Loading...

Details

Type: Bug
Resolution: Done
Priority: Blocker
Fix Version/s: 3.0.0.Beta29
Affects Version/s: None
Component/s: Security
Labels:
None

Steps to Reproduce:
Hide

/subsystem=elytron/configurable-sasl-server-factory=configured:list-add(name=filters, value={pattern-filter=GSSAPI}) /subsystem=elytron/kerberos-security-factory=kerberosSecurityFactory:add(name=kerberosSecurityFactory, principal=remote/localhost.localdomain@JBOSS.ORG, path=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.1141298291371780269.keytab, debug=true) /subsystem=elytron/filesystem-realm=fileSystemRealm:add(path=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/KerberosCLITestCase/fs-realm-users) /subsystem=elytron/simple-role-decoder=simpleRoleDecoder:add(attribute=Roles) /subsystem=elytron/regex-principal-transformer=principalTransformer:add(pattern=@.*, replacement=) /subsystem=elytron/security-domain=securityDomain:add(default-realm=fileSystemRealm, realms=[{realm => fileSystemRealm, role-decoder => simpleRoleDecoder}], pre-realm-principal-transformer=principalTransformer, permission-mapper=default-permission-mapper) /subsystem=elytron/sasl-authentication-factory=SaslAuthenticationFactory:add(security-domain=securityDomain, sasl-server-factory=configured, mechanism-configurations=[{mechanism-name => GSSAPI, credential-security-factory => kerberosSecurityFactory, mechanism-realm-configurations => [{realm-name => fileSystemRealm}]}]) /subsystem=elytron/filesystem-realm=fileSystemRealm:add-identity(identity=jdukef3677204-8397-4dd5-bc7b-160d26c0aefb) /core-service=management/management-interface=http-interface:write-attribute(name=http-upgrade.sasl-authentication-factory, value=SaslAuthenticationFactory){allow-resource-service-restart=true}

[1] https://doc-stage.usersys.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1.beta/html-single/how_to_set_up_sso_with_kerberos/#configure-krb-management-interfaces
Show
/subsystem=elytron/configurable-sasl-server-factory=configured:list-add(name=filters, value={pattern-filter=GSSAPI}) /subsystem=elytron/kerberos-security-factory=kerberosSecurityFactory:add(name=kerberosSecurityFactory, principal=remote/localhost.localdomain@JBOSS.ORG, path=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.1141298291371780269.keytab, debug= true ) /subsystem=elytron/filesystem-realm=fileSystemRealm:add(path=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/KerberosCLITestCase/fs-realm-users) /subsystem=elytron/simple-role-decoder=simpleRoleDecoder:add(attribute=Roles) /subsystem=elytron/regex-principal-transformer=principalTransformer:add(pattern=@.*, replacement=) /subsystem=elytron/security-domain=securityDomain:add( default -realm=fileSystemRealm, realms=[{realm => fileSystemRealm, role-decoder => simpleRoleDecoder}], pre-realm-principal-transformer=principalTransformer, permission-mapper= default -permission-mapper) /subsystem=elytron/sasl-authentication-factory=SaslAuthenticationFactory:add(security-domain=securityDomain, sasl-server-factory=configured, mechanism-configurations=[{mechanism-name => GSSAPI, credential-security-factory => kerberosSecurityFactory, mechanism-realm-configurations => [{realm-name => fileSystemRealm}]}]) /subsystem=elytron/filesystem-realm=fileSystemRealm:add-identity(identity=jdukef3677204-8397-4dd5-bc7b-160d26c0aefb) /core-service=management/management- interface =http- interface :write-attribute(name=http-upgrade.sasl-authentication-factory, value=SaslAuthenticationFactory){allow-resource-service-restart= true } [1] https://doc-stage.usersys.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1.beta/html-single/how_to_set_up_sso_with_kerberos/#configure-krb-management-interfaces

Description

Trying to connect with jboss-cli to server using kerberos leads to error

14:41:22,654 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-7) Client selected security layer AUTH, with maxBuffer of 65536
14:41:22,655 TRACE [org.jboss.remoting.remote.server] (management task-7) Server sending authentication rejected: javax.security.sasl.SaslException: ELY05123: [GSSAPI] No security layer selected but message length received
	at org.wildfly.security.sasl.gssapi.GssapiServer.evaluateMessage(GssapiServer.java:245)
	at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:180)
	at org.wildfly.security.sasl.gssapi.GssapiServer.evaluateResponse(GssapiServer.java:121)
	at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
	at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
	at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:57)
	at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)
	at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)
	at org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:470)
	at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:902)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)

Error message is little bit confusing as previous log message claims AUTH security layer is selected.

Looking into code does not reveal meaning to me neither.

GssapiServer.java

	log.tracef("Client selected security layer %s, with maxBuffer of %d", selectedQop, maxBuffer);
	if (relaxComplianceChecks == false && selectedQop == QOP.AUTH && maxBuffer != 0) {
	    throw log.mechNoSecurityLayerButLengthReceived(getMechanismName()).toSaslException();
	}

Attachments

Issue Links

clones

JBEAP-11381 Regression in DR19, Elytron unable to authenticate with kerberos using jboss-cli

Verified

Regression in DR19, Elytron unable to authenticate with kerberos using jboss-cli

Details

Description

Attachments

Issue Links

Activity

People

Dates