- Bug
- Resolution: Duplicate
- Major
- None
- None
There is a regression in the strategy for choosing a keytab, as described by the XSD
wildfly-config_5_0.xsd
<xs:element name="keytab">
  <xs:complexType>
    <xs:annotation>
      <xs:documentation>
        Reference to an individual keytab.

        On handling the authentication for an incoming request two pieces of information are known, the protocol and the name of the host this server is acting as. For HTTP requests the protocol will always be HTTP, for requests over Remoting by default the protocol will be 'remote' although this can be overridden.

        At the time authentication is going to be handled the keytab will be selected as follows: -
        1 - Iterate the list of keytabs and identify one where the for-hosts attribute contains an entry matching protocol/hostname.
        2 - Iterate the list of keytabs and identify one where the name of the principal matches protocol/hostname.
        3 - Iterate the list of keytabs and identify one where the for-hosts attribute contains an entry matching hostname.
        4 - Iterate the list of keytabs and identify one where the hostname portion of the principal matches the hostname of the request.
        5 - Use the keytab where for-hosts is set to '*'.

        If no match is found no keytab will be selected and Kerberos will not be available for communication as that host.
      </xs:documentation>
    </xs:annotation>
In this example
standalone.xml
<security-realm name="PriorityForHostsProtocolBeforePrincipal">
  <server-identities>
    <kerberos>
      <keytab principal="HTTP/localhost.localdomain@JBOSS.ORG" path="krb.keytab" for-hosts="wrongprotocol/localhost.localdomain"/>
      <keytab principal="HTTP/wronghost@JBOSS.ORG" path="krb.keytab" for-hosts="HTTP/localhost.localdomain"/>
    </kerberos>
Rule 1 should be applied, but <keytab principal="HTTP/localhost.localdomain@JBOSS.ORG" path="krb.keytab" for-hosts="wrongprotocol/localhost.localdomain"/> is chosen.
server.log
10:28:40,743 TRACE [org.jboss.as.domain.management.security] (management task-8) No mapping for name 'http/localhost.localdomain' to KeytabService, attempting to use host only match.
10:28:40,744 TRACE [org.jboss.as.domain.management.security] (management task-8) Selected KeytabService with principal 'HTTP/localhost.localdomain@JBOSS.ORG' for host 'localhost.localdomain'
10:28:40,744 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
10:28:40,745 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
10:28:40,745 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
10:28:40,745 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
10:28:40,847 TRACE [org.jboss.as.domain.management.security] (management task-9) No mapping for name 'http/localhost.localdomain' to KeytabService, attempting to use host only match.
10:28:40,848 TRACE [org.jboss.as.domain.management.security] (management task-9) Selected KeytabService with principal 'HTTP/localhost.localdomain@JBOSS.ORG' for host 'localhost.localdomain'
10:28:40,848 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
10:28:40,848 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
10:28:40,849 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
10:28:40,849 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
In this example
standalone.xml
<security-realm name="PriorityProtocolPrincipalBeforeForHosts">
  <server-identities>
    <kerberos>
      <keytab principal="HTTP/localhost.localdomain@JBOSS.ORG" path="krb.keytab" for-hosts="wronghost"/>
      <keytab principal="HTTP/wronghost@JBOSS.ORG" path="krb.keytab" for-hosts="localhost.localdomain"/>
    </kerberos>
Rule 2 should be applied, but <keytab principal="HTTP/wronghost@JBOSS.ORG" path="krb.keytab" for-hosts="localhost.localdomain"/> is chosen.
server.log
10:29:21,889 TRACE [org.jboss.as.domain.management.security] (management task-8) No mapping for name 'http/localhost.localdomain' to KeytabService, attempting to use host only match.
10:29:21,890 TRACE [org.jboss.as.domain.management.security] (management task-8) Selected KeytabService with principal 'HTTP/wronghost@JBOSS.ORG' for host 'localhost.localdomain'
10:29:21,890 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
10:29:21,890 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
10:29:21,891 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
10:29:21,891 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
10:29:21,955 TRACE [org.jboss.as.domain.management.security] (management task-9) No mapping for name 'http/localhost.localdomain' to KeytabService, attempting to use host only match.
10:29:21,955 TRACE [org.jboss.as.domain.management.security] (management task-9) Selected KeytabService with principal 'HTTP/wronghost@JBOSS.ORG' for host 'localhost.localdomain'
10:29:21,957 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
10:29:21,957 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
10:29:21,958 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
10:29:21,958 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
10:29:21,959 INFO [stdout] (management task-9) Entered Krb5Context.acceptSecContext with state=STATE_NEW
10:29:21,960 INFO [stdout] (management task-9) Looking for keys for: HTTP/wronghost@JBOSS.ORG
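The Python below is an added reference model of the five-rule selection order quoted from wildfly-config_5_0.xsd; it is not WildFly's own KeytabService code and is here only to show which keytab the documented rules would pick for the two realm configurations in this report, for comparison with the principals the server.log traces show were actually selected. It assumes that for-hosts is a whitespace-separated list (as written in the standalone.xml fragments), that names are compared case-insensitively (the TRACE lines look up the lower-cased 'http/localhost.localdomain'), and it embeds the two <kerberos> blocks as constructed input, closed with the end tags the truncated fragments above omit; the third, wildcard realm is constructed purely to exercise rule 5.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Constructed sample input: the two <kerberos> blocks from this report,
# closed so that they parse as complete XML fragments.
REALM_FOR_HOSTS_FIRST = """
<kerberos>
  <keytab principal="HTTP/localhost.localdomain@JBOSS.ORG" path="krb.keytab"
          for-hosts="wrongprotocol/localhost.localdomain"/>
  <keytab principal="HTTP/wronghost@JBOSS.ORG" path="krb.keytab"
          for-hosts="HTTP/localhost.localdomain"/>
</kerberos>
"""

REALM_PRINCIPAL_FIRST = """
<kerberos>
  <keytab principal="HTTP/localhost.localdomain@JBOSS.ORG" path="krb.keytab"
          for-hosts="wronghost"/>
  <keytab principal="HTTP/wronghost@JBOSS.ORG" path="krb.keytab"
          for-hosts="localhost.localdomain"/>
</kerberos>
"""

# Constructed, not from the report: a catch-all keytab to exercise rule 5.
REALM_WILDCARD = """
<kerberos>
  <keytab principal="remote/other.example@JBOSS.ORG" path="krb.keytab" for-hosts="*"/>
</kerberos>
"""


def parse_keytabs(kerberos_xml: str) -> List[dict]:
    """Return one dict per <keytab>: principal, path and the for-hosts entries.

    Assumption: for-hosts is a whitespace-separated list of entries.
    """
    root = ET.fromstring(kerberos_xml.strip())
    return [
        {
            "principal": kt.get("principal"),
            "path": kt.get("path"),
            "for_hosts": kt.get("for-hosts", "").split(),
        }
        for kt in root.findall("keytab")
    ]


def _principal_name(principal: str) -> str:
    """'HTTP/host@REALM' -> 'HTTP/host' (strip the realm)."""
    return principal.split("@", 1)[0]


def _principal_host(principal: str) -> str:
    """'HTTP/host@REALM' -> 'host'; a principal without '/' has no host part."""
    name = _principal_name(principal)
    return name.split("/", 1)[1] if "/" in name else ""


def _eq(a: str, b: str) -> bool:
    # Assumption: matching is case-insensitive, as the TRACE lines suggest
    # (the server looks up the lower-cased name 'http/localhost.localdomain').
    return a.lower() == b.lower()


def select_keytab(keytabs: List[dict], protocol: str, hostname: str) -> Optional[Tuple[int, dict]]:
    """Apply the five documented rules in order; return (rule, keytab) or None.

    Each rule scans the whole keytab list before the next rule is tried,
    which is what 'Iterate the list of keytabs and identify one ...' says.
    """
    target = f"{protocol}/{hostname}"
    rules = [
        # 1 - for-hosts contains an entry equal to protocol/hostname
        lambda kt: any(_eq(h, target) for h in kt["for_hosts"]),
        # 2 - the principal name (realm stripped) equals protocol/hostname
        lambda kt: _eq(_principal_name(kt["principal"]), target),
        # 3 - for-hosts contains the bare hostname
        lambda kt: any(_eq(h, hostname) for h in kt["for_hosts"]),
        # 4 - the hostname portion of the principal equals the hostname
        lambda kt: _eq(_principal_host(kt["principal"]), hostname),
        # 5 - for-hosts is the wildcard '*'
        lambda kt: "*" in kt["for_hosts"],
    ]
    for number, matches in enumerate(rules, start=1):
        for kt in keytabs:
            if matches(kt):
                return number, kt
    return None  # no keytab: Kerberos is not available for this host


def expected_selection(kerberos_xml: str, protocol: str = "HTTP",
                       hostname: str = "localhost.localdomain") -> Optional[Tuple[int, str]]:
    """(rule number, principal) the documented order would pick, or None."""
    result = select_keytab(parse_keytabs(kerberos_xml), protocol, hostname)
    return None if result is None else (result[0], result[1]["principal"])


if __name__ == "__main__":
    for name, xml in [("PriorityForHostsProtocolBeforePrincipal", REALM_FOR_HOSTS_FIRST),
                      ("PriorityProtocolPrincipalBeforeForHosts", REALM_PRINCIPAL_FIRST)]:
        print(name, "->", expected_selection(xml))
```

For the first realm the model returns rule 1 with HTTP/wronghost@JBOSS.ORG, and for the second rule 2 with HTTP/localhost.localdomain@JBOSS.ORG; in both cases the server.log traces above show the other keytab being selected after a host-only match, which is the mismatch this issue reports.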
- clones: JBEAP-8566 Legacy Kerberos in management, regression in choosing keytab strategy (Closed)
- duplicates: WFCORE-2398 Legacy Kerberos in management, EAP search for HTTPS/localhost ticket (Resolved)