Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-27488

gss.conf file not found

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Open (View Workflow)
    • Priority: Major
    • Resolution: Unresolved
    • Component/s: jabber-plugin
    • Labels:
      None
    • Environment:
      Jenkins 1.605
      Java OpenJDK 1.7.0_75
      jabber-plugin 1.34
    • Similar Issues:

      Description

      GSSAPI authentication is failing when trying to connect to my OpenFire server. It looks like an uncaught exception is preventing PLAIN authentication from being attempted.

      Attached is the debug output that I have collected from hudson.plugins.jabber logging.

      I would configure a gss.conf file, however, I have had no luck finding any useful or complete documentation about what needs to be included in this file and/or where it should be placed (do additional java options needto be passed to the Jenkins process?).

      Thank you, in advance, for your assistance.

        Attachments

          Issue Links

            Activity

            Hide
            flow Florian Schmaus added a comment -

            Could you try the plugin from the latest master, which is now using Smack 4.1.9,  by issueing "mvn package" and report back if the issue still exists?

            Show
            flow Florian Schmaus added a comment - Could you try the plugin from the latest master, which is now using Smack 4.1.9,  by issueing "mvn package" and report back if the issue still exists?
            Hide
            acoberlin Aleks Milut added a comment - - edited

            After spending almost two days using Procmon on Windows and Tomcat 8 I found that gss.conf should be placed in ${catalina.base} of your Tomcat installation.
            Now I am trying to find out WHAT should be entered into gss.conf to work. Standard gss.conf with keytab file doesn't work.
            Since out XMPP Server offers GSSAPI and PLAIN, it would be extremely helpful to have a setting in the Jabber Plugin on how to connect to the server, since the Enable SASL authentication Checkbox isn't displayed anymore (There exists also a ticket for that issue).

            Edit:
            Here is my gss.conf which was working for me after I set the proper RegKey

            RegKey
            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
            "AllowTGTSessionKey"=dword:00000001

            gss.conf

            // Some comments here
            com.sun.security.jgss.accept {  
                com.sun.security.auth.module.Krb5LoginModule required 
            	useTicketCache=true
            	client=TRUE;
            };
            
            Show
            acoberlin Aleks Milut added a comment - - edited After spending almost two days using Procmon on Windows and Tomcat 8 I found that gss.conf should be placed in ${catalina.base} of your Tomcat installation. Now I am trying to find out WHAT should be entered into gss.conf to work. Standard gss.conf with keytab file doesn't work. Since out XMPP Server offers GSSAPI and PLAIN, it would be extremely helpful to have a setting in the Jabber Plugin on how to connect to the server, since the Enable SASL authentication Checkbox isn't displayed anymore (There exists also a ticket for that issue). Edit: Here is my gss.conf which was working for me after I set the proper RegKey RegKey [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters] "AllowTGTSessionKey"=dword:00000001 gss.conf // Some comments here com.sun.security.jgss.accept { com.sun.security.auth.module.Krb5LoginModule required useTicketCache= true client=TRUE; };
            Hide
            hblock Henning Block added a comment -

            We're having the same issue. Since nobody seems to be willing to fix the bug, jay/dylan. Would you share an example gss.conf and the location to put the gss.conf as workaround?

            Show
            hblock Henning Block added a comment - We're having the same issue. Since nobody seems to be willing to fix the bug, jay/dylan. Would you share an example gss.conf and the location to put the gss.conf as workaround?
            Hide
            jayhendren jay hendren added a comment -

            > Jay, I don't know why you think that smack 4 only supports gssapi. I can see e.g. here several other supported auths: http://www.igniterealtime.org/builds/smack/docs/4.0.6/javadoc/org/jivesoftware/smack/sasl/SASLMechanism.html

            i apologize - i meant that smack 4 only supports sasl auth. non-sasl (a.k.a. simple) auth works, but is not available in smack 4.

            where do you see the other supported auths? and how would i switch between them? (neither of us are java devs so it's a little bit challenging for us to grok java api docs)

            > Also, I don't understand why you keep pressing this issue so much. I thought you had figured out a way to authenticate even with the latest version?

            almost, but not quite. we found a manual way to authenticate, and the jenkins user would only be auth'd as long as the kerb ticket is valid. effectively, this means we need to manually authenticate the jenkins user once a day, which isn't acceptable. so really, we found a crummy workaround, but this doesn't resolve this bug report, and we're not entirely sure why or how our workaround solves the issue, or if it's really just a band-aid over a different problem.

            personally, i don't believe the behavior described in this bug report ("gss.conf not found" exception) matches the expected behavior for this plugin (if i've supplied my jabber id and password to the jabber plugin, it should have all the information it needs - why is it complaining about something called "gss.conf"?).

            > And again: the smack forum would be a better place to ask about xmpp/smack authentication details!

            okay, i accept that this may be an upstream issue, but it seems to me that this kind of error shouldn't bubble up to the downstream consumer... i shouldn't need to know anything about gssapi in order to auth to an xmpp server through a jenkins plugin. i feel like that's really the crux of the issue.

            kutzi, thanks for your time and help with this issue. i hope my little diatribe here clarifies why we keep bugging you

            Show
            jayhendren jay hendren added a comment - > Jay, I don't know why you think that smack 4 only supports gssapi. I can see e.g. here several other supported auths: http://www.igniterealtime.org/builds/smack/docs/4.0.6/javadoc/org/jivesoftware/smack/sasl/SASLMechanism.html i apologize - i meant that smack 4 only supports sasl auth. non-sasl (a.k.a. simple) auth works, but is not available in smack 4. where do you see the other supported auths? and how would i switch between them? (neither of us are java devs so it's a little bit challenging for us to grok java api docs) > Also, I don't understand why you keep pressing this issue so much. I thought you had figured out a way to authenticate even with the latest version? almost, but not quite. we found a manual way to authenticate, and the jenkins user would only be auth'd as long as the kerb ticket is valid. effectively, this means we need to manually authenticate the jenkins user once a day, which isn't acceptable. so really, we found a crummy workaround, but this doesn't resolve this bug report, and we're not entirely sure why or how our workaround solves the issue, or if it's really just a band-aid over a different problem. personally, i don't believe the behavior described in this bug report ("gss.conf not found" exception) matches the expected behavior for this plugin (if i've supplied my jabber id and password to the jabber plugin, it should have all the information it needs - why is it complaining about something called "gss.conf"?). > And again: the smack forum would be a better place to ask about xmpp/smack authentication details! okay, i accept that this may be an upstream issue, but it seems to me that this kind of error shouldn't bubble up to the downstream consumer... i shouldn't need to know anything about gssapi in order to auth to an xmpp server through a jenkins plugin. i feel like that's really the crux of the issue. kutzi, thanks for your time and help with this issue. i hope my little diatribe here clarifies why we keep bugging you
            Hide
            kutzi kutzi added a comment -

            Also, I don't understand why you keep pressing this issue so much. I thought you had figured out a way to authenticate even with the latest version?

            And again: the smack forum would be a better place to ask about xmpp/smack authentication details!

            Show
            kutzi kutzi added a comment - Also, I don't understand why you keep pressing this issue so much. I thought you had figured out a way to authenticate even with the latest version? And again: the smack forum would be a better place to ask about xmpp/smack authentication details!

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              dylancanfield Dylan Canfield
              Votes:
              6 Vote for this issue
              Watchers:
              8 Start watching this issue

                Dates

                Created:
                Updated: