0017000: Krb5LoginModule.attemptAuthentication KrbException: Message stream modified (41) - CentOS Bug Tracker

ID	Project	Category	View Status	Date Submitted	Last Update

0017000	CentOS-7	krb5	public	2020-02-03 12:10	2020-05-08 09:34

Reporter	cir	Assigned To
Priority	urgent	Severity	major	Reproducibility	always
Status	new	Resolution	open

Summary	0017000: Krb5LoginModule.attemptAuthentication KrbException: Message stream modified (41)
Description	Nach update von openJDK 1.8.0_232-b09 auf 1.8.0_242-b08: KrbException: Message stream modified (41) Nach update von java 1.8.0_232-b09 auf 1.8.0_242-b08: kommt KrbException: Message stream modified (41) Login Konfiguration: serverSecurityDomain { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true debug=true keyTab="/etc/some.keytab" doNotPrompt=true storeKey=true realm=someRealm principal="somePrincipal"; }; /etc/krb5.conf: # Configuration snippets may be placed in this directory as well includedir /etc/krb5.conf.d/ [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] dns_lookup_realm = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true rdns = false # default_realm = EXAMPLE.COM default_ccache_name = KEYRING:persistent:%{uid} [realms] # EXAMPLE.COM = { # kdc = kerberos.example.com # admin_server = kerberos.example.com # } [domain_realm] # .example.com = EXAMPLE.COM # example.com = EXAMPLE.COM
Additional Information	javax.security.auth.login.LoginException: Message stream modified (41) at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:808) at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:618) at sun.reflect.GeneratedMethodAccessor170.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) at javax.security.auth.login.LoginContext.login(LoginContext.java:587) at com.silbergrau.security.negotiation.spnego.SPNEGOLoginModule.getServerSubject(SPNEGOLoginModule.java:46) at com.silbergrau.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:73) at com.silbergrau.security.tomcat.auth.module.proxy.LoginModuleProxy.login(LoginModuleProxy.java:6) at sun.reflect.GeneratedMethodAccessor154.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) at javax.security.auth.login.LoginContext.login(LoginContext.java:587) at org.apache.catalina.realm.JAASRealm.authenticate(JAASRealm.java:410) at org.apache.catalina.realm.JAASRealm.authenticate(JAASRealm.java:327) at com.silbergrau.security.negotiation.NegotiationAuthenticator.doAuthenticate(NegotiationAuthenticator.java:12) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:572) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:770) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1415) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:748) Caused by: KrbException: Message stream modified (41) at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:53) at sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:159) at sun.security.krb5.KrbAsRep.decryptUsingKeyTab(KrbAsRep.java:121) at sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:308) at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:447) at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:780) ... 41 more
Tags	Kernel 3.10.0-693.21.1.el7.x86_64

abrt_hash
URL

kdhoe 2020-02-25 08:48 reporter ~0036377	Ran in to the same issue. Solution is to remove the line "renew_lifetime = 7d" from your krb5.conf. It should start working again.

cir 2020-02-25 17:15 reporter ~0036381	no, uncommented the line renew_lifetime = 7d and still the same issue.

bfilipek 2020-03-05 09:43 reporter ~0036462	Removing line "renew_lifetime = 7d" from krb5.conf also works for me.

rg 2020-03-19 19:14 reporter ~0036535	If this hasn't been worked around yet, can you try this: Edit the java.security file located in the active JDK on the clusters, and add or alter the sun.security.krb5.disableReferrals parameter so that it is set to true: sun.security.krb5.disableReferrals=true

Date Modified	Username	Field	Change
2020-02-03 12:10	cir	New Issue
2020-02-03 12:10	cir	Tag Attached: Kernel 3.10.0-693.21.1.el7.x86_64
2020-02-25 08:48	kdhoe	Note Added: 0036377
2020-02-25 17:15	cir	Note Added: 0036381
2020-03-05 09:43	bfilipek	Note Added: 0036462
2020-03-19 19:14	rg	Note Added: 0036535