Description of problem: qpid client fails to authenticate with GSSAPI mechanism and raises javax.security.auth.login.LoginException with following exception stack: [root@ibm-x3650-02 java]# java -Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.auth.login.config=${JAVACLI_EXAMPLE_PATH}/myjas.conf -Dsun.security.krb5.debug=true -Dqpid.sasl_mechs="GSSAPI" -Dqpid.sasl_protocol=qpidd -Dqpid.sasl_server_name=${TKRB5_FQDN} -Dlog4j.configuration=${JAVACLI_EXAMPLE_PATH}/log4j.xml -cp "$CLASSPATH" org.apache.qpid.example.jmsexample.requestResponse.Server log4j:WARN No appenders could be found for logger (org.apache.qpid.jndi.PropertiesFileInitialContextFactory). log4j:WARN Please initialize the log4j system properly. Config name: /etc/krb5.conf >>>KinitOptions cache name is /tmp/krb5cc_0 >>>DEBUG <CCacheInputStream> client principal is zlY7rEMKY53LFVJgh >>>DEBUG <CCacheInputStream> server principal is krbtgt/EXAMPLE.COM >>>DEBUG <CCacheInputStream> key type: 16 >>>DEBUG <CCacheInputStream> auth time: Tue Sep 20 06:43:28 EDT 2011 >>>DEBUG <CCacheInputStream> start time: Tue Sep 20 06:43:28 EDT 2011 >>>DEBUG <CCacheInputStream> end time: Wed Sep 21 06:43:28 EDT 2011 >>>DEBUG <CCacheInputStream> renew_till time: Wed Dec 31 19:00:00 EST 1969 >>> CCacheInputStream: readFlags() INITIAL; >>>DEBUG <CCacheInputStream> >>>DEBUG <CCacheInputStream> client principal is zlY7rEMKY53LFVJgh >>>DEBUG <CCacheInputStream> server principal is X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/EXAMPLE.COM >>>DEBUG <CCacheInputStream> key type: 0 >>>DEBUG <CCacheInputStream> auth time: Wed Dec 31 19:00:00 EST 1969 >>>DEBUG <CCacheInputStream> start time: Wed Dec 31 19:00:00 EST 1969 >>>DEBUG <CCacheInputStream> end time: Wed Dec 31 19:00:00 EST 1969 >>>DEBUG <CCacheInputStream> renew_till time: Wed Dec 31 19:00:00 EST 1969 >>> CCacheInputStream: readFlags() java.io.IOException: extra data given to DerValue constructor at sun.security.util.DerValue.init(DerValue.java:386) at sun.security.util.DerValue.<init>(DerValue.java:294) at sun.security.krb5.internal.Ticket.<init>(Ticket.java:91) at sun.security.krb5.internal.ccache.CCacheInputStream.readData(CCacheInputStream.java:256) at sun.security.krb5.internal.ccache.CCacheInputStream.readCred(CCacheInputStream.java:363) at sun.security.krb5.internal.ccache.FileCredentialsCache.load(FileCredentialsCache.java:189) at sun.security.krb5.internal.ccache.FileCredentialsCache.acquireInstance(FileCredentialsCache.java:84) at sun.security.krb5.internal.ccache.CredentialsCache.getInstance(CredentialsCache.java:82) at sun.security.krb5.Credentials.acquireTGTFromCache(Credentials.java:302) at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:606) at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:559) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:616) at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784) at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) at javax.security.auth.login.LoginContext$5.run(LoginContext.java:721) at javax.security.auth.login.LoginContext$5.run(LoginContext.java:719) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:718) at javax.security.auth.login.LoginContext.login(LoginContext.java:590) at sun.security.jgss.GSSUtil.login(GSSUtil.java:264) at sun.security.jgss.krb5.Krb5Util.getTicket(Krb5Util.java:153) at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:346) at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:344) at java.security.AccessController.doPrivileged(Native Method) at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:343) at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:145) at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:123) at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:189) at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:220) at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:213) at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:180) at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193) at org.apache.qpid.transport.ClientDelegate.connectionStart(ClientDelegate.java:149) at org.apache.qpid.transport.ClientDelegate.connectionStart(ClientDelegate.java:51) at org.apache.qpid.transport.ConnectionStart.dispatch(ConnectionStart.java:104) at