https://community.cloudera.com/t5/Support-Questions/Kafka-console-producer-consumer-failing-with-AD-users-but/m-p/92237#M45862 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/27216">@satz</a>&nbsp;</P><P>&nbsp;</P><P>We were able to resolve this. We had the kerberos auth principles in default kafka group while all the broker were in a different config group. Adding the auth principles to the kafka config group has solved the issue.</P> Wed, 03 Jul 2019 15:34:50 GMT RajeshBodolla 2019-07-03T15:34:50Z https://community.cloudera.com/t5/Support-Questions/Kafka-console-producer-consumer-failing-with-AD-users-but/m-p/91415#M45860 <P>Hi,</P><P>&nbsp;</P><P>We have just built a new kafka cluster(<SPAN>3.1.0-1.3.1.0.p0.35</SPAN>) and integrated it with kerberos. Kerberos is integrated with AD. We are able to produce and consume with kafka principle which is local but with AD users, it fails with below error on console.</P><P>&nbsp;</P><P>19/06/09 08:14:22 DEBUG authenticator.SaslClientAuthenticator: Set SASL client state to CLIENT_COMPLETE<BR />19/06/09 08:14:22 DEBUG authenticator.SaslClientAuthenticator: Set SASL client state to COMPLETE<BR />19/06/09 08:14:22 DEBUG clients.NetworkClient: [Producer clientId=console-producer] Initiating API versions fetch from node -1.<BR /><STRONG>19/06/09 08:14:22 DEBUG network.Selector: [Producer clientId=console-producer] Connection with server2.kafka4.corp/180.20.92.23 disconnected</STRONG><BR /><STRONG>java.io.EOFException</STRONG><BR />at org.apache.kafka.common.network.NetworkReceive.readFromReadableChannel(NetworkReceive.java:124)<BR />at org.apache.kafka.common.network.NetworkReceive.readFrom(NetworkReceive.java:93)<BR />at org.apache.kafka.common.network.KafkaChannel.receive(KafkaChannel.java:235)<BR />at org.apache.kafka.common.network.KafkaChannel.read(KafkaChannel.java:196)<BR />at org.apache.kafka.common.network.Selector.attemptRead(Selector.java:545)<BR />at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:483)<BR />at org.apache.kafka.common.network.Selector.poll(Selector.java:412)<BR />at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:481)<BR />at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:239)<BR />at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:163)<BR />at java.lang.Thread.run(Thread.java:748)<BR />19/06/09 08:14:22 DEBUG clients.NetworkClient: [Producer clientId=console-producer] Node -1 disconnected.<BR />19/06/09 08:14:22 INFO clients.NetworkClient: [Producer clientId=console-producer] API versions request failed via disconnect. Defaulting legacy API versions<BR />19/06/09 08:14:22 DEBUG clients.NetworkClient: [Producer clientId=console-producer] Give up sending metadata request since no node is available<BR />19/06/09 08:14:22 DEBUG clients.NetworkClient: [Producer clientId=console-producer] Give up sending metadata request since no node is available<BR />^C19/06/09 08:14:22 INFO producer.KafkaProducer: [Producer clientId=console-producer] Closing the Kafka producer with timeoutMillis = 9223372036854775807 ms.<BR />19/06/09 08:14:22 DEBUG internals.Sender: [Producer clientId=console-producer] Beginning shutdown of Kafka producer I/O thread, sending remaining records.</P><P>&nbsp;</P><P>==========================================</P><P>&nbsp;</P><P>The broker logs only have errors about the shortname for users.</P><P>&nbsp;</P><P>Caused by: org.apache.kafka.common.security.kerberos.NoMatchingRule: No rules apply to RAJESH@KAFKA4.CORP, rules [DEFAULT]</P> Fri, 16 Sep 2022 14:26:19 GMT https://community.cloudera.com/t5/Support-Questions/Kafka-console-producer-consumer-failing-with-AD-users-but/m-p/91415#M45860 RajeshBodolla 2022-09-16T14:26:19Z https://community.cloudera.com/t5/Support-Questions/Kafka-console-producer-consumer-failing-with-AD-users-but/m-p/92234#M45861 <P>Hello&nbsp;<a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/24123">@RajeshBodolla</a>&nbsp;</P><P>&nbsp;</P><P>It seems like the actual exception is as below</P><P>&nbsp;</P><P><SPAN>Caused by: org.apache.kafka.common.security.kerberos.NoMatchingRule: No rules apply to RAJESH@KAFKA4.CORP, rules [DEFAULT]</SPAN></P><P>&nbsp;</P><P><SPAN>Could you please share the complete stack? it seems it is somewhere not able to resolve the principal</SPAN></P> Wed, 03 Jul 2019 15:27:42 GMT https://community.cloudera.com/t5/Support-Questions/Kafka-console-producer-consumer-failing-with-AD-users-but/m-p/92234#M45861 satz 2019-07-03T15:27:42Z https://community.cloudera.com/t5/Support-Questions/Kafka-console-producer-consumer-failing-with-AD-users-but/m-p/92237#M45862 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/27216">@satz</a>&nbsp;</P><P>&nbsp;</P><P>We were able to resolve this. We had the kerberos auth principles in default kafka group while all the broker were in a different config group. Adding the auth principles to the kafka config group has solved the issue.</P> Wed, 03 Jul 2019 15:34:50 GMT https://community.cloudera.com/t5/Support-Questions/Kafka-console-producer-consumer-failing-with-AD-users-but/m-p/92237#M45862 RajeshBodolla 2019-07-03T15:34:50Z