Hi Jiajia,

Great to read that you made progress on this issue and to see a working config at your side. Below, I list my progress (with trunk merged into my MitIssue branch), but I am afraid we are not done yet.

Things that stand out:
- the kdc decoding error is solved, relative to the logs without your patch
- your KRB5 tracing looks quite different. What OS and mit-kerberos version did you use?
- your KRB5 tracing shows UDP comms between kerberos client and KDC, despite the allowUDP = false setting in my test. I did this setting because I get different problems without it, see the additional logs below. So, we must also be aware of networking problems at my side.
- the "Response was not from master KDC" msg is not relevant; it disappears if you manually add master_kdc to the realms section of the krb5.conf

I have no idea how to proceed from here, so that is why I just document the status at my side and ask about your - apparently working - config.
Cheers, Marc

KDC logging with allowUDP = false:

[INFO] Running org.apache.kerby.kerberos.kerb.server.MitIssueTest
[pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.request.AsRequest - AS_REQ ISSUE: authtime 1493970789075,[email protected] for krbtgt/[email protected]
[main] INFO org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClient - Send to kdc success.
[main] INFO org.apache.kerby.kerberos.kerb.client.KrbClientBase - Storing the tgt to the credential cache file.
[pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.request.KdcRequest - The preauth data is empty.
[pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.KdcHandler - KRB error occurred while processing request:Additional pre-authentication required
[pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.request.AsRequest - AS_REQ ISSUE: authtime 1493970789108,test-service/[email protected] for krbtgt/[email protected]
[pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.request.KdcRequest - Found fast padata and starting to process it.
[pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.request.KdcRequest - Found fast padata and starting to process it.

Python script KRB5 tracing (MIT Kerberos 1.13.2 of Ubuntu Xenial) with allowUDP = false:

$ . kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/MitIssueTest.sh
[25281] 1493970797.298753: Retrieving [email protected] from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[25281] 1493970797.298952: Retrieving [email protected] from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[25281] 1493970797.299106: Retrieving [email protected] from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[25281] 1493970797.299213: Retrieving [email protected] from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[25281] 1493970797.299323: Retrieving [email protected] from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[25281] 1493970797.299436: Retrieving [email protected] from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[25281] 1493970797.299545: Retrieving [email protected] from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[25281] 1493970797.299654: Retrieving [email protected] from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
kerberos.authGSSClientInit successful
[25281] 1493970797.299922: Getting credentials [email protected] -> test-service/localhost@ using ccache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
[25281] 1493970797.299945: Retrieving [email protected] -> test-service/localhost@ from FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc with result: -1765328243/Matching credential not found
[25281] 1493970797.299959: Retrying [email protected] -> test-service/[email protected] with result: -1765328243/Matching credential not found
[25281] 1493970797.299962: Server has referral realm; starting with test-service/[email protected]
[25281] 1493970797.299975: Retrieving [email protected] -> krbtgt/[email protected] from FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc with result: 0/Success
[25281] 1493970797.299979: Starting with TGT for client realm: [email protected] -> krbtgt/[email protected]
[25281] 1493970797.299981: Requesting tickets for test-service/[email protected], referrals on
[25281] 1493970797.299994: Generated subkey for TGS request: aes128-cts/1B9B
[25281] 1493970797.300009: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[25281] 1493970797.300054: Encoding request body and padata into FAST request
[25281] 1493970797.300080: Sending request (823 bytes) to TEST.COM
[25281] 1493970797.300091: Resolving hostname localhost
[25281] 1493970797.300136: Initiating TCP connection to stream 127.0.0.1:34319
[25281] 1493970797.300191: Sending TCP request to stream 127.0.0.1:34319
[25281] 1493970797.303610: Received answer (125 bytes) from stream 127.0.0.1:34319
[25281] 1493970797.303618: Terminating TCP connection to stream 127.0.0.1:34319
[25281] 1493970797.553126: Response was not from master KDC
[25281] 1493970797.553198: TGS request result: -1765323383/Unknown code krcM 137
[25281] 1493970797.553234: Requesting tickets for test-service/[email protected], referrals off
[25281] 1493970797.553273: Generated subkey for TGS request: aes128-cts/94C6
[25281] 1493970797.553323: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[25281] 1493970797.553436: Encoding request body and padata into FAST request
[25281] 1493970797.553532: Sending request (823 bytes) to TEST.COM
[25281] 1493970797.553567: Resolving hostname localhost
[25281] 1493970797.553745: Initiating TCP connection to stream 127.0.0.1:34319
[25281] 1493970797.553889: Sending TCP request to stream 127.0.0.1:34319
[25281] 1493970797.558297: Received answer (125 bytes) from stream 127.0.0.1:34319
[25281] 1493970797.558318: Terminating TCP connection to stream 127.0.0.1:34319
[25281] 1493970797.561189: Response was not from master KDC
[25281] 1493970797.561258: TGS request result: -1765323383/Unknown code krcM 137
('First kerberos.authGSSClientStep not successful', GSSError(('Unspecified GSS failure. Minor code may provide more information', 851968), ('Unknown code krcM 137', -1765323383)))

KDC logging with allowUDP = true:

[INFO] Running org.apache.kerby.kerberos.kerb.server.MitIssueTest
[pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.request.AsRequest - AS_REQ ISSUE: authtime 1493972505784,[email protected] for krbtgt/[email protected]
[main] INFO org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClient - Send to kdc success.
[main] INFO org.apache.kerby.kerberos.kerb.client.KrbClientBase - Storing the tgt to the credential cache file.
[pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.request.KdcRequest - The preauth data is empty.
[pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.KdcHandler - KRB error occurred while processing request:Additional pre-authentication required
[pool-1-thread-2] INFO org.apache.kerby.kerberos.kerb.server.request.AsRequest - AS_REQ ISSUE: authtime 1493972505948,test-service/[email protected] for krbtgt/[email protected]
Exception in thread "Thread-0" java.lang.RuntimeException: Error occured while checking udp connections
    at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(KdcNetwork.java:105)
    at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.access$000(KdcNetwork.java:39)
    at org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.run(KdcNetwork.java:75)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.nio.channels.ClosedChannelException
    at sun.nio.ch.DatagramChannelImpl.ensureOpen(DatagramChannelImpl.java:320)
    at sun.nio.ch.DatagramChannelImpl.receive(DatagramChannelImpl.java:331)
    at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.checkUdpMessage(KdcNetwork.java:132)
    at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(KdcNetwork.java:101)
    ... 3 more

krb5.conf:

[libdefaults]
    kdc_realm = TEST.COM
    default_realm = TEST.COM
    udp_preference_limit = 4096
    kdc_tcp_port = 37080
    kdc_udp_port = 36525
[realms]
    TEST.COM = {
        kdc = localhost:36525
    }

And port 36525 does not show up in `netstat -l` (while 37080 does).

On 04-05-17 at 14:55, Li, Jiajia wrote:
Hi Marc,

I try to run your test (through applying your patch in the trunk), I think it's success now. Could you take some time to check about it? Here is the log:

directory-kerby git:(trunk) ✗ . kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/MitIssueTest.sh
kerberos.authGSSClientInit successful
2017-05-04T20:44:06 set-error: -1765328234: entypes not supported
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for krb5_ccache_conf_data/realm-config@X-CACHECONF: in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for test-service/[email protected] in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for krb5_ccache_conf_data/negative-cache/test-service\134/localhost\[email protected]@X-CACHECONF: in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for krb5_ccache_conf_data/lkdc-hostname@X-CACHECONF: in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for krb5_ccache_conf_data/sitename@X-CACHECONF: in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for test-service/[email protected] in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328234: Encryption type des-cbc-md5-deprecated not supported
2017-05-04T20:44:06 set-error: -1765328234: Encryption type des-cbc-md4-deprecated not supported
2017-05-04T20:44:06 set-error: -1765328234: Encryption type des-cbc-crc-deprecated not supported
2017-05-04T20:44:06 Trying to find service kdc for realm TEST.COM flags 0
2017-05-04T20:44:06 configuration file for realm TEST.COM found
2017-05-04T20:44:06 submissing new requests to new host
2017-05-04T20:44:06 host_create: setting hostname localhost
2017-05-04T20:44:06 connecting to host: udp ::1:52534 (localhost) tid: 00000001
2017-05-04T20:44:06 host_create: setting hostname localhost
2017-05-04T20:44:06 Queuing host in future (in 3s), its the 2 address on the same name: udp 127.0.0.1:52534 (localhost) tid: 00000002
2017-05-04T20:44:06 writing packet: udp ::1:52534 (localhost) tid: 00000001
2017-05-04T20:44:06 reading packet: udp ::1:52534 (localhost) tid: 00000001
2017-05-04T20:44:06 host completed: udp ::1:52534 (localhost) tid: 00000001
2017-05-04T20:44:06 krb5_sendto_context TEST.COM done: 0 hosts 1 packets 1 wc: 0.048927 nr: 0.000932 kh: 0.000814 tid: 00000002
2017-05-04T20:44:06 tkt: extract key 17/763641F3
2017-05-04T20:44:06 set-error: -1765328353: Decrypt integrity check failed for checksum type hmac-sha1-96-aes128, key type aes128-cts-hmac-sha1-96
2017-05-04T20:44:06 tkt: extract key 17/3084A95C
2017-05-04T20:44:06 krb5_get_credentials_with_flags: TEST.COM wc: 0.050317
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for krb5_ccache_conf_data/realm-config@X-CACHECONF: in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for krb5_ccache_conf_data/time-offset/test-service\134/localhost\[email protected]@X-CACHECONF: in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 Setting up PFS for auth context
2017-05-04T20:44:06 set-error: -1765328234: Encryption type des-cbc-md5-deprecated not supported
2017-05-04T20:44:06 set-error: -1765328234: Encryption type des-cbc-md4-deprecated not supported
2017-05-04T20:44:06 set-error: -1765328234: Encryption type des-cbc-crc-deprecated not supported
First kerberos.authGSSClientStep successful

Thanks
Jiajia

-----Original Message-----
From: Zheng, Kai [mailto:[email protected]]
Sent: Wednesday, May 3, 2017 7:29 PM
To: [email protected]
Subject: RE: MIT Kerberos compatibility

Hi Marc,

In case you're not aware of this, please check out the latest fix made by Jiajia. We thought your case may be different, but would be good to have a check before we can repeat/fix your case. Thanks.

https://issues.apache.org/jira/browse/DIRKRB-625

Regards, Kai

-----Original Message-----
From: Marc de Lignie [mailto:[email protected]]
Sent: Sunday, April 30, 2017 7:45 PM
To: [email protected]
Subject: Re: MIT Kerberos compatibility

Hi Kai,

The terminal output below is for the latest MIT Kerberos 1.15.1 (locally built on Ubuntu Xenial). Before that, I also tested with the default Xenial MIT Kerberos packages (1.13.2), with the same result. I did not try earlier MIT Kerberos versions.

Marc

On 29-04-17 at 21:42, Marc de Lignie wrote:

Hi Kai,

Thanks for the response. I prepared a minimal config that reproduces my problem. You can fetch the branch/commit from: https://github.com/vtslab/directory-kerby/commits/MitIssue

This is relative to RC2, but I also tried this on trunk for my actual project. This config produces the debug and error messages below.

