[
https://issues.jboss.org/browse/TEIID-3425?page=com.atlassian.jira.plugin...
]
Juraj Duráni commented on TEIID-3425:
-------------------------------------
Same problem with Impala (pass-through). But in this case even static configuration does
not work.
Static configuration error:
ERROR [org.apache.thrift.transport.TSaslTransport] (Worker1_QueryProcessorQueue1) SASL
negotiation failure: javax.security.sasl.SaslException: Final handshake failed [Caused by
org.ietf.jgss.GSSException, major code: 11, minor code: 0
major string: General failure, unspecified at GSSAPI level
minor string: Input max size 0 less than computed required size 53]
Pass-through kerberos authentication on IBM JDK - principal is not
passed to MSSQL driver
-----------------------------------------------------------------------------------------
Key: TEIID-3425
URL:
https://issues.jboss.org/browse/TEIID-3425
Project: Teiid
Issue Type: Bug
Affects Versions: 8.7.1
Environment: OS: Fedora 20
java: IBM JDK 1.7
arch: x86_64
Reporter: Juraj Duráni
Assignee: Steven Hawkins
Attachments: set-up-mssql-ibm.cli, sql2012krb-static-vdb.xml, sql2012krb-vdb.xml
I have configured a datasource for MSSQL database. The datasource uses
PassthroughIdentityLoginModule. I have also created a VDB which requires kerberos
authentication. I am trying to pass credentials used for authentication CLIENT <=>
TEIID to datasource so they can be used for authentication TEIID <=> MSSQL.
Method getConnection(..) (record in server log) is called with correct credentials, but
SQLServerDriver throws an exception:
initAuthInit failed privileged exception:-java.security.PrivilegedActionException:
org.ietf.jgss.GSSException, major code: 13, minor code: 0
major string: Invalid credentials
minor string: Cannot get credential from JAAS Subject for principal: default principal
Some ideas, but I am only guessing:
1. I have seen same exception (on client side) if system property
"javax.security.auth.useSubjectCredsOnly" is set to false on client side. As
this property is set to true in the server config (<property
name="javax.security.auth.useSubjectCredsOnly" value="true"/>), it
is probably not passed to the driver (or is being ignored).
2. SQLServerDriver sets two system properties by default (if no kerberos configuration
file is specified) useDefaultCcache = true moduleBanner = false - see
https://msdn.microsoft.com/en-us/library/gg558122%28v=sql.110%29.aspx - ibm kerberos login
module will try to get TGT from ticket cache
I have tried static kerberos configuration for same DS and there was no problem with it.
--
This message was sent by Atlassian JIRA
(v6.3.11#6341)