@@ -15,6 +15,7 @@ answers for frequently asked questions.
* <<trb-security-maccurl>>
* <<trb-security-sslhandshake>>
* <<trb-security-ssl>>
+* <<trb-security-kerberos>>
* <<trb-security-internalserver>>
* <<trb-security-setup>>
@@ -319,6 +320,77 @@ In this case, you must install the
<<ciphers, JCE Unlimited Strength Jurisdiction Policy Files>>.
--
+[[trb-security-kerberos]]
+=== Common Kerberos exceptions
+
+*Symptoms:*
+
+* User authentication fails due to either GSS negotiation failure
+or a service login failure (either on the server or in the {es} http client).
+Some of the common exceptions are listed below with some tips to help resolve
+them.
+
+*Resolution:*
+
+`Failure unspecified at GSS-API level (Mechanism level: Checksum failed)`::
++
+--
+
+When you see this error message on the HTTP client side, then it may be
+related to an incorrect password.
+
+When you see this error message in the {es} server logs, then it may be
+related to the {es} service keytab. The keytab file is present but it failed
+to log in as the user. Please check the keytab expiry. Also check whether the
+keytab contain up-to-date credentials; if not, replace them.
+
+You can use tools like `klist` or `ktab` to list principals inside
+the keytab and validate them. You can use `kinit` to see if you can acquire
+initial tickets using the keytab. Please check the tools and their documentation
+in your Kerberos environment.
+
+Kerberos depends on proper hostname resolution, so please check your DNS infrastructure.
+Incorrect DNS setup, DNS SRV records or configuration for KDC servers in `krb5.conf`
+can cause problems with hostname resolution.
+
+--
+
+`Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))`::
+
+`Failure unspecified at GSS-API level (Mechanism level: Clock skew too great (37))`::
++
+--
+
+To prevent replay attacks, Kerberos V5 sets a maximum tolerance for computer
+clock synchronization and it is typically 5 minutes. Please check whether
+the time on the machines within the domain is in sync.
+
+--
+
+As Kerberos logs are often cryptic in nature and many things can go wrong
+as it depends on external services like DNS and NTP. You might
+have to enable additional debug logs to determine the root cause of the issue.
+
+{es} uses a JAAS (Java Authentication and Authorization Service) Kerberos login
+module to provide Kerberos support. To enable debug logs on {es} for the login
+module use following Kerberos realm setting:
+[source,yaml]
+----------------
+xpack.security.authc.realms.<realm-name>.krb.debug: true
+----------------
+
+For detailed information, see {ref}/security-settings.html#ref-kerberos-settings[Kerberos realm settings].
+
+Sometimes you may need to go deeper to understand the problem during SPNEGO
+GSS context negotiation or look at the Kerberos message exchange. To enable
+Kerberos/SPNEGO debug logging on JVM, add following JVM system properties:
+
+`-Dsun.security.krb5.debug=true`
+
+`-Dsun.security.spnego.debug=true`
+
+For more information about JVM system properties, see {ref}/jvm-options.html[configuring JVM options].
+
[[trb-security-internalserver]]
=== Internal Server Error in Kibana
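Review bot: the new Kerberos section has a few wording defects that should be fixed before merge. In the checksum-failed resolution, `keytab contain up-to-date credentials` should read `contains`; the paragraph beginning `As Kerberos logs are often cryptic in nature and many things can go wrong` is a sentence fragment and would read better as `Kerberos logs are often cryptic, and many things can go wrong because Kerberos depends on external services such as DNS and NTP, so you might have to enable additional debug logs to determine the root cause of the issue.`; and both `use following Kerberos realm setting` and `on JVM, add following JVM system properties` are missing the article `the`. For the replay (34) and clock-skew (37) entries, please confirm the rendered output shows the two terms sharing the single clock-synchronisation description: AsciiDoc stacks `::` terms when they sit on adjacent lines, and there is a blank line between these two. Lastly, since `krb.debug` and the `sun.security.krb5.debug` / `sun.security.spnego.debug` properties produce verbose output that includes principal names and ticket details, consider adding one sentence advising readers to disable them once the issue is diagnosed.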