    • Bug
    • Resolution: Unresolved
    • Major
    • jabber-plugin
    • None
    • Jenkins 1.605
      Java OpenJDK 1.7.0_75
      jabber-plugin 1.34

      GSSAPI authentication is failing when trying to connect to my OpenFire server. It looks like an uncaught exception is preventing PLAIN authentication from being attempted.

      Attached is the debug output that I have collected from hudson.plugins.jabber logging.

      I would configure a gss.conf file, however, I have had no luck finding any useful or complete documentation about what needs to be included in this file and/or where it should be placed (do additional java options need to be passed to the Jenkins process?).

      Thank you, in advance, for your assistance.

          [JENKINS-27488] gss.conf file not found

          kutzi added a comment -

          I'm not using the plugin currently. When I used it last time several months ago, I didn't need to configure a gss.conf file.


          jay hendren added a comment - - edited

          kutzi,

          the jabber plugin was changed to use the smack 4 library in october of last year. have you used this plugin since then? we are only seeing this issue with plugin version >= 1.26, which is when the dependency on smack 4 was introduced.

          >I understand that the situation for GSSAPI authentication is far from being satisfactory.
          >The thing is that you probably know now - after debugging the issue on your side - infinitely more about how to configure it than I do.
          >So if you could document your findings on the Wiki, this would be great. If you have other suggestions on how to improve default user behaviour regarding this issue with the plugin, I'm also happy to hear it.
          >
          >Sorry, I do know basically nothing about GSSAPI. If you're looking for documentation/help, the Smack API site is probably a better location.

          the official smack documentation doesn't have any information about configuring gss.conf or any krb5 configuration in general. smack docs only talk about the java api.

          since the jabber plugin only supports gssapi auth (since smack 4 only supports gssapi auth), i'm not sure i understand how it's possible to use or develop this plugin without needing to configure or touch gssapi.

          jay


          kutzi added a comment -

          No, I haven't used it since then. Maybe some short tests against a testserver.


          Dylan Canfield added a comment -

          Kutzi,
          Do you mind installing and testing the latest version of the plugin? I would greatly appreciate seeing your results.

          kutzi added a comment -

          Jay, I don't know why you think that smack 4 only supports gssapi. I can see e.g. here several other supported auths: http://www.igniterealtime.org/builds/smack/docs/4.0.6/javadoc/org/jivesoftware/smack/sasl/SASLMechanism.html

          Maybe I'll find some time to test this in the next days but cannot promise anything.
          The plugin has a reported 2000 installations. I'm pretty confident at least some of them are at a reasonably new version and don't have the problems you have.


          kutzi added a comment -

          Also, I don't understand why you keep pressing this issue so much. I thought you had figured out a way to authenticate even with the latest version?

          And again: the smack forum would be a better place to ask about xmpp/smack authentication details!


          jay hendren added a comment -

          > Jay, I don't know why you think that smack 4 only supports gssapi. I can see e.g. here several other supported auths: http://www.igniterealtime.org/builds/smack/docs/4.0.6/javadoc/org/jivesoftware/smack/sasl/SASLMechanism.html

          i apologize - i meant that smack 4 only supports sasl auth. non-sasl (a.k.a. simple) auth works, but is not available in smack 4.

          where do you see the other supported auths? and how would i switch between them? (neither of us are java devs so it's a little bit challenging for us to grok java api docs)

          > Also, I don't understand why you keep pressing this issue so much. I thought you had figured out a way to authenticate even with the latest version?

          almost, but not quite. we found a manual way to authenticate, and the jenkins user would only be auth'd as long as the kerb ticket is valid. effectively, this means we need to manually authenticate the jenkins user once a day, which isn't acceptable. so really, we found a crummy workaround, but this doesn't resolve this bug report, and we're not entirely sure why or how our workaround solves the issue, or if it's really just a band-aid over a different problem.

          personally, i don't believe the behavior described in this bug report ("gss.conf not found" exception) matches the expected behavior for this plugin (if i've supplied my jabber id and password to the jabber plugin, it should have all the information it needs - why is it complaining about something called "gss.conf"?).

          > And again: the smack forum would be a better place to ask about xmpp/smack authentication details!

          okay, i accept that this may be an upstream issue, but it seems to me that this kind of error shouldn't bubble up to the downstream consumer... i shouldn't need to know anything about gssapi in order to auth to an xmpp server through a jenkins plugin. i feel like that's really the crux of the issue.

          kutzi, thanks for your time and help with this issue. i hope my little diatribe here clarifies why we keep bugging you


          Henning Block added a comment -

          We're having the same issue. Since nobody seems to be willing to fix the bug: jay/dylan, would you share an example gss.conf and the location to put the gss.conf as a workaround?


          Aleks Milut added a comment - - edited

          After spending almost two days using Procmon on Windows and Tomcat 8 I found that gss.conf should be placed in ${catalina.base} of your Tomcat installation.
          Now I am trying to find out WHAT should be entered into gss.conf to work. Standard gss.conf with keytab file doesn't work.
          Since our XMPP Server offers GSSAPI and PLAIN, it would be extremely helpful to have a setting in the Jabber Plugin on how to connect to the server, since the Enable SASL authentication Checkbox isn't displayed anymore (There exists also a ticket for that issue).

          Edit:
          Here is my gss.conf which was working for me after I set the proper RegKey

          RegKey
          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
          "AllowTGTSessionKey"=dword:00000001

          gss.conf

          // Some comments here
          com.sun.security.jgss.accept {  
              com.sun.security.auth.module.Krb5LoginModule required 
          	useTicketCache=true
          	client=TRUE;
          };
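
To see what a gss.conf like the one posted above actually declares, this added example (not part of the original comment and not the plugin's or Smack's code) parses JAAS login-configuration syntax and reports, for each Krb5LoginModule entry, the JGSS role implied by the standard `com.sun.security.jgss.*` entry name and whether a ticket cache is the only configured credential source. The names `parse_jaas` and `describe` are made up for this example.

```python
import re
# gss.conf as posted in the comment above, embedded here as sample input.
GSS_CONF = """
// Some comments here
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true
    client=TRUE;
};
"""
# Token kinds, tried in order: comments, quoted strings, punctuation, bare words.
TOKEN = re.compile(r'''/\*.*?\*/ | //[^\n]* | "(?:[^"\\]|\\.)*" | [{};=] | [^\s{};="]+''', re.S | re.X)
FLAGS = {"required", "requisite", "sufficient", "optional"}

def parse_jaas(text):
    """Return {entry_name: [(module_class, flag, {option: value}), ...]}."""
    toks = iter([t for t in TOKEN.findall(text) if not t.startswith(("//", "/*"))])
    entries = {}
    try:
        for name in toks:
            if next(toks) != "{":
                raise ValueError(f"expected '{{' after entry name {name!r}")
            modules = []
            for module in iter(toks.__next__, "}"):
                flag = next(toks).lower()
                if flag not in FLAGS:
                    raise ValueError(f"bad control flag {flag!r} for {module}")
                opts = {}
                for key in iter(toks.__next__, ";"):   # option=value pairs up to ';'
                    if next(toks) != "=":
                        raise ValueError(f"expected '=' after option {key!r}")
                    opts[key] = next(toks).strip('"')
                modules.append((module, flag, opts))
            if next(toks) != ";":
                raise ValueError(f"entry {name!r} must end with '}};'")
            entries[name] = modules
    except StopIteration:
        raise ValueError("unexpected end of file") from None
    return entries

def describe(entries):
    """Per Krb5LoginModule entry: (JGSS role, credential sources, ticket-cache-only?)."""
    out = {}
    for name, modules in entries.items():
        role = name.rsplit(".", 1)[-1] if name.startswith("com.sun.security.jgss.") else "custom"
        for module, _flag, opts in modules:
            if module.endswith("Krb5LoginModule"):
                src = [k for k in ("useTicketCache", "useKeyTab") if opts.get(k, "").lower() == "true"]
                out[name] = (role, src, src == ["useTicketCache"])
    return out
```

Calling `describe(parse_jaas(GSS_CONF))` on the file above shows one entry with the `accept` role whose only configured credential source is the ticket cache.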
          


          Florian Schmaus added a comment -

          Could you try the plugin from the latest master, which is now using Smack 4.1.9, by issuing "mvn package" and report back if the issue still exists?

            Unassigned
            dylancanfield Dylan Canfield
            Votes: 6
            Watchers: 8