Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-10668

Regression in legacy security in DR17, Kerberos for CLI

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Blocker Blocker
    • 7.1.0.ER2
    • 7.1.0.DR17
    • Remoting, Security
    • None
    • Regression
    • Hide
      Show
      Follow documentation https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/html-single/how_to_set_up_sso_with_kerberos/#configure-krb-management-interfaces Misconfiugre server-identity=kerberos to use wrong realm (remote/localhost.localdomain@WRONG_REALM.ORG) or wrong service (WRONG_SERVICE/localhost.localdomain@JBOSS.ORG) /core-service=management/security-realm=ManagementRealm/server-identity=kerberos/keytab=remote\/hostname@WRONG_REALM.ORG:add( path=/home\/username\/service.keytab,debug= true ) specifying fallback user with jboss-cli parameters --user and --password does not work.

      User impact: User relying on fallback authentication mechanism in case of Kerberos can't.
      When migrating EAP 7.0 configuration to EAP 7.1 configuration fallbacking does not work as in EAP 7.0.

      This worked well in DR16.

      When GSSAPI mechanism fails other mechanism e.g. PLAIN doesn't occure.

      server.log
      14:47:03,078 TRACE [org.wildfly.security] (management I/O-2) Handling MechanismInformationCallback type='SASL' name='GSSAPI' host-name='localhost.localdomain' protocol='remote'
      14:47:03,078 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) configuredMaxReceiveBuffer=16777215
      14:47:03,078 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) relaxComplianceChecks=false
      14:47:03,078 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) QOP={AUTH}
      14:47:03,078 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) Obtaining GSSCredential for the service from callback handler...
      14:47:03,078 TRACE [org.jboss.as.domain.management.security] (management I/O-2) Selected KeytabService with principal 'remote/localhost.localdomain@WRONG_REALM.ORG' for host 'localhost.localdomain'
      14:47:03,079 INFO  [stdout] (management I/O-2) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator false KeyTab is /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.5505588796137857648.keytab refreshKrb5Config is false principal is remote/localhost.localdomain@WRONG_REALM.ORG tryFirstPass is false useFirstPass is false storePass is false clearPass is false
      14:47:03,079 INFO  [stdout] (management I/O-2) principal is remote/localhost.localdomain@WRONG_REALM.ORG
      14:47:03,079 INFO  [stdout] (management I/O-2) Will use keytab
      14:47:03,079 INFO  [stdout] (management I/O-2) Commit Succeeded 
      14:47:03,079 INFO  [stdout] (management I/O-2) 
      14:47:03,079 INFO  [stdout] (management I/O-2) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.5505588796137857648.keytab for remote/localhost.localdomain@WRONG_REALM.ORG
      14:47:03,080 INFO  [stdout] (management I/O-2) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.5505588796137857648.keytab for remote/localhost.localdomain@WRONG_REALM.ORG
      14:47:03,080 INFO  [stdout] (management I/O-2) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.5505588796137857648.keytab for remote/localhost.localdomain@WRONG_REALM.ORG
      14:47:03,080 INFO  [stdout] (management I/O-2) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.5505588796137857648.keytab for remote/localhost.localdomain@WRONG_REALM.ORG
      14:47:03,080 TRACE [org.wildfly.security] (management I/O-2) Handling ServerCredentialCallback: successfully obtained credential type type=class org.wildfly.security.credential.GSSKerberosCredential, algorithm=null, params=null
      14:47:03,080 TRACE [org.jboss.remoting.endpoint] (management I/O-2) Allocated tick to 9 of endpoint "localhost:MANAGEMENT" <15985cc1> (opened org.jboss.remoting3.EndpointImpl$TrackingExecutor@211c95d4)
      14:47:03,081 INFO  [stdout] (management task-6) Entered Krb5Context.acceptSecContext with state=STATE_NEW
      14:47:03,082 INFO  [stdout] (management task-6) Looking for keys for: remote/localhost.localdomain@WRONG_REALM.ORG
      14:47:03,083 TRACE [org.jboss.remoting.remote.server] (management task-6) Server sending authentication rejected: javax.security.sasl.SaslException: ELY05031: [GSSAPI] Unable to accept SASL client message [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES128 CTS mode with HMAC SHA1-96)]
      	at org.wildfly.security.sasl.gssapi.GssapiServer.evaluateMessage(GssapiServer.java:152)
      	at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:180)
      	at org.wildfly.security.sasl.gssapi.GssapiServer.evaluateResponse(GssapiServer.java:121)
      	at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
      	at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
      	at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:57)
      	at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)
      	at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)
      	at org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:467)
      	at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:891)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES128 CTS mode with HMAC SHA1-96)
      	at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
      	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
      	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
      	at org.wildfly.security.sasl.gssapi.GssapiServer.evaluateMessage(GssapiServer.java:131)
      	... 12 more
      Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES128 CTS mode with HMAC SHA1-96
      	at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278)
      	at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
      	at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
      	at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
      	... 15 more
      
      14:47:03,083 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-6) dispose
      14:47:03,083 TRACE [org.wildfly.security] (management task-6) Handling AuthenticationCompleteCallback: fail
      14:47:03,084 TRACE [org.jboss.remoting.endpoint] (management task-6) Resource closed count 00000008 of endpoint "localhost:MANAGEMENT" <15985cc1> (closed org.jboss.remoting3.EndpointImpl$TrackingExecutor@211c95d4)
      14:47:03,084 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Sent 5 bytes
      14:47:03,084 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Flushed channel
      14:47:03,084 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Shut down writes on channel
      14:47:03,086 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers in queue for message header
      14:47:03,086 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated fresh buffers
      14:47:03,086 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received EOF
      14:47:03,087 TRACE [org.jboss.remoting.remote] (management I/O-2) Received connection end-of-stream
      14:47:03,108 INFO  [org.jboss.eapqe.krbldap.eap7.utils.CustomCLIExecutor] (main) CLI executor output:
      14:47:03,109 INFO  [org.jboss.eapqe.krbldap.eap7.utils.CustomCLIExecutor] (main) Java config name: /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb5-1708048015373854835.conf
      Loaded from Java config
      >>>KinitOptions cache name is /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb5cc
      >>>DEBUG <CCacheInputStream>  client principal is hnelson30d3d46a-214b-4b2d-903e-c484ebab7908@JBOSS.ORG
      >>>DEBUG <CCacheInputStream> server principal is krbtgt/JBOSS.ORG@JBOSS.ORG
      >>>DEBUG <CCacheInputStream> key type: 17
      >>>DEBUG <CCacheInputStream> auth time: Tue May 02 14:46:23 CEST 2017
      >>>DEBUG <CCacheInputStream> start time: Tue May 02 14:46:23 CEST 2017
      >>>DEBUG <CCacheInputStream> end time: Tue May 02 22:46:23 CEST 2017
      >>>DEBUG <CCacheInputStream> renew_till time: null
      >>> CCacheInputStream: readFlags()  INITIAL; PRE_AUTH;
      Found ticket for hnelson30d3d46a-214b-4b2d-903e-c484ebab7908@JBOSS.ORG to go to krbtgt/JBOSS.ORG@JBOSS.ORG expiring on Tue May 02 22:46:23 CEST 2017
      Entered Krb5Context.initSecContext with state=STATE_NEW
      Service ticket not found in the subject
      >>> Credentials acquireServiceCreds: same realm
      default etypes for default_tgs_enctypes: 17.
      >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
      >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
      >>> KdcAccessibility: reset
      >>> KrbKdcReq send: kdc=localhost.localdomain UDP:6088, timeout=5000, number of retries =3, #bytes=648
      >>> KDCCommunication: kdc=localhost.localdomain UDP:6088, timeout=5000,Attempt =1, #bytes=648
      >>> KrbKdcReq send: #bytes read=634
      >>> KdcAccessibility: remove localhost.localdomain:6088
      >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
      >>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000
      >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
      Krb5Context setting mySeqNumber to: 23519002
      Krb5Context setting peerSeqNumber to: 0
      Created InitSecContextToken:
      0000: 01 00 6E 82 02 2C 30 82   02 28 A0 03 02 01 05 A1  ..n..,0..(......
      0010: 03 02 01 0E A2 07 03 05   00 00 00 00 00 A3 82 01  ................
