Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-10668

Regression in legacy security in DR17, Kerberos for CLI

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Blocker Blocker
    • 7.1.0.ER2
    • 7.1.0.DR17
    • Remoting, Security
    • None
    • Regression
    • Hide
      Show
      Follow documentation https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/html-single/how_to_set_up_sso_with_kerberos/#configure-krb-management-interfaces Misconfiugre server-identity=kerberos to use wrong realm (remote/localhost.localdomain@WRONG_REALM.ORG) or wrong service (WRONG_SERVICE/localhost.localdomain@JBOSS.ORG) /core-service=management/security-realm=ManagementRealm/server-identity=kerberos/keytab=remote\/hostname@WRONG_REALM.ORG:add( path=/home\/username\/service.keytab,debug= true ) specifying fallback user with jboss-cli parameters --user and --password does not work.

      User impact: User relying on fallback authentication mechanism in case of Kerberos can't.
      When migrating EAP 7.0 configuration to EAP 7.1 configuration fallbacking does not work as in EAP 7.0.

      This worked well in DR16.

      When GSSAPI mechanism fails other mechanism e.g. PLAIN doesn't occure.

      server.log
      14:47:03,078 TRACE [org.wildfly.security] (management I/O-2) Handling MechanismInformationCallback type='SASL' name='GSSAPI' host-name='localhost.localdomain' protocol='remote'
14:47:03,078 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) configuredMaxReceiveBuffer=16777215
14:47:03,078 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) relaxComplianceChecks=false
14:47:03,078 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) QOP={AUTH}
14:47:03,078 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) Obtaining GSSCredential for the service from callback handler...
14:47:03,078 TRACE [org.jboss.as.domain.management.security] (management I/O-2) Selected KeytabService with principal 'remote/localhost.localdomain@WRONG_REALM.ORG' for host 'localhost.localdomain'
14:47:03,079 INFO  [stdout] (management I/O-2) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator false KeyTab is /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.5505588796137857648.keytab refreshKrb5Config is false principal is remote/localhost.localdomain@WRONG_REALM.ORG tryFirstPass is false useFirstPass is false storePass is false clearPass is false
14:47:03,079 INFO  [stdout] (management I/O-2) principal is remote/localhost.localdomain@WRONG_REALM.ORG
14:47:03,079 INFO  [stdout] (management I/O-2) Will use keytab
14:47:03,079 INFO  [stdout] (management I/O-2) Commit Succeeded 
14:47:03,079 INFO  [stdout] (management I/O-2) 
14:47:03,079 INFO  [stdout] (management I/O-2) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.5505588796137857648.keytab for remote/localhost.localdomain@WRONG_REALM.ORG
14:47:03,080 INFO  [stdout] (management I/O-2) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.5505588796137857648.keytab for remote/localhost.localdomain@WRONG_REALM.ORG
14:47:03,080 INFO  [stdout] (management I/O-2) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.5505588796137857648.keytab for remote/localhost.localdomain@WRONG_REALM.ORG
14:47:03,080 INFO  [stdout] (management I/O-2) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.5505588796137857648.keytab for remote/localhost.localdomain@WRONG_REALM.ORG
14:47:03,080 TRACE [org.wildfly.security] (management I/O-2) Handling ServerCredentialCallback: successfully obtained credential type type=class org.wildfly.security.credential.GSSKerberosCredential, algorithm=null, params=null
14:47:03,080 TRACE [org.jboss.remoting.endpoint] (management I/O-2) Allocated tick to 9 of endpoint "localhost:MANAGEMENT" <15985cc1> (opened org.jboss.remoting3.EndpointImpl$TrackingExecutor@211c95d4)
14:47:03,081 INFO  [stdout] (management task-6) Entered Krb5Context.acceptSecContext with state=STATE_NEW
14:47:03,082 INFO  [stdout] (management task-6) Looking for keys for: remote/localhost.localdomain@WRONG_REALM.ORG
14:47:03,083 TRACE [org.jboss.remoting.remote.server] (management task-6) Server sending authentication rejected: javax.security.sasl.SaslException: ELY05031: [GSSAPI] Unable to accept SASL client message [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES128 CTS mode with HMAC SHA1-96)]
	at org.wildfly.security.sasl.gssapi.GssapiServer.evaluateMessage(GssapiServer.java:152)
	at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:180)
	at org.wildfly.security.sasl.gssapi.GssapiServer.evaluateResponse(GssapiServer.java:121)
	at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
	at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
	at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:57)
	at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)
	at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)
	at org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:467)
	at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:891)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES128 CTS mode with HMAC SHA1-96)
	at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
	at org.wildfly.security.sasl.gssapi.GssapiServer.evaluateMessage(GssapiServer.java:131)
	... 12 more
Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES128 CTS mode with HMAC SHA1-96
	at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278)
	at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
	at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
	at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
	... 15 more

14:47:03,083 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-6) dispose
14:47:03,083 TRACE [org.wildfly.security] (management task-6) Handling AuthenticationCompleteCallback: fail
14:47:03,084 TRACE [org.jboss.remoting.endpoint] (management task-6) Resource closed count 00000008 of endpoint "localhost:MANAGEMENT" <15985cc1> (closed org.jboss.remoting3.EndpointImpl$TrackingExecutor@211c95d4)
14:47:03,084 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Sent 5 bytes
14:47:03,084 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Flushed channel
14:47:03,084 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Shut down writes on channel
14:47:03,086 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers in queue for message header
14:47:03,086 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated fresh buffers
14:47:03,086 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received EOF
14:47:03,087 TRACE [org.jboss.remoting.remote] (management I/O-2) Received connection end-of-stream
14:47:03,108 INFO  [org.jboss.eapqe.krbldap.eap7.utils.CustomCLIExecutor] (main) CLI executor output:
14:47:03,109 INFO  [org.jboss.eapqe.krbldap.eap7.utils.CustomCLIExecutor] (main) Java config name: /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb5-1708048015373854835.conf
Loaded from Java config
>>>KinitOptions cache name is /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb5cc
>>>DEBUG <CCacheInputStream>  client principal is hnelson30d3d46a-214b-4b2d-903e-c484ebab7908@JBOSS.ORG
>>>DEBUG <CCacheInputStream> server principal is krbtgt/JBOSS.ORG@JBOSS.ORG
>>>DEBUG <CCacheInputStream> key type: 17
>>>DEBUG <CCacheInputStream> auth time: Tue May 02 14:46:23 CEST 2017
>>>DEBUG <CCacheInputStream> start time: Tue May 02 14:46:23 CEST 2017
>>>DEBUG <CCacheInputStream> end time: Tue May 02 22:46:23 CEST 2017
>>>DEBUG <CCacheInputStream> renew_till time: null
>>> CCacheInputStream: readFlags()  INITIAL; PRE_AUTH;
Found ticket for hnelson30d3d46a-214b-4b2d-903e-c484ebab7908@JBOSS.ORG to go to krbtgt/JBOSS.ORG@JBOSS.ORG expiring on Tue May 02 22:46:23 CEST 2017
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 17.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
>>> KdcAccessibility: reset
>>> KrbKdcReq send: kdc=localhost.localdomain UDP:6088, timeout=5000, number of retries =3, #bytes=648
>>> KDCCommunication: kdc=localhost.localdomain UDP:6088, timeout=5000,Attempt =1, #bytes=648
>>> KrbKdcReq send: #bytes read=634
>>> KdcAccessibility: remove localhost.localdomain:6088
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
>>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
Krb5Context setting mySeqNumber to: 23519002
Krb5Context setting peerSeqNumber to: 0
Created InitSecContextToken:
0000: 01 00 6E 82 02 2C 30 82   02 28 A0 03 02 01 05 A1  ..n..,0..(......
0010: 03 02 01 0E A2 07 03 05   00 00 00 00 00 A3 82 01  ................
0020: 2C 61 82 01 28 30 82 01   24 A0 03 02 01 05 A1 0B  ,a..(0..$.......
0030: 1B 09 4A 42 4F 53 53 2E   4F 52 47 A2 2A 30 28 A0  ..JBOSS.ORG.*0(.
