-
15. Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
ayip Dec 4, 2013 11:35 AM (in response to rareddy)
Ramesh,
Thanks for the code. I mimicked the code to see if I could generate the same error in my small Java test program, but the URL seems fine. Which is odd; I should get the same behaviour.
Anyways, I tried taking a step back and ended up with a worse error: javax.security.auth.login.LoginException: Unable to authenticate - Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))
I believe this is related to the Kerberos version number. But I'm not sure how to resolve this.. or how I didn't encounter it last time...
Edit: to resolve that error, I did a klist purge on the client. This forces the tickets to be synchronized.. back to the same issue now.
-
16. Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
ayip Dec 5, 2013 11:06 AM (in response to ayip)
I threw in the towel today... I can't figure out why the UsersRolesLoginModule is not picking up my properties files. I believe it has something to do with the SecurityContext when it tries to load the file (e.g. the JBoss Negotiation Toolkit deployment/context cannot see my local files).. maybe this rings a bell?
Anyways, I decided to use the simple DatabaseServerLoginModule and that worked on the first try (fine, maybe the second try).
I am able to pass the JBoss Negotiation Toolkit.
Now... on to Teiid.
Edit: Just a question: when a JDBC connection to Teiid uses Kerberos for authentication, can Teiid use that same Kerberos ticket to authenticate the user to the data sources (double hop)?
-
17. Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
ayip Dec 6, 2013 8:20 AM (in response to ayip)
Odd error I am getting:
Caused by: javax.security.auth.login.LoginException: unable to find LoginModule class: com.sun.security.auth.module.Krb5LoginModule from [Module "org.jboss.teiid:main: from local module @519fbfd6 (finder: local module finder @4eeba477 (root: C:\jboss\modules, C:\jboss\modules\system\layers\base))]
But my JBoss Negotiation Toolkit continues to work. They are both using the same security domain...
-
18. Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
rareddy Dec 6, 2013 8:54 AM (in response to ayip)
That is indeed strange; you are using the Oracle JDK, right? Can you attach the full stack trace? If you use the advanced editor (click the top right link) there is an option to attach files.
-
19. Re: Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
ayip Dec 6, 2013 10:31 AM (in response to rareddy)
Hello Ramesh,
Thanks for taking a look.
-
server.log.zip 32.9 KB
-
20. Re: Re: Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
rareddy Dec 6, 2013 11:13 AM (in response to ayip)
Andy,
Can you add the following line to "/jboss-eap-6.1/modules/system/layers/base/org/jboss/teiid/main/module.xml" in the "dependencies" section:
<module name="sun.jdk"/>
right after the line
<module name="javax.api" />
Then restart the server to see if the CNF exception goes away.
Ramesh..
-
21. Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
ayip Dec 6, 2013 11:27 AM (in response to rareddy)
That resolved it. Thanks Ramesh.. I'm one small step closer to success.
My new error is: The username 'anonymous' and/or password and/or payload token could not be authenticated by any membership domain.
I think that has something to do with the security domain teiid-security.
-
22. Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
rareddy Dec 6, 2013 11:40 AM (in response to ayip)
"anonymous" is chosen as the username when no username is specified on the connection. When are you getting this exception?
-
23. Re: Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
ayip Dec 6, 2013 12:13 PM (in response to rareddy)
Here's the server log.
After the initial startup... I did a secure test via the JBoss Negotiation Toolkit. This validates that JBoss EAP is able to use Kerberos to authenticate. This is using the SPNEGO login module.
Afterward, I ran a small Java program to test the JDBC connection to Teiid. The connection string is:
jdbc:teiid:testSQL@mm://app2.corp.contoso.com:31000;authenticationType=KRB5;jaasName=SQLJDBCDriver;kerberosServicePrincipleName=~UTL~JBOSS@CORP.CONTOSO.COM
The log files show that the Kerberos context is established. But the user is showing up as anonymous JDBC.
In addition, further down the log, you can see that properties are not found (same issue as before).
-
server.log.zip 49.7 KB
-
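The post above only shows the Teiid connection string; the client side also needs a JAAS login entry whose name matches jaasName= in that URL. The following is an added example client (not code from the thread, the poster or the Teiid project) that logs in with the ticket already in the OS ticket cache, so no user name or password goes in the URL. Host, port, VDB and service principal are taken from the connection string above; the krb5.conf path and the USER() query are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Added example, not from the thread: a Teiid JDBC client that authenticates
 * with the Kerberos ticket in the OS ticket cache (from the Windows logon or
 * "kinit"), so neither user name nor password appears in the URL.
 */
public class TeiidKerberosClient {

    // Must match jaasName= in the URL. The client side only needs a ticket
    // cache; storeKey/useKeyTab belong to the server-side "host" domain.
    static final String JAAS_ENTRY = "SQLJDBCDriver";
    static final String JAAS_CONFIG =
        JAAS_ENTRY + " {\n"
      + "    com.sun.security.auth.module.Krb5LoginModule required\n"
      + "    useTicketCache=true\n"
      + "    doNotPrompt=true\n"
      + "    debug=true;\n"
      + "};\n";

    // Taken from the connection string posted above.
    static final String URL =
        "jdbc:teiid:testSQL@mm://app2.corp.contoso.com:31000"
      + ";authenticationType=KRB5"
      + ";jaasName=" + JAAS_ENTRY
      + ";kerberosServicePrincipleName=~UTL~JBOSS@CORP.CONTOSO.COM";

    public static void main(String[] args) throws Exception {
        // Written to a temp file so the example is self-contained; in
        // practice keep the file on disk and pass it with -D on the command line.
        Path jaas = Files.createTempFile("teiid-jaas", ".conf");
        Files.write(jaas, JAAS_CONFIG.getBytes(StandardCharsets.UTF_8));
        System.setProperty("java.security.auth.login.config", jaas.toString());

        // Assumed path. Without it the JDK on Windows looks for %WINDIR%\krb5.ini.
        System.setProperty("java.security.krb5.conf", "C:/jboss/krb5.conf");
        // Prints the GSS negotiation, the client-side counterpart of the
        // org.teiid.SECURITY DEBUG logging on the server.
        System.setProperty("sun.security.jgss.debug", "true");

        Class.forName("org.teiid.jdbc.TeiidDriver");
        try (Connection c = DriverManager.getConnection(URL);
             Statement s = c.createStatement();
             // Assumed: Teiid's USER() function returns the session user, which
             // is what shows whether Teiid sees the Kerberos principal or "anonymous".
             ResultSet rs = s.executeQuery("SELECT USER()")) {
            if (rs.next()) {
                System.out.println("Teiid session user: " + rs.getString(1));
            }
        } catch (SQLException e) {
            // A GSS failure surfaces here, e.g. "Specified version of key is
            // not available" when the client ticket cache is stale.
            System.err.println("Logon failed: " + e.getMessage());
            throw e;
        } finally {
            Files.deleteIfExists(jaas);
        }
    }
}
```

Run it with the Teiid JDBC client jar on the classpath and a valid TGT in the ticket cache; if the server still reports the user as "anonymous", the problem is on the transport's security-domain side, not in the client logon.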
24. Re: Re: Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
rareddy Dec 6, 2013 2:27 PM (in response to ayip)
For your property files load error, try setting "JBOSS_HOME" as
SET JBOSS_HOME=c:/jboss
in the window where you are running standalone.bat, or edit that file and add the above at the top. If that fixes your issue, the code is not correctly converting backslashes into forward slashes to form a valid URL.
Turn on DEBUG logging for the following category in the logging section of standalone-teiid.xml to see the KRB messages:
org.teiid.SECURITY
The way I see the logic working in Teiid is: even though the user is authenticated against Kerberos, it is looking for an additional user/password against the "teiid-security" domain, which it is going to use to associate with the Kerberos-authenticated ticket. This is in order to associate roles etc. I am not sure why we did not choose to avoid this step and make use of the Kerberos user as the target user of Teiid, then associate just the roles. So, for now, add a user name and password to the connection URL to make it work.
See code teiid/runtime/src/main/java/org/teiid/transport/LogonImpl.java at master · teiid/teiid · GitHub
Ramesh..
-
25. Re: Re: Re: Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
ayip Dec 9, 2013 8:40 AM (in response to rareddy)
That seems odd because the documentation clearly states that username/password is not needed. Once I took out the security-domain attribute, my test application connected and queried some results.
If I add the username back into the connection string it picks up the username but fails to make the connection. It fails near the neogitiateGssLogin.
Is this considered a feature request or a bug?
Also, it would be nice to use the SPNEGO login module, as it uses Kerberos to authenticate and passes the username to the next LoginModule for authorization. This negates the need to have both the security-domain and krb5-domain attributes in the JDBC authentication element.
-
26. Re: Re: Re: Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
rareddy Dec 9, 2013 8:47 AM (in response to ayip)
I did not mean to imply the "teiid-security" domain is hard coded; SPNEGO should work equally the same.
I do not follow you; where did you take out the "security-domain" attribute? What I was saying is that authentication still happens against the Kerberos source, but a dummy user name and password are being used to create a user for Teiid purposes. The question is why not use the principal from the Kerberos authentication for the user. I would say this would be an enhancement, as nothing is broken right now.
Ramesh..
-
27. Re: Re: Re: Re: Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
ayip Dec 9, 2013 9:41 AM (in response to rareddy)
Sorry, let me be a bit more clear.
As you suggested previously, I should include a username and password in my connection URL. But including them resulted in a different logon exception that seems to conflict with the Kerberos authentication module. In order to get the Kerberos authentication to work, I did not include the username and password in my connection URL and I took out the security-domain attribute from:
<transport name="jdbc" socket-binding="teiid-jdbc" protocol="teiid">
    <authentication security-domain="teiid-security" krb5-domain="host"/>
</transport>
-
server-1.log.zip 32.2 KB
-
28. Re: Re: Re: Re: Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
rareddy Dec 9, 2013 1:19 PM (in response to ayip)
The reason you are getting the error is because of the configuration issues you were having with the "defaultUser.properties" settings. Did you try the "SPNEGO" domain in place of "teiid-security"? The above is fine, but if you check the Teiid users that are logged in, you will see all "anonymous" users.
The enhancement here could be: in the case that "username" is missing from the URL, use "kerberosServicePrincipleName" as the default user, and add roles using the security-domain defined on the transport. But this security domain should use "useFirstPass" to skip the authentication and only do authorization to add roles to users.
-
29. Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
ayip Dec 9, 2013 2:07 PM (in response to rareddy)
You are correct. Once I used the original user/user it worked fine. Must be something with what I set in the properties files. I was using:
teiid-security-users.properties:
User2@CORP.CONTOSO.COM=password
teiid-security-roles.properties:
As for SPNEGO, I tried it but got a similar error where the username and/or password and/or payload token could not be authenticated.
Here are my SPNEGO and Kerberos security domains:
<security-domain name="host" cache-type="default">
    <authentication>
        <login-module code="Kerberos" flag="required">
            <module-option name="storeKey" value="true"/>
            <module-option name="useKeyTab" value="true"/>
            <module-option name="principal" value="HTTP/JBOSS.CORP.CONTOSO.COM@CORP.CONTOSO.COM"/>
            <module-option name="keyTab" value="${jboss.home.dir}\jboss.keytab"/>
            <module-option name="doNotPrompt" value="true"/>
            <module-option name="debug" value="true"/>
        </login-module>
    </authentication>
</security-domain>
<security-domain name="SPNEGO" cache-type="default">
    <authentication>
        <login-module code="SPNEGO" flag="requisite">
            <module-option name="password-stacking" value="true"/>
            <module-option name="serverSecurityDomain" value="host"/>
            <module-option name="debug" value="true"/>
        </login-module>
        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
            <module-option name="password-stacking" value="true"/>
            <module-option name="dsJndiName" value="java:/sqlserverJboss"/>
            <module-option name="principalsQuery" value="select '' from Roles where username=?"/>
            <module-option name="rolesQuery" value="select roles, 'Roles' from Roles where username=?"/>
        </login-module>
    </authentication>
</security-domain>
I had to add the org.jboss.security.negotiation dependency to the org.jboss.teiid module.xml.
Is there a plan to add that enhancement?