[ https://issues.apache.org/jira/browse/DIRSERVER-2156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15356807#comment-15356807 ]

Martin Choma commented on DIRSERVER-2156:
-----------------------------------------

Setting {code}authContext.setClientAddress(null);{code} didn't help me. I see 
the same problem.

I wonder, isn't the client address properly set in the ticket in 
AuthenticationService.generateTicket?

{code}encTicketPart.setClientAddresses( request.getKdcReqBody().getAddresses() );{code}

Note packet number 7 in IBMJavaIdentityPropagation.pcapng. It is that 
delegated TGT ticket (forwarded), and this TGS-REQ contains addresses in the 
KDC req body.
Isn't the problem that, for some reason, IBM Java sets these addresses in the 
KDC req body in the case of a delegated TGT ticket? And then these addresses 
are propagated into the TGT ticket. And then the address check fails.

What do you think about adding a "don't check addresses" feature to ApacheDS?


> ApacheDS issues TGT kerberos ticket with address on IBM java
> ------------------------------------------------------------
>
>                 Key: DIRSERVER-2156
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-2156
>             Project: Directory ApacheDS
>          Issue Type: Bug
>    Affects Versions: 2.0.0-M20
>            Reporter: Martin Choma
>         Attachments: IBMJavaIdentityPropagation.log, 
> IBMJavaIdentityPropagation.pcapng, OracleJavaIdentityPropagation.log, 
> OracleJavaIdentityPropagation.pcapng
>
>
> ApacheDS issues a TGT Kerberos ticket with an address on IBM Java, even if
> noaddresses = true is explicitly set in krb5.conf.
> The address in the ticket causes a problem, because ApacheDS checks the 
> address in the ticket against the address of the connection. And that leads 
> to the error "error 38 Incorrect net address".
> I don't see this issue with IBM Java and Active Directory, for instance, so I
> think it is not a problem of the client code.
> Also note that running ApacheDS with OpenJDK and Oracle Java I also don't
> see this.
> The only problematic combination is ApacheDS vs. IBM Java 8.
> The tested use case is identity propagation / delegation.
> In the attachments you can find the relevant logs with 
> org.apache.directory.server.KERBEROS_LOG set to DEBUG for Oracle and IBM 
> Java. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
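
The address propagation and check discussed in this thread, as an added example that is not part of the original message and is not ApacheDS code. It is a simplified model of the RFC 4120 client-address rule; all class, method and parameter names are hypothetical, the IP addresses are constructed, and `skipAddressCheck` stands in for the "don't check addresses" option proposed in the comment.

```java
import java.net.InetAddress;
import java.util.List;

// Simplified model (Java 16+). Not ApacheDS code; every name here is hypothetical.
public class AddressCheckDemo {
    static final int KRB_AP_ERR_BADADDR = 38; // "Incorrect net address" (RFC 4120)

    // A ticket reduced to the one field that matters here: the client address list.
    record Ticket(List<InetAddress> clientAddresses) {}

    // Models the propagation quoted in the comment: whatever addresses arrive in
    // the KDC-REQ body are copied into the issued ticket unchanged.
    static Ticket issueTicket(List<InetAddress> requestBodyAddresses) {
        return new Ticket(List.copyOf(requestBodyAddresses));
    }

    // RFC 4120 rule: an empty address list means the ticket may be used from any
    // address; a non-empty list must contain the address the request came from.
    // Returns 0 on success, otherwise the Kerberos error code.
    static int checkAddress(Ticket ticket, InetAddress sender, boolean skipAddressCheck) {
        if (skipAddressCheck || ticket.clientAddresses().isEmpty()) {
            return 0;
        }
        return ticket.clientAddresses().contains(sender) ? 0 : KRB_AP_ERR_BADADDR;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample addresses from the documentation range (no DNS lookup).
        InetAddress clientHost = InetAddress.getByName("192.0.2.10");
        InetAddress serviceHost = InetAddress.getByName("192.0.2.20");

        // Request body carries the client's address: the forwarded ticket is bound to it.
        Ticket addressed = issueTicket(List.of(clientHost));
        // Request body carries no addresses: the ticket is address-less.
        Ticket addressless = issueTicket(List.of());

        System.out.println("addressed ticket, used from client host:    "
                + checkAddress(addressed, clientHost, false));
        System.out.println("addressed ticket, used from service host:   "
                + checkAddress(addressed, serviceHost, false));
        System.out.println("address-less ticket, used from service host: "
                + checkAddress(addressless, serviceHost, false));
        System.out.println("addressed ticket, check disabled:           "
                + checkAddress(addressed, serviceHost, true));
    }
}
```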
