Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-11381

Regression in DR19, Elytron unable to authenticate with kerberos using jboss-cli

XMLWordPrintable

    • Hide
      /subsystem=elytron/configurable-sasl-server-factory=configured:list-add(name=filters, value={pattern-filter=GSSAPI})
      /subsystem=elytron/kerberos-security-factory=kerberosSecurityFactory:add(name=kerberosSecurityFactory, principal=remote/localhost.localdomain@JBOSS.ORG, path=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.1141298291371780269.keytab, debug=true)
      /subsystem=elytron/filesystem-realm=fileSystemRealm:add(path=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/KerberosCLITestCase/fs-realm-users)
      /subsystem=elytron/simple-role-decoder=simpleRoleDecoder:add(attribute=Roles)
      /subsystem=elytron/regex-principal-transformer=principalTransformer:add(pattern=@.*, replacement=)
      /subsystem=elytron/security-domain=securityDomain:add(default-realm=fileSystemRealm, realms=[{realm => fileSystemRealm, role-decoder => simpleRoleDecoder}], pre-realm-principal-transformer=principalTransformer, permission-mapper=default-permission-mapper)
      /subsystem=elytron/sasl-authentication-factory=SaslAuthenticationFactory:add(security-domain=securityDomain, sasl-server-factory=configured, mechanism-configurations=[{mechanism-name => GSSAPI, credential-security-factory => kerberosSecurityFactory, mechanism-realm-configurations => [{realm-name => fileSystemRealm}]}])
      /subsystem=elytron/filesystem-realm=fileSystemRealm:add-identity(identity=jdukef3677204-8397-4dd5-bc7b-160d26c0aefb)
      /core-service=management/management-interface=http-interface:write-attribute(name=http-upgrade.sasl-authentication-factory, value=SaslAuthenticationFactory){allow-resource-service-restart=true}
      
      export KRB5CCNAME=FILE:/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/KerberosCLITestCase/krb5cc
      export KRB5_CONFIG=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb5-1335725875753885515.conf
      
      /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/../tests/target/dist/jboss-eap/bin/jboss-cli.sh \
          -Djboss.cli.config=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/../tests/target/dist/jboss-eap/bin/jboss-cli.xml \
          -c \
          --controller=remote+http://localhost.localdomain:9990 \
          --timeout=60000 \
          -Djavax.security.auth.useSubjectCredsOnly=false \
          -Djava.security.krb5.conf=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb5-1335725875753885515.conf \
          -Dsun.security.krb5.debug=true \
          -Djboss.cli.log.file=/tmp/jboss-cli.log \
          :whoami
      

      [1] https://doc-stage.usersys.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1.beta/html-single/how_to_set_up_sso_with_kerberos/#configure-krb-management-interfaces

      Show
      /subsystem=elytron/configurable-sasl-server-factory=configured:list-add(name=filters, value={pattern-filter=GSSAPI}) /subsystem=elytron/kerberos-security-factory=kerberosSecurityFactory:add(name=kerberosSecurityFactory, principal=remote/localhost.localdomain@JBOSS.ORG, path=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.1141298291371780269.keytab, debug= true ) /subsystem=elytron/filesystem-realm=fileSystemRealm:add(path=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/KerberosCLITestCase/fs-realm-users) /subsystem=elytron/simple-role-decoder=simpleRoleDecoder:add(attribute=Roles) /subsystem=elytron/regex-principal-transformer=principalTransformer:add(pattern=@.*, replacement=) /subsystem=elytron/security-domain=securityDomain:add( default -realm=fileSystemRealm, realms=[{realm => fileSystemRealm, role-decoder => simpleRoleDecoder}], pre-realm-principal-transformer=principalTransformer, permission-mapper= default -permission-mapper) /subsystem=elytron/sasl-authentication-factory=SaslAuthenticationFactory:add(security-domain=securityDomain, sasl-server-factory=configured, mechanism-configurations=[{mechanism-name => GSSAPI, credential-security-factory => kerberosSecurityFactory, mechanism-realm-configurations => [{realm-name => fileSystemRealm}]}]) /subsystem=elytron/filesystem-realm=fileSystemRealm:add-identity(identity=jdukef3677204-8397-4dd5-bc7b-160d26c0aefb) /core-service=management/management- interface =http- interface :write-attribute(name=http-upgrade.sasl-authentication-factory, value=SaslAuthenticationFactory){allow-resource-service-restart= true } export KRB5CCNAME=FILE:/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/KerberosCLITestCase/krb5cc export KRB5_CONFIG=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb5-1335725875753885515.conf /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/../tests/target/dist/jboss-eap/bin/jboss-cli.sh \ -Djboss.cli.config=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/../tests/target/dist/jboss-eap/bin/jboss-cli.xml \ -c \ --controller=remote+http: //localhost.localdomain:9990 \ --timeout=60000 \ -Djavax.security.auth.useSubjectCredsOnly= false \ -Djava.security.krb5.conf=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb5-1335725875753885515.conf \ -Dsun.security.krb5.debug= true \ -Djboss.cli.log.file=/tmp/jboss-cli.log \ :whoami [1] https://doc-stage.usersys.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1.beta/html-single/how_to_set_up_sso_with_kerberos/#configure-krb-management-interfaces

      Trying to connect with jboss-cli to server using kerberos leads to error

      14:41:22,654 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-7) Client selected security layer AUTH, with maxBuffer of 65536
      14:41:22,655 TRACE [org.jboss.remoting.remote.server] (management task-7) Server sending authentication rejected: javax.security.sasl.SaslException: ELY05123: [GSSAPI] No security layer selected but message length received
      	at org.wildfly.security.sasl.gssapi.GssapiServer.evaluateMessage(GssapiServer.java:245)
      	at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:180)
      	at org.wildfly.security.sasl.gssapi.GssapiServer.evaluateResponse(GssapiServer.java:121)
      	at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
      	at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
      	at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:57)
      	at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)
      	at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)
      	at org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:470)
      	at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:902)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      

      Error message is little bit confusing as previous log message claims AUTH security layer is selected.

      Looking into code does not reveal meaning to me neither.

      GssapiServer.java
      	log.tracef("Client selected security layer %s, with maxBuffer of %d", selectedQop, maxBuffer);
      	if (relaxComplianceChecks == false && selectedQop == QOP.AUTH && maxBuffer != 0) {
      	    throw log.mechNoSecurityLayerButLengthReceived(getMechanismName()).toSaslException();
      	}
      

        1. jboss-cli.log
          19 kB
        2. jboss-cli.xml
          2 kB
        3. Kerberos_jboss_cli.log
          42 kB
        4. krb5-1335725875753885515.conf
          0.5 kB
        5. standalone.xml
          33 kB

              darran.lofthouse@redhat.com Darran Lofthouse
              mchoma@redhat.com Martin Choma
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: