[jboss-jira] [JBoss JIRA] (WFCORE-2398) Legacy Kerberos in management, EAP search for HTTPS/localhost ticket
Darran Lofthouse (JIRA)
issues at jboss.org
Tue Mar 28 10:24:00 EDT 2017
[ https://issues.jboss.org/browse/WFCORE-2398?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Darran Lofthouse updated WFCORE-2398:
-------------------------------------
Fix Version/s: 3.0.0.Beta12
> Legacy Kerberos in management, EAP search for HTTPS/localhost ticket
> --------------------------------------------------------------------
>
> Key: WFCORE-2398
> URL: https://issues.jboss.org/browse/WFCORE-2398
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
> Priority: Blocker
> Labels: regression
> Fix For: 3.0.0.Beta12
>
>
> Accessing the management interface secured by Kerberos + TLS causes EAP to request the ticket HTTPS/localhost from the KDC, which was not necessary in EAP 7.0, where it worked fine with the HTTP/localhost service name.
> {code:title=server.log}
> 14:20:19,321 TRACE [org.jboss.as.domain.management.security] (management task-7) No mapping for name 'https/localhost.localdomain' to KeytabService, attempting to use host only match.
> 14:20:19,322 TRACE [org.jboss.as.domain.management.security] (management task-7) Selected KeytabService with principal 'HTTP/localhost.localdomain@JBOSS.ORG' for host 'localhost.localdomain'
> 14:20:19,322 INFO [stdout] (management task-7) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.2269988831769483313.keytab for HTTP/localhost.localdomain@JBOSS.ORG
> 14:20:19,323 INFO [stdout] (management task-7) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.2269988831769483313.keytab for HTTP/localhost.localdomain@JBOSS.ORG
> 14:20:19,323 INFO [stdout] (management task-7) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.2269988831769483313.keytab for HTTP/localhost.localdomain@JBOSS.ORG
> 14:20:19,323 INFO [stdout] (management task-7) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.2269988831769483313.keytab for HTTP/localhost.localdomain@JBOSS.ORG
> 14:20:19,524 WARN [org.apache.directory.server.protocol.shared.kerberos.StoreUtils] (NioDatagramAcceptor-3) No server entry found for kerberos principal name HTTPS/localhost.localdomain@JBOSS.ORG
> 14:20:19,524 WARN [org.apache.directory.server.KERBEROS_LOG] (NioDatagramAcceptor-3) No server entry found for kerberos principal name HTTPS/localhost.localdomain@JBOSS.ORG
> 14:20:19,524 WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] (NioDatagramAcceptor-3) Server not found in Kerberos database (7)
> 14:20:19,525 WARN [org.apache.directory.server.KERBEROS_LOG] (NioDatagramAcceptor-3) Server not found in Kerberos database (7)
> 14:20:19,528 WARN [org.apache.http.impl.auth.HttpAuthenticator] (main) NEGOTIATE authentication error: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database))
> 14:20:19,532 TRACE [org.jboss.as.domain.management.security] (management task-9) No mapping for name 'https/localhost.localdomain' to KeytabService, attempting to use host only match.
> 14:20:19,532 TRACE [org.jboss.as.domain.management.security] (management task-9) Selected KeytabService with principal 'HTTP/localhost.localdomain@JBOSS.ORG' for host 'localhost.localdomain'
> 14:20:19,533 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.2269988831769483313.keytab for HTTP/localhost.localdomain@JBOSS.ORG
> 14:20:19,533 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.2269988831769483313.keytab for HTTP/localhost.localdomain@JBOSS.ORG
> 14:20:19,533 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.2269988831769483313.keytab for HTTP/localhost.localdomain@JBOSS.ORG
> 14:20:19,533 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.2269988831769483313.keytab for HTTP/localhost.localdomain@JBOSS.ORG
> [Krb5LoginModule]: Entering logout
> [Krb5LoginModule]: logged out Subject
> {code}
> Also see the network dump krb_https_management.pcap in the attachment, where the TGS-REQ for HTTPS/localhost is captured.