Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Blocker
    • Resolution: Done
    • Affects Version/s: 3.0.0.Beta31
    • Fix Version/s: 3.0.0.CR1
    • Component/s: Security
    • Labels:
      None
    • Steps to Reproduce:
      Hide
      • secured management interface (9993) with Elytron server SSL context
      • with kerberos ticket connect using jboss-cli.sh
        jboss-cli.sh -c --controller=remote+https://localhost.localdomain:9993 -Dwildfly.config.url=/path/to/wildfly-config.xml -Djavax.security.auth.useSubjectCredsOnly=false :whoami
      Show
      secured management interface (9993) with Elytron server SSL context with kerberos ticket connect using jboss-cli.sh jboss-cli.sh -c --controller=remote+https: //localhost.localdomain:9993 -Dwildfly.config.url=/path/to/wildfly-config.xml -Djavax.security.auth.useSubjectCredsOnly= false :whoami

      Description

      I am unable to connect with jboss-cli.sh using GS2-KRB5-PLUS. This is not duplicity to JBEAP-12688. In this case even SASL client is not created.

      In server.log I see

      17:25:10,564 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Initialized connection from /127.0.0.1:37230 to /127.0.0.1:9993 with options {org.jboss.remoting3.RemotingOptions.SASL_PROTOCOL=>remote}
      17:25:10,564 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Accepted connection from /127.0.0.1:37230 to localhost.localdomain/127.0.0.1:9993
      17:25:10,564 TRACE [org.jboss.remoting.remote] (management I/O-2) Setting read listener to org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial@2cb6a081
      17:25:10,564 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers in queue for message header
      17:25:10,564 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated fresh buffers
      17:25:10,564 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No read bytes available
      17:25:10,565 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Sent 28 bytes
      17:25:10,565 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Flushed channel
      17:25:10,576 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers in queue for message header
      17:25:10,577 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated fresh buffers
      17:25:10,577 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received 56 bytes
      17:25:10,577 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received message java.nio.HeapByteBuffer[pos=0 lim=52 cap=8192]
      17:25:10,577 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Received java.nio.HeapByteBuffer[pos=0 lim=52 cap=8192]
      17:25:10,577 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capabilities request
      17:25:10,577 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: version 1
      17:25:10,577 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote endpoint name "cli-client"
      17:25:10,577 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: message close protocol supported
      17:25:10,577 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote version is "5.0.0.CR5-redhat-1"
      17:25:10,577 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote channels in is "40"
      17:25:10,577 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote channels out is "40"
      17:25:10,577 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: authentication service
      17:25:10,580 TRACE [org.jboss.remoting.remote.server] (management I/O-2) No EXTERNAL mechanism due to unverified SSL peer
      17:25:10,583 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Added mechanism GS2-KRB5-PLUS
      17:25:10,583 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Added mechanism PLAIN
      17:25:10,583 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers in queue for message header
      17:25:10,583 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated fresh buffers
      17:25:10,583 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No read bytes available
      17:25:10,583 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Sent 88 bytes
      17:25:10,583 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Flushed channel
      17:25:10,637 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers in queue for message header
      17:25:10,637 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated fresh buffers
      17:25:10,637 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No read bytes available
      17:25:10,637 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers in queue for message header
      17:25:10,637 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated fresh buffers
      17:25:10,637 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No read bytes available
      17:25:10,638 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers in queue for message header
      17:25:10,638 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated fresh buffers
      17:25:10,638 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received EOF
      17:25:10,638 TRACE [org.jboss.remoting.remote] (management I/O-2) Received connection end-of-stream
      17:25:10,971 INFO  [org.jboss.eapqe.krbldap.utils.CustomCLIExecutor] (main) CLI executor output:
      17:25:10,971 INFO  [org.jboss.eapqe.krbldap.utils.CustomCLIExecutor] (main) Failed to connect to the controller: Unable to authenticate against controller at localhost.localdomain:9993: Authentication failed: none of the mechanisms presented by the server (GS2-KRB5-PLUS, PLAIN) are supported
      

      In jboss-cli.log I see.

      17:14:21,557 TRACE [org.wildfly.security] Created SaslClient [null] for mechanisms [GS2-KRB5-PLUS]
      17:14:21,557 TRACE [org.jboss.remoting.remote.connection] Connection error detail: javax.security.sasl.SaslException: Authentication failed: none of the mechanisms presented by the server (GS2-KRB5-PLUS, PLAIN) are supported
              at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:438)
              at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:242)
              at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
              at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
              at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
              at org.xnio.nio.WorkerThread.run(WorkerThread.java:571)
      
      17:14:21,558 DEBUG [org.jboss.remoting.remote.connection] JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: none of the mechanisms presented by the server (GS2-KRB5-PLUS, PLAIN) are supported
      17:14:21,559 TRACE [org.jboss.remoting.endpoint] Registered exception result: javax.security.sasl.SaslException: Authentication failed: none of the mechanisms presented by the server (GS2-KRB5-PLUS, PLAIN) are supported
              at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:438)
              at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:242)
              at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
              at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
              at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
              at org.xnio.nio.WorkerThread.run(WorkerThread.java:571)
      

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  honza889 Jan Kalina
                  Reporter:
                  honza889 Jan Kalina
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  1 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: