Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-2931

Regression in DR19, Elytron unable to authenticate with kerberos using jboss-cli

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Blocker Blocker
    • 3.0.0.Beta29
    • None
    • Security
    • None
    • Hide
      /subsystem=elytron/configurable-sasl-server-factory=configured:list-add(name=filters, value={pattern-filter=GSSAPI})
      /subsystem=elytron/kerberos-security-factory=kerberosSecurityFactory:add(name=kerberosSecurityFactory, principal=remote/localhost.localdomain@JBOSS.ORG, path=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.1141298291371780269.keytab, debug=true)
      /subsystem=elytron/filesystem-realm=fileSystemRealm:add(path=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/KerberosCLITestCase/fs-realm-users)
      /subsystem=elytron/simple-role-decoder=simpleRoleDecoder:add(attribute=Roles)
      /subsystem=elytron/regex-principal-transformer=principalTransformer:add(pattern=@.*, replacement=)
      /subsystem=elytron/security-domain=securityDomain:add(default-realm=fileSystemRealm, realms=[{realm => fileSystemRealm, role-decoder => simpleRoleDecoder}], pre-realm-principal-transformer=principalTransformer, permission-mapper=default-permission-mapper)
      /subsystem=elytron/sasl-authentication-factory=SaslAuthenticationFactory:add(security-domain=securityDomain, sasl-server-factory=configured, mechanism-configurations=[{mechanism-name => GSSAPI, credential-security-factory => kerberosSecurityFactory, mechanism-realm-configurations => [{realm-name => fileSystemRealm}]}])
      /subsystem=elytron/filesystem-realm=fileSystemRealm:add-identity(identity=jdukef3677204-8397-4dd5-bc7b-160d26c0aefb)
      /core-service=management/management-interface=http-interface:write-attribute(name=http-upgrade.sasl-authentication-factory, value=SaslAuthenticationFactory){allow-resource-service-restart=true}
      

      [1] https://doc-stage.usersys.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1.beta/html-single/how_to_set_up_sso_with_kerberos/#configure-krb-management-interfaces

      Show
      /subsystem=elytron/configurable-sasl-server-factory=configured:list-add(name=filters, value={pattern-filter=GSSAPI}) /subsystem=elytron/kerberos-security-factory=kerberosSecurityFactory:add(name=kerberosSecurityFactory, principal=remote/localhost.localdomain@JBOSS.ORG, path=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.1141298291371780269.keytab, debug= true ) /subsystem=elytron/filesystem-realm=fileSystemRealm:add(path=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/KerberosCLITestCase/fs-realm-users) /subsystem=elytron/simple-role-decoder=simpleRoleDecoder:add(attribute=Roles) /subsystem=elytron/regex-principal-transformer=principalTransformer:add(pattern=@.*, replacement=) /subsystem=elytron/security-domain=securityDomain:add( default -realm=fileSystemRealm, realms=[{realm => fileSystemRealm, role-decoder => simpleRoleDecoder}], pre-realm-principal-transformer=principalTransformer, permission-mapper= default -permission-mapper) /subsystem=elytron/sasl-authentication-factory=SaslAuthenticationFactory:add(security-domain=securityDomain, sasl-server-factory=configured, mechanism-configurations=[{mechanism-name => GSSAPI, credential-security-factory => kerberosSecurityFactory, mechanism-realm-configurations => [{realm-name => fileSystemRealm}]}]) /subsystem=elytron/filesystem-realm=fileSystemRealm:add-identity(identity=jdukef3677204-8397-4dd5-bc7b-160d26c0aefb) /core-service=management/management- interface =http- interface :write-attribute(name=http-upgrade.sasl-authentication-factory, value=SaslAuthenticationFactory){allow-resource-service-restart= true } [1] https://doc-stage.usersys.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1.beta/html-single/how_to_set_up_sso_with_kerberos/#configure-krb-management-interfaces

      Trying to connect with jboss-cli to server using kerberos leads to error

      14:41:22,654 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-7) Client selected security layer AUTH, with maxBuffer of 65536
      14:41:22,655 TRACE [org.jboss.remoting.remote.server] (management task-7) Server sending authentication rejected: javax.security.sasl.SaslException: ELY05123: [GSSAPI] No security layer selected but message length received
      	at org.wildfly.security.sasl.gssapi.GssapiServer.evaluateMessage(GssapiServer.java:245)
      	at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:180)
      	at org.wildfly.security.sasl.gssapi.GssapiServer.evaluateResponse(GssapiServer.java:121)
      	at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
      	at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
      	at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:57)
      	at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)
      	at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)
      	at org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:470)
      	at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:902)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      

      Error message is little bit confusing as previous log message claims AUTH security layer is selected.

      Looking into code does not reveal meaning to me neither.

      GssapiServer.java
      	log.tracef("Client selected security layer %s, with maxBuffer of %d", selectedQop, maxBuffer);
      	if (relaxComplianceChecks == false && selectedQop == QOP.AUTH && maxBuffer != 0) {
      	    throw log.mechNoSecurityLayerButLengthReceived(getMechanismName()).toSaslException();
      	}
      

              darran.lofthouse@redhat.com Darran Lofthouse
              mchoma@redhat.com Martin Choma
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: