← Back to team overview

openjdk team mailing list archive

[Bug 1861883] [NEW] JAAS Krb5LoginModule authenticates wrong principal

 

Public bug reported:

Up until recently we've used a JAAS configuration to allow Kafka to
authenticate against a Kerberos secured Zookeeper server using this JAAS
config:

Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/security/keytabs/kafka.service.keytab"
    storeKey=true
    useTicketCache=false
    serviceName="zookeeper"
    principal="kafka/fqdn.redacted@xxxxxxxxxxx";
};

With OpenJDK 8 Update 242 (in Ubuntu Bionic: 8u242-b08-0ubuntu3~18.04)
this configuration fails to work in our environment under the following
conditions:

- In the JAAS config, the service principal is referenced to using its AD servicePrincipalName kafka/fqdn.redacted.
- The sAMAccountName differs, it is actually $48M300-TK9QSTNPCT80.
- Kafka gets itself a Kerberos ticket using the JAAS config above.

Turns out the principal is authenticated as
$48M300-TK9QSTNPCT80@xxxxxxxxxxx instead of
kafka/fqdn.redacted@xxxxxxxxxxx like it was before Update 242.
Krb5LoginModule seemed to pick "client_alias" before and "client" after
the upgrade (see debug output in section "Actual Result" of this bug
report.

However, the problem does *not* appear when JAAS is configured to use a
Kerberos ticket in the ticket cache for the same principal using this
JAAS config:

Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=false
useTicketCache=true;
};

Here, the principal is still authenticated correctly as
kafka/fqdn.redacted@xxxxxxxxxxx.

#####

Steps to reproduce:

- In AD there is a service principal with servicePrincipalName=kafka/fqdn.redacted and sAMAccountName=$48M300-TK9QSTNPCT80
- JAAS config is as follows:

Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/security/keytabs/kafka.service.keytab"
    storeKey=true
    useTicketCache=false
    serviceName="zookeeper"
    principal="kafka/fqdn.redacted@xxxxxxxxxxx";
};

- Zookeeper client connects to Zookeeper the JAAS config above:
KAFKA_OPTS="-Djava.security.auth.login.config=/opt/kafka/kafka/config/kafka_jaas.conf
-Dsun.security.krb5.debug=true" bin/zookeeper-shell.sh
fqdn.redacted:2181

#####

Expected Result:

Zookeeper authenticates kafka/fqdn.redacted@xxxxxxxxxxx as it was before
the OpenJDK 8 Update 242 upgrade.

#####

Actual Result:

Zookeeper authenticates $48M300-TK9QSTNPCT80@xxxxxxxxxxx

See this log:

Connecting to fqdn.redacted:2181
Welcome to ZooKeeper!
JLine support is disabled
>>> KeyTabInputStream, readName(): EXAMPLE.COM
>>> KeyTabInputStream, readName(): kafka
>>> KeyTabInputStream, readName(): fqdn.redacted
>>> KeyTab: load() entry length: 99; type: 18
Looking for keys for: kafka/fqdn.redacted@xxxxxxxxxxx
Java config name: null
Native config name: /etc/krb5.conf
Loaded from native config
Added key: 18version: 1
>>> KdcAccessibility: reset
Looking for keys for: kafka/fqdn.redacted@xxxxxxxxxxx
Added key: 18version: 1
default etypes for default_tkt_enctypes: 18 17 16 23 18 17 16 23.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=example.com UDP:88, timeout=30000, number of retries =3, #bytes=197
>>> KDCCommunication: kdc=example.com UDP:88, timeout=30000,Attempt =1, #bytes=197
>>> KrbKdcReq send: #bytes read=195
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18, salt = EXAMPLE.COMkafkafqdn.redacted, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

