SPNEGO authentication jass.conf sample

Hello,
Someone has a jaas.conf sample file for this module ?
I have an exception with the file :
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/path/elastic.keytab"
useTicketCache=false
storeKey=true
principal=“HTTP/server_fqdn@realm”;
};
Exception :

[2015-06-05 12:34:39,940][TRACE][com.floragunn.searchguard.authentication.http.spnego.HTTPSpnegoAuthenticator] Service login not successful due to {}
java.security.PrivilegedActionException: GSSException: No credential found for: 1.2.840.113554.1.2.21.2.840.113554.1.2.2 usage: Accept
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:415)
at com.floragunn.searchguard.authentication.http.spnego.HTTPSpnegoAuthenticator.authenticate(HTTPSpnegoAuthenticator.java:122)

Reagrds,

https://github.com/floragunncom/search-guard/blob/master/src/test/resources/login.conf_template

Kerberos authentication is a somewhat complicated thing. if you run in trouble pls. share all kind of informations about your environment like:

Client and Server operating system(s), Kerberos implementation, krb5.conf, Browser, search guard/elasticsearch settings …

Best is to examine unit tests to see how to setup stuff:

https://github.com/floragunncom/search-guard/blob/master/src/test/java/com/floragunn/searchguard/SfSpNegoTest.java

https://github.com/floragunncom/search-guard/blob/master/src/test/java/com/floragunn/searchguard/AuthNAuthZTest.java

If you have a windows environment consider using waffle instead of plain kerberos.

···

Am Freitag, 5. Juni 2015 12:38:37 UTC+2 schrieb Alexandre LINTE:

Hello,
Someone has a jaas.conf sample file for this module ?
I have an exception with the file :
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/path/elastic.keytab"
useTicketCache=false
storeKey=true
principal=“HTTP/server_fqdn@realm”;
};
Exception :

[2015-06-05 12:34:39,940][TRACE][com.floragunn.searchguard.authentication.http.spnego.HTTPSpnegoAuthenticator] Service login not successful due to {}
java.security.PrivilegedActionException: GSSException: No credential found for: 1.2.840.113554.1.2.21.2.840.113554.1.2.2 usage: Accept
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:415)
at com.floragunn.searchguard.authentication.http.spnego.HTTPSpnegoAuthenticator.authenticate(HTTPSpnegoAuthenticator.java:122)

Reagrds,

Hello,

I do some others tests.
The module work with firefox.

But with curl it doesn’t.

curl --negotiate -u : -v http://es-lb:9200

curl --version

curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

Regards,

Alexandre

···

On Friday, June 5, 2015 at 12:57:37 PM UTC+2, in...@search-guard.com wrote:

https://github.com/floragunncom/search-guard/blob/master/src/test/resources/login.conf_template

Kerberos authentication is a somewhat complicated thing. if you run in trouble pls. share all kind of informations about your environment like:

Client and Server operating system(s), Kerberos implementation, krb5.conf, Browser, search guard/elasticsearch settings …

Best is to examine unit tests to see how to setup stuff:

https://github.com/floragunncom/search-guard/blob/master/src/test/java/com/floragunn/searchguard/SfSpNegoTest.java

https://github.com/floragunncom/search-guard/blob/master/src/test/java/com/floragunn/searchguard/AuthNAuthZTest.java

If you have a windows environment consider using waffle instead of plain kerberos.

Am Freitag, 5. Juni 2015 12:38:37 UTC+2 schrieb Alexandre LINTE:

Hello,
Someone has a jaas.conf sample file for this module ?
I have an exception with the file :
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/path/elastic.keytab"
useTicketCache=false
storeKey=true
principal=“HTTP/server_fqdn@realm”;
};
Exception :

[2015-06-05 12:34:39,940][TRACE][com.floragunn.searchguard.authentication.http.spnego.HTTPSpnegoAuthenticator] Service login not successful due to {}
java.security.PrivilegedActionException: GSSException: No credential found for: 1.2.840.113554.1.2.21.2.840.113554.1.2.2 usage: Accept
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:415)
at com.floragunn.searchguard.authentication.http.spnego.HTTPSpnegoAuthenticator.authenticate(HTTPSpnegoAuthenticator.java:122)

Reagrds,

before you execute curl don’t forget to kinit

then: curl --negotiate -u : -v -b ~/cookies.txt -c ~/cookies.txt http://es-lb:9200

if its not woking please post the output of kinit and the curl command and the content of ~/cookies.txt

···

Am Dienstag, 9. Juni 2015 17:12:09 UTC+2 schrieb Alexandre LINTE:

Hello,

I do some others tests.
The module work with firefox.

