Bug 1328997

Summary: [GSS] (6.4.z) server instances cannot find keytab during domain startup
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: dhorton
Component: Domain Management
Assignee: Miroslav Sochurek <msochure>
Status: CLOSED CURRENTRELEASE
QA Contact: Martin Simka <msimka>
Severity: unspecified
Priority: unspecified
Version: 6.4.7
CC: bmaxwell, brian.stansberry, dandread, ihradek, jtruhlar, msochure, rnetuka, tfonteyn
Target Milestone: CR1
Target Release: EAP 6.4.9
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2017-01-17 12:57:27 UTC
Type: Bug
Bug Blocks: 1324262

Description dhorton 2016-04-20 20:32:24 UTC
Description of problem:

In domain mode, the server instances cannot find the keytab if the ApplicationRealm is configured to use Kerberos as the server-identity:

<security-realm name="ApplicationRealm"> 
  <server-identities> 
    <kerberos> 
      <keytab principal="remote/imahost.imadomain.net@VM29" path="/path/to/keytab"/> 
    </kerberos> 
  </server-identities> 
  <authentication> 
    <kerberos remove-realm="true"/> 
  </authentication> 
  <authorization> 
    <properties path="application-roles.properties" relative-to="jboss.domain.config.dir"/> 
  </authorization> 
</security-realm>

This results in the following error and the server instances fail to start:

[Server:server-one] 12:46:45,315 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) JBAS014612: Operation ("validate-authentication") failed - address: ([
[Server:server-one]     ("core-service" => "management"),
[Server:server-one]     ("security-realm" => "ApplicationRealm")
[Server:server-one] ]) - failure description: "JBAS021009: Kerberos is enabled for authentication on security realm 'ApplicationRealm' but no Keytab has been added to the server-identity."
[Server:server-one] 12:46:45,319 FATAL [org.jboss.as.server] (Controller Boot Thread) JBAS015957: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
[Server:server-one] 12:46:45,342 INFO  [org.jboss.as] (MSC service thread 1-4) JBAS015950: JBoss EAP 6.4.7.GA (AS 7.5.7.Final-redhat-3) stopped in 18ms
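
Added example, not part of the original report or of JBoss EAP: a Python triage helper that cross-checks JBAS021009 lines in a domain-mode log against the realm XML, to separate a realm that really lacks a keytab from the contradiction described above. The function names and verdict strings are hypothetical, the sample input is constructed from the excerpts above, and the check assumes absolute keytab paths (no relative-to) and that it runs as the user that runs the server.

```python
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample input, modelled on the realm and log excerpt in the report.
SAMPLE_XML = """<security-realm name="ApplicationRealm">
  <server-identities>
    <kerberos><keytab principal="remote/imahost.imadomain.net@VM29" path="/path/to/keytab"/></kerberos>
  </server-identities>
  <authentication><kerberos remove-realm="true"/></authentication>
</security-realm>"""
SAMPLE_LOG = '''[Server:server-one] 12:46:45,315 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) JBAS014612: Operation ("validate-authentication") failed - address: ([
[Server:server-one]     ("core-service" => "management"),
[Server:server-one]     ("security-realm" => "ApplicationRealm")
[Server:server-one] ]) - failure description: "JBAS021009: Kerberos is enabled for authentication on security realm 'ApplicationRealm' but no Keytab has been added to the server-identity."'''

# Domain-mode log line carrying JBAS021009: captures (server name, realm name).
NO_KEYTAB = re.compile(r"^\[Server:([^\]]+)\].*JBAS021009: .*security realm '([^']+)'", re.M)

def local(tag):  # element name without an XML namespace, so namespaced files parse too
    return tag.rsplit("}", 1)[-1]

def declared_keytabs(xml_text):
    """Map realm name -> keytab paths declared under <server-identities>."""
    realms = {}
    for realm in ET.fromstring(xml_text).iter():
        if local(realm.tag) == "security-realm":
            realms[realm.get("name")] = [
                kt.get("path")
                for ident in realm if local(ident.tag) == "server-identities"
                for kt in ident.iter() if local(kt.tag) == "keytab" and kt.get("path")]
    return realms

def triage(xml_text, log_text):
    """One finding per JBAS021009 line: which server, which realm, and why."""
    declared, findings = declared_keytabs(xml_text), []
    for server, realm in NO_KEYTAB.findall(log_text):
        paths = declared.get(realm, [])
        if not paths:
            verdict = "not-declared"           # the message is accurate: fix the realm
        elif not all(os.access(p, os.R_OK) for p in paths):
            verdict = "keytab-unreadable"      # declared, but this user cannot read it
        else:
            verdict = "declared-and-readable"  # config and file are fine, server still fails
        findings.append({"server": server, "realm": realm, "keytab_paths": paths, "verdict": verdict})
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_XML, SAMPLE_LOG))
```

A "declared-and-readable" verdict on a failing server is the combination this report describes; the other two verdicts point at the configuration or the file instead.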

Comment 1 Vlado Pakan 2016-06-03 06:59:58 UTC
PR: https://github.com/jbossas/jboss-eap/pull/2780

Comment 4 Ivo Hradek 2016-06-22 11:06:11 UTC
Verified with EAP 6.4.9.CP.CR1

Comment 6 Petr Penicka 2017-01-17 12:57:27 UTC
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.

Comment 7 Petr Penicka 2017-01-17 12:58:17 UTC
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.