>>> KdcAccessibility: remove example.com
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Fri Jan 31 11:03:30 CET 2020 1580465010000
         suSec is 347467
         error code is 25
         error Message is Additional pre-authentication required
         sname is krbtgt/EXAMPLE.COM@xxxxxxxxxxx
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18, salt = EXAMPLE.COMkafkafqdn.redacted, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 18 17 16 23 18 17 16 23.
Looking for keys for: kafka/fqdn.redacted@xxxxxxxxxxx
Added key: 18version: 1
Looking for keys for: kafka/fqdn.redacted@xxxxxxxxxxx
Added key: 18version: 1
default etypes for default_tkt_enctypes: 18 17 16 23 18 17 16 23.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=example.com UDP:88, timeout=30000, number of retries =3, #bytes=282
>>> KDCCommunication: kdc=example.com UDP:88, timeout=30000,Attempt =1, #bytes=282
>>> KrbKdcReq send: #bytes read=88
>>> KrbKdcReq send: kdc=example.com TCP:88, timeout=30000, number of retries =3, #bytes=282
>>> KDCCommunication: kdc=example.com TCP:88, timeout=30000,Attempt =1, #bytes=282
>>>DEBUG: TCPClient reading 1617 bytes
>>> KrbKdcReq send: #bytes read=1617
>>> KdcAccessibility: remove example.com
Looking for keys for: kafka/fqdn.redacted@xxxxxxxxxxx
Added key: 18version: 1
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> CksumType: sun.security.krb5.internal.crypto.HmacSha1Aes256CksumType
>>> KrbAsRep cons in KrbAsReq.getReply kafka/fqdn.redacted

WATCHER::

WatchedEvent state:SyncConnected type:None path:null
Found ticket for $48M300-TK9QSTNPCT80@xxxxxxxxxxx to go to krbtgt/EXAMPLE.COM@xxxxxxxxxxx expiring on Fri Jan 31 21:03:30 CET 2020
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for $48M300-TK9QSTNPCT80@xxxxxxxxxxx to go to krbtgt/EXAMPLE.COM@xxxxxxxxxxx expiring on Fri Jan 31 21:03:30 CET 2020
Service ticket not found in the subject
>>> Credentials serviceCredsSingle: same realm
default etypes for default_tgs_enctypes: 18 17 16 23 18 17 16 23.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> CksumType: sun.security.krb5.internal.crypto.HmacSha1Aes256CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbKdcReq send: kdc=example.com TCP:88, timeout=30000, number of retries =3, #bytes=1494
>>> KDCCommunication: kdc=example.com TCP:88, timeout=30000,Attempt =1, #bytes=1494
>>>DEBUG: TCPClient reading 1496 bytes
>>> KrbKdcReq send: #bytes read=1496
>>> KdcAccessibility: remove example.com
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> TGS credentials serviceCredsSingle:
>>> DEBUG: ----Credentials----
        client: $48M300-TK9QSTNPCT80@xxxxxxxxxxx
        client alias: kafka/fqdn.redacted@xxxxxxxxxxx
        server: zookeeper/fqdn.redacted@xxxxxxxxxxx
        ticket: sname: zookeeper/fqdn.redacted@xxxxxxxxxxx
        startTime: 1580465010000
        endTime: 1580501010000
        ----Credentials end----
>>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Krb5Context setting mySeqNumber to: 94571730
Krb5Context setting peerSeqNumber to: 94571730


#####

Workaround:

There are two workarounds:

1. Changing the JAAS config to use a ticket in the ticket cache created
upfront using kinit. However this workaround can't be used in automated
environments where clients authenticate themselves using keytabs.

2. Downgrade from OpenJDK 8 Update 242 to Update 232. Using the same
configuration, the principal is authenticated as
kafka/fqdn.redacted@xxxxxxxxxxx. However, downgrading a package can only
be a temporary solution.

#####

** Affects: openjdk-8 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-8 in Ubuntu.
https://bugs.launchpad.net/bugs/1861883

Title:
  JAAS Krb5LoginModule authenticates wrong principal

Status in openjdk-8 package in Ubuntu:
  New

Bug description:
  Up until recently we've used a JAAS configuration to allow Kafka to
  authenticate against a Kerberos secured Zookeeper server using this
  JAAS config:

  Client {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=true
      keyTab="/etc/security/keytabs/kafka.service.keytab"
      storeKey=true
      useTicketCache=false
      serviceName="zookeeper"
      principal="kafka/fqdn.redacted@xxxxxxxxxxx";
  };

  With OpenJDK 8 Update 242 (in Ubuntu Bionic: 8u242-b08-0ubuntu3~18.04)
  this configuration fails to work in our environment under the
  following conditions:

  - In the JAAS config, the service principal is referenced to using its AD servicePrincipalName kafka/fqdn.redacted.
  - The sAMAccountName differs, it is actually $48M300-TK9QSTNPCT80.
  - Kafka gets itself a Kerberos ticket using the JAAS config above.

  Turns out the principal is authenticated as
  $48M300-TK9QSTNPCT80@xxxxxxxxxxx instead of
  kafka/fqdn.redacted@xxxxxxxxxxx like it was before Update 242.
  Krb5LoginModule seemed to pick "client_alias" before and "client"
  after the upgrade (see debug output in section "Actual Result" of this
  bug report.

  However, the problem does *not* appear when JAAS is configured to use
  a Kerberos ticket in the ticket cache for the same principal using
  this JAAS config:

  Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=false
  useTicketCache=true;
  };

  Here, the principal is still authenticated correctly as
  kafka/fqdn.redacted@xxxxxxxxxxx.

  #####

  Steps to reproduce:

  - In AD there is a service principal with servicePrincipalName=kafka/fqdn.redacted and sAMAccountName=$48M300-TK9QSTNPCT80
  - JAAS config is as follows:

  Client {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=true
      keyTab="/etc/security/keytabs/kafka.service.keytab"
      storeKey=true
      useTicketCache=false
      serviceName="zookeeper"
      principal="kafka/fqdn.redacted@xxxxxxxxxxx";
  };

  - Zookeeper client connects to Zookeeper the JAAS config above:
  KAFKA_OPTS="-Djava.security.auth.login.config=/opt/kafka/kafka/config/kafka_jaas.conf
  -Dsun.security.krb5.debug=true" bin/zookeeper-shell.sh
  fqdn.redacted:2181

  #####

  Expected Result:

  Zookeeper authenticates kafka/fqdn.redacted@xxxxxxxxxxx as it was
  before the OpenJDK 8 Update 242 upgrade.

  #####

  Actual Result:

  Zookeeper authenticates $48M300-TK9QSTNPCT80@xxxxxxxxxxx

  See this log:

  Connecting to fqdn.redacted:2181
  Welcome to ZooKeeper!
  JLine support is disabled
  >>> KeyTabInputStream, readName(): EXAMPLE.COM
  >>> KeyTabInputStream, readName(): kafka
  >>> KeyTabInputStream, readName(): fqdn.redacted
  >>> KeyTab: load() entry length: 99; type: 18
  Looking for keys for: kafka/fqdn.redacted@xxxxxxxxxxx
  Java config name: null
  Native config name: /etc/krb5.conf
  Loaded from native config
  Added key: 18version: 1
  >>> KdcAccessibility: reset
  Looking for keys for: kafka/fqdn.redacted@xxxxxxxxxxx
  Added key: 18version: 1
  default etypes for default_tkt_enctypes: 18 17 16 23 18 17 16 23.
  >>> KrbAsReq creating message
  >>> KrbKdcReq send: kdc=example.com UDP:88, timeout=30000, number of retries =3, #bytes=197
  >>> KDCCommunication: kdc=example.com UDP:88, timeout=30000,Attempt =1, #bytes=197
  >>> KrbKdcReq send: #bytes read=195
  >>>Pre-Authentication Data:
           PA-DATA type = 19
           PA-ETYPE-INFO2 etype = 18, salt = EXAMPLE.COMkafkafqdn.redacted, s2kparams = null

  >>>Pre-Authentication Data:
           PA-DATA type = 2
           PA-ENC-TIMESTAMP
  >>>Pre-Authentication Data:
           PA-DATA type = 16

  >>>Pre-Authentication Data:
           PA-DATA type = 15

  >>> KdcAccessibility: remove example.com
  >>> KDCRep: init() encoding tag is 126 req type is 11
  >>>KRBError:
           sTime is Fri Jan 31 11:03:30 CET 2020 1580465010000
           suSec is 347467
           error code is 25
           error Message is Additional pre-authentication required
           sname is krbtgt/EXAMPLE.COM@xxxxxxxxxxx
           eData provided.
           msgType is 30
  >>>Pre-Authentication Data:
           PA-DATA type = 19
           PA-ETYPE-INFO2 etype = 18, salt = EXAMPLE.COMkafkafqdn.redacted, s2kparams = null

  >>>Pre-Authentication Data:
           PA-DATA type = 2
           PA-ENC-TIMESTAMP
  >>>Pre-Authentication Data:
           PA-DATA type = 16

  >>>Pre-Authentication Data:
           PA-DATA type = 15

  KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
  default etypes for default_tkt_enctypes: 18 17 16 23 18 17 16 23.
  Looking for keys for: kafka/fqdn.redacted@xxxxxxxxxxx
  Added key: 18version: 1
  Looking for keys for: kafka/fqdn.redacted@xxxxxxxxxxx
  Added key: 18version: 1
  default etypes for default_tkt_enctypes: 18 17 16 23 18 17 16 23.
  >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
  >>> KrbAsReq creating message
  >>> KrbKdcReq send: kdc=example.com UDP:88, timeout=30000, number of retries =3, #bytes=282
  >>> KDCCommunication: kdc=example.com UDP:88, timeout=30000,Attempt =1, #bytes=282
  >>> KrbKdcReq send: #bytes read=88
  >>> KrbKdcReq send: kdc=example.com TCP:88, timeout=30000, number of retries =3, #bytes=282
  >>> KDCCommunication: kdc=example.com TCP:88, timeout=30000,Attempt =1, #bytes=282
  >>>DEBUG: TCPClient reading 1617 bytes
  >>> KrbKdcReq send: #bytes read=1617
  >>> KdcAccessibility: remove example.com
  Looking for keys for: kafka/fqdn.redacted@xxxxxxxxxxx
  Added key: 18version: 1
  >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
  >>> CksumType: sun.security.krb5.internal.crypto.HmacSha1Aes256CksumType
  >>> KrbAsRep cons in KrbAsReq.getReply kafka/fqdn.redacted

  WATCHER::

  WatchedEvent state:SyncConnected type:None path:null
  Found ticket for $48M300-TK9QSTNPCT80@xxxxxxxxxxx to go to krbtgt/EXAMPLE.COM@xxxxxxxxxxx expiring on Fri Jan 31 21:03:30 CET 2020
  Entered Krb5Context.initSecContext with state=STATE_NEW
  Found ticket for $48M300-TK9QSTNPCT80@xxxxxxxxxxx to go to krbtgt/EXAMPLE.COM@xxxxxxxxxxx expiring on Fri Jan 31 21:03:30 CET 2020
  Service ticket not found in the subject
  >>> Credentials serviceCredsSingle: same realm
  default etypes for default_tgs_enctypes: 18 17 16 23 18 17 16 23.
  >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
  >>> CksumType: sun.security.krb5.internal.crypto.HmacSha1Aes256CksumType
  >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
  >>> KrbKdcReq send: kdc=example.com TCP:88, timeout=30000, number of retries =3, #bytes=1494
  >>> KDCCommunication: kdc=example.com TCP:88, timeout=30000,Attempt =1, #bytes=1494
  >>>DEBUG: TCPClient reading 1496 bytes
  >>> KrbKdcReq send: #bytes read=1496
  >>> KdcAccessibility: remove example.com
  >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
  >>> TGS credentials serviceCredsSingle:
  >>> DEBUG: ----Credentials----
          client: $48M300-TK9QSTNPCT80@xxxxxxxxxxx
          client alias: kafka/fqdn.redacted@xxxxxxxxxxx
          server: zookeeper/fqdn.redacted@xxxxxxxxxxx
          ticket: sname: zookeeper/fqdn.redacted@xxxxxxxxxxx
          startTime: 1580465010000
          endTime: 1580501010000
          ----Credentials end----
  >>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000
  >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
  Krb5Context setting mySeqNumber to: 94571730
  Krb5Context setting peerSeqNumber to: 94571730

  
  #####

  Workaround:

  There are two workarounds:

  1. Changing the JAAS config to use a ticket in the ticket cache
  created upfront using kinit. However this workaround can't be used in
  automated environments where clients authenticate themselves using
  keytabs.

  2. Downgrade from OpenJDK 8 Update 242 to Update 232. Using the same
  configuration, the principal is authenticated as
  kafka/fqdn.redacted@xxxxxxxxxxx. However, downgrading a package can
  only be a temporary solution.

  #####

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjdk-8/+bug/1861883/+subscriptions


Follow ups