From your logs looks like you’re not using Kerby client API to contact with Kerby KDC. So I guess your client didn’t send preauth data, but Kerby KDC required it by default, then it refused. Please note it’s still on-going to implement kdc server correctly handling krb errors and the 4 passes. When done, your client will be responded with error message in such case, instead of nothing got until timeout. If it’s desired, I will raise the priority of the task in my side.
Regards, Kai From: Colm O hEigeartaigh [mailto:[email protected]] Sent: Tuesday, April 21, 2015 6:29 PM To: Apache Directory Developers List Subject: Re: Kerby GSS tests? Hi Kai, Thanks for your response. I have a test-case of sorts that shows the interop failure (although I can't reproduce the issue I reported yesterday about the preauthentication data). https://github.com/coheigea/testcases/tree/master/apache/cxf/cxf-kerberos-kerby Run it with "mvn clean install". You may need the install the parent module as well before running this, which is one level up. The test sets up a Kerby server, and I have a @Ignore'd test using Kerby client API to successfully communicate with it. Then I have a Apache CXF-based test which uses the Kerberos functionality here (based on GSS) to get a service ticket. If I put printStackTrace in the DefaultKdcHandler the output looks like: Loaded from Java config >>> KdcAccessibility: reset >>> KdcAccessibility: reset Using builtin default etypes for default_tkt_enctypes default etypes for default_tkt_enctypes: 18 17 16 23 1 3. >>> KrbAsReq creating message >>> KrbKdcReq send: kdc=127.0.0.1 TCP:9002, timeout=30000, number of retries >>> =3, #bytes=169 >>> KDCCommunication: kdc=127.0.0.1 TCP:9002, timeout=30000,Attempt =1, >>> #bytes=169 java.net.SocketTimeoutException: Read timed out at java.net.SocketInputStream.socketRead0(Native Method) at java.net.SocketInputStream.read(SocketInputStream.java:152) at java.net.SocketInputStream.read(SocketInputStream.java:122) at java.net.SocketInputStream.read(SocketInputStream.java:210) at java.io.DataInputStream.readInt(DataInputStream.java:387) at org.apache.kerby.kerberos.kerb.transport.KrbTcpTransport.receiveMessage(KrbTcpTransport.java:54) at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:46) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:745) >>>DEBUG: TCPClient could not read length field >>> KrbKdcReq send: #bytes read=0 Any ideas? Colm. On Tue, Apr 21, 2015 at 12:09 AM, Zheng, Kai <[email protected]<mailto:[email protected]>> wrote: Hi Colm, We haven’t any test for GSS client against Kerby yet, though we do have tests in protocol level for ApReq (in kerb-core-test module). We might look at existing ApacheDS Kerberos codes to see if any such end to end tests to port. You’re right, current UDP support for KdcNetwork and NettyKdcNetwork are to be done yet. I originally got them done some days ago, but recently I was extremely busy with other projects, so kinds of delayed. Sure JIRAs would be good to record them. For the issue you ran into, do you have test codes to repeat it, so we may have the chance to look at it? Thanks. Regards, Kai From: Colm O hEigeartaigh [mailto:[email protected]<mailto:[email protected]>] Sent: Monday, April 20, 2015 10:40 PM To: Apache Directory Developers List Subject: Kerby GSS tests? Hi all, Are there any tests in the source (or has anyone successfully tested) a Java GSS client -> Apache Kerby? The first issue I ran into was that neither the KdcNetwork nor the NettyKdcNetwork work with UDP. Is there a JIRA for this (or any plans to fix it)? I could work around the above by setting "udp_preference_limit = 1". However, I then run into an issue where it fails due to no pre-authentication data in the request. Are we sure that this parsing is working correctly? Colm. -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
