WildFly Core / WFCORE-2378

Regression against 7.0.GA, Kerberos over CLI

Details

    Description

      It is not possible to authenticate to the CLI using Kerberos.
      The same configuration works well against 7.0.0.GA.

      17:32:21,109 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) configuredMaxReceiveBuffer=16777215
      17:32:21,109 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) relaxComplianceChecks=false
      17:32:21,109 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) QOP={AUTH}
      17:32:21,109 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) Our name 'remote@localhost.localdomain'
      17:32:21,113 INFO  [stdout] (management I/O-2) Java config name: /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb5-945898887586223869.conf
      17:32:21,113 INFO  [stdout] (management I/O-2) Loaded from Java config
      17:32:21,114 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Unable to create SaslServer: javax.security.sasl.SaslException: ELY05029: [GSSAPI] Unable to create GSSContext [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)]
      	at org.wildfly.security.sasl.gssapi.GssapiServer.<init>(GssapiServer.java:77)
      	at org.wildfly.security.sasl.gssapi.GssapiServerFactory.createSaslServer(GssapiServerFactory.java:44)
      	at org.wildfly.security.sasl.util.SecurityProviderSaslServerFactory.createSaslServer(SecurityProviderSaslServerFactory.java:77)
      	at org.wildfly.security.sasl.util.FilterMechanismSaslServerFactory.createSaslServer(FilterMechanismSaslServerFactory.java:88)
      	at org.wildfly.security.sasl.util.PropertiesSaslServerFactory.createSaslServer(PropertiesSaslServerFactory.java:56)
      	at org.wildfly.security.sasl.util.AbstractDelegatingSaslServerFactory.createSaslServer(AbstractDelegatingSaslServerFactory.java:64)
      	at org.wildfly.security.sasl.util.AbstractDelegatingSaslServerFactory.createSaslServer(AbstractDelegatingSaslServerFactory.java:64)
      	at org.wildfly.security.sasl.util.SetMechanismInformationSaslServerFactory.createSaslServer(SetMechanismInformationSaslServerFactory.java:79)
      	at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory.createSaslServer(AuthenticationCompleteCallbackSaslServerFactory.java:51)
      	at org.wildfly.security.sasl.util.TrustManagerSaslServerFactory.createSaslServer(TrustManagerSaslServerFactory.java:72)
      	at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory.createSaslServer(AuthenticationTimeoutSaslServerFactory.java:74)
      	at org.wildfly.security.sasl.util.AbstractDelegatingSaslServerFactory.createSaslServer(AbstractDelegatingSaslServerFactory.java:64)
      	at org.wildfly.security.sasl.util.ServerNameSaslServerFactory.createSaslServer(ServerNameSaslServerFactory.java:48)
      	at org.wildfly.security.sasl.util.AbstractDelegatingSaslServerFactory.createSaslServer(AbstractDelegatingSaslServerFactory.java:64)
      	at org.wildfly.security.sasl.util.ProtocolSaslServerFactory.createSaslServer(ProtocolSaslServerFactory.java:48)
      	at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory.createSaslServer(SecurityIdentitySaslServerFactory.java:51)
      	at org.wildfly.security.auth.server.SaslAuthenticationFactory.doCreate(SaslAuthenticationFactory.java:59)
      	at org.wildfly.security.auth.server.SaslAuthenticationFactory.doCreate(SaslAuthenticationFactory.java:50)
      	at org.wildfly.security.auth.server.AbstractMechanismAuthenticationFactory.createMechanism(AbstractMechanismAuthenticationFactory.java:54)
      	at org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial.handleEvent(ServerConnectionOpenListener.java:259)
      	at org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial.handleEvent(ServerConnectionOpenListener.java:125)
      	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      	at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
      	at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
      	at org.xnio.nio.WorkerThread.run(WorkerThread.java:567)
      Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)
      	at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:87)
      	at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:127)
      	at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:193)
      	at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:427)
      	at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:62)
      	at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:154)
      	at org.wildfly.security.sasl.gssapi.GssapiServer.<init>(GssapiServer.java:72)
      	... 24 more
      
      17:32:21,115 TRACE [org.jboss.remoting.remote] (management I/O-2) Rejected invalid SASL mechanism GSSAPI
      17:32:21,115 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Sent 5 bytes
      17:32:21,115 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Flushed channel
      17:32:21,115 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers in queue for message header
      17:32:21,115 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated fresh buffers
      17:32:21,115 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received 59 bytes
      17:32:21,116 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received message java.nio.HeapByteBuffer[pos=0 lim=55 cap=8192]
      17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Received java.nio.HeapByteBuffer[pos=0 lim=55 cap=8192]
      17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capabilities request
      17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: version 1
      17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote endpoint name "cli-client"
      17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: message close protocol supported
      17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote version is "5.0.0.Beta17-redhat-1"
      17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote channels in is "40"
      17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote channels out is "40"
      17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: authentication service
      17:32:21,116 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Sent 77 bytes
      17:32:21,116 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Flushed channel
      17:32:21,118 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers in queue for message header
      17:32:21,118 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated fresh buffers
      17:32:21,118 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received EOF
      17:32:21,118 TRACE [org.jboss.remoting.remote] (management I/O-2) Received connection end-of-stream
      17:32:21,441 INFO  [org.jboss.eapqe.krbldap.eap7.utils.CustomCLIExecutor] (main) CLI executor output:
      17:32:21,441 INFO  [org.jboss.eapqe.krbldap.eap7.utils.CustomCLIExecutor] (main) Java config name: /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb5-945898887586223869.conf
      Loaded from Java config
      >>>KinitOptions cache name is /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb5cc
      >>>DEBUG <CCacheInputStream>  client principal is hnelson7259cb36-69b2-4e28-afb5-f668120a8dea@JBOSS.ORG
      >>>DEBUG <CCacheInputStream> server principal is krbtgt/JBOSS.ORG@JBOSS.ORG
      >>>DEBUG <CCacheInputStream> key type: 17
      >>>DEBUG <CCacheInputStream> auth time: Thu Feb 23 17:32:11 CET 2017
      >>>DEBUG <CCacheInputStream> start time: Thu Feb 23 17:32:11 CET 2017
      >>>DEBUG <CCacheInputStream> end time: Fri Feb 24 01:32:11 CET 2017
      >>>DEBUG <CCacheInputStream> renew_till time: null
      >>> CCacheInputStream: readFlags()  INITIAL; PRE_AUTH;
      Found ticket for hnelson7259cb36-69b2-4e28-afb5-f668120a8dea@JBOSS.ORG to go to krbtgt/JBOSS.ORG@JBOSS.ORG expiring on Fri Feb 24 01:32:11 CET 2017
      Entered Krb5Context.initSecContext with state=STATE_NEW
      Service ticket not found in the subject
      >>> Credentials acquireServiceCreds: same realm
      default etypes for default_tgs_enctypes: 17.
      >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
      >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
      >>> KdcAccessibility: reset
      >>> KrbKdcReq send: kdc=localhost.localdomain UDP:6088, timeout=5000, number of retries =3, #bytes=648
      >>> KDCCommunication: kdc=localhost.localdomain UDP:6088, timeout=5000,Attempt =1, #bytes=648
      >>> KrbKdcReq send: #bytes read=634
      >>> KdcAccessibility: remove localhost.localdomain:6088
      >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
      >>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000
      >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
      Krb5Context setting mySeqNumber to: 951540638
      Krb5Context setting peerSeqNumber to: 0
      Created InitSecContextToken:
      
      Failed to connect to the controller: Unable to authenticate against controller at localhost.localdomain:9990: Authentication failed: all available authentication mechanisms failed:
         GSSAPI: Server rejected authentication
      

            People

              darran.lofthouse@redhat.com Darran Lofthouse
              mchoma@redhat.com Martin Choma