Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1211539

Summary: Pass-through kerberos authentication on IBM JDK - principal is not passed to MSSQL driver
Product: [JBoss] JBoss Data Virtualization 6 Reporter: Juraj Duráni <jdurani>
Component: TeiidAssignee: Van Halbert <vhalbert>
Status: CLOSED WONTFIX QA Contact:
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.2.0CC: drieden, vhalbert
Target Milestone: ---Keywords: Documentation
Target Release: 6.2.0   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
If you are using the IBM Java Development Kit, Kerberos identification will fail under some circumstances. This is because the Kerberos principal is not passed to the driver. As a result, the user will see an exception. MSSQL is affected (pass-through configuration only) as is Impala (for both static and pass-through configurations).
 Story Points: ---
Clone Of: Environment:
OS: Fedora 20 java: IBM JDK 1.7 arch: x86_64
Last Closed: 2015-10-02 16:38:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Configuration file
none
VDB for static configuration
none
VDB for pass-through authentication none

Description Juraj Duráni 2015-04-14 09:26:22 UTC 
Description:

I have configured a datasource for MSSQL database. The datasource uses PassthroughIdentityLoginModule. I have also created a VDB which requires kerberos authentication. I am trying to pass credentials used for authentication CLIENT <=> TEIID to datasource so they can be used for authentication TEIID <=> MSSQL.

Method getConnection(..) (record in server log) is called with correct credentials, but SQLServerDriver throws an exception:
initAuthInit failed privileged exception:-java.security.PrivilegedActionException: org.ietf.jgss.GSSException, major code: 13, minor code: 0
major string: Invalid credentials
minor string: Cannot get credential from JAAS Subject for principal: default principal

Some ideas, but I am only guessing:
1. I have seen same exception (on client side) if system property "javax.security.auth.useSubjectCredsOnly" is set to false on client side. As this property is set to true in the server config (<property name="javax.security.auth.useSubjectCredsOnly" value="true"/>), it is probably not passed to the driver (or is being ignored).
2. SQLServerDriver sets two system properties by default (if no kerberos configuration file is specified) useDefaultCcache = true moduleBanner = false - see https://msdn.microsoft.com/en-us/library/gg558122%28v=sql.110%29.aspx - ibm kerberos login module will try to get TGT from ticket cache

------------------------
Steps to reproduce:

0. add dependency "ibm.jdk" to module org.jboss.security.negotiation (https://issues.jboss.org/browse/TEIID-3416)
1. start Teiid
2. adapt set-up-mssql-ibm.cli and run it to configure Teiid
3. deploy VDBs
4. connect to Teiid and run query SELECT "user" FROM us

------------------------
Additional information:

I have tried static kerberos configuration for same DS and there was no problem with it.
Comment 1 Juraj Duráni 2015-04-14 09:28:12 UTC 
Created attachment 1014225 [details]
Configuration file
Comment 2 Juraj Duráni 2015-04-14 09:28:40 UTC 
Created attachment 1014226 [details]
VDB for static configuration
Comment 3 Juraj Duráni 2015-04-14 09:29:18 UTC 
Created attachment 1014227 [details]
VDB for pass-through authentication
Comment 4 Juraj Duráni 2015-04-14 10:24:18 UTC 
Same problem with Impala (pass-through). But in this case even static configuration does not work.

Static configuration error:
ERROR [org.apache.thrift.transport.TSaslTransport] (Worker1_QueryProcessorQueue1) SASL negotiation failure: javax.security.sasl.SaslException: Final handshake failed [Caused by org.ietf.jgss.GSSException, major code: 11, minor code: 0
major string: General failure, unspecified at GSSAPI level
minor string: Input max size 0 less than computed required size 53]
Comment 5 Juraj Duráni 2015-04-14 10:26:49 UTC 
Additional info to Comment 4: IBM jdk is not supported - http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/pcm_jdk_cdh_cm.html
Comment 6 David Le Sage 2015-09-03 03:55:49 UTC 
Release note errata - in progress.
Comment 7 David Le Sage 2015-09-03 05:11:31 UTC 
Release note draft completed.  Assigning back to Van for engineering.
Comment 8 JBoss JIRA Server 2015-09-30 16:39:03 UTC 
Steven Hawkins <shawkins> updated the status of jira TEIID-3425 to Resolved