Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Blocker
Fix Version/s: 7.1.0.ER2
Affects Version/s: 7.1.0.DR17
Component/s: Remoting, Security
Labels:
None

Affects Testing:

Regression
CDW blocker:
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Target Release:

7.1.0.GA
Git Pull Request:
https://github.com/jboss-remoting/jboss-remoting/pull/125
Steps to Reproduce:
Hide

Follow documentation https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/html-single/how_to_set_up_sso_with_kerberos/#configure-krb-management-interfaces

Misconfiugre server-identity=kerberos to use wrong realm (remote/localhost.localdomain@WRONG_REALM.ORG) or wrong service (WRONG_SERVICE/localhost.localdomain@JBOSS.ORG)

/core-service=management/security-realm=ManagementRealm/server-identity=kerberos/keytab=remote\/hostname@WRONG_REALM.ORG:add( path=/home\/username\/service.keytab,debug=true)

specifying fallback user with jboss-cli parameters --user and --password does not work.
Show
Follow documentation https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/html-single/how_to_set_up_sso_with_kerberos/#configure-krb-management-interfaces Misconfiugre server-identity=kerberos to use wrong realm (remote/localhost.localdomain@WRONG_REALM.ORG) or wrong service (WRONG_SERVICE/localhost.localdomain@JBOSS.ORG) /core-service=management/security-realm=ManagementRealm/server-identity=kerberos/keytab=remote\/hostname@WRONG_REALM.ORG:add( path=/home\/username\/service.keytab,debug= true ) specifying fallback user with jboss-cli parameters --user and --password does not work.

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

User impact: User relying on fallback authentication mechanism in case of Kerberos can't.
When migrating EAP 7.0 configuration to EAP 7.1 configuration fallbacking does not work as in EAP 7.0.

This worked well in DR16.

When GSSAPI mechanism fails other mechanism e.g. PLAIN doesn't occure.

server.log

14:47:03,078 TRACE [org.wildfly.security] (management I/O-2) Handling MechanismInformationCallback type='SASL' name='GSSAPI' host-name='localhost.localdomain' protocol='remote'
14:47:03,078 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) configuredMaxReceiveBuffer=16777215
14:47:03,078 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) relaxComplianceChecks=false
14:47:03,078 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) QOP={AUTH}
14:47:03,078 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) Obtaining GSSCredential for the service from callback handler...
14:47:03,078 TRACE [org.jboss.as.domain.management.security] (management I/O-2) Selected KeytabService with principal 'remote/localhost.localdomain@WRONG_REALM.ORG' for host 'localhost.localdomain'
14:47:03,079 INFO  [stdout] (management I/O-2) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator false KeyTab is /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.5505588796137857648.keytab refreshKrb5Config is false principal is remote/localhost.localdomain@WRONG_REALM.ORG tryFirstPass is false useFirstPass is false storePass is false clearPass is false
14:47:03,079 INFO  [stdout] (management I/O-2) principal is remote/localhost.localdomain@WRONG_REALM.ORG
14:47:03,079 INFO  [stdout] (management I/O-2) Will use keytab
14:47:03,079 INFO  [stdout] (management I/O-2) Commit Succeeded 
14:47:03,079 INFO  [stdout] (management I/O-2) 
14:47:03,079 INFO  [stdout] (management I/O-2) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.5505588796137857648.keytab for remote/localhost.localdomain@WRONG_REALM.ORG
14:47:03,080 INFO  [stdout] (management I/O-2) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.5505588796137857648.keytab for remote/localhost.localdomain@WRONG_REALM.ORG
14:47:03,080 INFO  [stdout] (management I/O-2) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.5505588796137857648.keytab for remote/localhost.localdomain@WRONG_REALM.ORG
14:47:03,080 INFO  [stdout] (management I/O-2) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.5505588796137857648.keytab for remote/localhost.localdomain@WRONG_REALM.ORG
14:47:03,080 TRACE [org.wildfly.security] (management I/O-2) Handling ServerCredentialCallback: successfully obtained credential type type=class org.wildfly.security.credential.GSSKerberosCredential, algorithm=null, params=null
14:47:03,080 TRACE [org.jboss.remoting.endpoint] (management I/O-2) Allocated tick to 9 of endpoint "localhost:MANAGEMENT" <15985cc1> (opened org.jboss.remoting3.EndpointImpl$TrackingExecutor@211c95d4)
14:47:03,081 INFO  [stdout] (management task-6) Entered Krb5Context.acceptSecContext with state=STATE_NEW
14:47:03,082 INFO  [stdout] (management task-6) Looking for keys for: remote/localhost.localdomain@WRONG_REALM.ORG
14:47:03,083 TRACE [org.jboss.remoting.remote.server] (management task-6) Server sending authentication rejected: javax.security.sasl.SaslException: ELY05031: [GSSAPI] Unable to accept SASL client message [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES128 CTS mode with HMAC SHA1-96)]
	at org.wildfly.security.sasl.gssapi.GssapiServer.evaluateMessage(GssapiServer.java:152)
	at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:180)
	at org.wildfly.security.sasl.gssapi.GssapiServer.evaluateResponse(GssapiServer.java:121)
	at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
	at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
	at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:57)
	at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)
	at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)
	at org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:467)
	at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:891)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES128 CTS mode with HMAC SHA1-96)
	at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
	at org.wildfly.security.sasl.gssapi.GssapiServer.evaluateMessage(GssapiServer.java:131)
	... 12 more
Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES128 CTS mode with HMAC SHA1-96
	at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278)
	at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
	at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
	at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
	... 15 more

