Steven Hawkins commented on TEIID-4499:
---------------------------------------
Actually that first diagnosis is not correct. With that change we would issue a gss
challenge, but that is only supported by socket connections. So the real issue here is
that passthrough must not be enabled. Jan, is the odata servlet configured to turn off
passthrough authentication?
OData Kerberos cannot access VDB
--------------------------------
Key: TEIID-4499
URL: https://issues.jboss.org/browse/TEIID-4499
Project: Teiid
Issue Type: Bug
Components: OData
Affects Versions: 8.12.6.6_3
Reporter: Jan Stastny
Assignee: Ramesh Reddy
Priority: Critical
Fix For: 9.2, 9.0.5, 9.1.1
When the odata war is configured for Kerberos using
https://teiid.gitbooks.io/documents/content/security/Kerberos_support_thr...
an error occurs when accessing a VDB which is also secured by Kerberos.
The error is the following:
{code:plain}
11:44:53,360 WARN [org.teiid.ODATA] (http-127.0.0.1:8080-1) TEIID16047 Could not process
OData 4 request: 08001 TEIID40055 org.teiid.core.TeiidException: TEIID40055
org.teiid.net.ConnectionException: TEIID40055 Wrong logon method is being used. Server is
not set up for GSS based authentication.: org.teiid.core.TeiidProcessingException: 08001
TEIID40055 org.teiid.core.TeiidException: TEIID40055 org.teiid.net.ConnectionException:
TEIID40055 Wrong logon method is being used. Server is not set up for GSS based
authentication.
at org.teiid.olingo.web.ODataFilter.internalDoFilter(ODataFilter.java:233)
[teiid-olingo-8.12.6.6_3-redhat-1.jar:8.12.6.6_3-redhat-1]
at org.teiid.olingo.web.ODataFilter.doFilter(ODataFilter.java:100)
[teiid-olingo-8.12.6.6_3-redhat-1.jar:8.12.6.6_3-redhat-1]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
[jbossweb-7.5.17.Final-redhat-1.jar:7.5.17.Final-redhat-1]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
[jbossweb-7.5.17.Final-redhat-1.jar:7.5.17.Final-redhat-1]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)
[jbossweb-7.5.17.Final-redhat-1.jar:7.5.17.Final-redhat-1]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
[jbossweb-7.5.17.Final-redhat-1.jar:7.5.17.Final-redhat-1]
at
org.jboss.security.negotiation.NegotiationAuthenticator$WrapperValve.invoke(NegotiationAuthenticator.java:492)
[jboss-negotiation-common-2.3.11.Final-redhat-1.jar:2.3.11.Final-redhat-1]
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:512)
[jbossweb-7.5.17.Final-redhat-1.jar:7.5.17.Final-redhat-1]
at
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
[jboss-as-web-7.5.9.Final-redhat-2.jar:7.5.9.Final-redhat-2]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150)
[jbossweb-7.5.17.Final-redhat-1.jar:7.5.17.Final-redhat-1]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
[jbossweb-7.5.17.Final-redhat-1.jar:7.5.17.Final-redhat-1]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
[jbossweb-7.5.17.Final-redhat-1.jar:7.5.17.Final-redhat-1]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
[jbossweb-7.5.17.Final-redhat-1.jar:7.5.17.Final-redhat-1]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854)
[jbossweb-7.5.17.Final-redhat-1.jar:7.5.17.Final-redhat-1]
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:654)
[jbossweb-7.5.17.Final-redhat-1.jar:7.5.17.Final-redhat-1]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
[jbossweb-7.5.17.Final-redhat-1.jar:7.5.17.Final-redhat-1]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_102]
Caused by: org.teiid.jdbc.TeiidSQLException: TEIID40055 org.teiid.core.TeiidException:
TEIID40055 org.teiid.net.ConnectionException: TEIID40055 Wrong logon method is being used.
