That was it! I pulled out the line "renew_lifetime = 7d" and it worked! Thank you so much.
On Thu, Apr 1, 2021 at 7:40 AM Bryan Bende <[email protected]> wrote:
> The important part is:
>
> Caused by: sun.security.krb5.internal.KrbApErrException: Message stream modified (41)
>
> The code that produces this exception looks like this:
>
> // Reply to a renewable request should be renewable, but if request does
> // not contain renewable, KDC is free to issue a renewable ticket (for
> // example, if ticket_lifetime is too big).
> if (req.reqBody.kdcOptions.get(KDCOptions.RENEWABLE) &&
>         !rep.encKDCRepPart.flags.get(KDCOptions.RENEWABLE)) {
>     throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
> }
>
> From googling, a possible solution here:
> https://bugs.centos.org/view.php?id=17000
>
> On Wed, Mar 31, 2021 at 6:57 PM Derek Richardson <[email protected]> wrote:
> >
> > It doesn't look like anything to me, but here's the stacktrace for when
> > logback.xml has all of the user_file stuff in debug mode:
> >
> > 2021-03-31 22:54:13,670 INFO [NiFi Web Server-22] o.a.n.w.a.c.IllegalArgumentExceptionMapper java.lang.IllegalArgumentException: The supplied username and password are not valid.. Returning Bad Request response.
> > 2021-03-31 22:54:13,672 DEBUG [NiFi Web Server-22] o.a.n.w.a.c.IllegalArgumentExceptionMapper java.lang.IllegalArgumentException: The supplied username and password are not valid.
> > at org.apache.nifi.web.api.AccessResource.createAccessToken(AccessResource.java:734)
> > [Jersey, Spring Security filter chain and Jetty frames omitted]
> > Caused by: org.apache.nifi.authentication.exception.InvalidLoginCredentialsException: Kerberos authentication failed
> > at org.apache.nifi.kerberos.KerberosProvider.authenticate(KerberosProvider.java:93)
> > at org.apache.nifi.web.security.spring.LoginIdentityProviderFactoryBean$1.authenticate(LoginIdentityProviderFactoryBean.java:314)
> > at org.apache.nifi.web.api.AccessResource.createAccessToken(AccessResource.java:728)
> > ... 78 common frames omitted
> > Caused by: org.springframework.security.authentication.BadCredentialsException: Kerberos authentication failed
> > at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient.login(SunJaasKerberosClient.java:66)
> > at org.springframework.security.kerberos.authentication.KerberosAuthenticationProvider.authenticate(KerberosAuthenticationProvider.java:40)
> > at org.apache.nifi.kerberos.KerberosProvider.authenticate(KerberosProvider.java:87)
> > ... 80 common frames omitted
> > Caused by: javax.security.auth.login.LoginException: Message stream modified (41)
> > at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:808)
> > at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:618)
> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > at java.lang.reflect.Method.invoke(Method.java:498)
> > at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
> > at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
> > at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
> > at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
> > at java.security.AccessController.doPrivileged(Native Method)
> > at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
> > at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
> > at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient.login(SunJaasKerberosClient.java:59)
> > ... 82 common frames omitted
> > Caused by: sun.security.krb5.internal.KrbApErrException: Message stream modified (41)
> > at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:101)
> > at sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:159)
> > at sun.security.krb5.KrbAsRep.decryptUsingPassword(KrbAsRep.java:139)
> > at sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:310)
> > at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:447)
> > at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:770)
> > ... 95 common frames omitted
> >
> > On Wed, Mar 31, 2021 at 4:44 PM Derek Richardson <[email protected]> wrote:
> > >
> > > Correct.
> > >
> > > # kinit [email protected]
> > > Password for [email protected]:
> > >
> > > # klist
> > > Ticket cache: FILE:/tmp/krb5cc_0
> > > Default principal: [email protected]
> > >
> > > Valid starting       Expires              Service principal
> > > 03/31/2021 22:42:10  04/01/2021 22:42:10  krbtgt/[email protected]
> > >
> > > On Wed, Mar 31, 2021, 1:13 PM Bryan Bende <[email protected]> wrote:
> > >
> > > > So from a terminal on the nifi server, you can run "kinit
> > > > [email protected]" and enter the password and it works, and this same
> > > > principal and password entered into NiFi's login screen does not work?
> > > >
> > > > On Wed, Mar 31, 2021 at 2:19 PM Derek Richardson <[email protected]> wrote:
> > > > >
> > > > > I'm working on transitioning a nifi instance we deploy with Kerberos and
> > > > > I'm having some trouble authenticating. Everything looks correct, but when
> > > > > I try to log in with any of my created users, I get an error message:
> > > > >
> > > > > The supplied username and password are not valid.
> > > > >
> > > > > Everything on nifi without https was working, and everything I've created
> > > > > on the Kerberos side looks and works as expected, I just haven't been able
> > > > > to get a user to log in to the Nifi UI.
> > > > >
> > > > > Here are some of my config files, is there anything I'm missing or have
> > > > > incorrect?
> > > > >
> > > > > ---------------------------
> > > > >
> > > > > Authorizers.xml:
> > > > > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> > > > > <authorizers>
> > > > >     <userGroupProvider>
> > > > >         <identifier>file-user-group-provider</identifier>
> > > > >         <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
> > > > >         <property name="Users File">./conf/users.xml</property>
> > > > >         <property name="Legacy Authorized Users File"></property>
> > > > >
> > > > >         <property name="Initial User Identity 1"></property>
> > > > >     </userGroupProvider>
> > > > >
> > > > >     <accessPolicyProvider>
> > > > >         <identifier>file-access-policy-provider</identifier>
> > > > >         <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
> > > > >         <property name="User Group Provider">file-user-group-provider</property>
> > > > >         <property name="Authorizations File">./conf/authorizations.xml</property>
> > > > >         <property name="Initial Admin Identity">[email protected]</property>
> > > > >         <property name="Legacy Authorized Users File"></property>
> > > > >         <property name="Node Identity 1"></property>
> > > > >         <property name="Node Group"></property>
> > > > >     </accessPolicyProvider>
> > > > >
> > > > >     <authorizer>
> > > > >         <identifier>managed-authorizer</identifier>
> > > > >         <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
> > > > >         <property name="Access Policy Provider">file-access-policy-provider</property>
> > > > >     </authorizer>
> > > > >
> > > > >     <authorizer>
> > > > >         <identifier>file-provider</identifier>
> > > > >         <class>org.apache.nifi.authorization.FileAuthorizer</class>
> > > > >         <property name="Authorizations File">./conf/authorizations.xml</property>
> > > > >         <property name="Users File">./conf/users.xml</property>
> > > > >         <property name="Initial Admin Identity">[email protected]</property>
> > > > >         <property name="Legacy Authorized Users File"></property>
> > > > >
> > > > >         <property name="Node Identity 1"></property>
> > > > >     </authorizer>
> > > > > </authorizers>
> > > > >
> > > > > -------------------------------------
> > > > >
> > > > > Relevant nifi.properties:
> > > > > nifi.security.user.authorizer=file-provider
> > > > > nifi.security.user.login.identity.provider=kerberos-provider
> > > > > # kerberos #
> > > > > nifi.kerberos.krb5.file= /etc/krb5.conf
> > > > > [email protected]
> > > > > nifi.kerberos.service.keytab.location=/etc/kadm5.keytab
> > > > >
> > > > > -------------------------------------
> > > > >
> > > > > Login-identity-provider.xml
> > > > > <loginIdentityProviders>
> > > > >     <provider>
> > > > >         <identifier>kerberos-provider</identifier>
> > > > >         <class>org.apache.nifi.kerberos.KerberosProvider</class>
> > > > >         <property name="Default Realm">MY.REALM</property>
> > > > >         <property name="Authentication Expiration">12 hours</property>
> > > > >     </provider>
> > > > > </loginIdentityProviders>
> > > > >
> > > > > ---------------------------------------
> > > > >
> > > > > /etc/krb5.conf:
> > > > > [logging]
> > > > >  default = FILE:/var/log/krb5libs.log
> > > > >  kdc = FILE:/var/log/krb5kdc.log
> > > > >  admin_server = FILE:/var/log/kadmind.log
> > > > >
> > > > > [libdefaults]
> > > > >  ticket_lifetime = 24h
> > > > >  renew_lifetime = 7d
> > > > >  forwardable = true
> > > > >  default_realm = MY.REALM
> > > > >
> > > > > [realms]
> > > > >  RO.INTERNAL = {
> > > > >   kdc = nifi-djr5.ro.internal:88
> > > > >   admin_server = nifi-djr5.my.realm:749
> > > > >   default_domain = my.realm
> > > > >  }
> > > > >
> > > > > [domain_realm]
> > > > >  .my.realm = MY.REALM
> > > > >  my.realm = MY.REALM
> > > > >
> > > > > [kdc]
> > > > >  profile = /var/kerberos/krb5kdc/kdc.conf
> > > > >
> > > > > -------------------------------------------
> > > > >
> > > > > Any help would be greatly appreciated!
> > > > >
> > >
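The KrbKdcRep.check rule quoted in the thread, modelled as an added example (not code from the thread, from NiFi or from the JDK): it parses the [libdefaults] block from the posted krb5.conf and shows that, against a KDC that does not issue renewable tickets, the login fails with error 41 while the same file without renew_lifetime passes. That the JDK sets the RENEWABLE option whenever renew_lifetime is configured, and the KDC's behaviour, are assumptions of the model rather than anything queried from a live KDC.

```python
"""Model of the JDK check behind "Message stream modified (41)".

Added example, not code from the thread, NiFi or the JDK: it parses
[libdefaults] from a constructed krb5.conf, derives whether the JDK will
set the RENEWABLE KDC option (assumed: it does when renew_lifetime is set)
and applies the rule quoted from KrbKdcRep.check to the KDC's answer.
"""
import re

KRB_AP_ERR_MODIFIED = 41  # Kerberos error code quoted in the thread

# Constructed from the [libdefaults] block posted in the thread.
KRB5_CONF_THREAD = """[libdefaults]
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_realm = MY.REALM
"""


def parse_libdefaults(conf: str) -> dict:
    """Return the key/value pairs of the [libdefaults] section."""
    section, values = None, {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values


def check_as_rep(requested_renewable: bool, ticket_renewable: bool):
    """KrbKdcRep.check rule for RENEWABLE: None when the AS-REP is accepted,
    else the error code the JDK raises (a non-renewable reply to a
    renewable request is treated like a tampered message)."""
    if requested_renewable and not ticket_renewable:
        return KRB_AP_ERR_MODIFIED
    return None


def simulate_login(conf: str, kdc_grants_renewable: bool):
    """Outcome of a JDK login with this krb5.conf against a KDC that does
    or does not issue renewable tickets (the KDC side is a model)."""
    requested = "renew_lifetime" in parse_libdefaults(conf)
    granted = kdc_grants_renewable and requested
    return check_as_rep(requested, granted)
```

The same model also shows the other way out of the failure: a KDC that grants renewable tickets lets the original krb5.conf log in unchanged.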
