payara / Payara

Payara Server is an open source middleware platform that supports reliable and secure deployments of Java EE (Jakarta EE) and MicroProfile applications in any environment: on premise, in the cloud or hybrid.
http://www.payara.fish

Authentication via PAMRealm (with Kerberos and LDAP) not working #4065

Closed TimoScheuer closed 4 years ago

TimoScheuer commented 5 years ago

Description


On an Ubuntu 18.04 I configured pam to use Kerberos (heimdal) plus LDAP (OpenLDAP). Locally on the system everything works as expected.

Using Payara authentication via PAMRealm (com.sun.enterprise.security.auth.realm.pam.PamRealm) does not complete. In the log file "/var/log/auth.log" I can read the following:

```
Jun 30 15:49:13 europa java: pam_krb5(sshd:auth): user timo authenticated as timo@MYREALM.COM
Jun 30 15:49:13 europa java: pam_krb5(sshd:account): (user timo) cannot get principal from cache: Operation not permitted
```

The payara server is run with root permission.

The authentication via Kerberos seems to be successful because I find the corresponding credential cache file in "/tmp" and it contains a valid ticket:

```
root@myserver:/opt/payara5# sudo -u timo klist -c /tmp/krb5cc_1000_CVOZph
Credentials cache: FILE:/tmp/krb5cc_1000_CVOZph
        Principal: timo@MYREALM.COM

  Issued                Expires               Principal
Jun 30 15:49:13 2019  Jul  1 15:49:13 2019  krbtgt/MYREALM.COM@MYREALM.COM
```

Expected Outcome

Authentication without any error.

Current Outcome

The authentication process in payara (via PAMRealm) does not complete. It throws the following exception (from log file):

```
WEB9102: Web Login Failed: com.sun.enterprise.security.auth.login.common.LoginException: Login failed: Failed Pam Login for timo]]
```

If I run payara as user "timo" (the user I tried to log in as) then the authentication process completes. Hence it seems to be a permission problem.

Steps to reproduce (Only for bug reports)

Set up pam with heimdal kerberos and use the PAMRealm.

Samples

Context (Optional)

Environment

fturizo commented 4 years ago

Due to the nature of this request and that the requester fell unresponsive, we'll close this issue. Feel free to raise a new issue if this problem is still present with the current release of Payara Server 5.x, and please present a clear reproducer test case that can be used to analyze the problem. We recommend using Docker images and an orchestrator (Compose, K8S, etc.) to allow us to quickly identify the problem.

TimoScheuer commented 1 year ago

Meanwhile I found out what causes the problem. It also holds for the recent Payara6 versions.

You experience this problem if Payara is not run as root user. In this case the PAM module has insufficient permissions in the operating system.

If you run Payara with root user then everything works fine.
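The two auth.log lines quoted in the report (an auth-phase success for a user immediately followed by an account-phase "cannot get principal from cache: Operation not permitted" for the same user) are the signature of the condition the last comment explains: the KDC accepted the password, but the Java process calling PAM could not read the credential cache it had just obtained. The following detection script is an added example, not code from the Payara project or from the reporter; it parses constructed sample lines modelled on the quoted ones and correlates the two phases so an operator can tell this privilege problem apart from an ordinary bad-password failure. The regexes assume the standard syslog layout seen on the page (timestamp, host, process name, optional `[pid]`) and the exact pam_krb5 message text quoted there.

```python
import re
from typing import Dict, List

# Constructed sample input. The first two lines reproduce the report's
# auth.log excerpt; the remaining lines are made up to show non-matching
# cases (a success with no cache error, and a cache error with no prior auth).
SAMPLE_AUTH_LOG = """\
Jun 30 15:49:13 europa java: pam_krb5(sshd:auth): user timo authenticated as timo@MYREALM.COM
Jun 30 15:49:13 europa java: pam_krb5(sshd:account): (user timo) cannot get principal from cache: Operation not permitted
Jun 30 15:50:02 europa java: pam_krb5(sshd:auth): user alice authenticated as alice@MYREALM.COM
Jun 30 15:50:02 europa sshd[1234]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Jun 30 15:51:40 europa java: pam_krb5(sshd:account): (user carol) cannot get principal from cache: No such file or directory
"""

# Syslog prefix: "Jun 30 15:49:13 europa java:" (process may carry a "[pid]").
_PREFIX = (r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
           r"(?P<host>\S+) (?P<proc>[^:\[]+)(?:\[\d+\])?: ")

# auth phase succeeded: the KDC accepted the user's password.
AUTH_OK = re.compile(_PREFIX + r"pam_krb5\((?P<svc>[^:)]+):auth\): "
                     r"user (?P<user>\S+) authenticated as (?P<principal>\S+)$")

# account phase failed because the calling process could not read the cache.
CACHE_FAIL = re.compile(_PREFIX + r"pam_krb5\((?P<svc>[^:)]+):account\): "
                        r"\(user (?P<user>\S+)\) cannot get principal from cache: "
                        r"(?P<reason>.+)$")


def find_ccache_failures(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per pam_krb5 account-phase credential-cache error.

    Each finding records whether the same host/process had already logged an
    auth-phase success for that user, which distinguishes "password accepted
    but cache unreadable" (the report's case) from a plain missing cache.
    """
    authenticated = set()  # (host, proc, user) tuples with an auth-phase success
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = AUTH_OK.match(line)
        if m:
            authenticated.add((m["host"], m["proc"], m["user"]))
            continue
        m = CACHE_FAIL.match(line)
        if m:
            key = (m["host"], m["proc"], m["user"])
            findings.append({
                "ts": m["ts"],
                "host": m["host"],
                "proc": m["proc"],
                "user": m["user"],
                "reason": m["reason"],
                "auth_succeeded": key in authenticated,
            })
    return findings


def diagnose(finding: Dict[str, object]) -> str:
    """Turn a finding into an operator-facing message.

    The "auth succeeded + Operation not permitted" pair is what the report
    traced to the service process lacking the privileges PAM needs; the
    issue's final comment found it only works when the server runs as root.
    """
    where = f"{finding['proc']} on {finding['host']}"
    if finding["auth_succeeded"] and finding["reason"] == "Operation not permitted":
        return (f"{where}: KDC accepted user {finding['user']} but the process could "
                f"not read the credential cache it obtained; check the effective user "
                f"the service runs as (the issue found it works only as root)")
    return f"{where}: credential-cache error for {finding['user']}: {finding['reason']}"


if __name__ == "__main__":
    for f in find_ccache_failures(SAMPLE_AUTH_LOG):
        print(f"{f['ts']} {diagnose(f)}")
```

Run it against a real `/var/log/auth.log` by replacing `SAMPLE_AUTH_LOG` with the file's contents; on the sample it reports timo as the privilege case and carol as an ordinary missing-cache error.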