      0020: 2C 61 82 01 28 30 82 01   24 A0 03 02 01 05 A1 0B  ,a..(0..$.......
      0030: 1B 09 4A 42 4F 53 53 2E   4F 52 47 A2 2A 30 28 A0  ..JBOSS.ORG.*0(.
      0040: 03 02 01 00 A1 21 30 1F   1B 06 72 65 6D 6F 74 65  .....!0...remote
      0050: 1B 15 6C 6F 63 61 6C 68   6F 73 74 2E 6C 6F 63 61  ..localhost.loca
      0060: 6C 64 6F 6D 61 69 6E A3   81 E3 30 81 E0 A0 03 02  ldomain...0.....
      0070: 01 11 A2 81 D8 04 81 D5   6B C5 1A F4 8B 3A B3 7B  ........k....:..
      0080: AE 21 B6 7C 76 DA 7F 42   F7 74 77 08 B1 47 5E 91  .!..v..B.tw..G^.
      0090: 2D 93 54 AA FF 8B A2 A3   F4 ED E4 20 58 8F 1D 3A  -.T........ X..:
      00A0: 11 1D E7 26 86 BF 70 A9   64 F2 D4 B6 E5 5A 7B 6D  ...&..p.d....Z.m
      00B0: D4 4A 47 C3 7E A8 40 8F   6A CE B1 B0 E4 8C 00 CC  .JG...@.j.......
      00C0: AD D0 30 23 D7 A2 6D 55   58 32 9C 0E 4D 48 78 62  ..0#..mUX2..MHxb
      00D0: 7C BD C5 64 05 A4 2A F1   A7 D9 29 C2 78 F5 A0 E8  ...d..*...).x...
      00E0: C3 24 77 34 C0 6A 70 27   42 20 47 EA E8 BE 7A 1C  .$w4.jp'B G...z.
      00F0: 72 3A AB 01 E9 5B 71 7A   86 AE E8 D8 00 94 17 2F  r:...[qz......./
      0100: 3F 8F 62 FC 58 4B 27 86   24 78 B9 97 71 1B E4 ED  ?.b.XK'.$x..q...
      0110: 93 A5 8F 1C 1B 7A 31 17   E4 E5 90 2A 02 88 22 39  .....z1....*.."9
      0120: 9D B9 48 05 89 A2 8D F6   4F E7 29 C6 75 CE 2A EB  ..H.....O.).u.*.
      0130: A4 EB 60 C7 DA 26 AB 75   17 8C 9E 0B 55 A6 69 5B  ..`..&.u....U.i[
      0140: 53 DF 41 F7 E0 48 01 53   44 F3 8A 8F 5A A4 81 E2  S.A..H.SD...Z...
      0150: 30 81 DF A0 03 02 01 11   A2 81 D7 04 81 D4 F2 C9  0...............
      0160: 95 00 E1 89 EB 9F AF 03   DB 8E 9C 9B F5 FF E4 AF  ................
      0170: BD AB 4C FA 87 FD 87 B4   0B C8 21 53 7C A2 D9 07  ..L.......!S....
      0180: 0D 63 D5 EA 76 D4 30 C4   17 ED 1D 90 6B 46 20 BE  .c..v.0.....kF .
      0190: 28 C0 02 87 7D D8 EC 21   0F 50 FC 39 D7 0B AD C3  (......!.P.9....
      01A0: 07 10 7A F4 79 71 0E 59   5C 8D 55 D6 71 54 4B 35  ..z.yq.Y\.U.qTK5
      01B0: EE E7 33 87 BD 21 78 79   76 49 DF FA 17 CA 5A B2  ..3..!xyvI....Z.
      01C0: A6 72 4C 6B E2 CB A6 8F   2E 8B 1B F4 DD 41 4D 85  .rLk.........AM.
      01D0: 5D 9A 92 5A 90 EB 2F 80   7A 02 F4 05 9A 54 1D D5  ]..Z../.z....T..
      01E0: 0F 04 12 53 29 1D A1 D3   5B 08 E4 FA 75 F0 AE 2E  ...S)...[...u...
      01F0: F6 07 0E 44 BD F2 6C 0F   3F 95 14 D6 75 2F 12 08  ...D..l.?...u/..
      0200: 0E F5 6E B9 CB 28 6A 5C   51 7E 4F 9D E0 2F 18 1C  ..n..(j\Q.O../..
      0210: 0D 0D 18 AA 31 FE 8E D2   42 AD CA 62 B1 EF 69 9D  ....1...B..b..i.
      0220: 88 82 57 36 58 B2 72 CF   35 54 B1 BE 9B 57 10 F5  ..W6X.r.5T...W..
      0230: 2C FF                                              ,.
      
      Failed to connect to the controller: The controller is not available at localhost.localdomain:9990: java.net.ConnectException: WFLYPRT0053: Could not connect to remote+http://localhost.localdomain:9990. The connection failed: WFLYPRT0053: Could not connect to remote+http://localhost.localdomain:9990. The connection failed: JBREM000202: Abrupt close on Remoting connection 79a3d728 to localhost.localdomain/127.0.0.1:9990 of endpoint "cli-client" <24aed80c>
      

              darran.lofthouse@redhat.com Darran Lofthouse
              mchoma@redhat.com Martin Choma
              Martin Choma Martin Choma
              Martin Choma Martin Choma
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: