Bug 1107613 - SASL GSSAPI auth doesn't use principal configured login_module
Status: NEW
Product: JBoss Data Grid 6
Classification: JBoss
Component: JGroups
6.3.0
Unspecified Unspecified
unspecified Severity high
: ---
: 6.3.0
Assigned To: Tristan Tarrant
Martin Gencur
:
Depends On:
Blocks: 1116311
Reported: 2014-06-10 07:04 EDT by Vojtech Juranek
Modified: 2018-09-12 18:33 EDT

See Also:
Fixed In Version:
Doc Type: Known Issue
Doc Text:
In Red Hat JBoss Data Grid, the server principal is always constructed as <literal>jgroups/server_name</literal> and is not loaded from the Kerberos login module. Using a different principal results in an authentication failure. This is a known issue in JBoss Data Grid 6.4 and the workaround for this issue is to use <literal>jgroups/server_name</literal> as the server principal.
Story Points: ---
Clone Of:
: 1116311
Environment:
Last Closed:
Type: Bug
External Trackers
Tracker ID Priority Status Summary Last Updated
JBoss Issue Tracker JGRP-1847 Major Closed SASL GSSAPI auth doesn't use principal configured login_module 2015-06-23 06:02:12 EDT

Description Vojtech Juranek 2014-06-10 07:04:07 EDT
Please see https://issues.jboss.org/browse/JGRP-1847
Comment 1 Martin Gencur 2014-06-10 07:10:08 EDT
Making this a blocker for JDG 6.3.GA
Comment 3 Martin Gencur 2014-06-11 03:10:04 EDT
OK. Looks like this is not a blocker, according to Vojtech. But the configuration is not very intuitive. Could you please comment, Vojta?
Comment 4 Vojtech Juranek 2014-06-11 03:54:38 EDT
When using the EAP Kerberos login module, the principal is configured there, e.g.

<login-module code="Kerberos" flag="required">
        ....
        <module-option name="principal" value="jgroups/node0/clustered@INFINISPAN.ORG"/>
        ....
</login-module>

One would expect that this is sufficient. However, this principal name is not used, and the principal for the joining node is constructed as "jgroups/server_name", so if I configure server_name to "node0" (which is expected), authentication fails. To make it work, one has to configure server_name to "node0/clustered":

<SASL mech="GSSAPI"
         server_name="node0/clustered"
         .... 
/>

IMHO this is very confusing, especially when we use for server mode a principal in the form jgroups/server_fqdn/cache_container_name.
Comment 5 Misha H. Ali 2014-07-04 04:23:26 EDT
Hi folks,

Created a cloned docs bug to track this for docs, but I need some information about what exactly we want documented for this bug.
Comment 6 Vojtech Juranek 2014-07-04 04:55:00 EDT
We should mention that the server principal is always constructed as "jgroups/server_name", therefore the server principal in Kerberos also has to be "jgroups/server_name" (if in Kerberos it is e.g. "jgroups/node1/mycache", then the server name has to be "node1/mycache").
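
Added example (not part of the original comments and not JGroups or JBoss code): a small pre-deployment check that builds the principal the way the comments describe, as "jgroups/" plus server_name, and compares it with the principal in the Kerberos login module. The sample XML is constructed from the fragments in Comment 4 with the elided parts dropped; the function names, and the assumption that the realm is everything after the last "@", are this example's own.

```python
import xml.etree.ElementTree as ET

SERVICE = "jgroups"  # service part of the principal, as described in the comments above

# Constructed sample input modelled on the fragments in Comment 4 (elided parts dropped).
LOGIN_MODULE = """
<login-module code="Kerberos" flag="required">
    <module-option name="principal" value="jgroups/node0/clustered@INFINISPAN.ORG"/>
</login-module>
"""
SASL_TEMPLATE = '<SASL mech="GSSAPI" server_name="{}"/>'


def configured_principal(login_module_xml):
    """Return the login module's principal without its realm (assumed to follow the last '@')."""
    root = ET.fromstring(login_module_xml)
    for opt in root.iter("module-option"):
        if opt.get("name") == "principal":
            return opt.get("value", "").rsplit("@", 1)[0]
    raise ValueError("login module has no 'principal' option")


def check(login_module_xml, sasl_xml):
    """Compare the principal built from server_name with the configured one.

    Returns (matches, constructed_principal, required_server_name).
    """
    principal = configured_principal(login_module_xml)
    service, _, instance = principal.partition("/")
    if service != SERVICE or not instance:
        raise ValueError(f"principal {principal!r} is not of the form {SERVICE}/<server_name>")
    server_name = ET.fromstring(sasl_xml).get("server_name")
    if server_name is None:
        raise ValueError("SASL element has no server_name attribute")
    constructed = f"{SERVICE}/{server_name}"
    return constructed == principal, constructed, instance


if __name__ == "__main__":
    for name in ("node0", "node0/clustered"):
        ok, built, required = check(LOGIN_MODULE, SASL_TEMPLATE.format(name))
        print(f"server_name={name!r}: builds {built!r}, "
              f"{'OK' if ok else 'mismatch, set server_name=' + repr(required)}")
```

Run against each node's configuration before start-up, a mismatch here points to the same misconfiguration that otherwise only shows up as an authentication failure when the node joins.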
Comment 7 Misha H. Ali 2014-07-06 19:10:00 EDT
Thanks, Vojta. Copied comment to Bug 1116311 for docs. Setting needs_docs flag to + to indicate a docs bug has been created to deal with this issue.
Comment 8 JBoss JIRA Server 2015-06-23 06:02:13 EDT
Bela Ban <bela@jboss.com> updated the status of jira JGRP-1847 to Closed
