[
https://issues.jboss.org/browse/WFCORE-3881?page=com.atlassian.jira.plugi...
]
Darran Lofthouse commented on WFCORE-3881:
------------------------------------------
From the log this appears to be the underlying error: -
{noformat}
Caused by: javax.security.auth.login.LoginException: unable to find LoginModule class:
com.sun.security.auth.module.Krb5LoginModule from [Module "org.jboss.as.cli"
version 5.0.0.Final-redhat-20180517 from local module loader @13a57a3b (finder: local
module finder @7ca48474 (roots:
/home/mchoma/Repos/tests-ldap-kerberos/tests/target/dist/jboss-eap/modules,/home/mchoma/Repos/tests-ldap-kerberos/tests/target/dist/jboss-eap/modules/system/layers/base))]
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:794)
at
javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at
javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at sun.security.jgss.GSSUtil.login(GSSUtil.java:258)
at sun.security.jgss.krb5.Krb5Util.getTicket(Krb5Util.java:158)
at
sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:338)
at
sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:334)
at java.security.AccessController.doPrivileged(Native Method)
at
sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:333)
{noformat}
The following commit altered the dependencies of the CLI: -
https://github.com/wildfly/wildfly-core/commit/b48ea664f8129920ccde8b404d...
CLI + Kerberos authentication fails in CD13
-------------------------------------------
Key: WFCORE-3881
URL:
https://issues.jboss.org/browse/WFCORE-3881
Project: WildFly Core
Issue Type: Bug
Components: Security
Affects Versions: 5.0.0.Beta4
Reporter: Martin Choma
Assignee: Darran Lofthouse
Priority: Blocker
Fix For: 5.0.0.Beta5
Attachments: jboss-cli-CD12.log, jboss-cli-CD13.log,
org.jboss.eapqe.krbldap.eap71.tests.krb.mgmt.KerberosCLIGssapiTestCase-output-CD12.txt,
org.jboss.eapqe.krbldap.eap71.tests.krb.mgmt.KerberosCLIGssapiTestCase-output-CD13.txt
Use case: Administrator wants to connect to CLI using kerberos ticket. It is not possible
in CD13 with error
{code}
Client authentication failed: javax.security.sasl.SaslException: ELY05108: Unable to
create response token [Caused by GSSException: No valid credentials provided (Mechanism
level: Attempt to obtain new INITIATE credentials failed! (null))]
{code}
Attaching logs of server and client for CD12 (OK) and CD13 (NOK)
In server log there is missing message {{Server received authentication request}} so it
makes me think problem is on client side.
Comparing client logs there is difference
* CD13
{code}
11:32:58,924 TRACE [org.jboss.remoting.remote.client] Client authentication failed:
javax.security.sasl.SaslException: ELY05108: Unable to create response token [Caused by
GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new
INITIATE credentials failed! (null))]
{code}
* CD12
compared to CD12
{code}
11:31:16,946 TRACE [org.wildfly.security.sasl.gssapi] GSSContext established,
transitioning to negotiate security layer.
{code}
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)