Kerberos failure : wrong Token ID. Expected 0504, was 6030

[salastrue]

Hi,

I am trying to connect the redpanda console to a Kafka cluster that is kerberized. This cluster only supports two encryption types: rc4-hmac and _aes256-ct_s.

I have tried to connect with keytabs with both types of encryption and this configuration at sasl field at config.yaml:

sasl:
    enabled: true
    mechanism: GSSAPI
    username: myuser
    gssapi:
      authType: KEYTAB_AUTH
      keyTabPath: myuser.keytab
      kerberosConfigPath: krb5.conf
      serviceName: kafka
      realm: MY.DOMAIN.CORP
      enableFast: false
      username: myuser

They both generate the same failure:

{"level":"info","ts":"2023-01-24T15:35:18.020+0100","msg":"started Redpanda Console","version":"2.1.1","built_at":"1669902595"}
{"level":"info","ts":"2023-01-24T15:35:18.290+0100","msg":"connecting to Kafka seed brokers, trying to fetch cluster metadata"}
{"level":"error","ts":"2023-01-24T15:35:18.516+0100","msg":"unable to initialize sasl","source":"kafka_client","broker":"seed 0","err":"EOF"}
{"level":"error","ts":"2023-01-24T15:35:18.939+0100","msg":"unable to initialize sasl","source":"kafka_client","broker":"seed 1","err":"EOF"}
{"level":"error","ts":"2023-01-24T15:35:19.578+0100","msg":"unable to initialize sasl","source":"kafka_client","broker":"seed 2","err":"EOF"}
{"level":"error","ts":"2023-01-24T15:35:20.431+0100","msg":"unable to initialize sasl","source":"kafka_client","broker":"seed 0","err":"wrong Token ID. Expected 0504, was 6030"}
{"level":"warn","ts":"2023-01-24T15:35:20.431+0100","msg":"Failed to test Kafka connection, going to retry in 1s","remaining_retries":5}

I am using redpanda_console_2.1.1_windows_64-bit.zip for windows and running with openjdk 11 2018-09-25

I have seen in some related issues such as 274#issuecomment-924053396 or 1400#issue-455423482 that it may be a bug of the type of encryption supported, in this case rc4-hmac is deprecated.

Is this true for this case?
Is there any restriction on encryption when using kerberos?
What can the token id error mean? Is my configuration OK?

[weeco]

Hey @salastrue ,
apologies for the late response. I'm unfortunately not a Kerberos experts and we consume this via franz-go, which again (like almost all Go applications afaik) uses https://github.com/jcmturner/gokrb5 for the kerberos authentication. I'm aware that Console is used in Kerberized environments, but I'm not sure what exact configurations are used there.

Sorry for not being more helpful here, but if you figure something out I'm happy to help.

[salastrue]

Hi @weeco,

Thanks for your response. I have been investigating a little more and I have seen that inside the library that you mention that is used for the connection (gokrb5) there is an open issue: jcmturner/gokrb5#460 (comment) and a PR: Add support for Wrap Tokens v1 that makes reference to my error ("wrong Token ID. Expected 0504, was 6030") and this issue.

From your side, would there be any way to solve this problem, or would we have to wait for the corresponding gokrb5 PR to be approved?

Thanks in advance!

[weeco]

The gokrb5 is a transitive dependency (franz-go uses it). Thus, I think we have to wait until this PR get's merged and franz-go updates the gokrb5 library (franz-go is very actively maintained though). If you know any way to workaround this issue, please let me know and I'll try to help.

[twmb]

gokrb5 is mostly unmaintained and there is no other Kerberos library in the Go ecosystem. Unless gokrb5 fixes things, we can't do anything here. Closing for now.