[jboss-jira] [JBoss JIRA] (WFLY-8222) Regression against 7.0.GA, Kerberos over CLI

Martin Choma (JIRA) issues at jboss.org
Thu Feb 23 12:09:00 EST 2017


Martin Choma created WFLY-8222:
----------------------------------

             Summary: Regression against 7.0.GA, Kerberos over CLI
                 Key: WFLY-8222
                 URL: https://issues.jboss.org/browse/WFLY-8222
             Project: WildFly
          Issue Type: Bug
          Components: Security
            Reporter: Martin Choma
            Assignee: Darran Lofthouse
            Priority: Blocker


It is not possible to authenticate to the CLI using Kerberos.
The same configuration works well against 7.0.0.GA.

{code:title=server.log on TRACE level}
17:32:21,109 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) configuredMaxReceiveBuffer=16777215
17:32:21,109 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) relaxComplianceChecks=false
17:32:21,109 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) QOP={AUTH}
17:32:21,109 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) Our name 'remote at localhost.localdomain'
17:32:21,113 INFO  [stdout] (management I/O-2) Java config name: /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb5-945898887586223869.conf
17:32:21,113 INFO  [stdout] (management I/O-2) Loaded from Java config
17:32:21,114 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Unable to create SaslServer: javax.security.sasl.SaslException: ELY05029: [GSSAPI] Unable to create GSSContext [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)]
	at org.wildfly.security.sasl.gssapi.GssapiServer.<init>(GssapiServer.java:77)
	at org.wildfly.security.sasl.gssapi.GssapiServerFactory.createSaslServer(GssapiServerFactory.java:44)
	at org.wildfly.security.sasl.util.SecurityProviderSaslServerFactory.createSaslServer(SecurityProviderSaslServerFactory.java:77)
	at org.wildfly.security.sasl.util.FilterMechanismSaslServerFactory.createSaslServer(FilterMechanismSaslServerFactory.java:88)
	at org.wildfly.security.sasl.util.PropertiesSaslServerFactory.createSaslServer(PropertiesSaslServerFactory.java:56)
	at org.wildfly.security.sasl.util.AbstractDelegatingSaslServerFactory.createSaslServer(AbstractDelegatingSaslServerFactory.java:64)
	at org.wildfly.security.sasl.util.AbstractDelegatingSaslServerFactory.createSaslServer(AbstractDelegatingSaslServerFactory.java:64)
	at org.wildfly.security.sasl.util.SetMechanismInformationSaslServerFactory.createSaslServer(SetMechanismInformationSaslServerFactory.java:79)
	at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory.createSaslServer(AuthenticationCompleteCallbackSaslServerFactory.java:51)
	at org.wildfly.security.sasl.util.TrustManagerSaslServerFactory.createSaslServer(TrustManagerSaslServerFactory.java:72)
	at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory.createSaslServer(AuthenticationTimeoutSaslServerFactory.java:74)
	at org.wildfly.security.sasl.util.AbstractDelegatingSaslServerFactory.createSaslServer(AbstractDelegatingSaslServerFactory.java:64)
	at org.wildfly.security.sasl.util.ServerNameSaslServerFactory.createSaslServer(ServerNameSaslServerFactory.java:48)
	at org.wildfly.security.sasl.util.AbstractDelegatingSaslServerFactory.createSaslServer(AbstractDelegatingSaslServerFactory.java:64)
	at org.wildfly.security.sasl.util.ProtocolSaslServerFactory.createSaslServer(ProtocolSaslServerFactory.java:48)
	at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory.createSaslServer(SecurityIdentitySaslServerFactory.java:51)
	at org.wildfly.security.auth.server.SaslAuthenticationFactory.doCreate(SaslAuthenticationFactory.java:59)
	at org.wildfly.security.auth.server.SaslAuthenticationFactory.doCreate(SaslAuthenticationFactory.java:50)
	at org.wildfly.security.auth.server.AbstractMechanismAuthenticationFactory.createMechanism(AbstractMechanismAuthenticationFactory.java:54)
	at org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial.handleEvent(ServerConnectionOpenListener.java:259)
	at org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial.handleEvent(ServerConnectionOpenListener.java:125)
	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
	at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
	at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
	at org.xnio.nio.WorkerThread.run(WorkerThread.java:567)
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)
	at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:87)
	at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:127)
	at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:193)
	at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:427)
	at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:62)
	at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:154)
	at org.wildfly.security.sasl.gssapi.GssapiServer.<init>(GssapiServer.java:72)
	... 24 more

