Client SSPI to Server GSSAPI


max.g...@gmail.com

Jun 13, 2016, 7:40:37 AM
to waffle
Hello,

My situation is around getting Windows SSO to work with Kafka/Zookeeper. In a sentence, Kafka is a message broker. The details are:
  1. The client - a C client running on Windows. This sends messages to the broker.
  2. The server - Kafka/Zookeeper, also running on Windows.
  3. I have gotten Kafka and Zookeeper to integrate with Kerberos on Windows using JAAS and SASL/GSSAPI. That was done by following the respective documentation. There are SPNs and keytabs involved.
  4. The problem is now to get the C client to do Kerberos authentication with the broker. There is documentation on how to get the C client to do SASL authentication; unfortunately it does not work on Windows.
I was hoping I could use Waffle for two purposes:
  1. On the server - update the server side to get rid of the keytabs and just replace it with Waffle. I'm confused as to how to actually get that to work. There is some documentation for JAAS on Tomcat. Is it possible to get some more details as to what exactly needs to be copied to the broker to integrate it with Kerberos without keytabs?
  2. On the client - extract a Kerberos token I can use to pass to the broker to achieve SSO authentication. This blob would be passed to the C client.
Happy to provide more details. Can you please indicate if my two goals are something Waffle can do?

Daniel Doubrovkine

unread,
Jun 14, 2016, 12:23:18 PM6/14/16
to waffle...@googlegroups.com
On the server, I am not familiar with what protocol(s) Kafka/Zookeeper talk, but assuming it's HTTP, what is that all based on? Is it using Tomcat? Something else? You can definitely integrate Waffle into anything, https://github.com/dblock/waffle provides several such integrations - generic filters for Tomcat/Jetty/etc. as well as specific extensions for Spring framework and what not. All use the same Waffle shared code that ultimately calls into Windows SSPI.

Your C client running on Windows should be doing low level SSPI, see https://msdn.microsoft.com/en-us/library/windows/desktop/aa380536(v=vs.85).aspx. Once it's able to call things like InitializeSecurityContext it's all about exchanging buffers with the server. Assuming the client talks HTTP you need to read/write headers. I think http://code.dblock.org/2010/03/26/jna-acquirecredentialshandle-initializesecuritycontext-and-acceptsecuritycontext-establishing-an-authenticated-connection.html could be helpful in general. 

--
You received this message because you are subscribed to the Google Groups "waffle" group.
To unsubscribe from this group and stop receiving emails from it, send an email to waffle-users...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
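The buffer exchange described above has two halves: the C client calls InitializeSecurityContext in a loop, and the Java side needs a matching GSS-API acceptor. The following is an added example written for this thread, not code from Waffle or from either poster. It assumes a JAAS entry named "Server" that logs in through Krb5LoginModule with a keytab (the entry name and module are the ones the thread's own JAAS file uses), a constructed wire framing of a 4-byte big-endian length followed by the token bytes, and a default port of 9099; Kafka's real SASL framing is different and is not modelled here.

```java
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.net.ServerSocket;
import java.net.Socket;
import java.security.PrivilegedExceptionAction;

import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/**
 * Minimal GSS-API acceptor for tokens produced by a Windows SSPI client that
 * calls InitializeSecurityContext with the "Kerberos" package.
 * Assumptions (constructed for this example): JAAS entry "Server" with
 * Krb5LoginModule + keytab, 4-byte length-prefixed token framing, port 9099.
 */
public class KerberosAcceptor {

    /** Kerberos V5 mechanism OID (RFC 1964). SPNEGO would be 1.3.6.1.5.5.2. */
    private static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";

    /** Refuse absurd token sizes before allocating; Kerberos tokens are a few KiB. */
    private static final int MAX_TOKEN_BYTES = 64 * 1024;

    public static void main(String[] args) throws Exception {
        int port = args.length > 0 ? Integer.parseInt(args[0]) : 9099;
        // Requires -Djava.security.auth.login.config=<jaas file>; "Server" is the
        // entry name from the thread's JAAS file (Krb5LoginModule + keytab).
        LoginContext login = new LoginContext("Server");
        login.login();
        Subject service = login.getSubject();
        // All GSS calls run as the service Subject so JGSS can find the keytab keys.
        Subject.doAs(service, (PrivilegedExceptionAction<Void>) () -> {
            serve(port);
            return null;
        });
    }

    static void serve(int port) throws IOException, GSSException {
        GSSManager mgr = GSSManager.getInstance();
        Oid krb5 = new Oid(KRB5_MECH_OID);
        // Acceptor credential is derived from the logged-in Subject, not a password.
        GSSCredential serverCred = mgr.createCredential(
                null, GSSCredential.INDEFINITE_LIFETIME, krb5, GSSCredential.ACCEPT_ONLY);
        try (ServerSocket listener = new ServerSocket(port)) {
            while (true) {
                try (Socket client = listener.accept()) {
                    String who = accept(mgr, serverCred, client);
                    System.out.println("authenticated " + who + " from " + client.getRemoteSocketAddress());
                } catch (IOException | GSSException e) {
                    // A failed handshake is never treated as an authenticated peer.
                    System.err.println("handshake failed: " + e.getMessage());
                }
            }
        }
    }

    /** Runs the accept loop for one connection and returns the authenticated client principal. */
    static String accept(GSSManager mgr, GSSCredential cred, Socket s) throws IOException, GSSException {
        DataInputStream in = new DataInputStream(s.getInputStream());
        DataOutputStream out = new DataOutputStream(s.getOutputStream());
        GSSContext ctx = mgr.createContext(cred);
        try {
            // Mirror of the client's InitializeSecurityContext loop: consume a token,
            // emit the reply token (AP-REP when the client asked for mutual auth),
            // repeat until the mechanism reports the context as established.
            while (!ctx.isEstablished()) {
                byte[] inTok = readToken(in);
                byte[] outTok = ctx.acceptSecContext(inTok, 0, inTok.length);
                if (outTok != null && outTok.length > 0) {
                    writeToken(out, outTok);
                }
            }
            // Identity is only meaningful after isEstablished(): getSrcName() is the
            // authenticated client principal, getTargName() the SPN it targeted.
            return ctx.getSrcName() + " -> " + ctx.getTargName()
                    + (ctx.getMutualAuthState() ? " (mutual)" : "");
        } finally {
            ctx.dispose();
        }
    }

    private static byte[] readToken(DataInputStream in) throws IOException {
        int len = in.readInt();
        if (len <= 0 || len > MAX_TOKEN_BYTES) {
            throw new IOException("bad token length " + len);
        }
        byte[] tok = new byte[len];
        in.readFully(tok);
        return tok;
    }

    private static void writeToken(DataOutputStream out, byte[] tok) throws IOException {
        out.writeInt(tok.length);
        out.write(tok);
        out.flush();
    }
}
```

For the handshake to succeed, the C client's InitializeSecurityContext must target the same SPN that the keytab principal in the JAAS entry holds, and it must use the "Kerberos" package: the "Negotiate" package emits SPNEGO-wrapped tokens, which this acceptor would reject unless the credential is created with the SPNEGO OID instead. The length check in readToken is there so an unauthenticated peer cannot make the server allocate an arbitrarily large buffer before any token has been verified.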


max.g...@gmail.com

Jun 14, 2016, 2:16:20 PM
to waffle
Thank you. The client connects to Kafka via TCP. Zookeeper is used by Kafka only, and I believe that the communication between Kafka and Zookeeper is also TCP.

When you say that on the client it is just about doing the native SSPI correctly, is that under the assumption that the server (Kafka) will also be doing SSPI? Currently Kafka is doing SASL/GSSAPI.

The way I've set up SASL on Kafka is by:
1. Creating an SPN for Kafka
2. Creating a keytab for Kafka
3. Using a JAAS file like this:
Server {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab="true"
  principal="some spn"
  storeKey="true"
  debug="true"
  serviceName="kafka"
  keyTab="some keytab";
};

What would I have to replace the above JAAS with to get the server to do SSPI? If I just use the JAAS sample from:
Jaas {
    waffle.jaas.WindowsLoginModule sufficient debug=false;
};
then Kafka fails to start.

Daniel Doubrovkine

Jun 14, 2016, 2:18:43 PM
to waffle...@googlegroups.com
The whole keytab implementation is completely orthogonal to Waffle. That exists because on *nix that's how you do Kerberos. Waffle works on top of Windows SSPI, it's a whole other (Windows) world.

I am afraid I know close to nothing about SASL/GSSAPI, and I would be shocked if what you're trying works out of the box. All I can say is that waffle has the moving parts to implement both client and server for SSO with the Windows SSPI, but how to do it in this context is beyond my pay grade. 

max.g...@gmail.com

Jun 15, 2016, 7:41:05 AM
to waffle
Thank you Daniel. I've managed to do SSPI to GSSAPI, albeit via native Win32 SSPI and not Waffle. I am happy to leave the client side like this and just use the native Win32 SSPI API.

Can you please help me out with the server side though? It would be a massive win if I can get the server (Kafka) to do Kerberos integration without keytabs and SPNs. Can you please provide me with a sample JAAS file I can use to replace the current JAAS I have indicated above?

Kafka is just a Java (Scala) service that I have configured to use SASL via the GSSAPI mechanism. GSSAPI is done via JAAS authentication to obtain the Kerberos credentials. I believe that all I have to do in the JAAS file is to specify "waffle.jaas.WindowsLoginModule sufficient". But this does not work just like that. I think I am missing something.

The error is:
User 'null' not found in list of DIGEST-MD5 authenticateable users.
No password found for user: null
Unexpected exception, exiting abnormally
java.io.IOException: Could not configure server because SASL configuration did not allow the server to authenticate itself properly: javax.security.auth.login.LoginException

Does this suggest that the JAAS requires a password? I expected it to just do SSPI.

Daniel Doubrovkine

Jun 15, 2016, 9:03:08 AM
to waffle...@googlegroups.com
I don't know anything about JAAS, I did the sample implementation in Waffle 10 years ago, sorry.

This error suggests that it's trying to do some other kind of auth (digest-md5), this doesn't come from Waffle.