14:47:03,083 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-6) dispose
14:47:03,083 TRACE [org.wildfly.security] (management task-6) Handling AuthenticationCompleteCallback: fail
14:47:03,084 TRACE [org.jboss.remoting.endpoint] (management task-6) Resource closed count 00000008 of endpoint "localhost:MANAGEMENT" <15985cc1> (closed org.jboss.remoting3.EndpointImpl$TrackingExecutor@211c95d4)
14:47:03,084 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Sent 5 bytes
14:47:03,084 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Flushed channel
14:47:03,084 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Shut down writes on channel
14:47:03,086 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers in queue for message header
14:47:03,086 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated fresh buffers
14:47:03,086 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received EOF
14:47:03,087 TRACE [org.jboss.remoting.remote] (management I/O-2) Received connection end-of-stream
14:47:03,108 INFO  [org.jboss.eapqe.krbldap.eap7.utils.CustomCLIExecutor] (main) CLI executor output:
14:47:03,109 INFO  [org.jboss.eapqe.krbldap.eap7.utils.CustomCLIExecutor] (main) Java config name: /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb5-1708048015373854835.conf
Loaded from Java config
>>>KinitOptions cache name is /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb5cc
>>>DEBUG <CCacheInputStream>  client principal is hnelson30d3d46a-214b-4b2d-903e-c484ebab7908@JBOSS.ORG
>>>DEBUG <CCacheInputStream> server principal is krbtgt/JBOSS.ORG@JBOSS.ORG
>>>DEBUG <CCacheInputStream> key type: 17
>>>DEBUG <CCacheInputStream> auth time: Tue May 02 14:46:23 CEST 2017
>>>DEBUG <CCacheInputStream> start time: Tue May 02 14:46:23 CEST 2017
>>>DEBUG <CCacheInputStream> end time: Tue May 02 22:46:23 CEST 2017
>>>DEBUG <CCacheInputStream> renew_till time: null
>>> CCacheInputStream: readFlags()  INITIAL; PRE_AUTH;
Found ticket for hnelson30d3d46a-214b-4b2d-903e-c484ebab7908@JBOSS.ORG to go to krbtgt/JBOSS.ORG@JBOSS.ORG expiring on Tue May 02 22:46:23 CEST 2017
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 17.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
>>> KdcAccessibility: reset
>>> KrbKdcReq send: kdc=localhost.localdomain UDP:6088, timeout=5000, number of retries =3, #bytes=648
>>> KDCCommunication: kdc=localhost.localdomain UDP:6088, timeout=5000,Attempt =1, #bytes=648
>>> KrbKdcReq send: #bytes read=634
>>> KdcAccessibility: remove localhost.localdomain:6088
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
>>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
Krb5Context setting mySeqNumber to: 23519002
Krb5Context setting peerSeqNumber to: 0
Created InitSecContextToken:
0000: 01 00 6E 82 02 2C 30 82   02 28 A0 03 02 01 05 A1  ..n..,0..(......
0010: 03 02 01 0E A2 07 03 05   00 00 00 00 00 A3 82 01  ................
0020: 2C 61 82 01 28 30 82 01   24 A0 03 02 01 05 A1 0B  ,a..(0..$.......
0030: 1B 09 4A 42 4F 53 53 2E   4F 52 47 A2 2A 30 28 A0  ..JBOSS.ORG.*0(.
0040: 03 02 01 00 A1 21 30 1F   1B 06 72 65 6D 6F 74 65  .....!0...remote
0050: 1B 15 6C 6F 63 61 6C 68   6F 73 74 2E 6C 6F 63 61  ..localhost.loca
0060: 6C 64 6F 6D 61 69 6E A3   81 E3 30 81 E0 A0 03 02  ldomain...0.....
0070: 01 11 A2 81 D8 04 81 D5   6B C5 1A F4 8B 3A B3 7B  ........k....:..
0080: AE 21 B6 7C 76 DA 7F 42   F7 74 77 08 B1 47 5E 91  .!..v..B.tw..G^.
0090: 2D 93 54 AA FF 8B A2 A3   F4 ED E4 20 58 8F 1D 3A  -.T........ X..:
00A0: 11 1D E7 26 86 BF 70 A9   64 F2 D4 B6 E5 5A 7B 6D  ...&..p.d....Z.m
00B0: D4 4A 47 C3 7E A8 40 8F   6A CE B1 B0 E4 8C 00 CC  .JG...@.j.......
00C0: AD D0 30 23 D7 A2 6D 55   58 32 9C 0E 4D 48 78 62  ..0#..mUX2..MHxb
00D0: 7C BD C5 64 05 A4 2A F1   A7 D9 29 C2 78 F5 A0 E8  ...d..*...).x...
00E0: C3 24 77 34 C0 6A 70 27   42 20 47 EA E8 BE 7A 1C  .$w4.jp'B G...z.
00F0: 72 3A AB 01 E9 5B 71 7A   86 AE E8 D8 00 94 17 2F  r:...[qz......./
0100: 3F 8F 62 FC 58 4B 27 86   24 78 B9 97 71 1B E4 ED  ?.b.XK'.$x..q...
0110: 93 A5 8F 1C 1B 7A 31 17   E4 E5 90 2A 02 88 22 39  .....z1....*.."9
0120: 9D B9 48 05 89 A2 8D F6   4F E7 29 C6 75 CE 2A EB  ..H.....O.).u.*.
0130: A4 EB 60 C7 DA 26 AB 75   17 8C 9E 0B 55 A6 69 5B  ..`..&.u....U.i[
0140: 53 DF 41 F7 E0 48 01 53   44 F3 8A 8F 5A A4 81 E2  S.A..H.SD...Z...
0150: 30 81 DF A0 03 02 01 11   A2 81 D7 04 81 D4 F2 C9  0...............
0160: 95 00 E1 89 EB 9F AF 03   DB 8E 9C 9B F5 FF E4 AF  ................
0170: BD AB 4C FA 87 FD 87 B4   0B C8 21 53 7C A2 D9 07  ..L.......!S....
0180: 0D 63 D5 EA 76 D4 30 C4   17 ED 1D 90 6B 46 20 BE  .c..v.0.....kF .
0190: 28 C0 02 87 7D D8 EC 21   0F 50 FC 39 D7 0B AD C3  (......!.P.9....
01A0: 07 10 7A F4 79 71 0E 59   5C 8D 55 D6 71 54 4B 35  ..z.yq.Y\.U.qTK5
01B0: EE E7 33 87 BD 21 78 79   76 49 DF FA 17 CA 5A B2  ..3..!xyvI....Z.
01C0: A6 72 4C 6B E2 CB A6 8F   2E 8B 1B F4 DD 41 4D 85  .rLk.........AM.
01D0: 5D 9A 92 5A 90 EB 2F 80   7A 02 F4 05 9A 54 1D D5  ]..Z../.z....T..
01E0: 0F 04 12 53 29 1D A1 D3   5B 08 E4 FA 75 F0 AE 2E  ...S)...[...u...
01F0: F6 07 0E 44 BD F2 6C 0F   3F 95 14 D6 75 2F 12 08  ...D..l.?...u/..
0200: 0E F5 6E B9 CB 28 6A 5C   51 7E 4F 9D E0 2F 18 1C  ..n..(j\Q.O../..
0210: 0D 0D 18 AA 31 FE 8E D2   42 AD CA 62 B1 EF 69 9D  ....1...B..b..i.
0220: 88 82 57 36 58 B2 72 CF   35 54 B1 BE 9B 57 10 F5  ..W6X.r.5T...W..
0230: 2C FF                                              ,.

Failed to connect to the controller: The controller is not available at localhost.localdomain:9990: java.net.ConnectException: WFLYPRT0053: Could not connect to remote+http://localhost.localdomain:9990. The connection failed: WFLYPRT0053: Could not connect to remote+http://localhost.localdomain:9990. The connection failed: JBREM000202: Abrupt close on Remoting connection 79a3d728 to localhost.localdomain/127.0.0.1:9990 of endpoint "cli-client" <24aed80c>

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

standalone.xml
34 kB
2017/06/20 8:30 AM

is caused by

REM3-289 Failed Authentication Attempts Being Counted Twice

Resolved

is cloned by

WFCORE-2892 Regression in legacy security in DR17, Kerberos for CLI

Resolved

is incorporated by

JBEAP-11716 Upgrade JBoss Remoting to 5.0.0.CR2

Closed

Assignee:: Darran Lofthouse

Reporter:: Martin Choma

Tester:: Martin Choma

QA Contact:: Martin Choma

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2017/05/02 9:03 AM

Updated:: 2024/09/02 3:49 PM

Resolved:: 2017/06/29 8:59 AM

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates