  1. JBoss Enterprise Application Platform
  2. JBEAP-12696

Unable to connect jboss-cli.sh using GS2-KRB5-PLUS


    • Bug
    • Resolution: Done
    • Blocker
    • 7.1.0.CR1
    • 7.1.0.ER3
    • Security
    • None
    • Not Required
    • secured management interface (9993) with Elytron server SSL context
    • with Kerberos ticket connect using jboss-cli.sh
      jboss-cli.sh -c --controller=remote+https://localhost.localdomain:9993 -Dwildfly.config.url=/path/to/wildfly-config.xml -Djavax.security.auth.useSubjectCredsOnly=false :whoami

      Or

      git clone git@gitlab.mw.lab.eng.bos.redhat.com:jbossqe-eap/tests-ldap-kerberos.git
      cd tests-ldap-kerberos
      ./build-eap71.sh -Dversion.jboss.bom=7.1.0.GA -Dversion.wildfly.core=3.0.0.Beta30-redhat-1 -Dmaven.repo.local=/home/mchoma/workspace/eap-versions/7.1.0.ER3/jboss-eap-7.1.0.GA-maven-repository/maven-repository -Djboss.dist.zip=/home/mchoma/workspace/git-repositories/wildfly/build/target/wildfly-11.0.0.CR1-SNAPSHOT.zip -Dmaven.test.failure.ignore=true -Dtest=KerberosCLIGs2Krb5PlusTestCase
      

      I am unable to connect with jboss-cli.sh using GS2-KRB5-PLUS. This is not a duplicate of JBEAP-12688. In this case even the SASL client is not created.

      In server.log I see:

      17:25:10,564 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Initialized connection from /127.0.0.1:37230 to /127.0.0.1:9993 with options {org.jboss.remoting3.RemotingOptions.SASL_PROTOCOL=>remote}
      17:25:10,564 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Accepted connection from /127.0.0.1:37230 to localhost.localdomain/127.0.0.1:9993
      17:25:10,564 TRACE [org.jboss.remoting.remote] (management I/O-2) Setting read listener to org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial@2cb6a081
      17:25:10,564 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers in queue for message header
      17:25:10,564 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated fresh buffers
      17:25:10,564 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No read bytes available
      17:25:10,565 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Sent 28 bytes
      17:25:10,565 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Flushed channel
      17:25:10,576 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers in queue for message header
      17:25:10,577 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated fresh buffers
      17:25:10,577 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received 56 bytes
      17:25:10,577 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received message java.nio.HeapByteBuffer[pos=0 lim=52 cap=8192]
      17:25:10,577 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Received java.nio.HeapByteBuffer[pos=0 lim=52 cap=8192]
      17:25:10,577 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capabilities request
      17:25:10,577 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: version 1
      17:25:10,577 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote endpoint name "cli-client"
      17:25:10,577 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: message close protocol supported
      17:25:10,577 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote version is "5.0.0.CR5-redhat-1"
      17:25:10,577 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote channels in is "40"
      17:25:10,577 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote channels out is "40"
      17:25:10,577 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: authentication service
      17:25:10,580 TRACE [org.jboss.remoting.remote.server] (management I/O-2) No EXTERNAL mechanism due to unverified SSL peer
      17:25:10,583 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Added mechanism GS2-KRB5-PLUS
      17:25:10,583 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Added mechanism PLAIN
      17:25:10,583 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers in queue for message header
      17:25:10,583 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated fresh buffers
      17:25:10,583 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No read bytes available
      17:25:10,583 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Sent 88 bytes
      17:25:10,583 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Flushed channel
      17:25:10,637 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers in queue for message header
      17:25:10,637 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated fresh buffers
      17:25:10,637 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No read bytes available
      17:25:10,637 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers in queue for message header
      17:25:10,637 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated fresh buffers
      17:25:10,637 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No read bytes available
      17:25:10,638 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers in queue for message header
      17:25:10,638 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated fresh buffers
      17:25:10,638 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received EOF
      17:25:10,638 TRACE [org.jboss.remoting.remote] (management I/O-2) Received connection end-of-stream
      17:25:10,971 INFO  [org.jboss.eapqe.krbldap.utils.CustomCLIExecutor] (main) CLI executor output:
      17:25:10,971 INFO  [org.jboss.eapqe.krbldap.utils.CustomCLIExecutor] (main) Failed to connect to the controller: Unable to authenticate against controller at localhost.localdomain:9993: Authentication failed: none of the mechanisms presented by the server (GS2-KRB5-PLUS, PLAIN) are supported
      

      In jboss-cli.log I see:

      17:14:21,557 TRACE [org.wildfly.security] Created SaslClient [null] for mechanisms [GS2-KRB5-PLUS]
      17:14:21,557 TRACE [org.jboss.remoting.remote.connection] Connection error detail: javax.security.sasl.SaslException: Authentication failed: none of the mechanisms presented by the server (GS2-KRB5-PLUS, PLAIN) are supported
              at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:438)
              at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:242)
              at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
              at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
              at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
              at org.xnio.nio.WorkerThread.run(WorkerThread.java:571)
      
      17:14:21,558 DEBUG [org.jboss.remoting.remote.connection] JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: none of the mechanisms presented by the server (GS2-KRB5-PLUS, PLAIN) are supported
      17:14:21,559 TRACE [org.jboss.remoting.endpoint] Registered exception result: javax.security.sasl.SaslException: Authentication failed: none of the mechanisms presented by the server (GS2-KRB5-PLUS, PLAIN) are supported
              at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:438)
              at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:242)
              at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
              at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
              at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
              at org.xnio.nio.WorkerThread.run(WorkerThread.java:571)
      

        1. configuration-working.zip
          10 kB
        2. pretested-jboss-cli.log
          36 kB
        3. pretested-standalone.xml
          33 kB
        4. wildfly-config.xml
          1 kB

              jkalina@redhat.com Jan Kalina (Inactive)
              mchoma@redhat.com Martin Choma
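
The distinction the report draws (the server offers GS2-KRB5-PLUS, yet the client logs `Created SaslClient [null]`) can be checked mechanically when triaging this kind of failure. The script below is an added example, not part of the original issue or of the EAP code base; the `triage` function and its verdict names are hypothetical, and the sample lines are copied from the log excerpts above.

```python
import re

# Lines copied from the server.log and jboss-cli.log excerpts in this report.
SERVER_LOG = """\
17:25:10,580 TRACE [org.jboss.remoting.remote.server] (management I/O-2) No EXTERNAL mechanism due to unverified SSL peer
17:25:10,583 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Added mechanism GS2-KRB5-PLUS
17:25:10,583 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Added mechanism PLAIN
"""
CLIENT_LOG = """\
17:14:21,557 TRACE [org.wildfly.security] Created SaslClient [null] for mechanisms [GS2-KRB5-PLUS]
17:14:21,558 DEBUG [org.jboss.remoting.remote.connection] JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: none of the mechanisms presented by the server (GS2-KRB5-PLUS, PLAIN) are supported
"""

ADDED = re.compile(r"Added mechanism (\S+)")
SKIPPED = re.compile(r"No (\S+) mechanism due to (.+)$")
CREATED = re.compile(r"Created SaslClient \[(.*?)\] for mechanisms \[(.*?)\]")

def triage(server_log, client_log):
    """Separate 'client never built a SaslClient' from a real mechanism mismatch."""
    offered, skipped, created, failed = [], {}, [], []
    for line in server_log.splitlines():
        if m := ADDED.search(line):
            offered.append(m.group(1))
        elif m := SKIPPED.search(line):
            skipped[m.group(1)] = m.group(2).strip()
    for line in client_log.splitlines():
        if m := CREATED.search(line):
            mechs = [x.strip() for x in m.group(2).split(",") if x.strip()]
            # "[null]" means no SaslClient instance was produced for these mechanisms.
            (failed if m.group(1) == "null" else created).extend(mechs)
    attempted = set(created) | set(failed)
    if created:
        verdict = "sasl_client_created"
    elif attempted & set(offered):
        verdict = "client_creation_failed_for_offered_mechanism"
    elif attempted:
        verdict = "no_common_mechanism"
    else:
        verdict = "no_client_attempt_logged"
    return {
        "offered": offered,
        "skipped_by_server": skipped,
        "failed": failed,
        "not_attempted": [m for m in offered if m not in attempted],
        "verdict": verdict,
    }

if __name__ == "__main__":
    print(triage(SERVER_LOG, CLIENT_LOG))
```

On the excerpts in this report the verdict is `client_creation_failed_for_offered_mechanism`, with PLAIN offered by the server but never attempted in the client log.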