[jboss-jira] [JBoss JIRA] (WFCORE-3881) CLI + Kerberos authentication fails in CD13
Darran Lofthouse (JIRA)
issues at jboss.org
Thu May 24 07:20:01 EDT 2018
[ https://issues.jboss.org/browse/WFCORE-3881?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13581557#comment-13581557 ]
Darran Lofthouse commented on WFCORE-3881:
------------------------------------------
From the log this appears to be the underlying error: -
{noformat}
Caused by: javax.security.auth.login.LoginException: unable to find LoginModule class: com.sun.security.auth.module.Krb5LoginModule from [Module "org.jboss.as.cli" version 5.0.0.Final-redhat-20180517 from local module loader @13a57a3b (finder: local module finder @7ca48474 (roots: /home/mchoma/Repos/tests-ldap-kerberos/tests/target/dist/jboss-eap/modules,/home/mchoma/Repos/tests-ldap-kerberos/tests/target/dist/jboss-eap/modules/system/layers/base))]
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:794)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at sun.security.jgss.GSSUtil.login(GSSUtil.java:258)
at sun.security.jgss.krb5.Krb5Util.getTicket(Krb5Util.java:158)
at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:338)
at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:334)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:333)
{noformat}
The following commit altered the dependencies of the CLI: -
https://github.com/wildfly/wildfly-core/commit/b48ea664f8129920ccde8b404d0cb295c93e4547
> CLI + Kerberos authentication fails in CD13
> -------------------------------------------
>
> Key: WFCORE-3881
> URL: https://issues.jboss.org/browse/WFCORE-3881
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 5.0.0.Beta4
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
> Priority: Blocker
> Fix For: 5.0.0.Beta5
>
> Attachments: jboss-cli-CD12.log, jboss-cli-CD13.log, org.jboss.eapqe.krbldap.eap71.tests.krb.mgmt.KerberosCLIGssapiTestCase-output-CD12.txt, org.jboss.eapqe.krbldap.eap71.tests.krb.mgmt.KerberosCLIGssapiTestCase-output-CD13.txt
>
>
> Use case: An administrator wants to connect to the CLI using a Kerberos ticket. It is not possible in CD13, with the error
> {code}
> Client authentication failed: javax.security.sasl.SaslException: ELY05108: Unable to create response token [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))]
> {code}
> Attaching logs of server and client for CD12 (OK) and CD13 (NOK)
> In the server log the message {{Server received authentication request}} is missing, so it makes me think the problem is on the client side.
> Comparing the client logs, there is a difference
> * CD13
> {code}
> 11:32:58,924 TRACE [org.jboss.remoting.remote.client] Client authentication failed: javax.security.sasl.SaslException: ELY05108: Unable to create response token [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))]
> {code}
> * CD12
> compared to CD12
> {code}
> 11:31:16,946 TRACE [org.wildfly.security.sasl.gssapi] GSSContext established, transitioning to negotiate security layer.
> {code}
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)