All, I've set up a development environment for working with the Kerberos client library and am running into a problem generating a service ticket. The code below "works" in that I get a TGT and it fails if I put in the wrong password, but I don't seem to get the correct tickets, and when I try to generate a service ticket I get an exception. Below is my code and the exception. I've also attached packet captures from both a successful kinit and the failed Kerberos client login.
Code:
Properties props = new Properties();
props.setProperty("log4j.rootLogger", "DEBUG,A1");
props.setProperty("log4j.appender.A1", "org.apache.log4j.ConsoleAppender");
props.setProperty("log4j.appender.A1.layout", "org.apache.log4j.PatternLayout");
props.setProperty("log4j.appender.A1.layout.ConversionPattern", "%-4r [%t] %-5p %c %x - %m%n");
PropertyConfigurator.configure(props);

System.out.println("creating principal");
KerberosPrincipal clientPrincipal = new KerberosPrincipal("[email protected]");

System.out.println("creating con");
KdcConnection con = new KdcConnection("adfs-dc.w2k3r2.test.com");

System.out.println("creating tgt");
KerberosTicket tgt = con.getTicketGrantingTicket(clientPrincipal, new String("$tart123"));

System.out.println("generating service ticket");
KerberosPrincipal sp = new KerberosPrincipal("http/[email protected]");
KerberosTicket sgt = con.getServiceTicket(tgt, sp);
System.out.println("service ticket granted");

tgt.destroy();
con.disconnect();
Output:
creating principal
creating con
creating tgt
0 [NioProcessor-1] DEBUG org.apache.directory.client.kerberos.protocol.KerberosClientHandler - adfs-dc.w2k3r2.test.com/192.168.174.133:88 CREATED: datagram
418 [NioProcessor-1] DEBUG org.apache.mina.filter.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 1
431 [NioProcessor-1] DEBUG org.apache.directory.client.kerberos.protocol.KerberosClientHandler - adfs-dc.w2k3r2.test.com/192.168.174.133:88 RCVD: org.apache.directory.server.kerberos.shared.messages.kdcre...@1960f05
445 [main] DEBUG org.apache.directory.client.kerberos.GetTicketGrantingTicket - Received ticket for '[email protected]' to access 'krbtgt/[email protected]'.
generating service ticket
457 [NioProcessor-3] DEBUG org.apache.directory.client.kerberos.protocol.KerberosClientHandler - adfs-dc.w2k3r2.test.com/192.168.174.133:88 CREATED: datagram
467 [main] ERROR org.apache.directory.client.kerberos.protocol.KerberosClientHandler - adfs-dc.w2k3r2.test.com/192.168.174.133:88 EXCEPTION
org.apache.mina.filter.codec.ProtocolEncoderException: java.nio.BufferOverflowException
    at org.apache.mina.filter.codec.ProtocolCodecFilter.filterWrite(ProtocolCodecFilter.java:313)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callPreviousFilterWrite(DefaultIoFilterChain.java:505)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1400(DefaultIoFilterChain.java:47)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.filterWrite(DefaultIoFilterChain.java:813)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.filterWrite(DefaultIoFilterChain.java:739)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callPreviousFilterWrite(DefaultIoFilterChain.java:505)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireFilterWrite(DefaultIoFilterChain.java:497)
    at org.apache.mina.core.session.AbstractIoSession.write(AbstractIoSession.java:427)
    at org.apache.mina.core.session.AbstractIoSession.write(AbstractIoSession.java:368)
    at org.apache.directory.client.kerberos.GetServiceTicket.execute(GetServiceTicket.java:144)
    at org.apache.directory.client.kerberos.KdcConnection.getServiceTicket(KdcConnection.java:150)
    at org.apache.directory.client.kerberos.KdcConnection.getServiceTicket(KdcConnection.java:133)
    at TestKerb.main(TestKerb.java:27)
Caused by: java.nio.BufferOverflowException
    at java.nio.Buffer.nextPutIndex(Buffer.java:495)
    at java.nio.HeapByteBuffer.put(HeapByteBuffer.java:145)
    at org.apache.directory.shared.asn1.der.ASN1OutputStream$1.write(ASN1OutputStream.java:52)
    at java.io.FilterOutputStream.write(FilterOutputStream.java:60)
    at java.io.FilterOutputStream.write(FilterOutputStream.java:108)
    at java.io.FilterOutputStream.write(FilterOutputStream.java:80)
    at org.apache.directory.shared.asn1.der.ASN1OutputStream.writeEncoded(ASN1OutputStream.java:94)
    at org.apache.directory.shared.asn1.der.DERApplicationSpecific.encode(DERApplicationSpecific.java:86)
    at org.apache.directory.shared.asn1.der.ASN1OutputStream.writeObject(ASN1OutputStream.java:106)
    at org.apache.directory.server.kerberos.shared.io.encoder.KdcRequestEncoder.encode(KdcRequestEncoder.java:61)
    at org.apache.directory.client.kerberos.protocol.KerberosClientUdpEncoder.encode(KerberosClientUdpEncoder.java:46)
    at org.apache.mina.filter.codec.ProtocolCodecFilter.filterWrite(ProtocolCodecFilter.java:298)
    ... 12 more
469 [main] ERROR org.apache.directory.client.kerberos.GetServiceTicket - KDC returned error; ticket will be null.
service ticket granted
Thanks
Marc
Attachments: apacheds-kerb-client, kinit, krb5.conf
