SPNEGO authentication jass.conf sample


Alexandre LINTE

Jun 5, 2015, 6:38:37 AM
to search...@googlegroups.com
Hello,

Does someone have a jaas.conf sample file for this module?
I get an exception with this file:

com.sun.security.jgss.krb5.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/path/elastic.keytab"
  useTicketCache=false
  storeKey=true
  principal="HTTP/server_fqdn@realm";
};

Exception:

[2015-06-05 12:34:39,940][TRACE][com.floragunn.searchguard.authentication.http.spnego.HTTPSpnegoAuthenticator] Service login not successful due to {}
java.security.PrivilegedActionException: GSSException: No credential found for: 1.2.840.113554.1.2.21.2.840.113554.1.2.2 usage: Accept
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:415)
        at com.floragunn.searchguard.authentication.http.spnego.HTTPSpnegoAuthenticator.authenticate(HTTPSpnegoAuthenticator.java:122)

Regards,

in...@search-guard.com

Jun 5, 2015, 6:57:37 AM
to search...@googlegroups.com, alex....@gmail.com
https://github.com/floragunncom/search-guard/blob/master/src/test/resources/login.conf_template

Kerberos authentication is a somewhat complicated thing. If you run into trouble, please share all kinds of information about your environment, like:
client and server operating system(s), Kerberos implementation, krb5.conf, browser, Search Guard/Elasticsearch settings ...

Best is to examine the unit tests to see how to set up stuff:

If you have a Windows environment, consider using Waffle instead of plain Kerberos.

Alexandre LINTE

Jun 9, 2015, 11:12:09 AM
to search...@googlegroups.com, alex....@gmail.com
Hello,

I did some other tests.
The module works with Firefox.

But with curl it doesn't.

# curl --negotiate -u : -v http://es-lb:9200

# curl  --version
curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

Regards,

Alexandre

in...@search-guard.com

Jun 9, 2015, 11:27:18 AM
to search...@googlegroups.com, alex....@gmail.com
Before you execute curl, don't forget to kinit.

Then: curl --negotiate -u : -v -b ~/cookies.txt -c ~/cookies.txt http://es-lb:9200

If it's not working, please post the output of kinit and the curl command and the content of ~/cookies.txt.

Alexandre LINTE

Jun 9, 2015, 11:43:39 AM
to search...@googlegroups.com, alex....@gmail.com
Yes, I kinited.

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@REALM

Valid starting     Expires            Service principal
06/09/15 17:29:38  06/10/15 03:27:56  krbtgt/REALM@REALM
        renew until 06/16/15 17:27:56
06/09/15 17:29:44  06/10/15 03:27:56  HTTP/es-lb@REALM
        renew until 06/16/15 17:27:56

# curl --negotiate -u : -v -b ~/cookies.txt -c ~/cookies.txt http://es-lb:9200
* About to connect() to es-lb port 9200 (#0)
*   Trying X.X.X.X... connected
* Connected to es-lb (X.X.X.X) port 9200 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: es-lb:9200
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Negotiate
< Content-Type: text/plain; charset=UTF-8
< Content-Length: 0
<
* Connection #0 to host es-lb left intact
* Issue another request to this URL: 'http://es-lb:9200'
* Re-using existing connection! (#0) with host es-lb
* Connected to es-lb (X.X.X.X) port 9200 (#0)
* Server auth using GSS-Negotiate with user ''
> GET / HTTP/1.1
> Authorization: Negotiate base64encodedstring
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: es-lb:9200
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
* Authentication problem. Ignoring this.
< WWW-Authenticate: Negotiate
< Content-Type: text/plain; charset=UTF-8
< Content-Length: 0
<
* Connection #0 to host es-lb left intact
* Closing connection #0

# cat ~/cookies.txt
cat: /root/cookies.txt: No such file or directory

On the server side I have the error from my first post.

Alexandre

in...@search-guard.com

Jun 9, 2015, 3:05:57 PM
to search...@googlegroups.com, alex....@gmail.com
Pls enable debug mode and start Elasticsearch with the property -Dsearchguard.debug=true
This is a shortcut for

-Djavax.net.debug=all
-Dsun.security.krb5.debug=true
-Djava.security.debug=all

Looks like a problem with your keytab (but why then is Firefox working?)

Use "ktpass" to generate a keytab and make sure you have two principals in there:
- krbtgt/REALM@REALM
- HTTP/es-lb@REALM
and map your user to the HTTP/es-lb principal with ktpass -out <keytab location> -princ <host/domain.com> -mapUser usera...@domain.com

Pls post your krb5.conf and check again that your jaas file is correct:

com.sun.security.jgss.krb5.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/path/elastic.keytab"
  useTicketCache=false
  storeKey=true
  principal="HTTP/server_fqdn@realm"; //SEEMS WRONG -> principal="HTTP/es-lb@REALM";
};

see https://github.com/floragunncom/search-guard/blob/master/src/test/resources/login.conf_template

Alexandre LINTE

Jun 10, 2015, 8:36:13 AM
to search...@googlegroups.com, alex....@gmail.com
Hello,

Thanks for your time.
I took some network traces in order to examine the content of the "Authorization" request header.

I see a difference between curl and Firefox...

- Firefox uses SPNEGO first (OID 1.3.6.1.5.5.2) and KRB5 inside it (OID 1.2.840.113545.1.2.2)

- Curl uses KRB5 directly (OID 1.2.840.113545.1.2.2)

Is there a way to force curl to work with SPNEGO/KRB5 and not only KRB5?

Regards,

Alexandre
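Added example, not from this thread or from Search Guard: a small Python check that decodes the base64 token of an `Authorization: Negotiate` header (as seen in the curl trace above) and reports the outer GSS-API mechanism OID, so you can tell the SPNEGO wrapper from a raw Kerberos token without Wireshark. The two sample tokens are constructed here with placeholder inner bytes, and all function names are my own.

```python
import base64

# Mechanism OIDs found at the front of a GSS-API InitialContextToken (RFC 2743 3.1).
SPNEGO_OID = "1.3.6.1.5.5.2"           # wrapper Firefox sends
KRB5_OID = "1.2.840.113554.1.2.2"      # raw Kerberos v5, what curl 7.19.7 sends

def _der_len(buf, pos):
    """Parse a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def decode_oid(raw):
    """DER OBJECT IDENTIFIER content bytes -> dotted string."""
    parts = [str(raw[0] // 40), str(raw[0] % 40)]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:              # clear high bit ends the sub-identifier
            parts.append(str(val))
            val = 0
    if val:
        raise ValueError("truncated OID sub-identifier")
    return ".".join(parts)

def mech_of_negotiate_header(header_value):
    """Return the outer mech OID of an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    buf = base64.b64decode(b64)
    if not buf or buf[0] != 0x60:     # [APPLICATION 0] tag of InitialContextToken
        raise ValueError("not a GSS-API InitialContextToken")
    _, pos = _der_len(buf, 1)
    if buf[pos] != 0x06:              # OBJECT IDENTIFIER tag
        raise ValueError("mech OID not found after token header")
    oid_len, pos = _der_len(buf, pos + 1)
    return decode_oid(buf[pos:pos + oid_len])

def _sample(oid_der, inner):
    # Constructed sample token: 0x60 <len> 0x06 <len> <oid> <inner>, short-form lengths.
    body = b"\x06" + bytes([len(oid_der)]) + oid_der + inner
    return "Negotiate " + base64.b64encode(b"\x60" + bytes([len(body)]) + body).decode()

# Constructed samples: the inner bytes are placeholders, not real Kerberos tickets.
FIREFOX_STYLE = _sample(bytes.fromhex("2b0601050502"), b"\xa0\x03\x02\x01\x00")
CURL_7_19_STYLE = _sample(bytes.fromhex("2a864886f712010202"), b"\x01\x00")
```

Run it against a real capture by pasting the header value from the `-v` output into `mech_of_negotiate_header`; a result of 1.2.840.113554.1.2.2 means the client skipped the SPNEGO wrapper, which is the mismatch described in this thread.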


Alexandre LINTE

Jun 10, 2015, 8:38:36 AM
to search...@googlegroups.com
Trace with Firefox:

Trace with curl:

...

Alexandre LINTE

Jun 10, 2015, 11:15:06 AM
to search...@googlegroups.com
Hi again,

This problem is known with curl:
==> http://sourceforge.net/p/curl/bugs/1302/

CentOS 6.x uses a version of curl (7.19.7) that is incompatible with SPNEGO.
Bug fixed in git on 23rd July 2014.

Regards,

Alexandre