kdc Server not found in database: HTTP/localhost@OUR.TLD: no such entry found in hdb
[WARN ][com.floragunn.dlic.auth.http.kerberos.HTTPSpnegoAuthenticator] Service login not successful due to java.security.PrivilegedActionException: GSSException: No credential found for: 1.2.840.113554.1.2.2 usage: Accept
[libdefaults] | |
dns_lookup_realm = false | |
dns_lookup_kdc = false | |
forwardable=true | |
dns_canonicalize_hostname = false | |
rdns = false | |
ignore_acceptor_hostname = true |
Ticket cache: FILE:/tmp/krb5cc_3942_cacbU16950Default principal: fwe...@OUR.TLD
Valid starting Expires Service principal10/06/16 11:04:02 10/07/16 08:45:31 krbtgt/OUR...@OUR.TLD10/06/16 11:04:03 10/07/16 08:45:31 HTTP/some_nod...@OUR.TLD
[2016-10-06 11:12:17,330][WARN ][com.floragunn.dlic.auth.http.kerberos.HTTPSpnegoAuthenticator] Service login not successful due to java.security.PrivilegedActionException: GSSException: No credential found for: 1.2.840.113554.1.2.2 usage: Accept
I updated the gist with the info from `curl -V`.I resolved the DNS issue (see earlier reply), and now I'm seeing the entry of the Service principal in `klist` after issuing the curl command:
Ticket cache: FILE:/tmp/krb5cc_3942_cacbU16950Default principal: fwe...@OUR.TLDValid starting Expires Service principal10/06/16 11:04:02 10/07/16 08:45:31 krbtgt/OUR...@OUR.TLD
10/06/16 11:04:03 10/07/16 08:45:31 HTTP/some_node.our.tld@OUR.TLD
However, I'm getting `401 Unauthorized`.
[2016-10-06 12:36:04,001][WARN ][com.floragunn.dlic.auth.http.kerberos.HTTPSpnegoAuthenticator] Service login not successful due to java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)
[2016-10-06 13:14:05,691][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] Open SSL OpenSSL 1.0.2h 3 May 2016 available[2016-10-06 13:14:06,022][INFO ][com.floragunn.searchguard.ssl.SearchGuardKeyStore] sslTransportClientProvider:OPENSSL with ciphers [TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA]
java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)
rbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES128 CTS mode with HMAC SHA1-96
klist -k /etc/elasticsearch/searchguard.in2p3.fr.keytab -eKeytab name: FILE:/etc/elasticsearch/searchguard.in2p3.fr.keytabKVNO Principal---- -------------------------------------------------------------------------- 1 HTTP/node42....@OUR.TLD (aes128-cts-hmac-sha1-96)
Is ldap required?
[2017-01-31 15:34:16,942][DEBUG][com.floragunn.searchguard.auth.BackendRegistry] Try to extract auth creds from http spnego
[2017-01-31 15:34:16,943][WARN ][rest.suppressed ] path: /, params: {}
java.lang.NoClassDefFoundError: Could not initialize class com.sun.security.auth.module.Krb5LoginModule
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:278)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:718)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
at com.floragunn.dlic.auth.http.kerberos.util.JaasKrbUtil.loginUsingKeytab(JaasKrbUtil.java:85)
at com.floragunn.dlic.auth.http.kerberos.HTTPSpnegoAuthenticator.extractCredentials0(HTTPSpnegoAuthenticator.java:203)
at com.floragunn.dlic.auth.http.kerberos.HTTPSpnegoAuthenticator.access$300(HTTPSpnegoAuthenticator.java:53)
at com.floragunn.dlic.auth.http.kerberos.HTTPSpnegoAuthenticator$2.run(HTTPSpnegoAuthenticator.java:174)
at com.floragunn.dlic.auth.http.kerberos.HTTPSpnegoAuthenticator$2.run(HTTPSpnegoAuthenticator.java:171)
at java.security.AccessController.doPrivileged(Native Method)
at com.floragunn.dlic.auth.http.kerberos.HTTPSpnegoAuthenticator.extractCredentials(HTTPSpnegoAuthenticator.java:171)
at com.floragunn.searchguard.auth.BackendRegistry.authenticate(BackendRegistry.java:436)
at com.floragunn.searchguard.filter.SearchGuardRestFilter.process(SearchGuardRestFilter.java:56)
at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:264)
at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:161)
at org.elasticsearch.http.HttpServer.internalDispatchRequest(HttpServer.java:153)
at org.elasticsearch.http.HttpServer$Dispatcher.dispatchRequest(HttpServer.java:101)
at org.elasticsearch.http.netty.NettyHttpServerTransport.dispatchRequest(NettyHttpServerTransport.java:451)
at com.floragunn.searchguard.ssl.http.netty.SearchGuardSSLNettyHttpServerTransport.dispatchRequest(SearchGuardSSLNettyHttpServerTransport.java:162)
at org.elasticsearch.http.netty.HttpRequestHandler.messageReceived(HttpRequestHandler.java:61)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.elasticsearch.http.netty.pipelining.HttpPipeliningHandler.messageReceived(HttpPipeliningHandler.java:60)
at org.jboss.netty.channel.SimpleChannelHandler.handleUpstream(SimpleChannelHandler.java:88)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.messageReceived(SimpleChannelUpstreamHandler.java:124)
at org.elasticsearch.http.netty.cors.CorsHandler.messageReceived(CorsHandler.java:87)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.jboss.netty.handler.codec.http.HttpChunkAggregator.messageReceived(HttpChunkAggregator.java:145)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.jboss.netty.handler.codec.http.HttpContentDecoder.messageReceived(HttpContentDecoder.java:108)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296)
at org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:459)
at org.jboss.netty.handler.codec.replay.ReplayingDecoder.callDecode(ReplayingDecoder.java:536)
at org.jboss.netty.handler.codec.replay.ReplayingDecoder.messageReceived(ReplayingDecoder.java:435)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.elasticsearch.common.netty.OpenChannelsHandler.handleUpstream(OpenChannelsHandler.java:75)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296)
at org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:462)
at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:443)
at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
java.security.PrivilegedActionException: GSSException: No credential found for: 1.2.840.113554.1.2.2 usage: Accept