org.apache.qpid.transport.ConnectionDelegate.control(ConnectionDelegate.java:49) at org.apache.qpid.transport.ConnectionDelegate.control(ConnectionDelegate.java:40) at org.apache.qpid.transport.Method.delegate(Method.java:163) at org.apache.qpid.transport.Connection.received(Connection.java:368) at org.apache.qpid.transport.Connection.received(Connection.java:58) at org.apache.qpid.transport.network.Assembler.emit(Assembler.java:95) at org.apache.qpid.transport.network.Assembler.assemble(Assembler.java:181) at org.apache.qpid.transport.network.Assembler.frame(Assembler.java:129) at org.apache.qpid.transport.network.Frame.delegate(Frame.java:133) at org.apache.qpid.transport.network.Assembler.received(Assembler.java:100) at org.apache.qpid.transport.network.Assembler.received(Assembler.java:42) at org.apache.qpid.transport.network.InputHandler.next(InputHandler.java:187) at org.apache.qpid.transport.network.InputHandler.received(InputHandler.java:103) at org.apache.qpid.transport.network.InputHandler.received(InputHandler.java:42) at org.apache.qpid.transport.network.io.IoReceiver.run(IoReceiver.java:128) at java.lang.Thread.run(Thread.java:636) javax.jms.JMSException: Error creating connection: GSS initiate failed at org.apache.qpid.client.AMQConnectionFactory.createConnection(AMQConnectionFactory.java:286) at org.apache.qpid.example.jmsexample.requestResponse.Server.runTest(Server.java:69) at org.apache.qpid.example.jmsexample.requestResponse.Server.main(Server.java:48) Caused by: org.apache.qpid.AMQConnectionFailureException: GSS initiate failed [error code 200: reply success] at org.apache.qpid.client.AMQConnection.<init>(AMQConnection.java:478) at org.apache.qpid.client.AMQConnectionFactory.createConnection(AMQConnectionFactory.java:276) ... 2 more Caused by: org.apache.qpid.AMQException: Cannot connect to broker: GSS initiate failed [error code 200: reply success] at org.apache.qpid.client.AMQConnectionDelegate_0_10.makeBrokerConnection(AMQConnectionDelegate_0_10.java:211) at org.apache.qpid.client.AMQConnection.makeBrokerConnection(AMQConnection.java:623) at org.apache.qpid.client.AMQConnection.<init>(AMQConnection.java:401) ... 3 more Caused by: org.apache.qpid.transport.ConnectionException: GSS initiate failed at org.apache.qpid.transport.ConnectionException.rethrow(ConnectionException.java:67) at org.apache.qpid.transport.Connection.connect(Connection.java:267) at org.apache.qpid.client.AMQConnectionDelegate_0_10.makeBrokerConnection(AMQConnectionDelegate_0_10.java:192) ... 5 more Caused by: org.apache.qpid.transport.ConnectionException: GSS initiate failed at org.apache.qpid.transport.Connection.exception(Connection.java:511) at org.apache.qpid.transport.ClientDelegate.connectionStart(ClientDelegate.java:157) at org.apache.qpid.transport.ClientDelegate.connectionStart(ClientDelegate.java:51) at org.apache.qpid.transport.ConnectionStart.dispatch(ConnectionStart.java:104) at org.apache.qpid.transport.ConnectionDelegate.control(ConnectionDelegate.java:49) at org.apache.qpid.transport.ConnectionDelegate.control(ConnectionDelegate.java:40) at org.apache.qpid.transport.Method.delegate(Method.java:163) at org.apache.qpid.transport.Connection.received(Connection.java:368) at org.apache.qpid.transport.Connection.received(Connection.java:58) at org.apache.qpid.transport.network.Assembler.emit(Assembler.java:95) at org.apache.qpid.transport.network.Assembler.assemble(Assembler.java:181) at org.apache.qpid.transport.network.Assembler.frame(Assembler.java:129) at org.apache.qpid.transport.network.Frame.delegate(Frame.java:133) at org.apache.qpid.transport.network.Assembler.received(Assembler.java:100) at org.apache.qpid.transport.network.Assembler.received(Assembler.java:42) at org.apache.qpid.transport.network.InputHandler.next(InputHandler.java:187) at org.apache.qpid.transport.network.InputHandler.received(InputHandler.java:103) at org.apache.qpid.transport.network.InputHandler.received(InputHandler.java:42) at org.apache.qpid.transport.network.io.IoReceiver.run(IoReceiver.java:128) at java.lang.Thread.run(Thread.java:636) Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))] at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212) at org.apache.qpid.transport.ClientDelegate.connectionStart(ClientDelegate.java:149) ... 