But with curl it doesn’t.

curl --negotiate -u : -v http://es-lb:9200

curl --version

curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

Regards,

Alexandre

On Friday, June 5, 2015 at 12:57:37 PM UTC+2, in...@search-guard.com wrote:

https://github.com/floragunncom/search-guard/blob/master/src/test/resources/login.conf_template

Kerberos authentication is a somewhat complicated thing. if you run in trouble pls. share all kind of informations about your environment like:

Client and Server operating system(s), Kerberos implementation, krb5.conf, Browser, search guard/elasticsearch settings …

Best is to examine unit tests to see how to setup stuff:

https://github.com/floragunncom/search-guard/blob/master/src/test/java/com/floragunn/searchguard/SfSpNegoTest.java

https://github.com/floragunncom/search-guard/blob/master/src/test/java/com/floragunn/searchguard/AuthNAuthZTest.java

If you have a windows environment consider using waffle instead of plain kerberos.

Am Freitag, 5. Juni 2015 12:38:37 UTC+2 schrieb Alexandre LINTE:

Hello,
Someone has a jaas.conf sample file for this module ?
I have an exception with the file :
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/path/elastic.keytab"
useTicketCache=false
storeKey=true
principal=“HTTP/server_fqdn@realm”;
};
Exception :

[2015-06-05 12:34:39,940][TRACE][com.floragunn.searchguard.authentication.http.spnego.HTTPSpnegoAuthenticator] Service login not successful due to {}
java.security.PrivilegedActionException: GSSException: No credential found for: 1.2.840.113554.1.2.21.2.840.113554.1.2.2 usage: Accept
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:415)
at com.floragunn.searchguard.authentication.http.spnego.HTTPSpnegoAuthenticator.authenticate(HTTPSpnegoAuthenticator.java:122)

Reagrds,

Yes I kinited

klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@REALM

Valid starting Expires Service principal
06/09/15 17:29:38 06/10/15 03:27:56 krbtgt/REALM@REALM
renew until 06/16/15 17:27:56
06/09/15 17:29:44 06/10/15 03:27:56 HTTP/es-lb@REALM
renew until 06/16/15 17:27:56

curl --negotiate -u : -v -b ~/cookies.txt -c ~/cookies.txt http://es-lb:9200

  • About to connect() to es-lb port 9200 (#0)
  • Trying X.X.X.X… connected
  • Connected to es-lb (X.X.X.X) port 9200 (#0)

GET / HTTP/1.1
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Host: es-lb:9200
Accept: /

< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Negotiate
< Content-Type: text/plain; charset=UTF-8
< Content-Length: 0
<

  • Connection #0 to host es-lb left intact
  • Issue another request to this URL: ‘http://es-lb:9200
  • Re-using existing connection! (#0) with host es-lb
  • Connected to es-lb (X.X.X.X) port 9200 (#0)
  • Server auth using GSS-Negotiate with user ‘’

GET / HTTP/1.1
Authorization: Negotiate base64encodedstring
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Host: es-lb:9200
Accept: /

< HTTP/1.1 401 Unauthorized

  • Authentication problem. Ignoring this.
    < WWW-Authenticate: Negotiate
    < Content-Type: text/plain; charset=UTF-8
    < Content-Length: 0
    <
  • Connection #0 to host es-lb left intact
  • Closing connection #0

cat ~/cookies.txt

cat: /root/cookies.txt: No such file or directory

On server side I have the error of my first post.

Alexandre

···

On Tuesday, June 9, 2015 at 5:27:18 PM UTC+2, in...@search-guard.com wrote:

before you execute curl don’t forget to kinit

then: curl --negotiate -u : -v -b ~/cookies.txt -c ~/cookies.txt http://es-lb:9200

if its not woking please post the output of kinit and the curl command and the content of ~/cookies.txt

Am Dienstag, 9. Juni 2015 17:12:09 UTC+2 schrieb Alexandre LINTE:

Hello,

I do some others tests.
The module work with firefox.

