Keycloak deactivate Kerberos auth without been auth - keycloak

I'm trying to use Keycloak in order to success a login configuration with Kerberos. (Which is a big failure)
I've made a mistake which is Kerberos : Required.
In other word I opened Authentication > Select Browser > Requirement : Required on Kerberos
So I can't connect anymore, I got a "Invalid username or password" when logging on "http://localhost:8080/auth"
Has someone had an issue to resolve this without deleting and reconfiguring the server?

Found something which help me a lot. I solved my problem so, i will explain how
I've used in my bin directory : kcadmin.bat (or .sh)
Opened in a CMD
Login with kcadmin
kcadm.bat config credentials --server http://localhost:8080/auth --realm master --user admin
Next, i get the ID i need to update the flow (master) :
kcadmin.bat get authentication/flows/{FLOW}/executions
Next, i put in a JSON file {"id":"ID_of_my_flow", "requirement":"ALTERNATIVE"}
Save my file and finaly just wrote
kcadmin.bat update authentication/flows/master/executions -r REALM -f myfile.json
Thanks.

Related

How can I check Kerberos Authentication as part of liveness probe?

I need to restart my open shift PODs whenever I see Kerberos authentication failure exception. To get that done, I need to check the Kerberos authentication as part of liveness check. Can you someone please let me know how do I check Kerberos authentication without proceeding a message to kafka broker? Thanks.
A simple klist command can be used to list the Kerberos principal and tickets held in a credentials cache or the keys held in a keytab.
I also read another method here: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-52-01/configuring/policy-server-configuration/authentication-schemes/configure-kerberos-authentication/troubleshoot-kerberos-authentication-setup.html
Windows:
Verify whether the keytab file is valid. Run the following command:
kinit -k -t keytab_file_location
respective_spn
This command returns no error when the keytab file is valid.
UNIX:
Run the following command:
kinit -k -t keytab_file
service_principal_name
If you get no errors, keytab files are fine, and the krb.conf file has valid values.
Hope this helps or at least gives you some ideas on how to test without producing a message to the topic!

Unable to create repository on IBM Cloud

I'm able to login successfully with : ibmcloud cr login
but when i try to create a repository in the registry, i have the following error :
docker push registry.eu-gb.bluemix.net/fdutreg/ksrepo
The push refers to repository [registry.eu-gb.bluemix.net/fdutreg/ksrepo]
428c97da766c: Preparing
unauthorized: The login credentials are not valid, or your IBM Cloud account is not active.
Any idea ?
Replace registry.eu-gb.bluemix.net by registry.eu-de.bluemix.net and now this is ok.
2 years later but probably someone could be experimenting the same issue. The thing is that you are not authenticate to the registry. You can authenticate with an API key using:
docker login -u iamapikey -p apikey registry_url
For the apikey field you can create an apikey in Manage > IAM > APIkeys > Create an IBM Cloud API key in ibm.cloud.com
It is important to know that Using --password via the CLI is insecure. Use --password-stdin. You can find alternatives in https://cloud.ibm.com/docs/Registry?topic=Registry-registry_access
Log your local Docker daemon into the IBM Cloud Container Registry.run the following command:
ibmcloud cr login

I can’t login to the server as the user I’ve created

I got “Permission denied (publickey)" using:
ssh $USERNAME#my-ip
Things I’ve done:
Using Public/Private Key authentication, I can login to the server as root.
I created a user in the sudo group
I confirmed that my created user has sudo priveleges as I viewed auth.log successfully (sudo cat /var/log/auth.log)
I thought it was possibly because my server was unable to identify which key to use, as I have created multiple keys, so I specified which key to use:
ssh -i /path/to/key/id_rsa $USERNAME#my-ip
I got "Permission denied (publickey)" again.
I figured it out! Turns out I was missing an 's' in 'ssh' at the beginning of my authorized_keys file in my user. :) I also matched the permissions between the root and user authorized_keys files, though not sure if this helped truly.

Cannot login to keycloak admin console when running in domain cluster mode

Following the documentation guide, I have booted up a master and slave and I can see it connected via the logs:
Boot up master
$ domain.sh --host-config=host-master.xml
Boot up slave
$ domain.sh --host-config=host-slave.xml
I've also followed the steps to set up the admin user via the add-user.sh. Further research indicated that I should use the add-user-keycloak.sh script to add an initial admin user:
./add-user-keycloak.sh -u john
Press ctrl-d (Unix) or ctrl-z (Windows) to exit
Password:
Added 'john' to '../standalone/configuration/keycloak-add-user.json', restart server to load user
Reran the master and slave, but cannot login to admin console.
However, what's interesting is when I tried to boot up in standalone mode I was able to the admin console as john:
./standalone.sh
Is this a bug or am I missing something (most likely) that's not in the documentation?
Thanks in advance...
Figured it out, hope this helps somebody.
Before you start in domain cluster mode:
./domain --host-config=host-master.xml
./domain --host-config=host-slave.xml
you must first create the admin so you can log in to admin console using the --sc tag, otherwise add-user-keycloak.sh only adds the admin user for the standalone mode. To do that:
./add-user-keycloak.sh --sc ../domain/servers/server-one/configuration -u john -p password
if configuration folder does not exist, then create the directory.
The ./add-user-keycloak.sh script seems to be a little outdated. Currently (as of Keycloak 12.0.2 version) it creates keycloak-add-user.json file in ./domain/configuration/ directory - That is wrong!
The file should be in ./domain/servers/server-one/configuration.
Now you just have to move the file to that directory, restart the server and it should work properly.
I found this solution on this 2-year old email thread:
https://lists.jboss.org/pipermail/keycloak-user/2018-January/012642.html

Why password becomes incorrect after generating keytab in Kerberos?

In my Kerberos system:
run kinit test and input passwd, succeed.
generate keytab by kadmin.local -q "xst -k test.keytab test".
run kinit test and input passwd, failed:
kinit: Password incorrect while getting initial credentials
run kinit -k -t test.keytab test, succeed.
Is this normal ? If not, what are possible reasons?
Thanks.
I found that the attribute krbLastPwdChange(a timestamp value) in kerberos's database changed after I run:
kadmin.local -q "xst -k test.keytab test"
While add the option -norandkey will just create the keytab without changing password:
kadmin.local -q "xst -norandkey -k test.keytab test"
I can not find the detail document about kadmin xst.
This is by design. You cannot have both a password and a keytab in Kerberos. The reason is if both were enabled, if someone was able to pull a keytab on your behalf or was in possession of a copy of your keytab, then they could masquerade as you and you would never know it. They would be able to generate a TGT via kinit.
By pulling a keytab, the password is invalidated, so if you then tried to log in with a password, you would get an error. And even if you didn't know exactly what was going on, if you reset your password, it would invalidate the keytab.
For one simple reason:
kinit tells you that the client has not been found in the database, right? By default, when kinit is invoked with a keytab it uses the default server pricipal to obtain TGT. In your case host/<hostname>#REALM but your keytab contains a key for principal test#REALM.
I had this issue too until I have asked the MIT Kereros mailing list.