
What happened?


Starting up a ZooKeeper server in a Kerberized CDP-DC 7.0.3 cluster failed with the logs below. 


2020-03-30 12:23:10,251 ERROR org.apache.zookeeper.server.quorum.QuorumPeerMain: Unexpected exception, exiting abnormally Could not configure server because SASL configuration did not allow the  ZooKeeper server to authenticate itself properly: Message stream modified (41)
        at org.apache.zookeeper.server.ServerCnxnFactory.configureSaslLogin(
        at org.apache.zookeeper.server.NIOServerCnxnFactory.configure(
        at org.apache.zookeeper.server.quorum.QuorumPeerMain.runFromConfig(
        at org.apache.zookeeper.server.quorum.QuorumPeerMain.initializeAndRun(
        at org.apache.zookeeper.server.quorum.QuorumPeerMain.main(


The JDK for this environment is OpenJDK 1.8.0_242.


# java -version
openjdk version "1.8.0_242"
OpenJDK Runtime Environment (build 1.8.0_242-b08)
OpenJDK 64-Bit Server VM (build 25.242-b08, mixed mode)




The fix is to remove the renew_lifetime line from /etc/krb5.conf.

Removing this line means that the default value, 0, is used for renew_lifetime.

As a result, you may also need to specify renew_lifetime explicitly when running the kinit command.
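
One way to apply the change above the same way on every host, as an added example that is not part of the original article: it lists active renew_lifetime lines and comments them out, keeping a backup. The function names, the sample file contents and the realm EXAMPLE.COM are constructed for illustration.

```shell
#!/bin/sh
# Added example: find and comment out active renew_lifetime lines in a krb5.conf.

# Constructed sample file; the realm and values are illustrative only.
make_sample_conf() {
    cat >"$1" <<'EOF'
[libdefaults]
  default_realm = EXAMPLE.COM
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true
EOF
}

# Print "lineno:line" for each active (uncommented) renew_lifetime setting.
# Returns non-zero when there is none.
find_renew_lifetime() {
    grep -nE '^[[:space:]]*renew_lifetime[[:space:]]*=' "$1"
}

# Comment out active renew_lifetime lines, keeping the original as <file>.bak.
# Idempotent: a file with no active setting is left untouched.
disable_renew_lifetime() {
    conf=$1
    if ! find_renew_lifetime "$conf" >/dev/null; then
        return 0
    fi
    cp -p "$conf" "$conf.bak" || return 1
    tmp=$(mktemp) || return 1
    # Write back with cat so the file keeps its owner, mode and inode.
    if sed -E 's/^([[:space:]]*)(renew_lifetime[[:space:]]*=.*)$/\1#\2/' \
            "$conf" >"$tmp" && cat "$tmp" >"$conf"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Demo on a throwaway copy; point the functions at /etc/krb5.conf to apply.
demo_dir=$(mktemp -d)
make_sample_conf "$demo_dir/krb5.conf"
find_renew_lifetime "$demo_dir/krb5.conf"
disable_renew_lifetime "$demo_dir/krb5.conf"
grep -n 'renew_lifetime' "$demo_dir/krb5.conf"
rm -rf "$demo_dir"
```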


See also

On this page, Akira Ajisaka, a member of the Hadoop PMC, described the solution.

He also mentioned a related OpenJDK JIRA ticket.

This page also introduced the same solution.

Additionally, this page showed another solution, setting in file. But in my case, this solution didn't work.

This is a related article from the Cloudera Knowledge Base.

It also describes as its workaround.


Expert Contributor

Thanks for the solution!! Same issue for me: after enabling MIT Kerberos in the CDH 5.16.2 cluster, ZooKeeper wouldn't start, with the above message: Message stream modified (41)


I was using openjdk version "1.8.0_272". As per your solution, I commented out the line in /etc/krb5.conf on all servers:

#renew_lifetime = 604800    


After that restart of the cluster, all services worked except the Hue Kerberos Ticket Renewer, which gives the error:

Couldn't renew kerberos ticket in order to work around Kerberos 1.8.1 issue. Please check that the ticket for 'hue/fqdn@KRBREALM' is still renewable:

The Kerberos Ticket Renewer is a separate issue, and we need to run the following on the MIT KDC server:

kadmin.local:  modprinc -maxrenewlife 90day krbtgt/KRBREALM

kadmin.local:  modprinc -maxrenewlife 90day +allow_renewable hue/fqdn@KRBREALM   for all hue servers fqdn


After that, the Hue Kerberos Ticket Renewer restarted successfully.