Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Zookeeper unable to start after enabling Kerberos , SASL error

Labels:
avatar
author-rank muslihuddin
Rising Star

Created ‎12-29-2021 03:02 AM

Hi to all,

My cluster is the latest CM 7.4.4, and CR 7.1.7.

Cluster working fine until I enable Kerberos. Zookeeper wont start with error 


Could not configure server because SASL configuration did not allow the Zookeeper server to authenticat itself properly:javax.security.auth.login.LoginException: Message stream modified (41)

 

I'm able to get zookeeper and other services up if I commented

# renew_lifetime = 7d  on all the nodes and kerberos server.

But only Hue Kerberos Ticket Renewer will have a problem. So what I did was I commented out 

renew_lifetime = 7d on server that hosted Kerberos Ticket REnewar roles.

 

So now my cluster will be up. But this does not like a good workarund as some of the UI are having a problem like Atlas and Solr with error (tgt renewal).

 

Anyone encounter this?

 

P/S: I have a working Kerberized cluster with same version of CDP. It is working fine. Same exact version, os version, java version, and kerberos version. Only not all components is available in this cluster. So weird. 

1,962 Views
0 Kudos
3 REPLIES 3

avatar
author-rank GangWar author-rank
Master Guru

Created on ‎01-03-2022 03:09 AM - last edited on ‎01-03-2022 08:59 AM by Cloudera Employee

@muslihuddin You are running into a known Java Bug which has been found Earlier and documented. You have to follow below steps to overcome this issue..

For JDK 8u241 and higher versions running on Kerberized clusters, you must disable referrals by settingsun.security.krb5.disableReferrals=true.

For example, with OpenJDK 1.8.0u242:

  1. Open /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64/jre/lib/security/java.security with a text editor.
  2. Add sun.security.krb5.disableReferrals=true (it can be at the bottom of the file).
  3. Add this property on each node that has the impacted JDK version.
  4. Restart the applications using the JDK so the change takes effect.

For more information, see the KB article. You can so many similar discussion on Cloudera Community which has been resolved Earlier. 
[1] https://docs.cloudera.com/cdp-private-cloud-upgrade/latest/release-guide/topics/cdpdc-java-requireme...

 


Cheers!
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
1,931 Views
0 Kudos

avatar
author-rank muslihuddin
Rising Star

Created ‎01-03-2022 09:00 PM

Hi @GangWar 

Thank you very much for your response. 

I did suspect something got to do with my java version and I've already did what you mention to disable the referrals setting sun.security.krb5.disableReferrals=true but the zookeeper still unable to start.

 

On the problematic cluster, I'm using OpenJDK 1.8.0u262. I have one more kerberized cluster that is running fine using OpenJDK 1.8.0u312.So what other things I tried previously. 

  1. Downgraded my OpenJDK to match the problematic version u262.

  2. Restarted cluster few times.

  3. Cluster still working fine with Kerberos, no need to comment renew_lifetime

That is why I ignored the Java version suspicion.

 

So the only thing for now that can make my zookeeper start was by commenting on the renew_lifetime. This guy have the same exact thing with my problem and solution. He did try the referrals as well. Do you think there are any other bugs related to this problem?

 

https://community.cloudera.com/t5/Community-Articles/How-to-solve-the-Message-stream-modified-41-err...

 

Thank you and regards.

Mus

 

 

 

 

1,911 Views
0 Kudos

avatar
author-rank GangWar author-rank
Master Guru

Created ‎01-05-2022 03:36 AM

@muslihuddin No I didn’t find any other bug. Not sure in your case by the modification of java.security file didn’t worked alone. The solution you are having atm is also fine in my opinion no harm in that. 


Cheers!
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
1,890 Views
0 Kudos
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements