
Regression in DR19, Elytron unable to authenticate with kerberos using jboss-cli


    • Type: Bug
    • Resolution: Done
    • Priority: Blocker
    • Fix Version: 3.0.0.Beta29
    • Component: Security
      /subsystem=elytron/configurable-sasl-server-factory=configured:list-add(name=filters, value={pattern-filter=GSSAPI})
      /subsystem=elytron/kerberos-security-factory=kerberosSecurityFactory:add(name=kerberosSecurityFactory, principal=remote/localhost.localdomain@JBOSS.ORG, path=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.1141298291371780269.keytab, debug=true)
      /subsystem=elytron/filesystem-realm=fileSystemRealm:add(path=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/KerberosCLITestCase/fs-realm-users)
      /subsystem=elytron/simple-role-decoder=simpleRoleDecoder:add(attribute=Roles)
      /subsystem=elytron/regex-principal-transformer=principalTransformer:add(pattern=@.*, replacement=)
      /subsystem=elytron/security-domain=securityDomain:add(default-realm=fileSystemRealm, realms=[{realm => fileSystemRealm, role-decoder => simpleRoleDecoder}], pre-realm-principal-transformer=principalTransformer, permission-mapper=default-permission-mapper)
      /subsystem=elytron/sasl-authentication-factory=SaslAuthenticationFactory:add(security-domain=securityDomain, sasl-server-factory=configured, mechanism-configurations=[{mechanism-name => GSSAPI, credential-security-factory => kerberosSecurityFactory, mechanism-realm-configurations => [{realm-name => fileSystemRealm}]}])
      /subsystem=elytron/filesystem-realm=fileSystemRealm:add-identity(identity=jdukef3677204-8397-4dd5-bc7b-160d26c0aefb)
      /core-service=management/management-interface=http-interface:write-attribute(name=http-upgrade.sasl-authentication-factory, value=SaslAuthenticationFactory){allow-resource-service-restart=true}
      

      [1] https://doc-stage.usersys.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1.beta/html-single/how_to_set_up_sso_with_kerberos/#configure-krb-management-interfaces


      Trying to connect with jboss-cli to the server using Kerberos leads to an error:

      14:41:22,654 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-7) Client selected security layer AUTH, with maxBuffer of 65536
      14:41:22,655 TRACE [org.jboss.remoting.remote.server] (management task-7) Server sending authentication rejected: javax.security.sasl.SaslException: ELY05123: [GSSAPI] No security layer selected but message length received
      	at org.wildfly.security.sasl.gssapi.GssapiServer.evaluateMessage(GssapiServer.java:245)
      	at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:180)
      	at org.wildfly.security.sasl.gssapi.GssapiServer.evaluateResponse(GssapiServer.java:121)
      	at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
      	at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
      	at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:57)
      	at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)
      	at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)
      	at org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:470)
      	at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:902)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      

      The error message is a little bit confusing, as the previous log message claims the AUTH security layer is selected.

      Looking into the code does not reveal the meaning to me either.

      GssapiServer.java
      	// selectedQop is the security-layer octet from the client's response and
      	// maxBuffer the 3-octet maximum message size it advertised (RFC 4752 section 3.1).
      	log.tracef("Client selected security layer %s, with maxBuffer of %d", selectedQop, maxBuffer);
      	// RFC 4752 requires that size to be 0 when no security layer (AUTH) is chosen;
      	// a non-zero size is rejected unless compliance checks are relaxed.
      	if (relaxComplianceChecks == false && selectedQop == QOP.AUTH && maxBuffer != 0) {
      	    throw log.mechNoSecurityLayerButLengthReceived(getMechanismName()).toSaslException();
      	}
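As an added illustration (constructed example, not Elytron or WildFly code), the following models the RFC 4752 security-layer step that the check above enforces: the client's 4-octet choice, the strict server check that yields ELY05123, and the relaxed variant. It assumes the cleartext has already been unwrapped; the GSS_Wrap/GSS_Unwrap around it on the wire is omitted.

```python
"""Constructed model of the RFC 4752 security-layer negotiation step that the
Elytron check above enforces; added example code, not Elytron's own."""

# Security-layer bit-mask values (RFC 4752 section 3.3)
QOP_AUTH = 0x01       # no security layer
QOP_AUTH_INT = 0x02   # integrity protection
QOP_AUTH_CONF = 0x04  # confidentiality protection

ELY05123 = "ELY05123: [GSSAPI] No security layer selected but message length received"


def encode_client_choice(qop: int, max_buffer: int) -> bytes:
    """Build the 4-octet cleartext a client wraps with GSS_Wrap and returns:
    octet 1 = selected layer, octets 2-4 = max receive size, big-endian.
    RFC 4752 requires that size to be 0 when no security layer is selected."""
    if not 0 <= max_buffer <= 0xFFFFFF:
        raise ValueError("max buffer must fit in 24 bits")
    return bytes([qop]) + max_buffer.to_bytes(3, "big")


def evaluate_client_choice(token: bytes, relax_compliance_checks: bool = False):
    """Server-side evaluation of the unwrapped cleartext, mirroring the
    condition in GssapiServer.evaluateMessage. Returns (qop, max_buffer)."""
    if len(token) != 4:
        raise ValueError("expected a 4-octet security layer response")
    selected_qop = token[0]
    max_buffer = int.from_bytes(token[1:4], "big")
    if selected_qop not in (QOP_AUTH, QOP_AUTH_INT, QOP_AUTH_CONF):
        raise ValueError(f"unsupported security layer bit-mask {selected_qop:#04x}")
    # AUTH selected but a non-zero length advertised: rejected unless relaxed.
    if not relax_compliance_checks and selected_qop == QOP_AUTH and max_buffer != 0:
        raise ValueError(ELY05123)
    return selected_qop, max_buffer


def is_accepted(token: bytes, relax_compliance_checks: bool = False) -> bool:
    """True when the server would accept the client's security-layer choice."""
    try:
        evaluate_client_choice(token, relax_compliance_checks)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The combination from the trace log above: AUTH with maxBuffer 65536.
    from_log = encode_client_choice(QOP_AUTH, 65536)
    print("strict:", is_accepted(from_log))                             # False
    print("relaxed:", is_accepted(from_log, True))                      # True
    print("compliant:", is_accepted(encode_client_choice(QOP_AUTH, 0)))  # True
```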
      

            Assignee: Darran Lofthouse (darran.lofthouse@redhat.com)
            Reporter: Martin Choma (mchoma@redhat.com)
            Votes: 0
            Watchers: 1