Server is not set up for GSS based authentication.
at org.teiid.jdbc.TeiidSQLException.create(TeiidSQLException.java:135)
at org.teiid.jdbc.TeiidSQLException.create(TeiidSQLException.java:71)
at org.teiid.jdbc.EmbeddedProfile.connect(EmbeddedProfile.java:55)
at org.teiid.jdbc.TeiidDriver.connect(TeiidDriver.java:105)
at org.teiid.olingo.service.LocalClient.buildConnection(LocalClient.java:119)
[teiid-olingo-8.12.6.6_3-redhat-1.jar:8.12.6.6_3-redhat-1]
at org.teiid.olingo.service.LocalClient.open(LocalClient.java:89)
[teiid-olingo-8.12.6.6_3-redhat-1.jar:8.12.6.6_3-redhat-1]
at org.teiid.olingo.web.ODataFilter.internalDoFilter(ODataFilter.java:226)
[teiid-olingo-8.12.6.6_3-redhat-1.jar:8.12.6.6_3-redhat-1]
... 16 more
Caused by: org.teiid.core.TeiidException: TEIID40055 org.teiid.core.TeiidException:
TEIID40055 org.teiid.net.ConnectionException: TEIID40055 Wrong logon method is being used.
Server is not set up for GSS based authentication.
at org.teiid.core.util.ReflectionHelper.create(ReflectionHelper.java:308)
[teiid-common-core-8.12.6.6_3-redhat-1.jar:8.12.6.6_3-redhat-1]
at org.teiid.jdbc.ModuleHelper.createFromModule(ModuleHelper.java:53)
at org.teiid.jdbc.EmbeddedProfile.createServerConnection(EmbeddedProfile.java:60)
at org.teiid.jdbc.EmbeddedProfile.connect(EmbeddedProfile.java:50)
... 20 more
Caused by: org.teiid.core.TeiidException: TEIID40055 org.teiid.net.ConnectionException:
TEIID40055 Wrong logon method is being used. Server is not set up for GSS based
authentication.
at org.teiid.core.util.ReflectionHelper.create(ReflectionHelper.java:345)
[teiid-common-core-8.12.6.6_3-redhat-1.jar:8.12.6.6_3-redhat-1]
at org.teiid.core.util.ReflectionHelper.create(ReflectionHelper.java:306)
[teiid-common-core-8.12.6.6_3-redhat-1.jar:8.12.6.6_3-redhat-1]
... 23 more
Caused by: org.teiid.net.ConnectionException: TEIID40055 Wrong logon method is being
used. Server is not set up for GSS based authentication.
at
org.teiid.transport.LocalServerConnection.authenticate(LocalServerConnection.java:146)
at
org.teiid.transport.LocalServerConnection.<init>(LocalServerConnection.java:106)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
[rt.jar:1.8.0_102]
at
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
[rt.jar:1.8.0_102]
at
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
[rt.jar:1.8.0_102]
at java.lang.reflect.Constructor.newInstance(Constructor.java:423) [rt.jar:1.8.0_102]
at org.teiid.core.util.ReflectionHelper.create(ReflectionHelper.java:343)
[teiid-common-core-8.12.6.6_3-redhat-1.jar:8.12.6.6_3-redhat-1]
... 24 more
Caused by: org.teiid.client.security.LogonException: TEIID40055 Wrong logon method is
being used. Server is not set up for GSS based authentication.
at org.teiid.transport.LogonImpl.logon(LogonImpl.java:119)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_102]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
[rt.jar:1.8.0_102]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[rt.jar:1.8.0_102]
at java.lang.reflect.Method.invoke(Method.java:498) [rt.jar:1.8.0_102]
at org.teiid.transport.LocalServerConnection$1$1.call(LocalServerConnection.java:180)
at java.util.concurrent.FutureTask.run(FutureTask.java:266) [rt.jar:1.8.0_102]
at org.teiid.dqp.internal.process.DQPWorkContext.runInContext(DQPWorkContext.java:276)
at org.teiid.dqp.internal.process.DQPWorkContext.runInContext(DQPWorkContext.java:260)
at org.teiid.transport.LocalServerConnection$1.invoke(LocalServerConnection.java:178)
at com.sun.proxy.$Proxy81.logon(Unknown Source)
at
org.teiid.transport.LocalServerConnection.authenticate(LocalServerConnection.java:142)
... 30 more
{code}
Authentication of the user succeeded:
{code:plain}
principal is dv@EXAMPLE.COM
Will use keytab
Commit Succeeded
{code}
Authentication of the server succeeded:
{code:plain}
11:44:52,873 INFO [stdout] (http-127.0.0.1:8080-1) Acquire TGT from Cache
11:44:52,874 INFO [stdout] (http-127.0.0.1:8080-1) Principal is
HTTP/localhost@EXAMPLE.COM
11:44:52,874 INFO [stdout] (http-127.0.0.1:8080-1) null credentials from Ticket Cache
11:44:53,234 INFO [stdout] (http-127.0.0.1:8080-1) principal is
HTTP/localhost@EXAMPLE.COM
11:44:53,234 INFO [stdout] (http-127.0.0.1:8080-1) Will use keytab
11:44:53,236 INFO [stdout] (http-127.0.0.1:8080-1) Commit Succeeded
{code}
Initial request:
{code:plain}
12:44:52,325 DEBUG [MainClientExec] Opening connection {}->http://localhost:8080
12:44:52,327 DEBUG [DefaultHttpClientConnectionOperator] Connecting to
localhost/127.0.0.1:8080
12:44:52,328 DEBUG [DefaultHttpClientConnectionOperator] Connection established
127.0.0.1:47980<->127.0.0.1:8080
12:44:52,328 DEBUG [MainClientExec] Executing request GET
/odata4/kerberos_teiid/BQT1/smalla HTTP/1.1
12:44:52,328 DEBUG [MainClientExec] Target auth state: UNCHALLENGED
12:44:52,329 DEBUG [MainClientExec] Proxy auth state: UNCHALLENGED
12:44:52,330 DEBUG [headers] http-outgoing-0 >> GET
/odata4/kerberos_teiid/BQT1/smalla HTTP/1.1
12:44:52,330 DEBUG [headers] http-outgoing-0 >> Host: localhost:8080
12:44:52,330 DEBUG [headers] http-outgoing-0 >> Connection: Keep-Alive
12:44:52,330 DEBUG [headers] http-outgoing-0 >> User-Agent: Apache-HttpClient/4.5.2
(Java/1.8.0_51)
12:44:52,330 DEBUG [headers] http-outgoing-0 >> Accept-Encoding: gzip,deflate
12:44:52,330 DEBUG [wire] http-outgoing-0 >> "GET
/odata4/kerberos_teiid/BQT1/smalla HTTP/1.1[\r][\n]"
12:44:52,330 DEBUG [wire] http-outgoing-0 >> "Host:
localhost:8080[\r][\n]"
12:44:52,331 DEBUG [wire] http-outgoing-0 >> "Connection:
Keep-Alive[\r][\n]"
12:44:52,331 DEBUG [wire] http-outgoing-0 >> "User-Agent:
Apache-HttpClient/4.5.2 (Java/1.8.0_51)[\r][\n]"
12:44:52,331 DEBUG [wire] http-outgoing-0 >> "Accept-Encoding:
gzip,deflate[\r][\n]"
12:44:52,331 DEBUG [wire] http-outgoing-0 >> "[\r][\n]"
{code}
Negotiate request from server:
{code:plain}
12:44:52,457 DEBUG [wire] http-outgoing-0 << "HTTP/1.1 401
Unauthorized[\r][\n]"
12:44:52,457 DEBUG [wire] http-outgoing-0 << "Server:
Apache-Coyote/1.1[\r][\n]"
12:44:52,457 DEBUG [wire] http-outgoing-0 << "Pragma: No-cache[\r][\n]"
12:44:52,457 DEBUG [wire] http-outgoing-0 << "Cache-Control:
no-cache[\r][\n]"
12:44:52,457 DEBUG [wire] http-outgoing-0 << "Expires: Thu, 01 Jan 1970
01:00:00 GMT+01:00[\r][\n]"
