Uploaded image for project: 'Infinispan'
  1. Infinispan
  2. ISPN-4288

JGroups kerberos auth is not able to obtain credentials

This issue belongs to an archived project. You can view it, but you can't modify it. Learn more

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Duplicate
    • Icon: Major Major
    • None
    • None
    • Test Suite
    • None

      When trying to use kerberos for authentication between ISPN nodes (which uses JGroups authentication) I get following exception:

      Caused by: java.lang.Exception: connecting to channel "clustered" failed
        at org.jgroups.JChannel._connect(JChannel.java:564)
        at org.jgroups.JChannel.connect(JChannel.java:288)
        at org.jgroups.JChannel.connect(JChannel.java:273)
        at org.infinispan.remoting.transport.jgroups.JGroupsTransport.startJGroupsChannelIfNeeded(JGroupsTransport.java:198)
        ... 27 more
Caused by: java.lang.SecurityException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
        at org.jgroups.protocols.SASL.down(SASL.java:294)
        at org.jgroups.protocols.pbcast.STABLE.down(STABLE.java:347)
        at org.jgroups.protocols.pbcast.ClientGmsImpl.sendJoinMessage(ClientGmsImpl.java:243)
        at org.jgroups.protocols.pbcast.ClientGmsImpl.joinInternal(ClientGmsImpl.java:124)
        at org.jgroups.protocols.pbcast.ClientGmsImpl.join(ClientGmsImpl.java:40)
        at org.jgroups.protocols.pbcast.GMS.down(GMS.java:1082)
        at org.jgroups.protocols.FlowControl.down(FlowControl.java:340)
        at org.jgroups.protocols.FlowControl.down(FlowControl.java:340)
        at org.jgroups.protocols.FRAG2.down(FRAG2.java:136)
        at org.jgroups.protocols.RSVP.down(RSVP.java:142)
        at org.jgroups.stack.ProtocolStack.down(ProtocolStack.java:1039)
        at org.jgroups.JChannel.down(JChannel.java:785)
        at org.jgroups.JChannel._connect(JChannel.java:558)
        ... 30 more
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212) [rt.jar:1.7.0_45]
        at org.jgroups.auth.sasl.SaslClientContext.addHeader(SaslClientContext.java:84)
        at org.jgroups.protocols.SASL.down(SASL.java:289)
        ... 42 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
        at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147) [rt.jar:1.7.0_45]
        at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:121) [rt.jar:1.7.0_45]
        at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187) [rt.jar:1.7.0_45]
        at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:223) [rt.jar:1.7.0_45]
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212) [rt.jar:1.7.0_45]
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179) [rt.jar:1.7.0_45]
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193) [rt.jar:1.7.0_45]
        ... 44 more

      The test and setup can be downloaded here. Not completely sure, if it's a bug or some kerberos setup issue, but it failed also in case when I tried to use already running kerberos (not ApacheDS run in within the test).

              mircea.markus Mircea Markus (Inactive)
              vjuranek@redhat.com Vojtech Juranek
              Archiver:
              rhn-support-adongare Amol Dongare

                Created:
                Updated:
                Resolved:
                Archived: