[
https://issues.apache.org/jira/browse/DIRKRB-631?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16052826#comment-16052826
]
Marc de Lignie commented on DIRKRB-631:
---------------------------------------
Hi Jiajia,
I tested your patch for this issue on my system with success; see below. Great
work.
+1 for closing this issue.
Cheers, Marc
marc@AntecMarc:~/Projects/directory-kerby$ . kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/MitIssueTest.sh
[7271] 1497704603.215880: Retrieving [email protected] from
FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key
table file '/etc/krb5/user/1000/client.keytab' not found
[7271] 1497704603.216057: Retrieving [email protected] from
FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key
table file '/etc/krb5/user/1000/client.keytab' not found
kerberos.authGSSClientInit successful
[7271] 1497704603.216410: Getting credentials [email protected] ->
test-service/localhost@ using ccache
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
[7271] 1497704603.216435: Retrieving [email protected] ->
test-service/localhost@ from
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc with result:
-1765328243/Matching credential not found (filename:
kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc)
[7271] 1497704603.216451: Retrying [email protected] ->
test-service/[email protected] with result: -1765328243/Matching credential
not found (filename: kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc)
[7271] 1497704603.216454: Server has referral realm; starting with
test-service/[email protected]
[7271] 1497704603.216503: Retrieving [email protected] ->
krbtgt/[email protected] from
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc with result: 0/Success
[7271] 1497704603.216525: Starting with TGT for client realm: [email protected]
-> krbtgt/[email protected]
[7271] 1497704603.216527: Requesting tickets for
test-service/[email protected], referrals on
[7271] 1497704603.216553: Generated subkey for TGS request: aes128-cts/B84F
[7271] 1497704603.216588: etypes requested in TGS request: aes256-cts,
aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts,
camellia256-cts
[7271] 1497704603.216689: Encoding request body and padata into FAST request
[7271] 1497704603.216730: Sending request (836 bytes) to TEST.COM
[7271] 1497704603.216753: Resolving hostname localhost
[7271] 1497704603.216808: Initiating TCP connection to stream 127.0.0.1:32893
[7271] 1497704603.216910: Sending TCP request to stream 127.0.0.1:32893
[7271] 1497704603.233757: Received answer (550 bytes) from stream
127.0.0.1:32893
[7271] 1497704603.233766: Terminating TCP connection to stream 127.0.0.1:32893
[7271] 1497704603.499207: Response was not from master KDC
[7271] 1497704603.499262: Decoding FAST response
[7271] 1497704603.499339: TGS reply didn't decode with subkey; trying session
key (
[7271] 1497704603.499359: Decoding FAST response
[7271] 1497704603.499438: TGS reply is for [email protected] ->
test-service/[email protected] with session key aes128-cts/F165
[7271] 1497704603.499469: TGS request result: 0/Success
[7271] 1497704603.499476: Received creds for desired service
test-service/[email protected]
[7271] 1497704603.499491: Storing [email protected] -> test-service/localhost@
in FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
[7271] 1497704603.499609: Also storing [email protected] ->
test-service/[email protected] based on ticket
[7271] 1497704603.499628: Removing [email protected] ->
test-service/[email protected] from
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
[7271] 1497704603.499766: Creating authenticator for [email protected] ->
test-service/localhost@, seqnum 1022979379, subkey aes128-cts/6609, session key
aes128-cts/F165
[7271] 1497704603.499795: Negotiating for enctypes in authenticator:
aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac,
camellia128-cts, camellia256-cts
First kerberos.authGSSClientStep successful
marc@AntecMarc:~/Projects/directory-kerby$ klist
Ticket cache: FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
Default principal: [email protected]
Valid starting Expires Service principal
17-06-17 15:03:00 17-06-17 23:03:00 krbtgt/[email protected]
renew until 19-06-17 15:03:00
17-06-17 15:03:23 17-06-17 23:03:00 test-service/localhost@
renew until 17-06-17 23:03:00
17-06-17 15:03:23 17-06-17 23:03:00 test-service/[email protected]
renew until 17-06-17 23:03:00
marc@AntecMarc:~/Projects/directory-kerby$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial
marc@AntecMarc:~/Projects/directory-kerby$ klist -V
Kerberos 5 version 1.15.1
> Not compatible with MIT Kerberos 1.11+
> --------------------------------------
>
> Key: DIRKRB-631
> URL: https://issues.apache.org/jira/browse/DIRKRB-631
> Project: Directory Kerberos
> Issue Type: Bug
> Affects Versions: 1.0.0-RC2, 1.0.0
> Environment: Debian, Fedora
> Reporter: Marc de Lignie
> Fix For: 1.0.1
>
>
> The Kerby KDC does not accept preauthentication from an MIT Kerberos client
> starting from version 1.11. V1.11 hallmarks the implementation of the FAST
> OTP standard in MIT Kerberos, apparently with changes not understood by Kerby.
> More details on stacktraces are available from:
> http://mail-archives.apache.org/mod_mbox/directory-kerby/201705.mbox/browser
> A failing test is available from:
> https://github.com/vtslab/directory-kerby/tree/MitIssue
> Without an update on MIT Kerberos compatibility Directory Kerby is not usable
> for testing Kerberos functionality in Apache TinkerPop's gremlin-python
> module (the more so because the MIT Kerberos 1.10 source distribution does
> not compile anymore with the gcc-5.x from recent LTS Linux distributions).
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)