12:44:52,457 DEBUG [wire] http-outgoing-0 << "WWW-Authenticate:
Negotiate[\r][\n]"
12:44:52,457 DEBUG [wire] http-outgoing-0 << "Content-Type:
text/html;charset=utf-8[\r][\n]"
12:44:52,457 DEBUG [wire] http-outgoing-0 << "Content-Length:
996[\r][\n]"
12:44:52,457 DEBUG [wire] http-outgoing-0 << "Date: Mon, 10 Oct 2016 10:44:52
GMT[\r][\n]"
12:44:52,457 DEBUG [wire] http-outgoing-0 << "[\r][\n]"
12:44:52,457 DEBUG [wire] http-outgoing-0 <<
"<html><head><title>JBWEB000065: HTTP Status 401 -
</title><style><!--H1
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
H2
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
H3
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P
{font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color
: black;}A.name {color : black;}HR {color : #525D76;}--></style>
</head><body><h1>JBWEB000065: HTTP Status 401 - </h1><HR
size="1" noshade="noshade"><p><b>JBWEB000309:
type</b> JBWEB000067: Status report</p><p><b>JBWEB000068:
message</b> <u></u></p><p><b>JBWEB000069:
description</b> <u>JBWEB000121: This request requires HTTP
authentication.</u></p><HR size="1"
noshade="noshade"></body></html>"
12:44:52,459 DEBUG [headers] http-outgoing-0 << HTTP/1.1 401 Unauthorized
12:44:52,459 DEBUG [headers] http-outgoing-0 << Server: Apache-Coyote/1.1
12:44:52,459 DEBUG [headers] http-outgoing-0 << Pragma: No-cache
12:44:52,460 DEBUG [headers] http-outgoing-0 << Cache-Control: no-cache
12:44:52,460 DEBUG [headers] http-outgoing-0 << Expires: Thu, 01 Jan 1970 01:00:00
GMT+01:00
12:44:52,460 DEBUG [headers] http-outgoing-0 << WWW-Authenticate: Negotiate
12:44:52,460 DEBUG [headers] http-outgoing-0 << Content-Type:
text/html;charset=utf-8
12:44:52,460 DEBUG [headers] http-outgoing-0 << Content-Length: 996
12:44:52,460 DEBUG [headers] http-outgoing-0 << Date: Mon, 10 Oct 2016 10:44:52
GMT
{code}
Response to auth server:
{code:plain}
Found ticket for dv@EXAMPLE.COM to go to krbtgt/EXAMPLE.COM@EXAMPLE.COM expiring on Mon
Oct 10 20:44:52 CEST 2016
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
12:44:52,846 DEBUG [SPNegoScheme] Sending response
back to the auth server
12:44:52,846 DEBUG [MainClientExec] Proxy auth state: UNCHALLENGED
12:44:52,846 DEBUG [headers] http-outgoing-0 >> GET
/odata4/kerberos_teiid/BQT1/smalla HTTP/1.1
12:44:52,846 DEBUG [headers] http-outgoing-0 >> Host: localhost:8080
12:44:52,846 DEBUG [headers] http-outgoing-0 >> Connection: Keep-Alive
12:44:52,846 DEBUG [headers] http-outgoing-0 >> User-Agent: Apache-HttpClient/4.5.2
(Java/1.8.0_51)
12:44:52,846 DEBUG [headers] http-outgoing-0 >> Accept-Encoding: gzip,deflate
12:44:52,846 DEBUG [headers] http-outgoing-0 >> Authorization: Negotiate
12:44:52,846 DEBUG [wire] http-outgoing-0 >> "GET
/odata4/kerberos_teiid/BQT1/smalla HTTP/1.1[\r][\n]"
12:44:52,846 DEBUG [wire] http-outgoing-0 >> "Host:
localhost:8080[\r][\n]"
12:44:52,847 DEBUG [wire] http-outgoing-0 >> "Connection:
Keep-Alive[\r][\n]"
12:44:52,847 DEBUG [wire] http-outgoing-0 >> "User-Agent:
Apache-HttpClient/4.5.2 (Java/1.8.0_51)[\r][\n]"
12:44:52,847 DEBUG [wire] http-outgoing-0 >> "Accept-Encoding:
gzip,deflate[\r][\n]"
12:44:52,847 DEBUG [wire] http-outgoing-0 >> "Authorization: Negotiate
[\r][\n]"
12:44:52,847 DEBUG [wire] http-outgoing-0 >> "[\r][\n]"
{code}
Last server logs before error:
{code:plain}
11:44:53,246 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule]
(http-127.0.0.1:8080-1) Logged in 'host' LoginContext
11:44:53,247 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule]
(http-127.0.0.1:8080-1) Creating new GSSContext.
11:44:53,283 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule]
(http-127.0.0.1:8080-1) context.getCredDelegState() = true
11:44:53,284 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule]
(http-127.0.0.1:8080-1) context.getMutualAuthState() = true
11:44:53,284 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule]
(http-127.0.0.1:8080-1) context.getSrcName() = dv@EXAMPLE.COM
11:44:53,284 INFO [stdout] (http-127.0.0.1:8080-1) [Krb5LoginModule]: Entering logout
11:44:53,285 INFO [stdout] (http-127.0.0.1:8080-1) [Krb5LoginModule]: logged out
Subject
11:44:53,285 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule]
(http-127.0.0.1:8080-1) Storing username 'dv@EXAMPLE.COM' and empty password
11:44:53,304 DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator]
(http-127.0.0.1:8080-1) authenticated principal =
GenericPrincipal[5tV-f1mRV7tGghx2rk4krdFH_1476096292858(odata,user,)]
{code}
VDB used:
{code:xml}
<vdb name="kerberos_teiid" version="1">
    <property name="security-domain" value="EXAMPLE.COM"/>
    <property name="authentication-type" value="GSS"/>
    .
    .
    .
</vdb>
{code}
Request URL:
{code:plain}
http://localhost:8080/odata4/kerberos_teiid/BQT1/smalla
{code}
Server configuration:
{code:xml}
<security-domain name="host">
    <authentication>
        <login-module code="Kerberos" flag="required" module="org.jboss.security.negotiation">
            <module-option name="storeKey" value="true"/>
            <module-option name="useKeyTab" value="true"/>
            <module-option name="keyTab" value="${jboss.home.dir}/HTTP_localhost"/>
            <module-option name="principal" value="HTTP/localhost@EXAMPLE.COM"/>
            <module-option name="doNotPrompt" value="true"/>
            <module-option name="useTicketCache" value="true"/>
            <module-option name="debug" value="true"/>
            <module-option name="refreshKrb5Config" value="false"/>
            <module-option name="isInitiator" value="true"/>
            <module-option name="addGSSCredential" value="true"/>
            <module-option name="delegationCredential" value="USE"/>
            <module-option name="ticketCache" value="/tmp/krb5cc_1000"/>
        </login-module>
    </authentication>
</security-domain>
<security-domain name="EXAMPLE.COM">
    <authentication>
        <login-module code="SPNEGO" flag="requisite" module="org.jboss.security.negotiation">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="serverSecurityDomain" value="host"/>
        </login-module>
    </authentication>
    <mapping>
        <mapping-module code="SimpleRoles" type="role">
            <module-option name="dv@EXAMPLE.COM" value="user,odata"/>
        </mapping-module>
    </mapping>
</security-domain>
{code}
Kerberos client configuration:
{code:plain}
ClientDV {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey="true"
    useKeyTab="true"
    keyTab="${dv.test.krb.dir}/dv.keytab"
    principal="dv@EXAMPLE.COM"
    doNotPrompt="true"
    refreshKrb5Config="false"
    useTicketCache="true"
    ticketCache="/tmp/krb5cc_1000"
    debug="true";
};
{code}
KRB5 configuration file is passed to server by setting system-property
java.security.krb5.conf:
{code:xml}
<system-properties>
    <property name="java.security.krb5.conf" value="${jboss.home.dir}/krb5.conf"/>
    <property name="java.security.krb5.debug" value="true"/>
</system-properties>
{code}