Hi, I hope someone who had experience using solrj with kerberos could help me out and I read the instruction below
To use Kerberos authentication in a SolrJ application, you need the following two lines before you create a SolrClient:
You need to specify a Kerberos service principal for the client and a corresponding keytab in the JAAS client configuration file above. This principal should be different from the service principal we created for Solr .
Here’s an example:
My questions: 1. What should I put for the principal in the jaas-client.conf file, should I include the hostname of the server where the SolrJ program is running on? For example: solrclient/<hostname>@EXAMPLE.com ? 2. I tried to create keytab and principle on a windows version of KDC I ran this command: Ktpass princ solrclient@<realm> mapuser solrclient -pass <password> -ptype KRB5_NT_PRINCIPAL out solr.service.keytab.client Then, I got this error: ( I hide the value of OU and DC) Failed to set property 'servicePrincipalName' to 'solrclient' on Dn 'CN=solrclient,OU=<OU>,DC=<DC>,DC=<DC>,DC=<DC>': 0x13. WARNING: Unable to set SPN mapping data.
What do I do wrong?
I am not sure about SOLRJ but this is a Kerberos issue. Couple of things.
Shouldn't the comman have "-mapuser" instead of "mapuser".
Also, I think you need to specify domain name for SOLR client. something like this:
-mapuser firstname.lastname@example.org -pass <> [rest of your command].
If you haven't seen already, this link might help.
I believe that in this case you do not need the hostname in the principal (i.e. an SPN is not required). This principal is the service account that you are using to authenticate to Solr. If you wanted to do something like SPNEGO and forward the end-user's KRB Ticket to Solr, that'd be a different configuration that would require that you create a SPN.
You don't need to do this with KTPass since you don't need a SPN, I'd recommend using the ktab.exe bundled with Java, it'll be more reliable for what you're trying to accomplish.