0040: 03 02 01 00 A1 21 30 1F   1B 06 72 65 6D 6F 74 65  .....!0...remote
0050: 1B 15 6C 6F 63 61 6C 68   6F 73 74 2E 6C 6F 63 61  ..localhost.loca
0060: 6C 64 6F 6D 61 69 6E A3   81 E3 30 81 E0 A0 03 02  ldomain...0.....
0070: 01 11 A2 81 D8 04 81 D5   6B C5 1A F4 8B 3A B3 7B  ........k....:..
0080: AE 21 B6 7C 76 DA 7F 42   F7 74 77 08 B1 47 5E 91  .!..v..B.tw..G^.
0090: 2D 93 54 AA FF 8B A2 A3   F4 ED E4 20 58 8F 1D 3A  -.T........ X..:
00A0: 11 1D E7 26 86 BF 70 A9   64 F2 D4 B6 E5 5A 7B 6D  ...&..p.d....Z.m
00B0: D4 4A 47 C3 7E A8 40 8F   6A CE B1 B0 E4 8C 00 CC  .JG...@.j.......
00C0: AD D0 30 23 D7 A2 6D 55   58 32 9C 0E 4D 48 78 62  ..0#..mUX2..MHxb
00D0: 7C BD C5 64 05 A4 2A F1   A7 D9 29 C2 78 F5 A0 E8  ...d..*...).x...
00E0: C3 24 77 34 C0 6A 70 27   42 20 47 EA E8 BE 7A 1C  .$w4.jp'B G...z.
00F0: 72 3A AB 01 E9 5B 71 7A   86 AE E8 D8 00 94 17 2F  r:...[qz......./
0100: 3F 8F 62 FC 58 4B 27 86   24 78 B9 97 71 1B E4 ED  ?.b.XK'.$x..q...
0110: 93 A5 8F 1C 1B 7A 31 17   E4 E5 90 2A 02 88 22 39  .....z1....*.."9
0120: 9D B9 48 05 89 A2 8D F6   4F E7 29 C6 75 CE 2A EB  ..H.....O.).u.*.
0130: A4 EB 60 C7 DA 26 AB 75   17 8C 9E 0B 55 A6 69 5B  ..`..&.u....U.i[
0140: 53 DF 41 F7 E0 48 01 53   44 F3 8A 8F 5A A4 81 E2  S.A..H.SD...Z...
0150: 30 81 DF A0 03 02 01 11   A2 81 D7 04 81 D4 F2 C9  0...............
0160: 95 00 E1 89 EB 9F AF 03   DB 8E 9C 9B F5 FF E4 AF  ................
0170: BD AB 4C FA 87 FD 87 B4   0B C8 21 53 7C A2 D9 07  ..L.......!S....
0180: 0D 63 D5 EA 76 D4 30 C4   17 ED 1D 90 6B 46 20 BE  .c..v.0.....kF .
0190: 28 C0 02 87 7D D8 EC 21   0F 50 FC 39 D7 0B AD C3  (......!.P.9....
01A0: 07 10 7A F4 79 71 0E 59   5C 8D 55 D6 71 54 4B 35  ..z.yq.Y\.U.qTK5
01B0: EE E7 33 87 BD 21 78 79   76 49 DF FA 17 CA 5A B2  ..3..!xyvI....Z.
01C0: A6 72 4C 6B E2 CB A6 8F   2E 8B 1B F4 DD 41 4D 85  .rLk.........AM.
01D0: 5D 9A 92 5A 90 EB 2F 80   7A 02 F4 05 9A 54 1D D5  ]..Z../.z....T..
01E0: 0F 04 12 53 29 1D A1 D3   5B 08 E4 FA 75 F0 AE 2E  ...S)...[...u...
01F0: F6 07 0E 44 BD F2 6C 0F   3F 95 14 D6 75 2F 12 08  ...D..l.?...u/..
0200: 0E F5 6E B9 CB 28 6A 5C   51 7E 4F 9D E0 2F 18 1C  ..n..(j\Q.O../..
0210: 0D 0D 18 AA 31 FE 8E D2   42 AD CA 62 B1 EF 69 9D  ....1...B..b..i.
0220: 88 82 57 36 58 B2 72 CF   35 54 B1 BE 9B 57 10 F5  ..W6X.r.5T...W..
0230: 2C FF                                              ,.

Failed to connect to the controller: The controller is not available at localhost.localdomain:9990: java.net.ConnectException: WFLYPRT0053: Could not connect to remote+http://localhost.localdomain:9990. The connection failed: WFLYPRT0053: Could not connect to remote+http://localhost.localdomain:9990. The connection failed: JBREM000202: Abrupt close on Remoting connection 79a3d728 to localhost.localdomain/127.0.0.1:9990 of endpoint "cli-client" <24aed80c>

        1. standalone.xml
          34 kB

              darran.lofthouse@redhat.com Darran Lofthouse
              mchoma@redhat.com Martin Choma
              Martin Choma Martin Choma
              Martin Choma Martin Choma
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: