Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-20816

BadCredentialsException: Failed to retrieve user information for jusurb; nested exception is javax.naming.PartialResultException

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Minor
    • Resolution: Not A Defect
    • Environment:
      Linux debian 2.6.32-5-amd64
      java version "1.7.0_25"
      OpenJDK Runtime Environment (IcedTea 2.3.10) (7u25-2.3.10-1~deb7u1)
      OpenJDK 64-Bit Server VM (build 23.7-b01, mixed mode)
      Jenkins v1.540
    • Similar Issues:

      Description

      I suspect the ActiveDirectory server went down, and jenkins tried to authenticate currently logged on user and failed throwing this exception.
      Stack trace:

      org.acegisecurity.BadCredentialsException: Failed to retrieve user information for jusurb; nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: my.domainserver.xx:389 [Root exception is java.net.ConnectException: Connection refused]]
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:309)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:193)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:137)
      	at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:30)
      	at org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices.loadUserDetails(TokenBasedRememberMeServices.java:308)
      	at org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices.autoLogin(TokenBasedRememberMeServices.java:218)
      	at hudson.plugins.active_directory.ActiveDirectorySecurityRealm$1.autoLogin(ActiveDirectorySecurityRealm.java:140)
      	at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:104)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:174)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at jenkins.security.ApiTokenFilter.doFilter(ApiTokenFilter.java:64)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
      	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
      	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:46)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
      	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
      	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
      	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533)
      	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
      	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
      	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
      	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
      	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
      	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
      	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
      	at org.eclipse.jetty.server.Server.handle(Server.java:370)
      	at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
      	at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:949)
      	at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1011)
      	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:644)
      	at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
      	at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
      	at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
      	at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
      	at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      	at java.lang.Thread.run(Thread.java:724)
      Caused by: javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: my.domainserver.xx:389 [Root exception is java.net.ConnectException: Connection refused]]
      	at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:242)
      	at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(LdapNamingEnumeration.java:189)
      	at hudson.plugins.active_directory.LDAPSearchBuilder.searchOne(LDAPSearchBuilder.java:44)
      	at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:263)
      	... 47 more
      Caused by: javax.naming.CommunicationException: my.domainserver.xx:389 [Root exception is java.net.ConnectException: Connection refused]
      	at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:92)
      	at com.sun.jndi.ldap.LdapReferralException.getReferralContext(LdapReferralException.java:150)
      	at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(LdapNamingEnumeration.java:357)
      	at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:226)
      	... 50 more
      Caused by: java.net.ConnectException: Connection refused
      	at java.net.PlainSocketImpl.socketConnect(Native Method)
      	at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:339)
      	at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:200)
      	at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:182)
      	at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
      	at java.net.Socket.connect(Socket.java:579)
      	at java.net.Socket.connect(Socket.java:528)
      	at java.net.Socket.<init>(Socket.java:425)
      	at java.net.Socket.<init>(Socket.java:208)
      	at com.sun.jndi.ldap.Connection.createSocket(Connection.java:366)
      	at com.sun.jndi.ldap.Connection.<init>(Connection.java:201)
      	at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:136)
      	at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1600)
      	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2698)
      	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
      	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
      	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:152)
      	at com.sun.jndi.url.ldap.ldapURLContextFactory.getObjectInstance(ldapURLContextFactory.java:52)
      	at javax.naming.spi.NamingManager.getURLObject(NamingManager.java:601)
      	at javax.naming.spi.NamingManager.processURL(NamingManager.java:381)
      	at javax.naming.spi.NamingManager.processURLAddrs(NamingManager.java:361)
      	at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:333)
      	at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:111)
      	... 53 more
      

        Attachments

          Activity

          gameshas Justinas Urbanavicius created issue -
          Hide
          oleg_nenashev Oleg Nenashev added a comment -

          The issue had wrong components

          Show
          oleg_nenashev Oleg Nenashev added a comment - The issue had wrong components
          oleg_nenashev Oleg Nenashev made changes -
          Field Original Value New Value
          Component/s active-directory [ 15526 ]
          Component/s security [ 15508 ]
          Component/s ldap [ 17122 ]
          Hide
          danielbeck Daniel Beck added a comment -

          There does not seem to be a bug here. You integration Jenkins with Active Directory, cut the network connection between them, and things start failing. Jenkins tells you. Seems expected and useful.

          Show
          danielbeck Daniel Beck added a comment - There does not seem to be a bug here. You integration Jenkins with Active Directory, cut the network connection between them, and things start failing. Jenkins tells you. Seems expected and useful.
          danielbeck Daniel Beck made changes -
          Resolution Not A Defect [ 7 ]
          Status Open [ 1 ] Resolved [ 5 ]
          Hide
          gameshas Justinas Urbanavicius added a comment -

          I would expect a message, saying that jenkins cannot connect to active directory, probably due to connection failure, not to take down whole jenkins CI server throwing an expection wouldn't it be more logical ?

