View Issue Details

ID: 0017000
Project: CentOS-7
Category: krb5
View Status: public
Last Update: 2020-03-19 19:14
Reporter: cir
Priority: urgent
Severity: major
Reproducibility: always
Status: new
Resolution: open
Summary: 0017000: Krb5LoginModule.attemptAuthentication KrbException: Message stream modified (41)
Description:
After updating from OpenJDK 1.8.0_232-b09 to 1.8.0_242-b08: KrbException: Message stream modified (41)

After updating Java from 1.8.0_232-b09 to 1.8.0_242-b08, a KrbException occurs: Message stream modified (41)

Login configuration:

serverSecurityDomain {
  com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true debug=true keyTab="/etc/some.keytab" doNotPrompt=true storeKey=true realm=someRealm principal="somePrincipal";
};

/etc/krb5.conf:

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
Additional Information:
javax.security.auth.login.LoginException: Message stream modified (41)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:808)
        at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:618)
        at sun.reflect.GeneratedMethodAccessor170.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
        at com.silbergrau.security.negotiation.spnego.SPNEGOLoginModule.getServerSubject(SPNEGOLoginModule.java:46)
        at com.silbergrau.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:73)
        at com.silbergrau.security.tomcat.auth.module.proxy.LoginModuleProxy.login(LoginModuleProxy.java:6)
        at sun.reflect.GeneratedMethodAccessor154.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
        at org.apache.catalina.realm.JAASRealm.authenticate(JAASRealm.java:410)
        at org.apache.catalina.realm.JAASRealm.authenticate(JAASRealm.java:327)
        at com.silbergrau.security.negotiation.NegotiationAuthenticator.doAuthenticate(NegotiationAuthenticator.java:12)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:572)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:770)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1415)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)
Caused by: KrbException: Message stream modified (41)
        at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:53)
        at sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:159)
        at sun.security.krb5.KrbAsRep.decryptUsingKeyTab(KrbAsRep.java:121)
        at sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:308)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:447)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:780)
        ... 41 more


Tags: Kernel 3.10.0-693.21.1.el7.x86_64

Activities

kdhoe

2020-02-25 08:48

reporter   ~0036377

Ran into the same issue.
Solution is to remove the line "renew_lifetime = 7d" from your krb5.conf. It should start working again.

cir

2020-02-25 17:15

reporter   ~0036381

No, uncommented the line renew_lifetime = 7d and still the same issue.

bfilipek

2020-03-05 09:43

reporter   ~0036462

Removing line "renew_lifetime = 7d" from krb5.conf also works for me.

rg

2020-03-19 19:14

reporter   ~0036535

If this hasn't been worked around yet, can you try this:

Edit the java.security file located in the active JDK on the clusters, and add or alter the sun.security.krb5.disableReferrals parameter so that it is set to true:
sun.security.krb5.disableReferrals=true
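
A read-only check for the two settings proposed in the comments above, as an added example that is not part of the thread or of any CentOS or OpenJDK tooling. The function names and the file paths passed to them are assumptions; the check also follows includedir, because the reporter's krb5.conf pulls in /etc/krb5.conf.d/ and a snippet there can still set renew_lifetime after the line is removed from the main file.

```shell
#!/bin/sh
# Added example: read-only report on the two settings discussed in the thread.

# List active renew_lifetime lines in a krb5.conf and in any directory it
# pulls in via includedir. Lines starting with '#' or ';' never match.
# Simplification: every regular file in an included directory is read.
active_renew_lifetime() {
    pat='^[[:space:]]*renew_lifetime[[:space:]]*='
    grep -HnE "$pat" "$1" 2>/dev/null || true
    sed -nE 's/^[[:space:]]*includedir[[:space:]]+//p' "$1" 2>/dev/null |
    while read -r dir; do
        for f in "$dir"/*; do
            if [ -f "$f" ]; then grep -HnE "$pat" "$f" || true; fi
        done
    done
}

# Succeed only if the last active assignment of the property in a
# java.security file is "true" (a later assignment overrides an earlier one).
referrals_disabled() {
    key='sun\.security\.krb5\.disableReferrals'
    val=$(sed -nE "s/^[[:space:]]*$key[[:space:]]*[=:][[:space:]]*//p" "$1" 2>/dev/null |
          tail -n 1 | tr -d '[:space:]')
    [ "$val" = "true" ]
}

# Print the report for one krb5.conf / java.security pair (paths are arguments).
audit() {
    hits=$(active_renew_lifetime "$1")
    if [ -n "$hits" ]; then
        printf 'renew_lifetime is active:\n%s\n' "$hits"
    else
        echo 'renew_lifetime: no active setting found'
    fi
    if referrals_disabled "$2"; then
        echo 'sun.security.krb5.disableReferrals=true is set'
    else
        echo 'sun.security.krb5.disableReferrals is not set to true'
    fi
}

# Constructed sample: renew_lifetime commented out in the main file but still
# active in an included snippet; disableReferrals present only as a comment.
d=$(mktemp -d) && mkdir "$d/krb5.conf.d"
printf 'includedir %s/krb5.conf.d/\n[libdefaults]\n# renew_lifetime = 7d\n' "$d" > "$d/krb5.conf"
printf '[libdefaults]\n renew_lifetime = 7d\n' > "$d/krb5.conf.d/site"
printf '#sun.security.krb5.disableReferrals=true\n' > "$d/java.security"
audit "$d/krb5.conf" "$d/java.security"
rm -rf "$d"
```

On a real host, call audit with the system krb5.conf and the java.security file of the JDK the application actually runs on.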

Issue History

Date Modified Username Field Change
2020-02-03 12:10 cir New Issue
2020-02-03 12:10 cir Tag Attached: Kernel 3.10.0-693.21.1.el7.x86_64
2020-02-25 08:48 kdhoe Note Added: 0036377
2020-02-25 17:15 cir Note Added: 0036381
2020-03-05 09:43 bfilipek Note Added: 0036462
2020-03-19 19:14 rg Note Added: 0036535