Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-2892

Regression in legacy security in DR17, Kerberos for CLI

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Cannot Reproduce
    • Icon: Blocker Blocker
    • 3.0.0.Beta27
    • 3.0.0.Beta23
    • Security
    • None
    • Hide
      Show
      Follow documentation https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/html-single/how_to_set_up_sso_with_kerberos/#configure-krb-management-interfaces Misconfiugre server-identity=kerberos to use wrong realm (remote/localhost.localdomain@WRONG_REALM.ORG) or wrong service (WRONG_SERVICE/localhost.localdomain@JBOSS.ORG) /core-service=management/security-realm=ManagementRealm/server-identity=kerberos/keytab=remote\/hostname@WRONG_REALM.ORG:add( path=/home\/username\/service.keytab,debug= true ) specifying fallback user with jboss-cli parameters --user and --password does not work.

      User impact: User relying on fallback authentication mechanism in case of Kerberos can't.

      This worked well in DR16.

      When GSSAPI mechanism fails other mechanism e.g. PLAIN doesn't occure.

      server.log
      14:47:03,078 TRACE [org.wildfly.security] (management I/O-2) Handling MechanismInformationCallback type='SASL' name='GSSAPI' host-name='localhost.localdomain' protocol='remote'
      14:47:03,078 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) configuredMaxReceiveBuffer=16777215
      14:47:03,078 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) relaxComplianceChecks=false
      14:47:03,078 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) QOP={AUTH}
      14:47:03,078 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) Obtaining GSSCredential for the service from callback handler...
      14:47:03,078 TRACE [org.jboss.as.domain.management.security] (management I/O-2) Selected KeytabService with principal 'remote/localhost.localdomain@WRONG_REALM.ORG' for host 'localhost.localdomain'
      14:47:03,079 INFO  [stdout] (management I/O-2) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator false KeyTab is /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.5505588796137857648.keytab refreshKrb5Config is false principal is remote/localhost.localdomain@WRONG_REALM.ORG tryFirstPass is false useFirstPass is false storePass is false clearPass is false
      14:47:03,079 INFO  [stdout] (management I/O-2) principal is remote/localhost.localdomain@WRONG_REALM.ORG
      14:47:03,079 INFO  [stdout] (management I/O-2) Will use keytab
      14:47:03,079 INFO  [stdout] (management I/O-2) Commit Succeeded 
      14:47:03,079 INFO  [stdout] (management I/O-2) 
      14:47:03,079 INFO  [stdout] (management I/O-2) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.5505588796137857648.keytab for remote/localhost.localdomain@WRONG_REALM.ORG
      14:47:03,080 INFO  [stdout] (management I/O-2) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.5505588796137857648.keytab for remote/localhost.localdomain@WRONG_REALM.ORG
      14:47:03,080 INFO  [stdout] (management I/O-2) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.5505588796137857648.keytab for remote/localhost.localdomain@WRONG_REALM.ORG
      14:47:03,080 INFO  [stdout] (management I/O-2) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.5505588796137857648.keytab for remote/localhost.localdomain@WRONG_REALM.ORG
      14:47:03,080 TRACE [org.wildfly.security] (management I/O-2) Handling ServerCredentialCallback: successfully obtained credential type type=class org.wildfly.security.credential.GSSKerberosCredential, algorithm=null, params=null
      14:47:03,080 TRACE [org.jboss.remoting.endpoint] (management I/O-2) Allocated tick to 9 of endpoint "localhost:MANAGEMENT" <15985cc1> (opened org.jboss.remoting3.EndpointImpl$TrackingExecutor@211c95d4)
      14:47:03,081 INFO  [stdout] (management task-6) Entered Krb5Context.acceptSecContext with state=STATE_NEW
      14:47:03,082 INFO  [stdout] (management task-6) Looking for keys for: remote/localhost.localdomain@WRONG_REALM.ORG
      14:47:03,083 TRACE [org.jboss.remoting.remote.server] (management task-6) Server sending authentication rejected: javax.security.sasl.SaslException: ELY05031: [GSSAPI] Unable to accept SASL client message [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES128 CTS mode with HMAC SHA1-96)]
      	at org.wildfly.security.sasl.gssapi.GssapiServer.evaluateMessage(GssapiServer.java:152)
      	at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:180)
      	at org.wildfly.security.sasl.gssapi.GssapiServer.evaluateResponse(GssapiServer.java:121)
      	at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
      	at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
      	at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:57)
      	at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)
      	at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)
      	at org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:467)
      	at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:891)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES128 CTS mode with HMAC SHA1-96)
      	at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
      	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
      	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
      	at org.wildfly.security.sasl.gssapi.GssapiServer.evaluateMessage(GssapiServer.java:131)
      	... 12 more
      Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES128 CTS mode with HMAC SHA1-96
      	at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278)
      	at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
      	at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
      	at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
      	... 15 more
      