But with curl it doesn’t.

curl --negotiate -u : -v http://es-lb:9200

curl --version

curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

Regards,

Alexandre

On Friday, June 5, 2015 at 12:57:37 PM UTC+2, in...@search-guard.com wrote:

https://github.com/floragunncom/search-guard/blob/master/src/test/resources/login.conf_template

Kerberos authentication is a somewhat complicated thing. if you run in trouble pls. share all kind of informations about your environment like:

Client and Server operating system(s), Kerberos implementation, krb5.conf, Browser, search guard/elasticsearch settings …

Best is to examine unit tests to see how to setup stuff:

https://github.com/floragunncom/search-guard/blob/master/src/test/java/com/floragunn/searchguard/SfSpNegoTest.java

https://github.com/floragunncom/search-guard/blob/master/src/test/java/com/floragunn/searchguard/AuthNAuthZTest.java

If you have a windows environment consider using waffle instead of plain kerberos.

Am Freitag, 5. Juni 2015 12:38:37 UTC+2 schrieb Alexandre LINTE:

Hello,
Someone has a jaas.conf sample file for this module ?
I have an exception with the file :
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/path/elastic.keytab"
useTicketCache=false
storeKey=true
principal=“HTTP/server_fqdn@realm”;
};
Exception :

[2015-06-05 12:34:39,940][TRACE][com.floragunn.searchguard.authentication.http.spnego.HTTPSpnegoAuthenticator] Service login not successful due to {}
java.security.PrivilegedActionException: GSSException: No credential found for: 1.2.840.113554.1.2.21.2.840.113554.1.2.2 usage: Accept
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:415)
at com.floragunn.searchguard.authentication.http.spnego.HTTPSpnegoAuthenticator.authenticate(HTTPSpnegoAuthenticator.java:122)

Reagrds,

Pls enable debug mode and start elasticsearch with a property -Dsearchguard.debug=true

This is a shortcut for

-Djavax.net.debug=all

-Dsun.security.krb5.debug=true

-Djava.security.debug=all

Looks like a problem with your keytab (but why then firefox is working?)

Use “ktpass” to generate a keytab and make sure you have to principals in there:

  • krbtgt/REALM@REALM

  • HTTP/es-lb@REALM
    and map your user to the HTTP/es-lb principal with ktpass -out -princ <host/domain.com> -mapUser useraccount@domain.com

Pls post your krb5.conf and look again if your jaas file is correct:

com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/path/elastic.keytab"
useTicketCache=false
storeKey=true
principal=“HTTP/server_fqdn@realm”; //SEEMS WRONG -> principal=“HTTP/es-lb@REALM”;
};

see https://github.com/floragunncom/search-guard/blob/master/src/test/resources/login.conf_template

···

Am Dienstag, 9. Juni 2015 17:43:39 UTC+2 schrieb Alexandre LINTE:

Yes I kinited

klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@REALM

Valid starting Expires Service principal
06/09/15 17:29:38 06/10/15 03:27:56 krbtgt/REALM@REALM
renew until 06/16/15 17:27:56
06/09/15 17:29:44 06/10/15 03:27:56 HTTP/es-lb@REALM
renew until 06/16/15 17:27:56

curl --negotiate -u : -v -b ~/cookies.txt -c ~/cookies.txt http://es-lb:9200

  • About to connect() to es-lb port 9200 (#0)
  • Trying X.X.X.X… connected
  • Connected to es-lb (X.X.X.X) port 9200 (#0)

GET / HTTP/1.1
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Host: es-lb:9200
Accept: /

< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Negotiate
< Content-Type: text/plain; charset=UTF-8
< Content-Length: 0
<

  • Connection #0 to host es-lb left intact
  • Issue another request to this URL: ‘http://es-lb:9200
  • Re-using existing connection! (#0) with host es-lb
  • Connected to es-lb (X.X.X.X) port 9200 (#0)
  • Server auth using GSS-Negotiate with user ‘’

GET / HTTP/1.1
Authorization: Negotiate base64encodedstring
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Host: es-lb:9200
Accept: /

< HTTP/1.1 401 Unauthorized

  • Authentication problem. Ignoring this.
    < WWW-Authenticate: Negotiate
    < Content-Type: text/plain; charset=UTF-8
    < Content-Length: 0
    <
  • Connection #0 to host es-lb left intact
  • Closing connection #0

cat ~/cookies.txt

cat: /root/cookies.txt: No such file or directory

On server side I have the error of my first post.

Alexandre

On Tuesday, June 9, 2015 at 5:27:18 PM UTC+2, in...@search-guard.com wrote:

before you execute curl don’t forget to kinit

then: curl --negotiate -u : -v -b ~/cookies.txt -c ~/cookies.txt http://es-lb:9200

if its not woking please post the output of kinit and the curl command and the content of ~/cookies.txt

Am Dienstag, 9. Juni 2015 17:12:09 UTC+2 schrieb Alexandre LINTE:

Hello,

I do some others tests.
The module work with firefox.

But with curl it doesn’t.

curl --negotiate -u : -v http://es-lb:9200

curl --version

curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

Regards,

Alexandre

On Friday, June 5, 2015 at 12:57:37 PM UTC+2, in...@search-guard.com wrote:

https://github.com/floragunncom/search-guard/blob/master/src/test/resources/login.conf_template

Kerberos authentication is a somewhat complicated thing. if you run in trouble pls. share all kind of informations about your environment like:

Client and Server operating system(s), Kerberos implementation, krb5.conf, Browser, search guard/elasticsearch settings …

Best is to examine unit tests to see how to setup stuff:

https://github.com/floragunncom/search-guard/blob/master/src/test/java/com/floragunn/searchguard/SfSpNegoTest.java

https://github.com/floragunncom/search-guard/blob/master/src/test/java/com/floragunn/searchguard/AuthNAuthZTest.java

If you have a windows environment consider using waffle instead of plain kerberos.

Am Freitag, 5. Juni 2015 12:38:37 UTC+2 schrieb Alexandre LINTE:

Hello,
Someone has a jaas.conf sample file for this module ?
I have an exception with the file :
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/path/elastic.keytab"
useTicketCache=false
storeKey=true
principal=“HTTP/server_fqdn@realm”;
};
Exception :

[2015-06-05 12:34:39,940][TRACE][com.floragunn.searchguard.authentication.http.spnego.HTTPSpnegoAuthenticator] Service login not successful due to {}
java.security.PrivilegedActionException: GSSException: No credential found for: 1.2.840.113554.1.2.21.2.840.113554.1.2.2 usage: Accept
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:415)
at com.floragunn.searchguard.authentication.http.spnego.HTTPSpnegoAuthenticator.authenticate(HTTPSpnegoAuthenticator.java:122)

Reagrds,

Hello,

Thanks for your time.
I take some network trace in order to examine the content of the “Authorization” request header.

I see a difference between curl and firefox…

    - Firefox use at first SPNEGO (OID 1.3.6.1.5.5.2) and inside KRB5 (OID 1.2.840.113545.1.2.2)

  - Curl use directly KRB5 (OID 1.2.840.113545.1.2.2)

Is there a way to force curl to work with SPNEGO/KRB5 et not only KRB5 ?

Regards,

Alexandre

···

On Tuesday, June 9, 2015 at 9:05:57 PM UTC+2, in...@search-guard.com wrote:

Pls enable debug mode and start elasticsearch with a property -Dsearchguard.debug=true

This is a shortcut for

-Djavax.net.debug=all

-Dsun.security.krb5.debug=true

-Djava.security.debug=all

Looks like a problem with your keytab (but why then firefox is working?)

Use “ktpass” to generate a keytab and make sure you have to principals in there:

  • krbtgt/REALM@REALM

Pls post your krb5.conf and look again if your jaas file is correct:

com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/path/elastic.keytab"
useTicketCache=false
storeKey=true
principal=“HTTP/server_fqdn@realm”; //SEEMS WRONG -> principal=“HTTP/es-lb@REALM”;
};

see https://github.com/floragunncom/search-guard/blob/master/src/test/resources/login.conf_template

Am Dienstag, 9. Juni 2015 17:43:39 UTC+2 schrieb Alexandre LINTE:

Yes I kinited

klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@REALM

Valid starting Expires Service principal
06/09/15 17:29:38 06/10/15 03:27:56 krbtgt/REALM@REALM
renew until 06/16/15 17:27:56
06/09/15 17:29:44 06/10/15 03:27:56 HTTP/es-lb@REALM
renew until 06/16/15 17:27:56

curl --negotiate -u : -v -b ~/cookies.txt -c ~/cookies.txt http://es-lb:9200

  • About to connect() to es-lb port 9200 (#0)
  • Trying X.X.X.X… connected
  • Connected to es-lb (X.X.X.X) port 9200 (#0)

GET / HTTP/1.1
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Host: es-lb:9200
Accept: /

< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Negotiate
< Content-Type: text/plain; charset=UTF-8
< Content-Length: 0
<

  • Connection #0 to host es-lb left intact
  • Issue another request to this URL: ‘http://es-lb:9200
  • Re-using existing connection! (#0) with host es-lb
  • Connected to es-lb (X.X.X.X) port 9200 (#0)
  • Server auth using GSS-Negotiate with user ‘’

GET / HTTP/1.1
Authorization: Negotiate base64encodedstring
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Host: es-lb:9200
Accept: /

< HTTP/1.1 401 Unauthorized

  • Authentication problem. Ignoring this.
    < WWW-Authenticate: Negotiate
    < Content-Type: text/plain; charset=UTF-8
    < Content-Length: 0
    <
  • Connection #0 to host es-lb left intact
  • Closing connection #0

cat ~/cookies.txt

cat: /root/cookies.txt: No such file or directory

On server side I have the error of my first post.

Alexandre

On Tuesday, June 9, 2015 at 5:27:18 PM UTC+2, in...@search-guard.com wrote:

before you execute curl don’t forget to kinit

then: curl --negotiate -u : -v -b ~/cookies.txt -c ~/cookies.txt http://es-lb:9200

if its not woking please post the output of kinit and the curl command and the content of ~/cookies.txt

Am Dienstag, 9. Juni 2015 17:12:09 UTC+2 schrieb Alexandre LINTE:

Hello,

I do some others tests.
The module work with firefox.

But with curl it doesn’t.

curl --negotiate -u : -v http://es-lb:9200

curl --version

curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

Regards,

Alexandre

On Friday, June 5, 2015 at 12:57:37 PM UTC+2, in...@search-guard.com wrote:

https://github.com/floragunncom/search-guard/blob/master/src/test/resources/login.conf_template

Kerberos authentication is a somewhat complicated thing. if you run in trouble pls. share all kind of informations about your environment like:

Client and Server operating system(s), Kerberos implementation, krb5.conf, Browser, search guard/elasticsearch settings …

Best is to examine unit tests to see how to setup stuff:

https://github.com/floragunncom/search-guard/blob/master/src/test/java/com/floragunn/searchguard/SfSpNegoTest.java

https://github.com/floragunncom/search-guard/blob/master/src/test/java/com/floragunn/searchguard/AuthNAuthZTest.java

If you have a windows environment consider using waffle instead of plain kerberos.

Am Freitag, 5. Juni 2015 12:38:37 UTC+2 schrieb Alexandre LINTE:

Hello,
Someone has a jaas.conf sample file for this module ?
I have an exception with the file :
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/path/elastic.keytab"
useTicketCache=false
storeKey=true
principal=“HTTP/server_fqdn@realm”;
};
Exception :

[2015-06-05 12:34:39,940][TRACE][com.floragunn.searchguard.authentication.http.spnego.HTTPSpnegoAuthenticator] Service login not successful due to {}
java.security.PrivilegedActionException: GSSException: No credential found for: 1.2.840.113554.1.2.21.2.840.113554.1.2.2 usage: Accept
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:415)
at com.floragunn.searchguard.authentication.http.spnego.HTTPSpnegoAuthenticator.authenticate(HTTPSpnegoAuthenticator.java:122)

Reagrds,

trace with firefox :

trace with curl :

···

On Wednesday, June 10, 2015 at 2:36:13 PM UTC+2, Alexandre LINTE wrote:

Hello,

Thanks for your time.
I take some network trace in order to examine the content of the “Authorization” request header.

I see a difference between curl and firefox…

    - Firefox use at first SPNEGO (OID 1.3.6.1.5.5.2) and inside KRB5 (OID 1.2.840.113545.1.2.2)

  - Curl use directly KRB5 (OID 1.2.840.113545.1.2.2)

Is there a way to force curl to work with SPNEGO/KRB5 et not only KRB5 ?