          Show
          gameshas Justinas Urbanavicius added a comment - I would expect a message, saying that jenkins cannot connect to active directory, probably due to connection failure, not to take down whole jenkins CI server throwing an expection wouldn't it be more logical ?
          Hide
          danielbeck Daniel Beck added a comment -

          message, saying that jenkins cannot connect to active directory, probably due to connection failure

          That's what it does. (Granted, it's in programmerese, but still.)

          take down whole jenkins CI server throwing an expection

          The error seems to be UI (+auth related subsystems like CLI) only, so builds etc. should continue running. Don't they?

          wouldn't it be more logical?

          So this is about the cosmetic issue how the issue is presented to the user?

          Show
          danielbeck Daniel Beck added a comment - message, saying that jenkins cannot connect to active directory, probably due to connection failure That's what it does. (Granted, it's in programmerese, but still.) take down whole jenkins CI server throwing an expection The error seems to be UI (+auth related subsystems like CLI) only, so builds etc. should continue running. Don't they? wouldn't it be more logical? So this is about the cosmetic issue how the issue is presented to the user?
          Hide
          gameshas Justinas Urbanavicius added a comment -

          yes, by saying, that it took down jenkins, i mean, i got a page, that looked mutilated, with stack trace, and i couldn't navigate from that page, except for forward back buttons on the browser, that didn't really help, until the connection got restored after a few refreshes.
          an error message with explanation and server's name would be really appreciated and more informative to me as the end user and anyone that does not know java.

          Show
          gameshas Justinas Urbanavicius added a comment - yes, by saying, that it took down jenkins, i mean, i got a page, that looked mutilated, with stack trace, and i couldn't navigate from that page, except for forward back buttons on the browser, that didn't really help, until the connection got restored after a few refreshes. an error message with explanation and server's name would be really appreciated and more informative to me as the end user and anyone that does not know java.
          Hide
          danielbeck Daniel Beck added a comment -

          Was it a page with "angry Jenkins" (https://github.com/jenkinsci/jenkins/blob/master/war/src/main/webapp/images/rage.png), or one completely "without design"?

          Show
          danielbeck Daniel Beck added a comment - Was it a page with "angry Jenkins" ( https://github.com/jenkinsci/jenkins/blob/master/war/src/main/webapp/images/rage.png ), or one completely "without design"?
          Hide
          gameshas Justinas Urbanavicius added a comment -

          can't really remember but i think with angry jenkins, it looks familiar

          Show
          gameshas Justinas Urbanavicius added a comment - can't really remember but i think with angry jenkins, it looks familiar
          Hide
          danielbeck Daniel Beck added a comment -

          The problem is that, especially given how extensible Jenkins is, accounting for all possible failures is impossible. So some will show the angry Jenkins error page.

          Note also that this page is way more helpful to many users (and the developers handling the error report later) than a nice, but uninformative "an error occurred that we assume is vague related to authentication" page could ever be.

          I'm currently working on improving that page (e.g. actually link to the wiki page explaining how to report issues and how the Jenkins project uses Jira), and will incorporate a simpler error message in addition to the full stack trace. It would probably look like one of the following in your case:

          Failed to retrieve user information for jusurb; nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: my.domainserver.xx:389 [Root exception is java.net.ConnectException: Connection refused]]

          Failed to retrieve user information for jusurb; nested exception is [Root exception is: my.domainserver.xx:389 [Root exception is: Connection refused]]

          While still not ideal, it's clear from either that it's a network connection issue involving your AD server, and the user jusurb.

          Show
          danielbeck Daniel Beck added a comment - The problem is that, especially given how extensible Jenkins is, accounting for all possible failures is impossible. So some will show the angry Jenkins error page. Note also that this page is way more helpful to many users (and the developers handling the error report later) than a nice, but uninformative "an error occurred that we assume is vague related to authentication" page could ever be. I'm currently working on improving that page (e.g. actually link to the wiki page explaining how to report issues and how the Jenkins project uses Jira), and will incorporate a simpler error message in addition to the full stack trace. It would probably look like one of the following in your case: Failed to retrieve user information for jusurb; nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: my.domainserver.xx:389 [Root exception is java.net.ConnectException: Connection refused] ] Failed to retrieve user information for jusurb; nested exception is [Root exception is: my.domainserver.xx:389 [Root exception is: Connection refused] ] While still not ideal, it's clear from either that it's a network connection issue involving your AD server, and the user jusurb.
          Hide
          gameshas Justinas Urbanavicius added a comment -

          i totally agree with you. I've seen some applications that display a user friendly error and have a link or a button "more details" that then clicked, shows the stack trace and error code or more related information, that is helpful for developers. It's both user friendly and informative.

          Show
          gameshas Justinas Urbanavicius added a comment - i totally agree with you. I've seen some applications that display a user friendly error and have a link or a button "more details" that then clicked, shows the stack trace and error code or more related information, that is helpful for developers. It's both user friendly and informative.
          rtyler R. Tyler Croy made changes -
          Workflow JNJira [ 152627 ] JNJira + In-Review [ 194290 ]

            People

            Assignee:
            kohsuke Kohsuke Kawaguchi
            Reporter:
            gameshas Justinas Urbanavicius
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: