https://issues.apache.org/bugzilla/show_bug.cgi?id=56523
--- Comment #2 from Arunav Sanyal <arunav.sanya...@gmail.com> ---
Thanks Mark
Here is an example stack trace from our installation of tomcat along with a few
of our webapps defined.
Node is starting in kerberos mode.
2014-Jan-30 13:26:24.074 Starting Tomcat on HTTP port [64960].
[2014-Jan-30 13:26:24.241] Domain service init method is called.
[2014-Jan-30 13:26:44.916] Enabling master Core services.
[2014-Jan-30 13:26:44.925] Domain Configuration service init method is called.
[2014-Jan-30 13:26:47.015] Log service init method is called.
[2014-Jan-30 13:26:47.081] User Management service init method is called.
[2014-Jan-30 13:26:48.500] Edr service init method is called.
[2014-Jan-30 13:26:49.760] Called the alert domain function init method.
[2014-Jan-30 13:26:49.888] Licensing service init method is called.
[2014-Jan-30 13:26:50.014] Monitoring service init method is called.
[2014-Jan-30 13:26:50.105] Plugin Registry service init method is called.
[2014-Jan-30 13:26:50.121] Master Core services enabled.
[2014-Jan-30 13:26:50.728] LogServiceAgent init method is called.
Jan 31, 2014 4:16:59 PM org.apache.catalina.authenticator.SpnegoAuthenticator
authenticate
SEVERE: Unable to login as the service principal
javax.security.auth.login.LoginException: Clock skew too great (37)
at
com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:763)
at
com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584)
at sun.reflect.GeneratedMethodAccessor224.invoke(Unknown Source)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
at
org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:214)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:574)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)
at
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
Caused by: KrbException: Clock skew too great (37)
at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:95)
at sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:159)
at sun.security.krb5.KrbAsRep.decryptUsingKeyTab(KrbAsRep.java:121)
at sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:288)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364)
at
com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:735)
... 23 more
Jan 31, 2014 4:16:59 PM org.apache.catalina.authenticator.SpnegoAuthenticator
authenticate
SEVERE: Unable to login as the service principal
javax.security.auth.login.LoginException: Clock skew too great (37)
at
com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:763)
at
com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584)
at sun.reflect.GeneratedMethodAccessor224.invoke(Unknown Source)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
at
org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:214)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:574)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)
at
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
Caused by: KrbException: Clock skew too great (37)
at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:95)
at sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:159)
at sun.security.krb5.KrbAsRep.decryptUsingKeyTab(KrbAsRep.java:121)
at sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:288)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364)
at
com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:735)
... 23 more
Yes you are right. It should be logged at debug only when its an instance of
GSSException. However in practice I have seen any other underlying reason for
PrivilegedActionException because the Actions can only throw GSSExceptions.
Should I still go ahead and ascertain the cause and log only when underlying
cause is GSSException.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