Regards,

Alexandre

On Tuesday, June 9, 2015 at 9:05:57 PM UTC+2, in...@search-guard.com wrote:

Pls enable debug mode and start elasticsearch with a property -Dsearchguard.debug=true

This is a shortcut for

-Djavax.net.debug=all

-Dsun.security.krb5.debug=true

-Djava.security.debug=all

Looks like a problem with your keytab (but why then firefox is working?)

Use “ktpass” to generate a keytab and make sure you have to principals in there:

  • krbtgt/REALM@REALM

Pls post your krb5.conf and look again if your jaas file is correct:

com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/path/elastic.keytab"
useTicketCache=false
storeKey=true
principal=“HTTP/server_fqdn@realm”; //SEEMS WRONG -> principal=“HTTP/es-lb@REALM”;
};

see https://github.com/floragunncom/search-guard/blob/master/src/test/resources/login.conf_template

Am Dienstag, 9. Juni 2015 17:43:39 UTC+2 schrieb Alexandre LINTE:

Yes I kinited

klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@REALM

Valid starting Expires Service principal
06/09/15 17:29:38 06/10/15 03:27:56 krbtgt/REALM@REALM
renew until 06/16/15 17:27:56
06/09/15 17:29:44 06/10/15 03:27:56 HTTP/es-lb@REALM
renew until 06/16/15 17:27:56

curl --negotiate -u : -v -b ~/cookies.txt -c ~/cookies.txt http://es-lb:9200

  • About to connect() to es-lb port 9200 (#0)
  • Trying X.X.X.X… connected
  • Connected to es-lb (X.X.X.X) port 9200 (#0)

GET / HTTP/1.1
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Host: es-lb:9200
Accept: /

< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Negotiate
< Content-Type: text/plain; charset=UTF-8
< Content-Length: 0
<

  • Connection #0 to host es-lb left intact
  • Issue another request to this URL: ‘http://es-lb:9200
  • Re-using existing connection! (#0) with host es-lb
  • Connected to es-lb (X.X.X.X) port 9200 (#0)
  • Server auth using GSS-Negotiate with user ‘’

GET / HTTP/1.1
Authorization: Negotiate base64encodedstring
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Host: es-lb:9200
Accept: /

< HTTP/1.1 401 Unauthorized

  • Authentication problem. Ignoring this.
    < WWW-Authenticate: Negotiate
    < Content-Type: text/plain; charset=UTF-8
    < Content-Length: 0
    <
  • Connection #0 to host es-lb left intact
  • Closing connection #0

cat ~/cookies.txt

cat: /root/cookies.txt: No such file or directory

On server side I have the error of my first post.

Alexandre

On Tuesday, June 9, 2015 at 5:27:18 PM UTC+2, in...@search-guard.com wrote:

before you execute curl don’t forget to kinit

then: curl --negotiate -u : -v -b ~/cookies.txt -c ~/cookies.txt http://es-lb:9200

if its not woking please post the output of kinit and the curl command and the content of ~/cookies.txt

Am Dienstag, 9. Juni 2015 17:12:09 UTC+2 schrieb Alexandre LINTE:

Hello,

I do some others tests.
The module work with firefox.

But with curl it doesn’t.

curl --negotiate -u : -v http://es-lb:9200

curl --version

curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

Regards,

Alexandre

On Friday, June 5, 2015 at 12:57:37 PM UTC+2, in...@search-guard.com wrote:

https://github.com/floragunncom/search-guard/blob/master/src/test/resources/login.conf_template

Kerberos authentication is a somewhat complicated thing. if you run in trouble pls. share all kind of informations about your environment like:

Client and Server operating system(s), Kerberos implementation, krb5.conf, Browser, search guard/elasticsearch settings …

Best is to examine unit tests to see how to setup stuff:

Hi again,

This problem is known with curl :
==> http://sourceforge.net/p/curl/bugs/1302/

Centos 6.x use a version of curl (7.19.7) that is uncompatible with SPNEGO.
Bug fixed in git the 23th July 2014.

Regards,

Alexandre

···

On Wednesday, June 10, 2015 at 2:38:36 PM UTC+2, Alexandre LINTE wrote:

trace with firefox :

trace with curl :

On Wednesday, June 10, 2015 at 2:36:13 PM UTC+2, Alexandre LINTE wrote:

Hello,

Thanks for your time.
I take some network trace in order to examine the content of the “Authorization” request header.

I see a difference between curl and firefox…

    - Firefox use at first SPNEGO (OID 1.3.6.1.5.5.2) and inside KRB5 (OID 1.2.840.113545.1.2.2)

  - Curl use directly KRB5 (OID 1.2.840.113545.1.2.2)

Is there a way to force curl to work with SPNEGO/KRB5 et not only KRB5 ?

Regards,

Alexandre

On Tuesday, June 9, 2015 at 9:05:57 PM UTC+2, in...@search-guard.com wrote:

Pls enable debug mode and start elasticsearch with a property -Dsearchguard.debug=true

This is a shortcut for

-Djavax.net.debug=all

-Dsun.security.krb5.debug=true

-Djava.security.debug=all

Looks like a problem with your keytab (but why then firefox is working?)

Use “ktpass” to generate a keytab and make sure you have to principals in there:

  • krbtgt/REALM@REALM

Pls post your krb5.conf and look again if your jaas file is correct:

com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/path/elastic.keytab"
useTicketCache=false
storeKey=true
principal=“HTTP/server_fqdn@realm”; //SEEMS WRONG -> principal=“HTTP/es-lb@REALM”;
};

see https://github.com/floragunncom/search-guard/blob/master/src/test/resources/login.conf_template

Am Dienstag, 9. Juni 2015 17:43:39 UTC+2 schrieb Alexandre LINTE:

Yes I kinited

klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@REALM

Valid starting Expires Service principal
06/09/15 17:29:38 06/10/15 03:27:56 krbtgt/REALM@REALM
renew until 06/16/15 17:27:56
06/09/15 17:29:44 06/10/15 03:27:56 HTTP/es-lb@REALM
renew until 06/16/15 17:27:56

curl --negotiate -u : -v -b ~/cookies.txt -c ~/cookies.txt http://es-lb:9200

  • About to connect() to es-lb port 9200 (#0)
  • Trying X.X.X.X… connected
  • Connected to es-lb (X.X.X.X) port 9200 (#0)

GET / HTTP/1.1
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Host: es-lb:9200
Accept: /

< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Negotiate
< Content-Type: text/plain; charset=UTF-8
< Content-Length: 0
<

  • Connection #0 to host es-lb left intact
  • Issue another request to this URL: ‘http://es-lb:9200
  • Re-using existing connection! (#0) with host es-lb
  • Connected to es-lb (X.X.X.X) port 9200 (#0)
  • Server auth using GSS-Negotiate with user ‘’

GET / HTTP/1.1
Authorization: Negotiate base64encodedstring
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Host: es-lb:9200
Accept: /

< HTTP/1.1 401 Unauthorized

  • Authentication problem. Ignoring this.
    < WWW-Authenticate: Negotiate
    < Content-Type: text/plain; charset=UTF-8
    < Content-Length: 0
    <
  • Connection #0 to host es-lb left intact
  • Closing connection #0

cat ~/cookies.txt

cat: /root/cookies.txt: No such file or directory

On server side I have the error of my first post.

Alexandre

On Tuesday, June 9, 2015 at 5:27:18 PM UTC+2, in...@search-guard.com wrote:

before you execute curl don’t forget to kinit

then: curl --negotiate -u : -v -b ~/cookies.txt -c ~/cookies.txt http://es-lb:9200

if its not woking please post the output of kinit and the curl command and the content of ~/cookies.txt

Am Dienstag, 9. Juni 2015 17:12:09 UTC+2 schrieb Alexandre LINTE:

Hello,

I do some others tests.
The module work with firefox.

But with curl it doesn’t.

curl --negotiate -u : -v http://es-lb:9200

curl --version

curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

Regards,

Alexandre

On Friday, June 5, 2015 at 12:57:37 PM UTC+2, in...@search-guard.com wrote:

https://github.com/floragunncom/search-guard/blob/master/src/test/resources/login.conf_template

Kerberos authentication is a somewhat complicated thing. if you run in trouble pls. share all kind of informations about your environment like:

Client and Server operating system(s), Kerberos implementation, krb5.conf, Browser, search guard/elasticsearch settings …

Best is to examine unit tests to see how to setup stuff: