxxxx’ (cached result, timeout in 1199 sec)) (after 5ms in state AUTH_REQ) (_AUTHENTICATION)
%7|1619635691.037|STATE|rdkafka#producer-1| [thrd:sasl_ssl://secured-kafka02.xxxxxxxx/bootstrap]: sasl_ssl://secured-kafka02.xxxxxxxx/bootstrap: Broker changed state DOWN -> INIT
%7|1619635691.038|STATE|rdkafka#producer-1| [thrd:sasl_ssl://secured-kafka02.xxxxxxxx/bootstrap]: sasl_ssl://secured-kafka02.xxxxxxxx/bootstrap: Broker changed state INIT -> TRY_CONNECT
%7|1619635691.038|RECONNECT|rdkafka#producer-1| [thrd:sasl_ssl://secured-kafka02.xxxxxxxx/bootstrap]: sasl_ssl://secured-kafka02.xxxxxxxx/bootstrap: Delaying next reconnect by 1089ms
%3|1619635691.038|FAIL|rdkafka#producer-1| [thrd:sasl_ssl://secured-kafka03.xxxxxxxx/bootstrap]: sasl_ssl://secured-kafka03.xxxxxxxx/bootstrap: Failed to initialize SASL authentication: SASL handshake failed (start (-1)): SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text (Server (krbtgt/xxxxxxxx@US.CORP) unknown while looking up ‘kafka/secured-kafka03.xxxxxxxx@xxxxxxxx’ (cached result, timeout in 1199 sec)) (after 5ms in state AUTH_REQ)
%7|1619635691.038|STATE|rdkafka#producer-1| [thrd:sasl_ssl://secured-kafka03.xxxxxxxx/bootstrap]: sasl_ssl://secured-kafka03.xxxxxxxx/bootstrap: Broker changed state AUTH_REQ -> DOWN
%7|1619635691.038|CONNECT|rdkafka#producer-1| [thrd:sasl_ssl://secured-kafka03.xxxxxxxx/bootstrap]: Not selecting any broker for cluster connection: still suppressed for 48ms: broker down
%7|1619635691.038|STATE|rdkafka#producer-1| [thrd:sasl_ssl://secured-kafka03.xxxxxxxx/bootstrap]: sasl_ssl://secured-kafka03.xxxxxxxx/bootstrap: Broker changed state DOWN -> INIT
%7|1619635691.039|STATE|rdkafka#producer-1| [thrd:sasl_ssl://secured-kafka03.xxxxxxxx/bootstrap]: sasl_ssl://secured-kafka03.xxxxxxxx/bootstrap: Broker changed state INIT -> TRY_CONNECT
%7|1619635691.039|RECONNECT|rdkafka#producer-1| [thrd:sasl_ssl://secured-kafka03.xxxxxxxx/bootstrap]: sasl_ssl://secured-kafka03.xxxxxxxx/bootstrap: Delaying next reconnect by 1020ms
%7|1619635691.080|NOINFO|rdkafka#producer-1| [thrd:main]: Topic development.internal.rewards.benefitsintegration metadata information unknown
%7|1619635691.080|NOINFO|rdkafka#producer-1| [thrd:main]: Topic development.internal.rewards.benefitsintegration partition count is zero: should refresh metadata
%7|1619635691.080|CONNECT|rdkafka#producer-1| [thrd:main]: Not selecting any broker for cluster connection: still suppressed for 7ms: refresh unavailable topics
%7|1619635691.080|CONNECT|rdkafka#producer-1| [thrd:main]: Not selecting any broker for cluster connection: still suppressed for 7ms: no cluster connection
%7|1619635691.302|CONNECT|rdkafka#producer-1| [thrd:sasl_ssl://secured-kafka01.xxxxxxxx/bootstrap]: sasl_ssl://secured-kafka01.xxxxxxxx/bootstrap: broker in state TRY_CONNECT connecting
%7|1619635691.302|STATE|rdkafka#producer-1| [thrd:sasl_ssl://secured-kafka01.xxxxxxxx/bootstrap]: sasl_ssl://secured-kafka01.xxxxxxxx/bootstrap: Broker changed state TRY_CONNECT -> CONNECT
%7|1619635691.303|CONNECT|rdkafka#producer-1| [thrd:sasl_ssl://secured-kafka01.xxxxxxxx/bootstrap]: sasl_ssl://secured-kafka01.xxxxxxxx/bootstrap: Connecting to ipv4#xxxxxxxx (sasl_ssl) with socket 16
%7|1619635691.399|CONNECT|rdkafka#producer-1| [thrd:sasl_ssl://secured-kafka01.xxxxxxxx/bootstrap]: sasl_ssl://secured-kafka01.xxxxxxxx/bootstrap: Connected to ipv4#xxxxxxxx

Checklist

IMPORTANT: We will close issues where the checklist has not been completed.

Please provide the following information:

  • librdkafka version (release number or git tag): librdkafka: stable 1.5.3
  • Apache Kafka version: 2.7
  • librdkafka client configuration: "bootstrap.servers": bootstrapServers,"security.protocol": securityProtocol,"sasl.kerberos.service.name": serviceName,"sasl.kerberos.keytab": keytabFile,"sasl.kerberos.principal": principalName,"ssl.ca.location": certificateLocation
  • Operating system: Mac OS x64
  • Provide logs (with debug=.. as necessary) from librdkafka
  • Provide broker log excerpts
  • Critical issue
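
For triaging logs like the ones in this report, the following added example (not part of the original issue and not librdkafka or confluent-kafka-go code) groups the GSSAPI "unknown while looking up" lines by client and service principal, and pulls out the ticket-granting principal and the cached-result timeout. The `Finding` type, the `Triage` function and the sample hosts and realms are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Finding groups repeated GSSAPI "server unknown" failures for one client and service principal.
type Finding struct {
	Client, Broker, TGS, SPN string
	Count, MaxCacheTTL       int // MaxCacheTTL: largest "timeout in N sec" seen
}
var (
	// Log prefix: %<level>|[<timestamp>|]<facility>|<client>| [thrd:<broker>/bootstrap]
	prefixRe = regexp.MustCompile(`^%\d\|(?:[\d.]+\|)?\w+\|([^|]+)\| \[thrd:([^\]]+)/bootstrap\]`)
	// Kerberos text: the TGS in parentheses did not know the requested service principal.
	gssRe = regexp.MustCompile(`GSSAPI Error: .*Server \(([^)]*)\) unknown while looking up ['‘]([^'’]*)['’] \(cached result, timeout in (\d+) sec\)`)
)

// Triage returns one Finding per (client, SPN) pair, in first-seen order.
func Triage(logText string) []Finding {
	var out []Finding
	index := map[string]int{}
	for _, line := range strings.Split(logText, "\n") {
		p, g := prefixRe.FindStringSubmatch(line), gssRe.FindStringSubmatch(line)
		if p == nil || g == nil {
			continue // STATE, RECONNECT and other lines carry no Kerberos detail
		}
		key := p[1] + "|" + g[2]
		i, seen := index[key]
		if !seen {
			i = len(out)
			index[key] = i
			out = append(out, Finding{Client: p[1], Broker: p[2], TGS: g[1], SPN: g[2]})
		}
		out[i].Count++
		if ttl, _ := strconv.Atoi(g[3]); ttl > out[i].MaxCacheTTL {
			out[i].MaxCacheTTL = ttl
		}
	}
	return out
}
// Constructed sample lines shaped like the logs in the issue; hosts and realms are placeholders.
const sampleLog = `%7|1619635691.037|FAIL|rdkafka#producer-1| [thrd:sasl_ssl://broker02.example.test/bootstrap]: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text (Server (krbtgt/EXAMPLE.TEST@CORP.TEST) unknown while looking up 'kafka/broker02.example.test@EXAMPLE.TEST' (cached result, timeout in 1199 sec)) (after 7ms in state AUTH_REQ)
%3|1619635691.037|FAIL|rdkafka#producer-1| [thrd:sasl_ssl://broker02.example.test/bootstrap]: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text (Server (krbtgt/EXAMPLE.TEST@CORP.TEST) unknown while looking up 'kafka/broker02.example.test@EXAMPLE.TEST' (cached result, timeout in 1199 sec)) (after 7ms in state AUTH_REQ)
%7|1619635691.037|STATE|rdkafka#producer-1| [thrd:sasl_ssl://broker02.example.test/bootstrap]: Broker changed state AUTH_REQ -> DOWN
%2|LIBSASL|rdkafka#consumer-1| [thrd:sasl_ssl://broker03.example.test/bootstrap]: GSSAPI Error: Miscellaneous failure (see text (Server (krbtgt/EXAMPLE.TEST@CORP.TEST) unknown while looking up ‘kafka/broker03.example.test@EXAMPLE.TEST’ (cached result, timeout in 920 sec) (negative cache))`
func main() {
	for _, f := range Triage(sampleLog) {
		fmt.Printf("%+v\n", f)
	}
}
```

Comparing the realm of the reported krbtgt principal with the realm in the service principal, per finding, is a quick check on which realm the client actually asked for the broker's ticket.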

On this page:

  • Context question(s)
  • Overview
  • Solution one — if Kerberos is not installed.
  • Solution two — if Kerberos is installed, but tickets are expired.
  • Solution three — if there is a problem in the communication between SAPgui and Kerberos.
  • Background information

Context question(s)

When trying to log in to SAPgui on my Windows machine, I get an error: GSS-API miscellaneous failure matching credentials not found. How do I resolve this?

I am getting an error: "No credentials cache found" when I try to log in to SAPgui. How do I resolve this?

Overview

This error message means that SAPgui was unable to communicate with Kerberos and/or was unable to see a valid Kerberos ticket on the machine. The desired behavior is for SAPgui, on launch, to check whether there is a valid Kerberos ticket on the machine. If there is no Kerberos ticket, the Kerberos login screen should appear, prompting the user for Kerberos username and password. This will be the same username and password used to check @mit.edu email. After the user successfully acquires a Kerberos ticket, SAPgui should launch.

Solution one — if Kerberos is not installed.

Kerberos may not be installed on the machine. Check Control Panel > Add or Remove Programs to see if Kerberos is installed.

Solution two — if Kerberos is installed, but tickets are expired.

It may be that there is an expired Kerberos ticket on the machine. SAPgui sees that the Kerberos ticket exists, so it doesn’t bring up the Kerberos login screen, but, since the ticket is expired, the credentials are not valid.

  1. Follow the menu path Start > All Programs > Kerberos for Windows > Network Identity Manager.
  2. You may see a message regarding expired credentials. Click to obtain new credentials.
  3. If no error message is present, click the yellow icon to obtain new credentials.

Solution three — if there is a problem in the communication between SAPgui and Kerberos.

Troubleshooting steps:

  1. Verify that Kerberos for Windows is installed.
  2. Try getting a Kerberos ticket directly in Kerberos. To do this:
    1. Follow the menu path: Start > All Programs > MIT Kerberos for Windows > Leash Ticket Manager. The menu path may vary slightly, depending on your Kerberos version.
    2. Select Action > Get Ticket.
    3. Try again to launch SAPgui.
  3. If the above steps are successful, we will want to troubleshoot whether SAPgui can successfully launch Kerberos, so that you don’t need to do a separate Kerberos launch. To do this:
    1. Restart the machine.
    2. Try again to launch SAPgui.
    3. Let us know whether the Kerberos login screen appears, allows you to acquire a ticket, and SAPgui is launched.
  4. If the above steps are not successful, the next steps would be:
    1. Uninstall Kerberos via Control Panel > Add or Remove Programs.
    2. Uninstall SAPgui via Control Panel > Add or Remove Programs.
    3. Download and install the latest version of Kerberos for Windows, available from: https://ist.mit.edu/software-hardware?type=All&platform=Windows+XP&users=All&title=kerberos&recommended_only=All
    4. Download and install the latest version of SAPgui for Windows, available from: https://ist.mit.edu/software-hardware?type=All&platform=Windows+XP&users=All&title=sapgui&recommended_only=All
    5. Restart the machine, and try again to launch SAPgui.

Background information

From http://www.faqs.org/faqs/kerberos-faq/general/section-84.html

5.2. What is GSSAPI?

GSSAPI is an acronym; it stands for Generic Security Services Application Programming Interface.

The GSSAPI is a generic API for doing client-server authentication. The motivation behind it is that every security system has its own API, and the effort involved with adding different security systems to applications is extremely difficult with the variance between security APIs. However, with a common API, application vendors could write to the generic API and it could work with any number of security systems.

How does this relate to Kerberos? Included with most major Kerberos 5 distributions is a GSSAPI implementation. Thus, if a particular application or protocol says that it supports the GSSAPI, then that means that it supports Kerberos, by virtue of Kerberos including a GSSAPI implementation.

Linc to the rescue, again. Thanks much. I’ll check these out in order over the next few days and let you know what I find. Here’s what I know so far:

1. OD Master does have a unique static IP.

2. NB I’m using Server 2.2.1 (169) managing a 10.8.5 server (incorrect listing on my account, which I corrected after this post), so the available screens and options are somewhat different from what you’ve described. Any idea where in this version I would access the "Accessing your Server" sheet?

For what it’s worth, changeip -checkhostname returns:

The names match. There is nothing to change.

dirserv:success = "success"

3. I set the primary DNS server for the server itself to 127.0.0.1 via the network connections prefs in System Preferences. Previously it had been set to the primary static address . Most of our clients are assigned statically and bound to the OD. We have been using a secondary local server as a backup local DNS service (forwarders only) so clients can still access external sites when we take our main down for maintenance. Consequently we’ve populated the DNS settings of those clients with both addresses. I’ll work on cleaning those up over the next couple of days.

4. This step looks highly likely to be the magic bullet. In the last year we’ve both upgraded from 10.6.8 to 10.7 to 10.8.5 and migrated from an XServe to a mini. It seems likely to me that our Kerberos records need to be updated. I plan to run this step tonight after I do a little more research to make sure I know exactly what those commands are going to do.

5. Another likely culprit. We are using a wildcard cert that covers our whole domain, likely we’ll need to replace this with one that’s specific to this server. I’ll check into this if step 4 doesn’t clear things up.

6. Probably not needed, as we used the FQDN in all of our binds anyway — but if need be we can redo this.

7. Never a bad idea.

8. We never do this.

9. Long ago and far away (in my 10.3 days) I’ve had to do this. Glad that’s a last resort and hope it doesn’t come to that.

Thanks again, Linc.

-Paul

PS — A little tidbit for you: one of the many errors I’ve run down in the last week was:

collabpp[88328]: CFPreferences: user home directory for user kCFPreferencesCurrentUser at /var/teamsserver is unavailable. User domains will be volatile.

As some posters have noted, this directory technically does not exist (at least not as of 10.8.5) — but admins who actually look in /var will find a directory that *looks* like it’s supposed to be the teamsserver home directory — but it’s misspelled: teamserver (note the single "s"). This buggered me for quite a while trying to fix it with -chown and Workgroup Manager — until I took a good look at the directory. Easy to see how Apple developers might have overlooked that one.

Cheers!

Hi.

I configured the Single Sign-On with Microsoft Kerberos SSP between SAPGUI for windows and SAP WAS ABAP + JAVA(Local Installation).

The parameter "snc/identity/as" has the value: "p:prueba tsnetglobal.com". prueba is a domain user.

The user SAPServiceTGX is a local user.

But, the SAP System is stopped.

I get the following errors:

DEV_SERVER

*****************************************************************************

*

[Thr 1240] * LOCATION CPIC (TCP/IP) on local host with Unicode

[Thr 1240] * ERROR partner ‘172.16.6.104:sapgw01’ not reached

[Thr 1240] *

  • TIME Tue Aug 12 17:59:29 2008

[Thr 1240] * RELEASE 700

[Thr 1240] * COMPONENT NI (network interface)

[Thr 1240] * VERSION 38

[Thr 1240] * RC -10

[Thr 1240] * MODULE nixxi.cpp

[Thr 1240] * LINE 2823

[Thr 1240] * DETAIL NiPConnect2

[Thr 1240] * SYSTEM CALL connect

[Thr 1240] * ERRNO 10061

[Thr 1240] * ERRNO TEXT WSAECONNREFUSED: Connection refused

[Thr 1240] * COUNTER 1

[Thr 1240] *

[Thr 1240] *****************************************************************************

[Thr 2984] Tue Aug 12 17:59:30 2008

[Thr 2984] JLaunchIExitJava: exit hook is called (rc = -11113)

[Thr 2984] **********************************************************************

  • ERROR => The Java VM terminated with a non-zero exit code.

  • Please see SAP Note 943602 , section ‘J2EE Engine exit codes’

  • for additional information and trouble shooting.

**********************************************************************

[Thr 2984] JLaunchCloseProgram: good bye (exitcode = -11113)

DEV_W0

_SncInit(): Initializing Secure Network Communication (SNC)

N PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/32/32)

N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)

N SncInit(): found snc/data_protection/min=1, using 1 (Authentication Level)

N SncInit(): found snc/data_protection/use=9, using 3 (Privacy Level)

N SncInit(): found snc/gssapi_lib=C:\WINDOWS\system32\gsskrb5.dll

N File "C:\WINDOWS\system32\gsskrb5.dll" dynamically loaded as GSS-API v2 library.

N *** ERROR => SncPDLInit(): gss_indicate_mechs() failed

N [sncxxdl.0457]*** ERROR => SncPDLInit(()==SNCERR_INIT [sncxxdl.c 452]

N GSS-API(maj): Miscellaneous Failure

N GSS-API(min): Kerberos SSPI not usable with this User account

N STOP! — initial call to gss_indicate_mechs() failed

M *** ERROR => ErrISetSys: error info too large [err.c 944]

M Tue Aug 12 17:58:06 2008

M LOCATION SAP-Server tsnpesrv026_TGX_01 on host tsnpesrv026 (wp 0)

M ERROR GSS-API(maj): Miscellaneous Failure

M GSS-API(min): Kerberos SSPI not usable with this User account

M STOP! — initial call to gss_indicate_mechs() failed

M TIME Tue Aug 12 17:58:06 2008

M RELEASE 700

M COMPONENT SNC (Secure Network Communication)

M VERSION 5

M RC -1

M MODULE sncxxdl.c

M LINE 452

M DETAIL SncPDLInit(

M SYSTEM CALL gss_indicate_mechs

M ERRNO

M ERRNO TEXT

M DESCR MSG NO

M DESCR VARGS GSS-API(maj): Miscellaneous Failure;;;;

M ;;;;GSS-API(min): Kerberos SSPI not usable with this User account;;;;

M ;;;;STOP! — initial call to gss_indicate_mechs() failed

M DETAIL MSG N

M DETAIL VARGS

M COUNTER 1

N *** ERROR => SncPDLInit()==SNCERR_INIT, Adapter (#0) C:\WINDOWS\system32\gsskrb5.dll not loaded

N [sncxxdl.0604]<<- ERROR: SncInit()==SNCERR_INIT

N sec_avail = "false"

M ***LOG R19=> ThSncInit, SncInitU ( SNC-000001) [thxxsnc.c 230]

M *** ERROR => ThSncInit: SncInitU (SNCERR_INIT) [thxxsnc.c 232]

M in_ThErrHandle: 1

M *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 10468]

How can I solve the problem?

Best regards.

Ticiano.
