Replies: 1 comment
-
Haven't personally heard about this issue before, though we have had some reports about Kerberos in general. For example, we have this: #2118. As a suggestion: try asking around in our Discord, some might've experienced this. The invite link is available in the README.
-
Hi,
I have set up kafka-ui to integrate with a Kafka cluster where both TLS and Kerberos are enabled.
When I start the docker everything works, but it looks like after 1 day everything is still up and running but some of the options are not functioning, like “read message” from a topic. The error message I’m getting is the following:
“Connection to node -3 (kafka3.lab.com/x.x.x.x:9093) terminated during authentication. This may happen due to any of the following reasons: (1) Authentication failed due to invalid credentials with brokers older than 1.0.0, (2) Firewall blocking Kafka TLS traffic (eg it may only allow HTTPS traffic), (3) Transient network issue.”
I suspected that I have a problem with the ticket renewal, so in the krb5.conf file I changed the ticket_lifetime parameter to 2 minutes and the renew_lifetime parameter to 1 minute.
After applying the configuration, I got the error message after 2 minutes – meaning that the ticket was not renewed.
Any advice?
This is my configuration of the docker-compose file:

version: '3.4'
services:
  kafka-ui:
    container_name: kafka-ui
    image: provectuslabs/kafka-ui:latest
    ports:
      - 80:8080
    volumes:
      - ./lab/lab.truststore:/etc/kafkaui/lab/lab.truststore:U
      - ./lab/systemuser.keytab:/etc/kafkaui/lab/systemuser.keytab:U
      - ./krb5.conf:/etc/krb5.conf:U

krb5.conf file:

[libdefaults]
    default_realm = LAB.COM
    dns_lookup_kdc = false
    dns_lookup_realm = false
    ticket_lifetime = 120
    renew_lifetime = 60
    allow_weak_crypto = true
    forwardable = true
    default_tgs_enctypes = rc4-hmac
    default_tkt_enctypes = rc4-hmac
    permitted_enctypes = rc4-hmac
    udp_preference_limit = 1
    kdc_timeout = 3000

[realms]
    LAB.COM = {
        kdc = x.x.x.x
        admin_server = x.x.x.x
    }

[domain_realm]
    .lab.com = LAB.COM
    lab.com = LAB.COM
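
A lint for the two things a reviewer would check in the [libdefaults] section posted above: whether renew_lifetime leaves any renewal window beyond ticket_lifetime, and whether deprecated enctypes are enabled. This is an added example, not code from the post or from the kafka-ui project; the function names are hypothetical and SAMPLE is constructed from the values quoted in the question.

```python
import re
# Constructed sample: the [libdefaults] values quoted in the question above.
SAMPLE = """[libdefaults]
ticket_lifetime = 120
renew_lifetime = 60
allow_weak_crypto = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
"""
# RC4 and single-DES enctypes, deprecated by RFC 8429 and RFC 6649.
DEPRECATED = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5", "des-cbc-crc", "des-cbc-md5"}
UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def to_seconds(value):
    """Parse a krb5.conf duration: bare seconds, 1d2h3m4s, or h:m[:s]."""
    value = value.strip().lower()
    if value.isdigit():
        return int(value)
    if ":" in value:
        h, m, s = ([int(p) for p in value.split(":")] + [0])[:3]
        return h * 3600 + m * 60 + s
    fields = re.findall(r"(\d+)\s*([dhms])", value)
    if not fields:
        raise ValueError(f"unrecognised duration: {value!r}")
    return sum(int(n) * UNITS[u] for n, u in fields)

def libdefaults(text):  # key = value pairs from the [libdefaults] section only
    section, found = None, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "libdefaults" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            found[key.strip()] = value.strip()
    return found

def lint(text):
    """Return (setting, reason) findings for renewal window and enctypes."""
    cfg, findings = libdefaults(text), []
    ticket, renew = cfg.get("ticket_lifetime"), cfg.get("renew_lifetime")
    if ticket and renew and to_seconds(renew) <= to_seconds(ticket):
        findings.append(("renew_lifetime", "not longer than ticket_lifetime"))
    if cfg.get("allow_weak_crypto", "").lower() in ("true", "yes", "y", "t", "1", "on"):
        findings.append(("allow_weak_crypto", "weak enctypes permitted"))
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        if bad := sorted(DEPRECATED & set(re.split(r"[\s,]+", cfg.get(key, "").lower()))):
            findings.append((key, "deprecated enctype: " + ", ".join(bad)))
    return findings
```

The renewable lifetime is counted from the initial authentication, not added on top of the ticket lifetime, so a renew_lifetime at or below ticket_lifetime leaves nothing to renew; `lint(SAMPLE)` reports that setting along with the four RC4-related ones.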