-
Bug
-
Resolution: Done
-
Blocker
-
None
It is not possible to authenticate to CLI using kerberos.
Same configuration works well against 7.0.0.GA
17:32:21,109 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) configuredMaxReceiveBuffer=16777215 17:32:21,109 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) relaxComplianceChecks=false 17:32:21,109 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) QOP={AUTH} 17:32:21,109 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) Our name 'remote@localhost.localdomain' 17:32:21,113 INFO [stdout] (management I/O-2) Java config name: /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb5-945898887586223869.conf 17:32:21,113 INFO [stdout] (management I/O-2) Loaded from Java config 17:32:21,114 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Unable to create SaslServer: javax.security.sasl.SaslException: ELY05029: [GSSAPI] Unable to create GSSContext [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)] at org.wildfly.security.sasl.gssapi.GssapiServer.<init>(GssapiServer.java:77) at org.wildfly.security.sasl.gssapi.GssapiServerFactory.createSaslServer(GssapiServerFactory.java:44) at org.wildfly.security.sasl.util.SecurityProviderSaslServerFactory.createSaslServer(SecurityProviderSaslServerFactory.java:77) at org.wildfly.security.sasl.util.FilterMechanismSaslServerFactory.createSaslServer(FilterMechanismSaslServerFactory.java:88) at org.wildfly.security.sasl.util.PropertiesSaslServerFactory.createSaslServer(PropertiesSaslServerFactory.java:56) at org.wildfly.security.sasl.util.AbstractDelegatingSaslServerFactory.createSaslServer(AbstractDelegatingSaslServerFactory.java:64) at org.wildfly.security.sasl.util.AbstractDelegatingSaslServerFactory.createSaslServer(AbstractDelegatingSaslServerFactory.java:64) at org.wildfly.security.sasl.util.SetMechanismInformationSaslServerFactory.createSaslServer(SetMechanismInformationSaslServerFactory.java:79) at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory.createSaslServer(AuthenticationCompleteCallbackSaslServerFactory.java:51) at org.wildfly.security.sasl.util.TrustManagerSaslServerFactory.createSaslServer(TrustManagerSaslServerFactory.java:72) at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory.createSaslServer(AuthenticationTimeoutSaslServerFactory.java:74) at org.wildfly.security.sasl.util.AbstractDelegatingSaslServerFactory.createSaslServer(AbstractDelegatingSaslServerFactory.java:64) at org.wildfly.security.sasl.util.ServerNameSaslServerFactory.createSaslServer(ServerNameSaslServerFactory.java:48) at org.wildfly.security.sasl.util.AbstractDelegatingSaslServerFactory.createSaslServer(AbstractDelegatingSaslServerFactory.java:64) at org.wildfly.security.sasl.util.ProtocolSaslServerFactory.createSaslServer(ProtocolSaslServerFactory.java:48) at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory.createSaslServer(SecurityIdentitySaslServerFactory.java:51) at org.wildfly.security.auth.server.SaslAuthenticationFactory.doCreate(SaslAuthenticationFactory.java:59) at org.wildfly.security.auth.server.SaslAuthenticationFactory.doCreate(SaslAuthenticationFactory.java:50) at org.wildfly.security.auth.server.AbstractMechanismAuthenticationFactory.createMechanism(AbstractMechanismAuthenticationFactory.java:54) at org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial.handleEvent(ServerConnectionOpenListener.java:259) at org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial.handleEvent(ServerConnectionOpenListener.java:125) at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92) at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66) at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89) at org.xnio.nio.WorkerThread.run(WorkerThread.java:567) Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails) at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:87) at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:127) at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:193) at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:427) at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:62) at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:154) at org.wildfly.security.sasl.gssapi.GssapiServer.<init>(GssapiServer.java:72) ... 24 more 17:32:21,115 TRACE [org.jboss.remoting.remote] (management I/O-2) Rejected invalid SASL mechanism GSSAPI 17:32:21,115 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Sent 5 bytes 17:32:21,115 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Flushed channel 17:32:21,115 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers in queue for message header 17:32:21,115 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated fresh buffers 17:32:21,115 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received 59 bytes 17:32:21,116 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received message java.nio.HeapByteBuffer[pos=0 lim=55 cap=8192] 17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Received java.nio.HeapByteBuffer[pos=0 lim=55 cap=8192] 17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capabilities request 17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: version 1 17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote endpoint name "cli-client" 17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: message close protocol supported 17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote version is "5.0.0.Beta17-redhat-1" 17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote channels in is "40" 17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote channels out is "40" 17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: authentication service 17:32:21,116 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Sent 77 bytes 17:32:21,116 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Flushed channel 17:32:21,118 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers in queue for message header 17:32:21,118 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated fresh buffers 17:32:21,118 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received EOF 17:32:21,118 TRACE [org.jboss.remoting.remote] (management I/O-2) Received connection end-of-stream 17:32:21,441 INFO [org.jboss.eapqe.krbldap.eap7.utils.CustomCLIExecutor] (main) CLI executor output: 17:32:21,441 INFO [org.jboss.eapqe.krbldap.eap7.utils.CustomCLIExecutor] (main) Java config name: /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb5-945898887586223869.conf Loaded from Java config >>>KinitOptions cache name is /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb5cc >>>DEBUG <CCacheInputStream> client principal is hnelson7259cb36-69b2-4e28-afb5-f668120a8dea@JBOSS.ORG >>>DEBUG <CCacheInputStream> server principal is krbtgt/JBOSS.ORG@JBOSS.ORG >>>DEBUG <CCacheInputStream> key type: 17 >>>DEBUG <CCacheInputStream> auth time: Thu Feb 23 17:32:11 CET 2017 >>>DEBUG <CCacheInputStream> start time: Thu Feb 23 17:32:11 CET 2017 >>>DEBUG <CCacheInputStream> end time: Fri Feb 24 01:32:11 CET 2017 >>>DEBUG <CCacheInputStream> renew_till time: null >>> CCacheInputStream: readFlags() INITIAL; PRE_AUTH; Found ticket for hnelson7259cb36-69b2-4e28-afb5-f668120a8dea@JBOSS.ORG to go to krbtgt/JBOSS.ORG@JBOSS.ORG expiring on Fri Feb 24 01:32:11 CET 2017 Entered Krb5Context.initSecContext with state=STATE_NEW Service ticket not found in the subject >>> Credentials acquireServiceCreds: same realm default etypes for default_tgs_enctypes: 17. >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType >>> KdcAccessibility: reset >>> KrbKdcReq send: kdc=localhost.localdomain UDP:6088, timeout=5000, number of retries =3, #bytes=648 >>> KDCCommunication: kdc=localhost.localdomain UDP:6088, timeout=5000,Attempt =1, #bytes=648 >>> KrbKdcReq send: #bytes read=634 >>> KdcAccessibility: remove localhost.localdomain:6088 >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType >>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000 >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType Krb5Context setting mySeqNumber to: 951540638 Krb5Context setting peerSeqNumber to: 0 Created InitSecContextToken: 0000: 01 00 6E 82 02 2C 30 82 02 28 A0 03 02 01 05 A1 ..n..,0..(...... 0010: 03 02 01 0E A2 07 03 05 00 00 00 00 00 A3 82 01 ................ 0020: 2C 61 82 01 28 30 82 01 24 A0 03 02 01 05 A1 0B ,a..(0..$....... 0030: 1B 09 4A 42 4F 53 53 2E 4F 52 47 A2 2A 30 28 A0 ..JBOSS.ORG.*0(. 0040: 03 02 01 00 A1 21 30 1F 1B 06 72 65 6D 6F 74 65 .....!0...remote 0050: 1B 15 6C 6F 63 61 6C 68 6F 73 74 2E 6C 6F 63 61 ..localhost.loca 0060: 6C 64 6F 6D 61 69 6E A3 81 E3 30 81 E0 A0 03 02 ldomain...0..... 0070: 01 11 A2 81 D8 04 81 D5 AF 46 53 89 B1 22 66 A6 .........FS.."f. 0080: C7 3C 9B 50 EB 36 7C D7 95 45 C9 46 BE A7 17 43 .<.P.6...E.F...C 0090: CD 9E DB B1 34 F7 1E 89 A4 D8 7B 2D 37 F9 4D DE ....4......-7.M. 00A0: 8C B6 9D 07 83 2B 3E BF 80 34 34 CB 52 B9 01 95 .....+>..44.R... 00B0: AF 07 D1 8A 15 F8 7D 29 56 03 63 36 13 44 17 0B .......)V.c6.D.. 00C0: C9 31 CD 6F 41 35 5D B2 5A 5F 25 27 20 8D DE 9A .1.oA5].Z_%' ... 00D0: 1B A9 26 A9 22 E2 81 4C 18 BB F9 15 27 A4 75 68 ..&."..L....'.uh 00E0: AF FE F4 2D 84 6D 44 24 73 C8 18 C0 3E 85 3E 0C ...-.mD$s...>.>. 00F0: 6E 2C 89 FA 54 0B F6 E4 D3 C9 DA A3 61 14 5F 97 n,..T.......a._. 0100: 1D FE 6A 70 D7 C7 9C D2 91 D7 D0 B0 88 20 A1 C8 ..jp......... .. 0110: 53 42 DD 6B DB 3C 39 DC 2C DF 8A 52 C9 8B E4 0B SB.k.<9.,..R.... 0120: AD 05 B8 81 08 0E D2 4E 83 F9 23 C8 DC F1 9A 42 .......N..#....B 0130: BD 44 A4 DB CB E6 64 9B 9D 53 FA F3 4E 77 99 5F .D....d..S..Nw._ 0140: AE 0C B3 52 11 B5 6E 65 FB 2C 6E D9 49 A4 81 E2 ...R..ne.,n.I... 0150: 30 81 DF A0 03 02 01 11 A2 81 D7 04 81 D4 13 3B 0..............; 0160: BB 37 F0 B9 F9 C3 60 E0 80 DA A2 8D 0C E9 8A 34 .7....`........4 0170: DA E1 55 CB 4F 09 EB 36 3A F4 68 D3 90 D9 0F CD ..U.O..6:.h..... 0180: 0F BA 50 1C A9 5C 70 84 1B CD 43 12 33 41 8A CA ..P..\p...C.3A.. 0190: 46 B0 21 4B 10 D7 22 5C EC D0 79 C1 0D 5E 1C 58 F.!K.."\..y..^.X 01A0: 64 7C 75 43 77 96 82 1F 3A AD A2 C1 C4 9B 96 5B d.uCw...:......[ 01B0: 0D 1B DC 60 BD 76 91 69 53 DE 2F 34 CF 9E 0B EE ...`.v.iS./4.... 01C0: 8D D9 98 E0 37 AB 8D 2F 0D 61 B5 8C 10 43 20 2B ....7../.a...C + 01D0: 6D 36 E1 0F 5B 23 22 8A 76 1B 55 0C 2E A1 8C D7 m6..[#".v.U..... 01E0: 8C 6F D2 07 2B 26 3B BF 54 74 9B 76 4A 78 2B E8 .o..+&;.Tt.vJx+. 01F0: 70 E3 81 08 E9 8B A3 F1 69 A3 E2 BE 1D 5B 8F 3A p.......i....[.: 0200: 0F 34 3D 2D 01 69 C4 FC 67 FB 13 4B F3 D9 BE 94 .4=-.i..g..K.... 0210: 9D 24 75 92 32 13 4B 8B 18 D0 FF 3B F9 51 19 90 .$u.2.K....;.Q.. 0220: 44 63 61 BF A0 91 9E 76 9D 42 AA 3D B3 46 64 0A Dca....v.B.=.Fd. 0230: 0D 19 .. Failed to connect to the controller: Unable to authenticate against controller at localhost.localdomain:9990: Authentication failed: all available authentication mechanisms failed: GSSAPI: Server rejected authentication
- clones
-
JBEAP-9084 Regression against 7.0.GA, Kerberos over CLI
- Closed