17:32:21,115 TRACE [org.jboss.remoting.remote] (management I/O-2) Rejected invalid SASL mechanism GSSAPI
17:32:21,115 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Sent 5 bytes
17:32:21,115 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Flushed channel
17:32:21,115 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers in queue for message header
17:32:21,115 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated fresh buffers
17:32:21,115 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received 59 bytes
17:32:21,116 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received message java.nio.HeapByteBuffer[pos=0 lim=55 cap=8192]
17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Received java.nio.HeapByteBuffer[pos=0 lim=55 cap=8192]
17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capabilities request
17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: version 1
17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote endpoint name "cli-client"
17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: message close protocol supported
17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote version is "5.0.0.Beta17-redhat-1"
17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote channels in is "40"
17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote channels out is "40"
17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: authentication service
17:32:21,116 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Sent 77 bytes
17:32:21,116 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Flushed channel
17:32:21,118 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers in queue for message header
17:32:21,118 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated fresh buffers
17:32:21,118 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received EOF
17:32:21,118 TRACE [org.jboss.remoting.remote] (management I/O-2) Received connection end-of-stream
17:32:21,441 INFO  [org.jboss.eapqe.krbldap.eap7.utils.CustomCLIExecutor] (main) CLI executor output:
17:32:21,441 INFO  [org.jboss.eapqe.krbldap.eap7.utils.CustomCLIExecutor] (main) Java config name: /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb5-945898887586223869.conf
Loaded from Java config
>>>KinitOptions cache name is /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb5cc
>>>DEBUG <CCacheInputStream>  client principal is hnelson7259cb36-69b2-4e28-afb5-f668120a8dea at JBOSS.ORG
>>>DEBUG <CCacheInputStream> server principal is krbtgt/JBOSS.ORG at JBOSS.ORG
>>>DEBUG <CCacheInputStream> key type: 17
>>>DEBUG <CCacheInputStream> auth time: Thu Feb 23 17:32:11 CET 2017
>>>DEBUG <CCacheInputStream> start time: Thu Feb 23 17:32:11 CET 2017
>>>DEBUG <CCacheInputStream> end time: Fri Feb 24 01:32:11 CET 2017
>>>DEBUG <CCacheInputStream> renew_till time: null
>>> CCacheInputStream: readFlags()  INITIAL; PRE_AUTH;
Found ticket for hnelson7259cb36-69b2-4e28-afb5-f668120a8dea at JBOSS.ORG to go to krbtgt/JBOSS.ORG at JBOSS.ORG expiring on Fri Feb 24 01:32:11 CET 2017
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 17.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
>>> KdcAccessibility: reset
>>> KrbKdcReq send: kdc=localhost.localdomain UDP:6088, timeout=5000, number of retries =3, #bytes=648
>>> KDCCommunication: kdc=localhost.localdomain UDP:6088, timeout=5000,Attempt =1, #bytes=648
>>> KrbKdcReq send: #bytes read=634
>>> KdcAccessibility: remove localhost.localdomain:6088
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
>>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
Krb5Context setting mySeqNumber to: 951540638
Krb5Context setting peerSeqNumber to: 0
Created InitSecContextToken:

Failed to connect to the controller: Unable to authenticate against controller at localhost.localdomain:9990: Authentication failed: all available authentication mechanisms failed:
   GSSAPI: Server rejected authentication
{code}