      14:47:03,083 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-6) dispose
      14:47:03,083 TRACE [org.wildfly.security] (management task-6) Handling AuthenticationCompleteCallback: fail
      14:47:03,084 TRACE [org.jboss.remoting.endpoint] (management task-6) Resource closed count 00000008 of endpoint "localhost:MANAGEMENT" <15985cc1> (closed org.jboss.remoting3.EndpointImpl$TrackingExecutor@211c95d4)
      14:47:03,084 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Sent 5 bytes
      14:47:03,084 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Flushed channel
      14:47:03,084 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Shut down writes on channel
      14:47:03,086 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers in queue for message header
      14:47:03,086 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated fresh buffers
      14:47:03,086 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received EOF
      14:47:03,087 TRACE [org.jboss.remoting.remote] (management I/O-2) Received connection end-of-stream
      14:47:03,108 INFO  [org.jboss.eapqe.krbldap.eap7.utils.CustomCLIExecutor] (main) CLI executor output:
      14:47:03,109 INFO  [org.jboss.eapqe.krbldap.eap7.utils.CustomCLIExecutor] (main) Java config name: /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb5-1708048015373854835.conf
      Loaded from Java config
      >>>KinitOptions cache name is /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb5cc
      >>>DEBUG <CCacheInputStream>  client principal is hnelson30d3d46a-214b-4b2d-903e-c484ebab7908@JBOSS.ORG
      >>>DEBUG <CCacheInputStream> server principal is krbtgt/JBOSS.ORG@JBOSS.ORG
      >>>DEBUG <CCacheInputStream> key type: 17
      >>>DEBUG <CCacheInputStream> auth time: Tue May 02 14:46:23 CEST 2017
      >>>DEBUG <CCacheInputStream> start time: Tue May 02 14:46:23 CEST 2017
      >>>DEBUG <CCacheInputStream> end time: Tue May 02 22:46:23 CEST 2017
      >>>DEBUG <CCacheInputStream> renew_till time: null
      >>> CCacheInputStream: readFlags()  INITIAL; PRE_AUTH;
      Found ticket for hnelson30d3d46a-214b-4b2d-903e-c484ebab7908@JBOSS.ORG to go to krbtgt/JBOSS.ORG@JBOSS.ORG expiring on Tue May 02 22:46:23 CEST 2017
      Entered Krb5Context.initSecContext with state=STATE_NEW
      Service ticket not found in the subject
      >>> Credentials acquireServiceCreds: same realm
      default etypes for default_tgs_enctypes: 17.
      >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
      >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
      >>> KdcAccessibility: reset
      >>> KrbKdcReq send: kdc=localhost.localdomain UDP:6088, timeout=5000, number of retries =3, #bytes=648
      >>> KDCCommunication: kdc=localhost.localdomain UDP:6088, timeout=5000,Attempt =1, #bytes=648
      >>> KrbKdcReq send: #bytes read=634
      >>> KdcAccessibility: remove localhost.localdomain:6088
      >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
      >>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000
      >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
      Krb5Context setting mySeqNumber to: 23519002
      Krb5Context setting peerSeqNumber to: 0
      Created InitSecContextToken:
      0000: 01 00 6E 82 02 2C 30 82   02 28 A0 03 02 01 05 A1  ..n..,0..(......
      0010: 03 02 01 0E A2 07 03 05   00 00 00 00 00 A3 82 01  ................
      0020: 2C 61 82 01 28 30 82 01   24 A0 03 02 01 05 A1 0B  ,a..(0..$.......
      0030: 1B 09 4A 42 4F 53 53 2E   4F 52 47 A2 2A 30 28 A0  ..JBOSS.ORG.*0(.
      0040: 03 02 01 00 A1 21 30 1F   1B 06 72 65 6D 6F 74 65  .....!0...remote
      0050: 1B 15 6C 6F 63 61 6C 68   6F 73 74 2E 6C 6F 63 61  ..localhost.loca
      0060: 6C 64 6F 6D 61 69 6E A3   81 E3 30 81 E0 A0 03 02  ldomain...0.....
      0070: 01 11 A2 81 D8 04 81 D5   6B C5 1A F4 8B 3A B3 7B  ........k....:..
      0080: AE 21 B6 7C 76 DA 7F 42   F7 74 77 08 B1 47 5E 91  .!..v..B.tw..G^.
      0090: 2D 93 54 AA FF 8B A2 A3   F4 ED E4 20 58 8F 1D 3A  -.T........ X..:
      00A0: 11 1D E7 26 86 BF 70 A9   64 F2 D4 B6 E5 5A 7B 6D  ...&..p.d....Z.m
      00B0: D4 4A 47 C3 7E A8 40 8F   6A CE B1 B0 E4 8C 00 CC  .JG...@.j.......
      00C0: AD D0 30 23 D7 A2 6D 55   58 32 9C 0E 4D 48 78 62  ..0#..mUX2..MHxb
      00D0: 7C BD C5 64 05 A4 2A F1   A7 D9 29 C2 78 F5 A0 E8  ...d..*...).x...
      00E0: C3 24 77 34 C0 6A 70 27   42 20 47 EA E8 BE 7A 1C  .$w4.jp'B G...z.
      00F0: 72 3A AB 01 E9 5B 71 7A   86 AE E8 D8 00 94 17 2F  r:...[qz......./
      0100: 3F 8F 62 FC 58 4B 27 86   24 78 B9 97 71 1B E4 ED  ?.b.XK'.$x..q...
      0110: 93 A5 8F 1C 1B 7A 31 17   E4 E5 90 2A 02 88 22 39  .....z1....*.."9
      0120: 9D B9 48 05 89 A2 8D F6   4F E7 29 C6 75 CE 2A EB  ..H.....O.).u.*.
      0130: A4 EB 60 C7 DA 26 AB 75   17 8C 9E 0B 55 A6 69 5B  ..`..&.u....U.i[
      0140: 53 DF 41 F7 E0 48 01 53   44 F3 8A 8F 5A A4 81 E2  S.A..H.SD...Z...
      0150: 30 81 DF A0 03 02 01 11   A2 81 D7 04 81 D4 F2 C9  0...............
      0160: 95 00 E1 89 EB 9F AF 03   DB 8E 9C 9B F5 FF E4 AF  ................
      0170: BD AB 4C FA 87 FD 87 B4   0B C8 21 53 7C A2 D9 07  ..L.......!S....
      0180: 0D 63 D5 EA 76 D4 30 C4   17 ED 1D 90 6B 46 20 BE  .c..v.0.....kF .
      0190: 28 C0 02 87 7D D8 EC 21   0F 50 FC 39 D7 0B AD C3  (......!.P.9....
      01A0: 07 10 7A F4 79 71 0E 59   5C 8D 55 D6 71 54 4B 35  ..z.yq.Y\.U.qTK5
      01B0: EE E7 33 87 BD 21 78 79   76 49 DF FA 17 CA 5A B2  ..3..!xyvI....Z.
      01C0: A6 72 4C 6B E2 CB A6 8F   2E 8B 1B F4 DD 41 4D 85  .rLk.........AM.
      01D0: 5D 9A 92 5A 90 EB 2F 80   7A 02 F4 05 9A 54 1D D5  ]..Z../.z....T..
      01E0: 0F 04 12 53 29 1D A1 D3   5B 08 E4 FA 75 F0 AE 2E  ...S)...[...u...
      01F0: F6 07 0E 44 BD F2 6C 0F   3F 95 14 D6 75 2F 12 08  ...D..l.?...u/..
      0200: 0E F5 6E B9 CB 28 6A 5C   51 7E 4F 9D E0 2F 18 1C  ..n..(j\Q.O../..
      0210: 0D 0D 18 AA 31 FE 8E D2   42 AD CA 62 B1 EF 69 9D  ....1...B..b..i.
      0220: 88 82 57 36 58 B2 72 CF   35 54 B1 BE 9B 57 10 F5  ..W6X.r.5T...W..
      0230: 2C FF                                              ,.
      
      Failed to connect to the controller: The controller is not available at localhost.localdomain:9990: java.net.ConnectException: WFLYPRT0053: Could not connect to remote+http://localhost.localdomain:9990. The connection failed: WFLYPRT0053: Could not connect to remote+http://localhost.localdomain:9990. The connection failed: JBREM000202: Abrupt close on Remoting connection 79a3d728 to localhost.localdomain/127.0.0.1:9990 of endpoint "cli-client" <24aed80c>
      

            darran.lofthouse@redhat.com Darran Lofthouse
            darran.lofthouse@redhat.com Darran Lofthouse
            Martin Choma Martin Choma
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: