Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-9084

Regression against 7.0.GA, Kerberos over CLI

    XMLWordPrintable

Details

    Description

      It is not possible to authenticate to CLI using kerberos.
      Same configuration works well against 7.0.0.GA

      17:32:21,109 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) configuredMaxReceiveBuffer=16777215
      17:32:21,109 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) relaxComplianceChecks=false
      17:32:21,109 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) QOP={AUTH}
      17:32:21,109 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) Our name 'remote@localhost.localdomain'
      17:32:21,113 INFO  [stdout] (management I/O-2) Java config name: /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb5-945898887586223869.conf
      17:32:21,113 INFO  [stdout] (management I/O-2) Loaded from Java config
      17:32:21,114 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Unable to create SaslServer: javax.security.sasl.SaslException: ELY05029: [GSSAPI] Unable to create GSSContext [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)]
      	at org.wildfly.security.sasl.gssapi.GssapiServer.<init>(GssapiServer.java:77)
      	at org.wildfly.security.sasl.gssapi.GssapiServerFactory.createSaslServer(GssapiServerFactory.java:44)
      	at org.wildfly.security.sasl.util.SecurityProviderSaslServerFactory.createSaslServer(SecurityProviderSaslServerFactory.java:77)
      	at org.wildfly.security.sasl.util.FilterMechanismSaslServerFactory.createSaslServer(FilterMechanismSaslServerFactory.java:88)
      	at org.wildfly.security.sasl.util.PropertiesSaslServerFactory.createSaslServer(PropertiesSaslServerFactory.java:56)
      	at org.wildfly.security.sasl.util.AbstractDelegatingSaslServerFactory.createSaslServer(AbstractDelegatingSaslServerFactory.java:64)
      	at org.wildfly.security.sasl.util.AbstractDelegatingSaslServerFactory.createSaslServer(AbstractDelegatingSaslServerFactory.java:64)
      	at org.wildfly.security.sasl.util.SetMechanismInformationSaslServerFactory.createSaslServer(SetMechanismInformationSaslServerFactory.java:79)
      	at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory.createSaslServer(AuthenticationCompleteCallbackSaslServerFactory.java:51)
      	at org.wildfly.security.sasl.util.TrustManagerSaslServerFactory.createSaslServer(TrustManagerSaslServerFactory.java:72)
      	at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory.createSaslServer(AuthenticationTimeoutSaslServerFactory.java:74)
      	at org.wildfly.security.sasl.util.AbstractDelegatingSaslServerFactory.createSaslServer(AbstractDelegatingSaslServerFactory.java:64)
      	at org.wildfly.security.sasl.util.ServerNameSaslServerFactory.createSaslServer(ServerNameSaslServerFactory.java:48)
      	at org.wildfly.security.sasl.util.AbstractDelegatingSaslServerFactory.createSaslServer(AbstractDelegatingSaslServerFactory.java:64)
      	at org.wildfly.security.sasl.util.ProtocolSaslServerFactory.createSaslServer(ProtocolSaslServerFactory.java:48)
      	at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory.createSaslServer(SecurityIdentitySaslServerFactory.java:51)
      	at org.wildfly.security.auth.server.SaslAuthenticationFactory.doCreate(SaslAuthenticationFactory.java:59)
      	at org.wildfly.security.auth.server.SaslAuthenticationFactory.doCreate(SaslAuthenticationFactory.java:50)
      	at org.wildfly.security.auth.server.AbstractMechanismAuthenticationFactory.createMechanism(AbstractMechanismAuthenticationFactory.java:54)
      	at org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial.handleEvent(ServerConnectionOpenListener.java:259)
      	at org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial.handleEvent(ServerConnectionOpenListener.java:125)
      	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      	at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
      	at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
      	at org.xnio.nio.WorkerThread.run(WorkerThread.java:567)
      Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)
      	at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:87)
      	at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:127)
      	at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:193)
      	at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:427)
      	at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:62)
      	at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:154)
      	at org.wildfly.security.sasl.gssapi.GssapiServer.<init>(GssapiServer.java:72)
      	... 24 more
      
      17:32:21,115 TRACE [org.jboss.remoting.remote] (management I/O-2) Rejected invalid SASL mechanism GSSAPI
      17:32:21,115 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Sent 5 bytes
      17:32:21,115 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Flushed channel
      17:32:21,115 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers in queue for message header
      17:32:21,115 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated fresh buffers
      17:32:21,115 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received 59 bytes
      17:32:21,116 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received message java.nio.HeapByteBuffer[pos=0 lim=55 cap=8192]
      17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Received java.nio.HeapByteBuffer[pos=0 lim=55 cap=8192]
      17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capabilities request
      17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: version 1
      17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote endpoint name "cli-client"
      17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: message close protocol supported
      17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote version is "5.0.0.Beta17-redhat-1"
      17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote channels in is "40"
      17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote channels out is "40"
      17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: authentication service
      17:32:21,116 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Sent 77 bytes
      17:32:21,116 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Flushed channel
      17:32:21,118 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers in queue for message header
      17:32:21,118 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated fresh buffers
      17:32:21,118 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received EOF
      17:32:21,118 TRACE [org.jboss.remoting.remote] (management I/O-2) Received connection end-of-stream
      17:32:21,441 INFO  [org.jboss.eapqe.krbldap.eap7.utils.CustomCLIExecutor] (main) CLI executor output:
      17:32:21,441 INFO  [org.jboss.eapqe.krbldap.eap7.utils.CustomCLIExecutor] (main) Java config name: /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb5-945898887586223869.conf
      Loaded from Java config
      >>>KinitOptions cache name is /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb5cc
      >>>DEBUG <CCacheInputStream>  client principal is hnelson7259cb36-69b2-4e28-afb5-f668120a8dea@JBOSS.ORG
      >>>DEBUG <CCacheInputStream> server principal is krbtgt/JBOSS.ORG@JBOSS.ORG
      >>>DEBUG <CCacheInputStream> key type: 17
      >>>DEBUG <CCacheInputStream> auth time: Thu Feb 23 17:32:11 CET 2017
      >>>DEBUG <CCacheInputStream> start time: Thu Feb 23 17:32:11 CET 2017
      >>>DEBUG <CCacheInputStream> end time: Fri Feb 24 01:32:11 CET 2017
      >>>DEBUG <CCacheInputStream> renew_till time: null
      >>> CCacheInputStream: readFlags()  INITIAL; PRE_AUTH;
      Found ticket for hnelson7259cb36-69b2-4e28-afb5-f668120a8dea@JBOSS.ORG to go to krbtgt/JBOSS.ORG@JBOSS.ORG expiring on Fri Feb 24 01:32:11 CET 2017
      Entered Krb5Context.initSecContext with state=STATE_NEW
      Service ticket not found in the subject
      >>> Credentials acquireServiceCreds: same realm
      default etypes for default_tgs_enctypes: 17.
      >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
      >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
      >>> KdcAccessibility: reset
      >>> KrbKdcReq send: kdc=localhost.localdomain UDP:6088, timeout=5000, number of retries =3, #bytes=648
      >>> KDCCommunication: kdc=localhost.localdomain UDP:6088, timeout=5000,Attempt =1, #bytes=648
