Erick Ramirez asked ·

Why does cqlsh result in a Kerberos error "LoginException: Message stream modified (41)" ?

When trying to connect to a Kerberos-enabled cluster running on CentOS 7.x with cqlsh, a login exception is thrown and the following error is logged in system.log:

ERROR [IOThread-0] 2020-03-04 05:42:32,069  DseAuthenticator.java:778 - Error obtaining subject for server identity
javax.security.auth.login.LoginException: Message stream modified (41)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:808)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:618)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
    at com.datastax.bdp.transport.server.KerberosServerUtils.loginServer(KerberosServerUtils.java:36)
    at com.datastax.bdp.cassandra.auth.DseAuthenticator$GSSAPISaslNegotiator.<init>(DseAuthenticator.java:774)
    at com.datastax.bdp.cassandra.auth.DseAuthenticator.getSaslNegotiatorForScheme(DseAuthenticator.java:682)
    at com.datastax.bdp.cassandra.auth.DseAuthenticator.access$400(DseAuthenticator.java:100)
    at com.datastax.bdp.cassandra.auth.DseAuthenticator$UnifiedSaslNegotiator.evaluateResponse(DseAuthenticator.java:513)
    ...
Caused by: sun.security.krb5.internal.KrbApErrException: Message stream modified (41)
    at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:101)
    at sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:159)
    at sun.security.krb5.KrbAsRep.decryptUsingKeyTab(KrbAsRep.java:121)
    at sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:308)
    at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:447)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:780)
    ... 31 common frames omitted
Tags: security, centos, kerberos

1 Answer

Erick Ramirez answered ·

Background

There is an issue with CentOS 7 that prevents applications from authenticating successfully with Kerberos. A quick internet search shows that the problem affects lots of different applications and is widespread. The issue is reported as a bug on CentOS and is tracked as defect ID #17000.

Workaround

Users have reported that removing the renew_lifetime parameter from the Kerberos configuration file /etc/krb5.conf allows applications to authenticate successfully. For example, remove the line:

 renew_lifetime = 7d

from the [libdefaults] section:

[libdefaults]
 default_realm = TEST.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

As stated above, this issue affects various applications and isn't specific to DataStax Enterprise or Apache Cassandra. The root cause is not completely understood so there is no available fix at the time of writing.

References

The workaround above is also documented in the DataStax Support KB article #360006872038.
