irods / irods_auth_plugin_kerberos
Source code for the kerberos auth plugin for irods
License: Other
iRODS Kerberos Auth Plugin
--------------------------

To build the Kerberos Auth Plugin, you will need to have:

- the iRODS Development Tools (irods-dev and irods-runtime) installed for your platform: http://irods.org/download
Hi Folks,
We've upgraded our zone federation master to 4.1-stable (via packages we built in our CI that identify as 4.1.9), and found (of course) that we needed the kerberos plugin. Trying to install this, we get:
dpkg -i irods-auth-plugin-krb-1.2.deb
(Reading database ... 234426 files and directories currently installed.)
Unpacking irods-auth-plugin-krb (from irods-auth-plugin-krb-1.2.deb) ...
Local iRODS is 4.1.9
This plugin requires iRODS 4.1.8
dpkg: error processing irods-auth-plugin-krb-1.2.deb (--install):
subprocess new pre-installation script returned error exit status 1
Errors were encountered while processing:
irods-auth-plugin-krb-1.2.deb
So we set our CI to build this, only we modify the REQUIRED_VERSION="4.1.8" line in packaging/irods_auth_plugin_krb.list.template to 4.1.9:
cat packaging/irods_auth_plugin_krb.list.template | sed s/4\.1\.8/4.1.9/g > packaging/irods_auth_plugin_krb.list.template
./packaging/build.sh
However, this gives:
+------------------------------------+
| iRODS Plugin Build Script |
+------------------------------------+
Tue Jun 28 14:52:41 UTC 2016
Build Environment...
Detected OS [Ubuntu]
Detected OS Version [12.04]
Detected Plugin Name [irods_auth_plugin_krb]
Detected EPM Package Name [irods-auth-plugin-krb]
Detected Plugin Version to Build [1.2]
Detected Plugin Version Integer [12]
Detected Project Directory [/builds/upstream/irods_auth_plugin_kerberos]
Detected Packaging Directory [/builds/upstream/irods_auth_plugin_kerberos/packaging]
Detected Target Build Directory [/builds/upstream/irods_auth_plugin_kerberos/build]
Detected EPM List File [/builds/upstream/irods_auth_plugin_kerberos/packaging/irods_auth_plugin_krb.list]
Detected CPUs [16]
Compile Command [make -j 19]
Building...
make -C krb
make[1]: Entering directory `/builds/upstream/irods_auth_plugin_kerberos/krb'
g++ -DRODS_SERVER -I/usr/include/irods -I/usr/include/irods/jansson/src -I/usr/include/irods/boost -I/usr/include/irods/jansson/src -fPIC -c -g -o .objs/libkrb.o libkrb.cpp
Building Auth Plugins
g++ -DRODS_SERVER -I/usr/include/irods -I/usr/include/irods/jansson/src -I/usr/include/irods/boost -I/usr/include/irods/jansson/src -fPIC "-Wl,-E" -shared -o .././libkrb.so .objs/libkrb.o /usr/lib/libirods_client.a -lgssapi_krb5
make[1]: Leaving directory `/builds/upstream/irods_auth_plugin_kerberos/krb'
Creating Package...
Running EPM :: Generating Ubuntu DEBs
epm: Product names should only contain letters and numbers!
epm: Error - missing %product, %copyright, %vendor, %license,
%readme, or %version attributes in list file!
How do we get this plugin to make a package for 4.1-stable? Our production system is usable for non-Kerberised IDs, but not for those that use Kerberos.
Similar to irods/irods#2143 for libnative and libosauth.
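One thing worth knowing when reproducing the version bump above: a pipeline of the form `cat f | sed ... > f` opens `f` for writing, and therefore truncates it, before `cat` has read it, so the template ends up empty, and an empty list file is one way to get exactly the `%product, %copyright, ...` complaint EPM prints. The script below is an added example, not part of the irods_auth_plugin_kerberos packaging; it rewrites the pin through a temporary file and then confirms the attributes EPM requires are still present. The template contents in `demo` are constructed placeholders, and it assumes the pin is a line of the form `REQUIRED_VERSION="X.Y.Z"`.

```shell
#!/bin/sh
# Added example (not from the irods_auth_plugin_kerberos repo): bump the
# REQUIRED_VERSION pin in an EPM list template without truncating the file,
# then confirm the attributes EPM insists on are still present.
# Assumption: the template carries a line REQUIRED_VERSION="X.Y.Z" and the
# six attributes named in EPM's error message.
set -e

# Rewrite the pin via a temp file, so the target is never opened for
# writing before it has been read (cat f | sed ... > f does exactly that).
bump_required_version() {
    file=$1; old=$2; new=$3
    tmp="$file.tmp.$$"
    sed "s/REQUIRED_VERSION=\"$old\"/REQUIRED_VERSION=\"$new\"/" "$file" > "$tmp"
    mv "$tmp" "$file"
}

# Return 0 if every attribute EPM requires is present, 1 otherwise
# (naming each missing attribute on stderr).
check_epm_list() {
    file=$1; rc=0
    for attr in product copyright vendor license readme version; do
        if ! grep -q "^%$attr " "$file"; then
            echo "missing %$attr in $file" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample template (placeholder values) to show the flow end to end.
demo() {
    t=$(mktemp)
    printf '%s\n' '%product iRODS Kerberos Auth Plugin' \
        '%copyright (constructed placeholder)' '%vendor Example Vendor' \
        '%license LICENSE' '%readme README.md' '%version 1.2' \
        'REQUIRED_VERSION="4.1.8"' > "$t"
    bump_required_version "$t" 4.1.8 4.1.9
    check_epm_list "$t"
    grep 'REQUIRED_VERSION=' "$t"   # shows the bumped pin
    rm -f "$t"
}

demo
```

Run `check_epm_list packaging/irods_auth_plugin_krb.list.template` before `./packaging/build.sh`; a non-zero exit tells you the template was damaged before EPM ever sees it.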
Hi Folks,
When attempting to install this via packaging with the icommands, dev and runtime packages for a client, it failed to install for what I believe are two separate reasons.
First, it expects files to be present that are not there until the other packages are installed.
Second, and more problematically, the post-install script /var/lib/dpkg/info/irods-auth-plugin-krb.postinst expects /etc/irods/service_account.config to be present to set ownership and permissions; however, this file is not created/added by the icommands or auth plugin package, only the cat or resource packages (I presume):
root@bc-29-2-01:~# dpkg -i irods-*.deb
Selecting previously unselected package irods-auth-plugin-krb.
(Reading database ... 265003 files and directories currently installed.)
Unpacking irods-auth-plugin-krb (from irods-auth-plugin-krb-1.2-ubuntu12-x86_64.deb) ...
Traceback (most recent call last):
File "<string>", line 1, in <module>
IOError: [Errno 2] No such file or directory: '/var/lib/irods/VERSION.json'
dpkg: error processing irods-auth-plugin-krb-1.2-ubuntu12-x86_64.deb (--install):
subprocess new pre-installation script returned error exit status 1
Selecting previously unselected package irods-dev.
Unpacking irods-dev (from irods-dev-4.1.8-ubuntu12-x86_64.deb) ...
Selecting previously unselected package irods-icommands.
Unpacking irods-icommands (from irods-icommands-4.1.8-ubuntu12-x86_64.deb) ...
Selecting previously unselected package irods-runtime.
Unpacking irods-runtime (from irods-runtime-4.1.8-ubuntu12-x86_64.deb) ...
Setting up irods-dev (4.1.8) ...
Setting up irods-icommands (4.1.8) ...
###########################################################
#
# The iCommands have been installed into your path.
#
# They require your environment to be configured
# for communication with an iRODS server.
#
# Place the following configuration information into
# your irods_environment.json file and edit as appropriate:
#
# ~/.irods/irods_environment.json
#
###########################################################
{
"irods_host": "FULLY.QUALIFIED.DOMAIN.NAME",
"irods_port": 1247,
"irods_default_resource": "demoResc",
"irods_home": "/tempZone/home/USERNAME",
"irods_cwd": "/tempZone/home/USERNAME",
"irods_user_name": "USERNAME",
"irods_zone_name": "tempZone",
"irods_client_server_negotiation": "request_server_negotiation",
"irods_client_server_policy": "CS_NEG_REFUSE",
"irods_encryption_key_size": 32,
"irods_encryption_salt_size": 8,
"irods_encryption_num_hash_rounds": 16,
"irods_encryption_algorithm": "AES-256-CBC",
"irods_default_hash_scheme": "SHA256",
"irods_match_hash_policy": "compatible"
}
Setting up irods-runtime (4.1.8) ...
Processing triggers for man-db ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Errors were encountered while processing:
irods-auth-plugin-krb-1.2-ubuntu12-x86_64.deb
Then, even after removing (including purging) and re-adding, we get a different, and not verbose, error:
root@bc-29-2-01:~# dpkg -i irods-auth-plugin-krb-1.2-ubuntu12-x86_64.deb
(Reading database ... 283670 files and directories currently installed.)
Unpacking irods-auth-plugin-krb (from irods-auth-plugin-krb-1.2-ubuntu12-x86_64.deb) ...
Setting up irods-auth-plugin-krb (1.2) ...
dpkg: error processing irods-auth-plugin-krb (--install):
subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
irods-auth-plugin-krb
This was the package from your downloads site, and was on Ubuntu 12.
Can I ask that the permissions are set only if the file exists, and that there is a test for installing with the icommands please?
We can't use Kerberos with V4 on our test clients until this is resolved (unless you want us to switch to run-in-place) :-).
Thanks!
John
referenced from irods/irods#2848
It appears that Kerberos authentication doesn't work out-of-the-box with 4.1.x even with the latest release 4.1.4 and irods-auth-plugin-krb-1.2, which I built from the github repo.
Using the settings instructed in docs.irods.org I get the following message client-side:
Level 0: DEBUG: On iRODS-Server side:GSS-API error Acquiring credentials.: Unspecified GSS failure. Minor code may provide more information
Level 1: DEBUG: On iRODS-Server side:GSS-API error Acquiring credentials.:
[-] libkrb.cpp:1194:krb_auth_client_request : status [KRB_ERROR_ACQUIRING_CREDS] errno [] -- message [call to rcAuthRequest failed.]
failed with error -965000 KRB_ERROR_ACQUIRING_CREDS
and in the server-side rodsLog the following:
Aug 24 11:20:45 pid:5371 DEBUG: On iRODS-Server side:GSS-API error Acquiring credentials.: Unspecified GSS failure. Minor code may provide more information
Aug 24 11:20:45 pid:5371 DEBUG: On iRODS-Server side:GSS-API error Acquiring credentials.:
Aug 24 11:20:45 pid:5371 ERROR: [-] iRODS/server/api/src/rsAuthPluginRequest.cpp:85:rsAuthPluginRequest : status [KRB_ERROR_ACQUIRING_CREDS] errno [] -- message []
[-] libkrb.cpp:1237:krb_auth_agent_request : status [KRB_ERROR_ACQUIRING_CREDS] errno [] -- message [Setting up KRB credentials failed.]
[-] libkrb.cpp:220:krb_setup_creds : status [KRB_ERROR_ACQUIRING_CREDS] errno [] -- message [Failed acquiring credentials.]
Aug 24 11:20:45 pid:5371 DEBUG: On iRODS-Server side:GSS-API error accepting context: Invalid token was supplied
Aug 24 11:20:45 pid:5371 DEBUG: On iRODS-Server side:GSS-API error accepting context: Unknown error
Aug 24 11:20:45 pid:5371 ERROR: [-] iRODS/server/core/src/rodsAgent.cpp:346:agentMain : status [KRB_ACCEPT_SEC_CONTEXT_ERROR] errno [] -- message [Failed during auth plugin agent start for scheme: "krb".]
[-] libkrb.cpp:892:krb_auth_agent_start : status [KRB_ACCEPT_SEC_CONTEXT_ERROR] errno [] -- message [Failed to establish server side context.]
[-] libkrb.cpp:783:krb_establish_context_serverside : status [KRB_ACCEPT_SEC_CONTEXT_ERROR] errno [] -- message [Error accepting KRB security context for client: "(null)".]
When digging into the Kerberos auth module source code and the workings of the Kerberos client-side GSSAPI library, the reason appeared to be that GSS API wasn't provided a Kerberos keytab.
I managed to go around the issue by setting an environment variable KRB5_KTNAME in the server to point to the keytab. This variable is used by the GSS API Kerberos library to force the loading of a specified keytab file. This works for me.
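A small pre-flight check for the server keytab is a useful companion to the KRB5_KTNAME work-around, since the same "Acquiring credentials" failure appears whether the keytab is missing, unreadable, or simply not the file GSSAPI is looking at. The script below is an added example, not code from the plugin or from the poster; it resolves the keytab path the way MIT's GSSAPI library does (KRB5_KTNAME, with or without the FILE: prefix, else /etc/krb5.keytab), and checks that the file exists, is owned by the expected service account and is not readable by group or other. The service-account name `irods` and the default keytab location are assumptions for the usage line.

```shell
#!/bin/sh
# Added example, not part of the irods_auth_plugin_kerberos project: a
# pre-flight check for the server-side keytab that GSSAPI will load.
# Assumptions: the service runs with KRB5_KTNAME in its environment (as in
# the work-around above) or falls back to MIT's default /etc/krb5.keytab;
# the expected owner is passed in by the caller.

# Resolve the keytab path GSSAPI will use: honour KRB5_KTNAME (with or
# without the FILE: prefix), else the default keytab location.
keytab_path() {
    kt=${KRB5_KTNAME:-FILE:/etc/krb5.keytab}
    printf '%s\n' "${kt#FILE:}"
}

# Report problems with the keytab: missing, owned by the wrong account, or
# readable beyond its owner. Returns 0 only when every check passes.
check_keytab() {
    path=$1; want_owner=$2; rc=0
    if [ ! -f "$path" ]; then
        echo "keytab $path does not exist" >&2
        return 1
    fi
    # Owner and permission bits via stat (GNU form first, BSD form as fallback).
    owner=$(stat -c '%U' "$path" 2>/dev/null || stat -f '%Su' "$path")
    mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%OLp' "$path")
    if [ "$owner" != "$want_owner" ]; then
        echo "keytab $path owned by $owner, expected $want_owner" >&2; rc=1
    fi
    # Any group/other bit (mode & 077) exposes long-term key material.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "keytab $path mode $mode is readable by others; use 0600" >&2; rc=1
    fi
    return $rc
}

# Show which principals the keytab holds, when MIT klist is installed.
list_principals() {
    command -v klist >/dev/null 2>&1 || { echo "klist not installed" >&2; return 0; }
    klist -k "$1"
}

# Usage (service account name is an assumption): run as a start-up check.
kt=$(keytab_path)
check_keytab "$kt" "${IRODS_SERVICE_USER:-irods}" && list_principals "$kt"
```

Run it in the same environment the iRODS server starts from, so that KRB5_KTNAME resolves to what the agent process will actually see; a passing check plus a `klist -k` listing that contains the server's service principal rules out the keytab as the cause of KRB_ERROR_ACQUIRING_CREDS.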
Whenever we use a GSS function such as gss_import_name or gss_display_name, responsibility for the memory allocated for the output buffer is given to the calling application: https://www.gnu.org/software/gss/manual/html_node/Name-Manipulation.html
There are several places throughout the plugin where the output name buffer may not be freed and we should probably do so. This is achieved in most cases by using gss_release_buffer or gss_release_name.
krb/libkrb.cpp:1271:41: error: too many arguments to function call, expected single argument '_kvp', have 2 arguments
irods::kvp_string( kvp, resp_str );
Presumably since irods/irods@ef65cbd.
krb/libkrb.cpp:1362:37: error: use of undeclared identifier 'parseUserName'
parseUserName( _resp->username, user…
Presumably since irods/irods@a153e90.
dpkg -i irods-auth-plugin-krb-1.4-ubuntu12-x86_64.deb irods-database-plugin-oracle-1.9-ubuntu12-x86_64.deb irods-dev-4.1.10-ubuntu12-x86_64.deb irods-icat-4.1.10-ubuntu12-x86_64.deb
(Reading database ... 242303 files and directories currently installed.)
Preparing to replace irods-auth-plugin-krb 1.3 (using irods-auth-plugin-krb-1.4-ubuntu12-x86_64.deb) ...
Local iRODS is 4.1.9
This plugin requires iRODS 4.1.10
dpkg: error processing irods-auth-plugin-krb-1.4-ubuntu12-x86_64.deb (--install):
subprocess new pre-installation script returned error exit status 1
Preparing to replace irods-database-plugin-oracle 1.9 (using irods-database-plugin-oracle-1.9-ubuntu12-x86_64.deb) ...
Unpacking replacement irods-database-plugin-oracle ...
Preparing to replace irods-dev 4.1.9 (using irods-dev-4.1.10-ubuntu12-x86_64.deb) ...
Unpacking replacement irods-dev ...
Preparing to replace irods-icat 4.1.9 (using irods-icat-4.1.10-ubuntu12-x86_64.deb) ...
Upgrading Existing iRODS Installation
Unpacking replacement irods-icat ...
Setting up irods-dev (4.1.10) ...
Setting up irods-icat (4.1.10) ...
System start/stop links for /etc/init.d/irods already exist.
Configuration Schema Version is already up to date (version=2).
Stopping iRODS server...
Catalog Schema Version is already up to date (version=4).
Starting iRODS server...
Confirming catalog_schema_version... Success
Validating [/usr/local/iRODS/.irods/irods_environment.json]... Success
Validating [/etc/irods/server_config.json]... Success
Validating [/etc/irods/hosts_config.json]... Success
Validating [/etc/irods/host_access_control_config.json]... Success
Validating [/etc/irods/database_config.json]... Success
Processing triggers for ureadahead ...
Processing triggers for man-db ...
Setting up irods-database-plugin-oracle (1.9) ...
Errors were encountered while processing:
irods-auth-plugin-krb-1.4-ubuntu12-x86_64.deb
Re-running the installation of just the plugin works fine, but it looks like the version check is done in slightly the wrong place. Prior installation was 4.1.9-preview6.
Hi folks,
I understand that Kerberos support is being moved into the new authentication plugin (#54); however, as I understand it, that is not yet released. 4.3.0 is released, however there is no corresponding plugin.
Is there a plan to release the plugin to allow people with it installed in 4.2.7 to upgrade to 4.3.0?
cheers
John
When using the KRB auth module with kanki-irodsclient, the client fails to load the module because of undefined boost symbols. The KRB auth works flawlessly with irods-icommands, since all the icommands binaries happen to come bundled with all necessary boost symbols.
Kanki, on the other hand, is linked against boost but doesn't carry the same static symbols as the icommands do. I believe it's best to include boost in the plugin library itself without depending on the loading executable.
ERROR: [-] iRODS/lib/core/src/clientLogin.cpp:293:clientLogin : status [PLUGIN_ERROR] errno [] -- message []
[-] iRODS/lib/core/src/irods_krb_object.cpp:34:resolve : status [PLUGIN_ERROR] errno [] -- message [Failed to load the KRB auth plugin.]
[-] iRODS/lib/core/src/irods_auth_manager.cpp:76:init_from_type : status [PLUGIN_ERROR] errno [] -- message [Failed to load auth plugin.]
[-] iRODS/lib/core/src/irods_auth_manager.cpp:55:load_auth_plugin : status [PLUGIN_ERROR] errno [] -- message [Failed to load plugin: "krb".]
[-] iRODS/lib/core/include/irods_load_plugin.hpp:194:load_plugin : status [PLUGIN_ERROR] errno [] -- message [failed to open shared object file [/var/lib/irods/plugins/auth/libkrb.so] :: dlerror: is [/var/lib/irods/plugins/auth/libkrb.so: undefined symbol: _ZN5boost6system16generic_categoryEv]]
I forked this repo and made a change to the plugin module linkage fixing this issue for me, and made a pull request for the commit; see pull request #12.
This can possibly be removed as the comment claims it was added to address an issue with VMs in Ubuntu 14:
Makes tests artificially long.
@trel Kerberos authentication plugin supports irods 4.1.10 and there is a big difference between the two versions of irods ( 4.2.0 and 4.1.10 )
We had a similar problem with one of the microservices in the irods repo: irods/irods#5198
Hi,
I've installed the auth_plugin_kerberos packaged in rpm.
I've followed the documentation, and on the server modified /etc/krb5.conf with:
    [realms]
    EXAMPLE.FR = {
        kdc = server.example.fr
        admin_server = server.example.fr
    }
    [domain_realm]
    .example.fr = EXAMPLE.FR
    example.fr = EXAMPLE.FR
The kdc server is an AD I do not admin, but a simple user "irods" is defined.
On the client, I cannot authenticate; I get:
[user@client ] ils
[-] /tmp/tmpix2hj6/krb/libkrb.cpp:1226:irods::error krb_auth_client_response(irods::plugin_context &, rcComm_t *) : status [SYS_SOCK_READ_ERR] errno [Connection reset by peer] -- message [Call to rcAuthResponseFailed.]
failed with error -116104 SYS_SOCK_READ_ERR Connection reset by peer
What does it mean? Is there some information missing in the doc regarding the necessary configuration, or something else?
Thanks for any help.
Cheers
Sophie
There are several places in the plugin where we are printing to stderr using fprintf:
irods_auth_plugin_kerberos/krb/libkrb.cpp, line 485 in 26b2afa
This is okay for the client side, but we don't want to do this in the server. Please investigate whether these calls occur in server-side code.
Hi folks,
Our build system is reliant on tags for the version to build the right thing, and while the 4-1 branch has been updated for 1.6, the tag hasn't been created yet - can that be done as soon as possible please?
cheers
John