Please see https://issues.jboss.org/browse/JGRP-1847
Making this a blocker for JDG 6.3.GA
OK. Looks like this is not a blocker, according to Vojtech. But the configuration is not very intuitive. Could you please comment, Vojta?
When using EAP kerberos login module, the principal is configured there, e.g. <login-module code="Kerberos" flag="required"> .... <module-option name="principal" value="jgroups/node0/clustered"/> .... </login-module> One would expect, that this is sufficient. However, this principal name is not used and principal for joining node is constructed as "jgroups/server_name", so if I configure server_name to "node0" (which is expected), authentication fails. To make it working, one have to configure server_name to "node0/clustered": <SASL mech="GSSAPI" server_name="node0/clustered" .... /> IMHO this is very confusing, especially when we use for sever mode principal in form jgroups/server_fqdn/cache_conatiner_name.
Hi folks, Created a cloned docs bug to track this for docs, but I need some information about what exactly we want documented for this bug.
We should mention, that server principal is always constructed as "jgroups/server_name", therefore server principal in kerberos has to be also "jgroups/server_name" (if in kerberos is e.g. "jgroups/node1/mycache", than server name has to be "node1/mycache")
Thanks, Vojta. Copied comment to Bug 1116311 for docs. Setting needs_docs flag to + to indicate a docs bug has been created to deal with this issue.
Bela Ban <bela> updated the status of jira JGRP-1847 to Closed