I am trying to run a Kafka cluster with Kerberos auth enabled. The Kafka broker, ZooKeeper and KDC (Kerberos) servers are started as containers inside a Docker network.
Kafka broker port 9092 has been mapped to the host machine, so I am able to call the broker from the host machine network.
As the client has to first interact with the KDC for Kerberos auth, port 88 of the KDC container has also been exposed and is open from the host machine.
docker ps (for the KDC container):
a856bfe3f330 plaintext_kdc "/bin/sh -c '/usr/sb…" 11 hours ago Up 11 hours 0.0.0.0:88->88/tcp, :::88->88/tcp kdc

/etc/krb5.conf:
[realms]
TEST.CONFLUENT.IO = {
    kdc = 10.0.1.207 --(tried localhost also here)
}

I am able to telnet localhost 88 from the host machine, but I get the error below when I try to run a producer from the host machine. (Note: I am able to produce and consume messages within the Docker network, producing from a client Docker container inside the same Docker network.)

/home/ubuntu/kafka-docker-for-nifi-integration/kafka_install/kafka_2.11-2.4.0/bin/kafka-console-producer.sh --broker-list localhost:29092 --topic kafka-nifi-sasl_gssapi_plaintext --producer.config producer_kt.properties

org.apache.kafka.common.KafkaException: Failed to construct kafka producer
    at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:432)
    at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:298)
    at kafka.tools.ConsoleProducer$.main(ConsoleProducer.scala:45)
    at kafka.tools.ConsoleProducer.main(ConsoleProducer.scala)
Caused by: org.apache.kafka.common.KafkaException: javax.security.auth.login.LoginException: ICMP Port Unreachable
    at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:158)
    at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:146)
    at org.apache.kafka.common.network.ChannelBuilders.clientChannelBuilder(ChannelBuilders.java:67)
    at org.apache.kafka.clients.ClientUtils.createChannelBuilder(ClientUtils.java:99)
    at org.apache.kafka.clients.producer.KafkaProducer.newSender(KafkaProducer.java:450)
    at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:421)
    ... 3 more
Caused by: javax.security.auth.login.LoginException: ICMP Port Unreachable
    at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:786)
    at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592)
    at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726)
    at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)
    at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)
    at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574)
    at org.apache.kafka.common.security.authenticator.AbstractLogin.login(AbstractLogin.java:60)
    at org.apache.kafka.common.security.kerberos.KerberosLogin.login(KerberosLogin.java:103)
    at org.apache.kafka.common.security.authenticator.LoginManager.<init>(LoginManager.java:62)
    at org.apache.kafka.common.security.authenticator.LoginManager.acquireLoginManager(LoginManager.java:112)
    at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:147)
    ... 8 more
Caused by: java.net.PortUnreachableException: ICMP Port Unreachable
    at java.base/java.net.PlainDatagramSocketImpl.receive0(Native Method)
    at java.base/java.net.AbstractPlainDatagramSocketImpl.receive(AbstractPlainDatagramSocketImpl.java:181)
    at java.base/java.net.DatagramSocket.receive(DatagramSocket.java:814)
    at java.security.jgss/sun.security.krb5.internal.UDPClient.receive(NetClient.java:205)
    at java.security.jgss/sun.security.krb5.KdcComm$KdcCommunication.run(KdcComm.java:404)
    at java.security.jgss/sun.security.krb5.KdcComm$KdcCommunication.run(KdcComm.java:364)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at java.security.jgss/sun.security.krb5.KdcComm.send(KdcComm.java:348)
    at java.security.jgss/sun.security.krb5.KdcComm.sendIfPossible(KdcComm.java:253)
    at java.security.jgss/sun.security.krb5.KdcComm.send(KdcComm.java:229)
    at java.security.jgss/sun.security.krb5.KdcComm.send(KdcComm.java:200)
    at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:345)
    at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:498)
    at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:754)

Thanks,
Mahendra
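
A check for the gap visible in the post: telnet exercises only TCP, while the trace fails in UDPClient.receive and the docker ps line lists only 88/tcp. This is an added example, not part of the original post; the function names probe_tcp, probe_udp and diagnose are hypothetical, and the probe classifies both transports rather than just the failing one.

```python
import socket

def probe_tcp(host, port, timeout=2.0):
    """Return 'open', 'closed' (connection refused) or 'filtered' (timeout/other)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeouts, unreachable network, resolution failures
        return "filtered"

def probe_udp(host, port, timeout=2.0, payload=b"\x00"):
    """Send one datagram on a connected UDP socket and classify the outcome.

    'unreachable' : ICMP Port Unreachable came back (nothing listens on UDP)
    'answered'    : a datagram was received
    'no-reply'    : silence; the port is not refused (listener or silent filter)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket, so ICMP errors are reported
        try:
            s.send(payload)
            s.recv(4096)
            return "answered"
        except ConnectionRefusedError:
            return "unreachable"
        except socket.timeout:
            return "no-reply"

def diagnose(host, port=88, timeout=2.0):
    """Probe the KDC port over both transports and summarise the result."""
    tcp = probe_tcp(host, port, timeout)
    udp = probe_udp(host, port, timeout)
    if tcp == "open" and udp == "unreachable":
        verdict = "TCP-only: a client that tries UDP first gets Port Unreachable"
    elif tcp == "open":
        verdict = "TCP reachable; UDP not refused (listener or silent filter)"
    else:
        verdict = "KDC not reachable over TCP"
    return {"tcp": tcp, "udp": udp, "verdict": verdict}

if __name__ == "__main__":
    # 127.0.0.1 matches the 'localhost' attempt in the post; substitute the KDC address.
    print(diagnose("127.0.0.1", 88))
```

A result of tcp open with udp unreachable is the TCP-only state; publishing 88/udp as well, or setting udp_preference_limit = 1 under [libdefaults] in krb5.conf so the client starts with TCP, are the usual ways to make the client and the published ports agree.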