18 more Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null)) at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:351) at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:145) at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:123) at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:189) at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:220) at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:213) at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:180) at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193) ... 19 more Caused by: javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:750) at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:646) at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:559) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:616) at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784) at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) at javax.security.auth.login.LoginContext$5.run(LoginContext.java:721) at javax.security.auth.login.LoginContext$5.run(LoginContext.java:719) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:718) at javax.security.auth.login.LoginContext.login(LoginContext.java:590) at sun.security.jgss.GSSUtil.login(GSSUtil.java:264) at sun.security.jgss.krb5.Krb5Util.getTicket(Krb5Util.java:153) at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:346) at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:344) at java.security.AccessController.doPrivileged(Native Method) at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:343) ... 26 more Server: Caught an Exception: javax.jms.JMSException: Error creating connection: GSS initiate failed It is proved that at the moment of above exception other clients (c++, python) are able to authenticate correctly: [root@ibm-x3650-02 java]# perftest --mechanism GSSAPI --count 1 -p 32804 --user zlY7rEMKY53LFVJgh --broker ibm-x3650-02. ... .com Processing 1 messages from qpid-perftest_sub_ready . done. Sending start 1 times to qpid-perftest_pub_start Processing 1 messages from qpid-perftest_pub_done . done. Processing 1 messages from qpid-perftest_sub_done . done. Total 2 transfers of 1024 bytes in 0.0427095 seconds. Publish transfers/sec: 24.5611 Average: 24.5611 Subscribe transfers/sec: 4.92387 Average: 4.92387 Total transfers/sec: 46.828 Total Mbytes/sec: 0.0457305 [root@ibm-x3650-02 java]# echo $? 0 Version-Release number of selected component (if applicable): python-qpid-0.10-1.el6.noarch python-qpid-qmf-0.10-10.el6.x86_64 qpid-cpp-client-0.10-6.el6.x86_64 qpid-cpp-client-devel-0.10-6.el6.x86_64 qpid-cpp-client-devel-docs-0.10-6.el6.noarch qpid-cpp-server-0.10-6.el6.x86_64 qpid-cpp-server-devel-0.10-6.el6.x86_64 qpid-cpp-server-store-0.10-6.el6.x86_64 qpid-cpp-server-xml-0.10-6.el6.x86_64 qpid-java-client-0.10-9.el6.noarch qpid-java-common-0.10-9.el6.noarch qpid-java-example-0.10-9.el6.noarch qpid-java-jca-0.10-9.el6.noarch qpid-qmf-0.10-10.el6.x86_64 qpid-qmf-debuginfo-0.10-10.el6.x86_64 qpid-qmf-devel-0.10-10.el6.x86_64 qpid-tools-0.10-5.el6.noarch ruby-qpid-0.7.946106-2.el6.x86_64 How reproducible: 100% Steps to Reproduce: 1. run qpid_ptest_authentication_krb5 test or alternatively: 1. set-up kerberos server for single host 2. run qpidd in auth=yes mode 3. launch a java client for instance: java -Djavax.security.auth.useSubjectCredsOnly=false \ -Djava.security.auth.login.config=${JAVACLI_EXAMPLE_PATH}/myjas.conf \ -Dsun.security.krb5.debug=true -Dqpid.sasl_mechs="GSSAPI" \ -Dqpid.sasl_protocol=qpidd -Dqpid.sasl_server_name=$(hostname) \ -Dlog4j.configuration=${JAVACLI_EXAMPLE_PATH}/log4j.xml \ -cp "$CLASSPATH" \ org.apache.qpid.example.jmsexample.requestResponse.Server myjas.conf: com.sun.security.jgss.initiate { com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true useTicketCache=true; }; requestResponse.properties: java.naming.factory.initial = org.apache.qpid.jndi.PropertiesFileInitialContextFactory connectionfactory.qpidConnectionfactory = amqp://zlY7rEMKY53LFVJgh:@clientid/testpath?brokerlist='tcp://ibm-x3650-02. ... .com:32804' queue.requestQueue = request Actual results: client does not authenticate with GSSAPI. Expected results: client should authenticate with GSSAPI. Additional info:
The issue is observed also on packages: qpid-java-*0.10-6.el*.noarch