      >>> KrbKdcReq send: #bytes read=634
      >>> KdcAccessibility: remove localhost.localdomain:6088
      >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
      >>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000
      >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
      Krb5Context setting mySeqNumber to: 951540638
      Krb5Context setting peerSeqNumber to: 0
      Created InitSecContextToken:
      0000: 01 00 6E 82 02 2C 30 82   02 28 A0 03 02 01 05 A1  ..n..,0..(......
      0010: 03 02 01 0E A2 07 03 05   00 00 00 00 00 A3 82 01  ................
      0020: 2C 61 82 01 28 30 82 01   24 A0 03 02 01 05 A1 0B  ,a..(0..$.......
      0030: 1B 09 4A 42 4F 53 53 2E   4F 52 47 A2 2A 30 28 A0  ..JBOSS.ORG.*0(.
      0040: 03 02 01 00 A1 21 30 1F   1B 06 72 65 6D 6F 74 65  .....!0...remote
      0050: 1B 15 6C 6F 63 61 6C 68   6F 73 74 2E 6C 6F 63 61  ..localhost.loca
      0060: 6C 64 6F 6D 61 69 6E A3   81 E3 30 81 E0 A0 03 02  ldomain...0.....
      0070: 01 11 A2 81 D8 04 81 D5   AF 46 53 89 B1 22 66 A6  .........FS.."f.
      0080: C7 3C 9B 50 EB 36 7C D7   95 45 C9 46 BE A7 17 43  .<.P.6...E.F...C
      0090: CD 9E DB B1 34 F7 1E 89   A4 D8 7B 2D 37 F9 4D DE  ....4......-7.M.
      00A0: 8C B6 9D 07 83 2B 3E BF   80 34 34 CB 52 B9 01 95  .....+>..44.R...
      00B0: AF 07 D1 8A 15 F8 7D 29   56 03 63 36 13 44 17 0B  .......)V.c6.D..
      00C0: C9 31 CD 6F 41 35 5D B2   5A 5F 25 27 20 8D DE 9A  .1.oA5].Z_%' ...
      00D0: 1B A9 26 A9 22 E2 81 4C   18 BB F9 15 27 A4 75 68  ..&."..L....'.uh
      00E0: AF FE F4 2D 84 6D 44 24   73 C8 18 C0 3E 85 3E 0C  ...-.mD$s...>.>.
      00F0: 6E 2C 89 FA 54 0B F6 E4   D3 C9 DA A3 61 14 5F 97  n,..T.......a._.
      0100: 1D FE 6A 70 D7 C7 9C D2   91 D7 D0 B0 88 20 A1 C8  ..jp......... ..
      0110: 53 42 DD 6B DB 3C 39 DC   2C DF 8A 52 C9 8B E4 0B  SB.k.<9.,..R....
      0120: AD 05 B8 81 08 0E D2 4E   83 F9 23 C8 DC F1 9A 42  .......N..#....B
      0130: BD 44 A4 DB CB E6 64 9B   9D 53 FA F3 4E 77 99 5F  .D....d..S..Nw._
      0140: AE 0C B3 52 11 B5 6E 65   FB 2C 6E D9 49 A4 81 E2  ...R..ne.,n.I...
      0150: 30 81 DF A0 03 02 01 11   A2 81 D7 04 81 D4 13 3B  0..............;
      0160: BB 37 F0 B9 F9 C3 60 E0   80 DA A2 8D 0C E9 8A 34  .7....`........4
      0170: DA E1 55 CB 4F 09 EB 36   3A F4 68 D3 90 D9 0F CD  ..U.O..6:.h.....
      0180: 0F BA 50 1C A9 5C 70 84   1B CD 43 12 33 41 8A CA  ..P..\p...C.3A..
      0190: 46 B0 21 4B 10 D7 22 5C   EC D0 79 C1 0D 5E 1C 58  F.!K.."\..y..^.X
      01A0: 64 7C 75 43 77 96 82 1F   3A AD A2 C1 C4 9B 96 5B  d.uCw...:......[
      01B0: 0D 1B DC 60 BD 76 91 69   53 DE 2F 34 CF 9E 0B EE  ...`.v.iS./4....
      01C0: 8D D9 98 E0 37 AB 8D 2F   0D 61 B5 8C 10 43 20 2B  ....7../.a...C +
      01D0: 6D 36 E1 0F 5B 23 22 8A   76 1B 55 0C 2E A1 8C D7  m6..[#".v.U.....
      01E0: 8C 6F D2 07 2B 26 3B BF   54 74 9B 76 4A 78 2B E8  .o..+&;.Tt.vJx+.
      01F0: 70 E3 81 08 E9 8B A3 F1   69 A3 E2 BE 1D 5B 8F 3A  p.......i....[.:
      0200: 0F 34 3D 2D 01 69 C4 FC   67 FB 13 4B F3 D9 BE 94  .4=-.i..g..K....
      0210: 9D 24 75 92 32 13 4B 8B   18 D0 FF 3B F9 51 19 90  .$u.2.K....;.Q..
      0220: 44 63 61 BF A0 91 9E 76   9D 42 AA 3D B3 46 64 0A  Dca....v.B.=.Fd.
      0230: 0D 19                                              ..
      
      Failed to connect to the controller: Unable to authenticate against controller at localhost.localdomain:9990: Authentication failed: all available authentication mechanisms failed:
         GSSAPI: Server rejected authentication
      

      Attachments

        Issue Links

          Activity

            People

              darran.lofthouse@redhat.com Darran Lofthouse
              mchoma@redhat.com Martin Choma
              Martin Choma Martin Choma
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: