Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Zookeeper service fails to start with checksum error after Kerberos is enabled

Labels:
avatar
author-rank Krish216
Explorer

Created on ‎03-07-2018 03:47 PM - edited ‎09-16-2022 05:56 AM

Zookeeper service fails to start after kerberos has been enabled with the following error -

 

ERROR org.apache.zookeeper.server.quorum.QuorumPeerMain: Unexpected exception, exiting abnormally
java.io.IOException: Could not configure server because SASL configuration did not allow the ZooKeeper server to authenticate itself properly: javax.security.auth.login.LoginException: Checksum failed
at org.apache.zookeeper.server.ServerCnxnFactory.configureSaslLogin(ServerCnxnFactory.java:207)
at org.apache.zookeeper.server.NIOServerCnxnFactory.configure(NIOServerCnxnFactory.java:87)
at org.apache.zookeeper.server.quorum.QuorumPeerMain.runFromConfig(QuorumPeerMain.java:135)
at org.apache.zookeeper.server.quorum.QuorumPeerMain.initializeAndRun(QuorumPeerMain.java:116)
at org.apache.zookeeper.server.quorum.QuorumPeerMain.main(QuorumPeerMain.java:79)

 

please advise. I have been through multiple posts but do not see any solution regarding this.

 

 

8,368 Views
0 Kudos
0
2 ACCEPTED SOLUTIONS

avatar
author-rank bgooley author-rank
Master Guru

Created ‎03-09-2018 09:32 AM

@Krish216,

 

Do you have any other stack information or is that all that appears?

 

The failure there is occurring when attempting to get a TGT from your KDC.

The "checksum" error likely occurs after the KDC has replied to the AS_REQ (TGT request) because the reply cannot be decrypted.

 

It could be that your krb5.conf file has encryption types listed that are not in the zookeeper keytab.

 

Recommendations:

 

1. make certain that your /etc/krb5.conf on the zookeeper host contains only the encryption types that are in the zookeeper keytab

 

2.  If (1) does not help or is not the issue, try regenerating the zookeeper credentials in Cloudera Manager to ensure that your keytab contains the same keys as the KDC for that principal.

 

 

View solution in original post

8,293 Views
0

avatar
author-rank Krish216
Explorer

Created ‎03-12-2018 10:02 AM

@bgooley

 

Here is what happened -  KDC slave that we're connecting was not running the kpropd demon. Once started we're able to pass the issue.

 

Also, checking on encryption types in kdc.conf made the issue completely resolved. Thank you all the help & suggestions.

View solution in original post

8,228 Views
0 Kudos
0
5 REPLIES 5

avatar
author-rank GeKas
Super Collaborator

Created ‎03-08-2018 12:52 AM

This is obviously an issue with the Kerberos. Checksum error isually when keytab is not created correctly. Have you manually created and distributed keytabs? If yes, then check the integrity of keytab by trying to authenticate using it (kinit).

If you rely on Cloudera Manager (which is preferable) to do this job, then you should check the zookeeper node. E.g.:

* /etc/krb5.conf is correct

* you can authenticate to Kerberos from this node

* Java Cryptography Extension (JCE) is installed and zookeeper is launched with the correct java.

8,341 Views

avatar
author-rank Krish216
Explorer

Created ‎03-08-2018 08:44 AM

Thanks Gekas for the suggestions. I am able to do kinit with the keytab that is generated without any issue.

While starting zookeeper is taking JAVA_HOME as /usr/java/jdk1.8.0 and I have installed the JCE files at the /usr/java/jdk1.8.0/jre/lib/security. There is only one version of java that is installed. I did a netcat from source to KDC hosts and those are working fine as well.

 

Not sure If I'm missing anything. 

8,321 Views
0 Kudos

avatar
author-rank bgooley author-rank
Master Guru

Created ‎03-09-2018 09:32 AM

@Krish216,

 

Do you have any other stack information or is that all that appears?

 

The failure there is occurring when attempting to get a TGT from your KDC.

The "checksum" error likely occurs after the KDC has replied to the AS_REQ (TGT request) because the reply cannot be decrypted.

 

It could be that your krb5.conf file has encryption types listed that are not in the zookeeper keytab.

 

Recommendations:

 

1. make certain that your /etc/krb5.conf on the zookeeper host contains only the encryption types that are in the zookeeper keytab

 

2.  If (1) does not help or is not the issue, try regenerating the zookeeper credentials in Cloudera Manager to ensure that your keytab contains the same keys as the KDC for that principal.

 

 

8,294 Views
0

avatar
author-rank Krish216
Explorer

Created ‎03-12-2018 10:02 AM

@bgooley

 

Here is what happened -  KDC slave that we're connecting was not running the kpropd demon. Once started we're able to pass the issue.

 

Also, checking on encryption types in kdc.conf made the issue completely resolved. Thank you all the help & suggestions.

8,229 Views
0 Kudos
0

avatar
csguna author-rank
Champion

Created ‎05-09-2018 07:55 AM

Could you please mark it as answered so the community will be benifited ? 

8,046 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements