Filebeat output to elasticsearch (open kerberos), publisher_pipeline_output WWW-Authenticate Negotiate 401 No processing

Connecting to elasticsearch (open kerberos), the authentication fails. When elasticsearch responds with 401 (Negotiate), nothing happens. Normal logic should go to the KDC to request processing.

Why doesn't filebeat request kerberos kdc in response to 401?

Successfully access elasticsearch, kibana (open kerberos) from the browser

Access to elasticsearch in curl is also successful

Version: filebeat 7.10.1, elasticsearch 7.10.1, kibana 7.10.1
Operating System: centos7
Discuss Forum URL:
Steps to Reproduce:

debug log

2021-01-08T15:29:45.251+0800 INFO eslegclient/connection.go:99 elasticsearch url: https://192.168.174.1:9200
2021-01-08T15:29:45.253+0800 INFO eslegclient/connection.go:159 kerberos client created

2021-01-08T15:29:55.436+0800 ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(https://192.168.174.1:9200)): 401 Unauthorized: {"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":["Basic realm="security" charset="UTF-8"","Negotiate","Bearer realm="security"","ApiKey"]}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":["Basic realm="security" charset="UTF-8"","Negotiate","Bearer realm="security"","ApiKey"]}},"status":401}

filebeat.yml

output.elasticsearch:
  hosts: ["192.168.174.133:9200"]
  protocol: "https"
  kerberos.enabled: true
  kerberos.auth_type: keytab
  kerberos.keytab: /etc/elastic.keytab
  kerberos.config_path: /etc/krb5.conf
  kerberos.username: elastic
  kerberos.realm: EXAMPLE.COM
  ssl.certificate_authorities: ["/etc/filebeat/elasticsearch-ca.pem"]

elasticsearch config

xpack.security.enabled: true
xpack.security.audit.enabled: true
xpack.security.transport.ssl.enabled: true

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: "http.p12"
xpack.security.authc.token.enabled: true

http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization

xpack.security.authc.realms.kerberos.kerb1:
  order: 1
  keytab.path: es24.keytab
  remove_realm_name: false
  krb.debug: true

krb5.conf
includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
EXAMPLE.COM = {
  kdc = 192.168.174.132
  admin_server = 192.168.174.132
  default_domain = example.com
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

kdc.conf

[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88

[realms]
EXAMPLE.COM = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}

Can you give me some suggestions and opinions?
