JBoss Enterprise Application Platform / JBEAP-11381

Regression in DR19, Elytron unable to authenticate with kerberos using jboss-cli


Details

      /subsystem=elytron/configurable-sasl-server-factory=configured:list-add(name=filters, value={pattern-filter=GSSAPI})
      /subsystem=elytron/kerberos-security-factory=kerberosSecurityFactory:add(name=kerberosSecurityFactory, principal=remote/localhost.localdomain@JBOSS.ORG, path=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.1141298291371780269.keytab, debug=true)
      /subsystem=elytron/filesystem-realm=fileSystemRealm:add(path=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/KerberosCLITestCase/fs-realm-users)
      /subsystem=elytron/simple-role-decoder=simpleRoleDecoder:add(attribute=Roles)
      /subsystem=elytron/regex-principal-transformer=principalTransformer:add(pattern=@.*, replacement=)
      /subsystem=elytron/security-domain=securityDomain:add(default-realm=fileSystemRealm, realms=[{realm => fileSystemRealm, role-decoder => simpleRoleDecoder}], pre-realm-principal-transformer=principalTransformer, permission-mapper=default-permission-mapper)
      /subsystem=elytron/sasl-authentication-factory=SaslAuthenticationFactory:add(security-domain=securityDomain, sasl-server-factory=configured, mechanism-configurations=[{mechanism-name => GSSAPI, credential-security-factory => kerberosSecurityFactory, mechanism-realm-configurations => [{realm-name => fileSystemRealm}]}])
      /subsystem=elytron/filesystem-realm=fileSystemRealm:add-identity(identity=jdukef3677204-8397-4dd5-bc7b-160d26c0aefb)
      /core-service=management/management-interface=http-interface:write-attribute(name=http-upgrade.sasl-authentication-factory, value=SaslAuthenticationFactory){allow-resource-service-restart=true}
      
      export KRB5CCNAME=FILE:/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/KerberosCLITestCase/krb5cc
      export KRB5_CONFIG=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb5-1335725875753885515.conf
      
      /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/../tests/target/dist/jboss-eap/bin/jboss-cli.sh \
          -Djboss.cli.config=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/../tests/target/dist/jboss-eap/bin/jboss-cli.xml \
          -c \
          --controller=remote+http://localhost.localdomain:9990 \
          --timeout=60000 \
          -Djavax.security.auth.useSubjectCredsOnly=false \
          -Djava.security.krb5.conf=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb5-1335725875753885515.conf \
          -Dsun.security.krb5.debug=true \
          -Djboss.cli.log.file=/tmp/jboss-cli.log \
          :whoami
      

      [1] https://doc-stage.usersys.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1.beta/html-single/how_to_set_up_sso_with_kerberos/#configure-krb-management-interfaces


    Description

      Trying to connect with jboss-cli to the server using Kerberos leads to an error:

      14:41:22,654 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-7) Client selected security layer AUTH, with maxBuffer of 65536
      14:41:22,655 TRACE [org.jboss.remoting.remote.server] (management task-7) Server sending authentication rejected: javax.security.sasl.SaslException: ELY05123: [GSSAPI] No security layer selected but message length received
      	at org.wildfly.security.sasl.gssapi.GssapiServer.evaluateMessage(GssapiServer.java:245)
      	at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:180)
      	at org.wildfly.security.sasl.gssapi.GssapiServer.evaluateResponse(GssapiServer.java:121)
      	at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
      	at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
      	at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:57)
      	at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)
      	at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)
      	at org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:470)
      	at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:902)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      

      The error message is a little bit confusing, as the previous log message claims the AUTH security layer is selected.

      Looking into the code does not reveal the meaning to me either.

      GssapiServer.java
      	log.tracef("Client selected security layer %s, with maxBuffer of %d", selectedQop, maxBuffer);
      	if (relaxComplianceChecks == false && selectedQop == QOP.AUTH && maxBuffer != 0) {
      	    throw log.mechNoSecurityLayerButLengthReceived(getMechanismName()).toSaslException();
      	}
      
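The rejection in the trace comes from the check quoted from GssapiServer.java: the client picked QOP AUTH (no security layer) but still announced a maxBuffer of 65536, and RFC 4752 says that field should be 0 when no security layer is selected. As an added illustration that is not part of this issue or of the WildFly Elytron code base, the following Python models the RFC 4752 security-layer message and that server-side check; the QOP enum, the function names and the sample bytes are assumptions constructed for the example.

```python
# Added example (not from the JIRA issue or WildFly Elytron): a model of the
# GSSAPI SASL security-layer negotiation message (RFC 4752, section 3.1) and of
# the compliance check quoted from GssapiServer.evaluateMessage.
from enum import Enum
from typing import Optional, Tuple


class QOP(Enum):
    """Security layers a GSSAPI SASL client may select (RFC 4752 bit-mask values)."""
    AUTH = 0x01       # no security layer
    AUTH_INT = 0x02   # integrity protection
    AUTH_CONF = 0x04  # confidentiality protection


def parse_security_layer_message(plaintext: bytes) -> Tuple[QOP, int]:
    """Decode the 4-octet client message carried inside the GSS_Wrap token.

    Octet 0 is the selected security layer; octets 1..3 are the client's
    maximum receive buffer size in network byte order.
    """
    if len(plaintext) != 4:
        raise ValueError(f"expected 4 octets, got {len(plaintext)}")
    layer_byte = plaintext[0]
    # Exactly one known layer bit must be set for the selection to be valid.
    if layer_byte not in (q.value for q in QOP):
        raise ValueError(f"invalid security layer selection 0x{layer_byte:02x}")
    max_buffer = int.from_bytes(plaintext[1:4], "big")
    return QOP(layer_byte), max_buffer


def check_security_layer(selected_qop: QOP, max_buffer: int,
                         relax_compliance_checks: bool = False) -> Optional[str]:
    """Mirror the strict server check: AUTH with a non-zero max buffer is rejected.

    Returns None when the message is accepted, otherwise the rejection reason.
    """
    if not relax_compliance_checks and selected_qop is QOP.AUTH and max_buffer != 0:
        return "No security layer selected but message length received"
    return None


def evaluate(plaintext: bytes, relax: bool = False) -> Tuple[str, int, Optional[str]]:
    """Parse a client message and run the check; returns (qop name, maxBuffer, rejection)."""
    qop, max_buffer = parse_security_layer_message(plaintext)
    return qop.name, max_buffer, check_security_layer(qop, max_buffer, relax)


# Constructed samples: the client in the trace selected AUTH with maxBuffer 65536
# (0x010000), which is exactly what the strict check rejects; a compliant client
# selecting AUTH sends a zero max buffer.
NONCOMPLIANT_CLIENT_MESSAGE = bytes([QOP.AUTH.value]) + (65536).to_bytes(3, "big")
COMPLIANT_CLIENT_MESSAGE = bytes([QOP.AUTH.value]) + (0).to_bytes(3, "big")
```

With the first sample the model reports "AUTH" and 65536 together with the rejection reason, which is why the trace shows both the "Client selected security layer AUTH" line and the ELY05123 error.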

      Attachments

        1. jboss-cli.log (19 kB)
        2. jboss-cli.xml (2 kB)
        3. Kerberos_jboss_cli.log (42 kB)
        4. krb5-1335725875753885515.conf (0.5 kB)
        5. standalone.xml (33 kB)

      People

        darran.lofthouse@redhat.com Darran Lofthouse
        mchoma@redhat.com Martin Choma