SASL GSSAPI Cannot contact any KDC for realm

[elainel8]

Hi,
Sorry, if I'm not providing the right detail, I'm fairly new at this and it's the first time I'm trying to consume from kafka through kerberos authentication.
I used the code under example.erl as a reference to built mine.

That realm is defined under my krb5.conf, which is located under /etc/
I have also set this environment variable: export KAFKA_OPTS="-Djava.security.krb5.conf=/etc/krb5.conf"
Do I need to load this file somewhere else?

After running the last line of code, I get the error below:

   {{sasl_auth_error,{sasl_fail,<<"SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Cannot contact any KDC for realm 'BELLDEV.DEV.BCE.CA')">>}},
    [{kpro_sasl,auth,7,
               [{file,"/home/med/bm/ossfm/server/fm/_build/default/lib/kafka_protocol/src/kpro_sasl.erl"},
                {line,43}]},
    {kpro_connection,init_connection,2,
                     [{file,"/home/med/bm/ossfm/server/fm/_build/default/lib/kafka_protocol/src/kpro_connection.erl"},
                      {line,240}]},
    {kpro_connection,init,4,
                     [{file,"/home/med/bm/ossfm/server/fm/_build/default/lib/kafka_protocol/src/kpro_connection.erl"},
                      {line,170}]},
    {proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,247}]}]}}],
[{brod_client,ensure_metadata_connection,1,
              [{file,"/home/med/bm/ossfm/server/fm/_build/default/lib/brod/src/brod_client.erl"},
               {line,554}]},
 {brod_client,handle_info,2,
              [{file,"/home/med/bm/ossfm/server/fm/_build/default/lib/brod/src/brod_client.erl"},
               {line,300}]},
 {gen_server,try_dispatch,4,[{file,"gen_server.erl"},{line,616}]},
 {gen_server,handle_msg,6,[{file,"gen_server.erl"},{line,686}]},
 {proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,247}]}]}

Config =
    [
      {ssl, true},
      {sasl, {callback, brod_gssapi, {gssapi, <<"FileKeytab.keytab">>, <<"username@BELL.CORP.BCE.CA">>}}}
    ].
Args =
    [
      {bootstrap_endpoints, [{"server_name", port}]},
      {topic, <<"topic_name">>},
      {partition, all},
      {config, Config},
      {begin_offset, latest},
      {client_id, test_kafka}
    ].

Bootstrap_endpoints = proplists:get_value(bootstrap_endpoints, Args),
Topic = proplists:get_value(topic, Args),
Config = proplists:get_value(config, Args),
Partition = proplists:get_value(partition, Args),
Begin_offset = proplists:get_value(begin_offset, Args),
Client_id = proplists:get_value(client_id, Args).

{ok, _} = application:ensure_all_started(brod).
ok = application:load(brod_gssapi).
application:set_env(brod_gssapi,default_handshake_vsn,1).
ok = brod:start_client(Bootstrap_endpoints, Client_id, Config).

Thank you!

[kjellwinblad]

Hi @elainel8,

First of all, since you asked the question a couple of months ago, I want to apologize for late response and ask if you have already resolved the issue by yourself or if you are still having problems?

That realm is defined under my krb5.conf, which is located under /etc/
I have also set this environment variable: export KAFKA_OPTS="-Djava.security.krb5.conf=/etc/krb5.conf"
Do I need to load this file somewhere else?

Yes, this file is needed also by the Kerberos KDC. It should be picked up automatically if it is located in location that the Kerberos expect (please see the documentation of your Kerberos library).

It might also be useful to look at our docker compose file that we use to set up a Kerberos and Kafka environment to perform continues testing: https://github.com/emqx/emqx/blob/master/.ci/docker-compose-file/docker-compose-kafka.yaml .

The error message "SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for realm 'BELLDEV.DEV.BCE.CA')" suggests that the Kerberos authentication process is failing due to an inability to contact the Key Distribution Center (KDC) for your specified realm.

Here are some things that you can check:

• Verify that the Key Distribution Center (KDC) for the realm 'BELLDEV.DEV.BCE.CA' is reachable from your machines. For example using ping.

• Double-check your /etc/krb5.conf file to ensure the realm and KDC are correctly specified. Make sure there are no typos or incorrect configurations.

• Confirm that the keytab file and principal are correctly configured: https://stackoverflow.com/questions/63723556/keytab-file-authentication-check