1. For the terminal with the bash + python script

$ klist
Ticket cache: FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
Default principal: [email protected]
Valid starting Expires Service principal
29-04-17 21:07:39 30-04-17 05:07:39 krbtgt/[email protected]
renew until 29-04-17 21:07:39
$ .
kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/ server/MitIssueTest.sh [15538] 1493491231.917606: Retrieving [email protected] from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found [15538] 1493491231.917827: Retrieving [email protected] from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found kerberos.authGSSClientInit successful [15538] 1493491231.918185: Getting credentials [email protected] -> test-service/localhost@ using ccache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc [15538] 1493491231.918210: Retrieving [email protected] -> test-service/localhost@ from FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc with result: -1765328243/Matching credential not found (filename: kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc) [15538] 1493491231.918226: Retrying [email protected] -> test-service/[email protected] with result: -1765328243/Matching credential not found (filename: kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc) [15538] 1493491231.918229: Server has referral realm; starting with test-service/[email protected] [15538] 1493491231.918278: Retrieving [email protected] -> krbtgt/[email protected] from FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc with result: 0/Success [15538] 1493491231.918281: Starting with TGT for client realm: [email protected] -> krbtgt/[email protected] [15538] 1493491231.918301: Requesting tickets for test-service/[email protected], referrals on [15538] 1493491231.918326: Generated subkey for TGS request: aes128-cts/FA30 [15538] 1493491231.918359: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts [15538] 1493491231.918484: Encoding request body and padata into FAST request [15538] 1493491231.918541: Sending request (836 bytes) to TEST.COM 
[15538] 1493491231.918597: Resolving hostname localhost [15538] 1493491231.918703: Initiating TCP connection to stream 127.0.0.1:44292 [15538] 1493491231.918777: Sending TCP request to stream 127.0.0.1:44292 [15538] 1493491231.922803: TCP error receiving from stream 127.0.0.1:44292: 104/Connection reset by peer [15538] 1493491231.922812: Terminating TCP connection to stream 127.0.0.1:44292 [15538] 1493491231.922858: Sending initial UDP request to dgram 127.0.0.1:44292 ('First kerberos.authGSSClientStep not successful', GSSError(('Unspecified GSS failure. Minor code may provide more information', 851968), ("Cannot contact any KDC for realm 'TEST.COM'", -1765328228))) 2. For the terminal that runs mvn clean test -Dtest=MitIssueTest Running org.apache.kerby.kerberos.kerb.server.MitIssueTest 2017-04-29 21:07:39,182 DEBUG [main] backend.AbstractIdentityBackend: initialize called 2017-04-29 21:07:39,195 DEBUG [main] backend.AbstractIdentityBackend: getIdentity called, principalName = krbtgt/[email protected] 2017-04-29 21:07:39,195 DEBUG [main] backend.AbstractIdentityBackend: getIdentity failed, principalName = krbtgt/[email protected] 2017-04-29 21:07:39,212 DEBUG [main] backend.AbstractIdentityBackend: addIdentity successful, principalName = krbtgt/[email protected] 2017-04-29 21:07:39,212 DEBUG [main] backend.AbstractIdentityBackend: getIdentity called, principalName = kadmin/[email protected] 2017-04-29 21:07:39,212 DEBUG [main] backend.AbstractIdentityBackend: getIdentity failed, principalName = kadmin/[email protected] 2017-04-29 21:07:39,213 DEBUG [main] backend.AbstractIdentityBackend: addIdentity successful, principalName = kadmin/[email protected] 2017-04-29 21:07:39,216 DEBUG [main] backend.AbstractIdentityBackend: start called 2017-04-29 21:07:39,232 DEBUG [main] backend.AbstractIdentityBackend: addIdentity successful, principalName = test-service/[email protected] 2017-04-29 21:07:39,425 DEBUG [main] backend.AbstractIdentityBackend: addIdentity successful, 
principalName = [email protected] 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = krbtgt/[email protected] 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = krbtgt/[email protected] 2017-04-29 21:07:39,465 INFO [pool-1-thread-1] request.KdcRequest: Client entry is empty. 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = [email protected] 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = [email protected] 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = krbtgt/[email protected] 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = krbtgt/[email protected] 2017-04-29 21:07:39,476 DEBUG [pool-1-thread-1] impl.DefaultKdcHandler: Transport or decoding error occurred, disconnecting abnormally java.io.EOFException at java.io.DataInputStream.readInt(DataInputStream.java:392) at org.apache.kerby.kerberos.kerb.transport.KrbTcpTransport.receiveMessage(KrbTcpTransport.java:54) at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:46) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:748) 2017-04-29 21:07:39,477 INFO [main] client.KrbClientBase: Storing the tgt to the credential cache file. 
2017-04-29 21:07:39,491 DEBUG [main] backend.AbstractIdentityBackend: getIdentity called, principalName = test-service/[email protected] 2017-04-29 21:07:39,491 DEBUG [main] backend.AbstractIdentityBackend: getIdentity successful, principalName = test-service/[email protected] 2017-04-29 21:07:39,498 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = krbtgt/[email protected] 2017-04-29 21:07:39,498 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = krbtgt/[email protected] 2017-04-29 21:07:39,498 INFO [pool-1-thread-1] request.KdcRequest: Client entry is empty. 2017-04-29 21:07:39,499 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = test-service/[email protected] 2017-04-29 21:07:39,499 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = test-service/[email protected] 2017-04-29 21:07:39,499 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = krbtgt/[email protected] 2017-04-29 21:07:39,499 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = krbtgt/[email protected] 2017-04-29 21:07:39,499 INFO [pool-1-thread-1] request.KdcRequest: The preauth data is empty. 
2017-04-29 21:07:39,501 INFO [pool-1-thread-1] server.KdcHandler: KRB error occurred while processing request:Additional pre-authentication required 2017-04-29 21:07:39,502 DEBUG [pool-1-thread-1] impl.DefaultKdcHandler: Transport or decoding error occurred, disconnecting abnormally java.io.EOFException at java.io.DataInputStream.readInt(DataInputStream.java:392) at org.apache.kerby.kerberos.kerb.transport.KrbTcpTransport.receiveMessage(KrbTcpTransport.java:54) at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:46) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:748) 2017-04-29 21:07:39,505 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = krbtgt/[email protected] 2017-04-29 21:07:39,505 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = krbtgt/[email protected] 2017-04-29 21:07:39,505 INFO [pool-1-thread-1] request.KdcRequest: Client entry is empty. 
2017-04-29 21:07:39,506 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = test-service/[email protected] 2017-04-29 21:07:39,506 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = test-service/[email protected] 2017-04-29 21:07:39,506 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = krbtgt/[email protected] 2017-04-29 21:07:39,506 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = krbtgt/[email protected] 2017-04-29 21:07:39,510 DEBUG [pool-1-thread-1] impl.DefaultKdcHandler: Transport or decoding error occurred, disconnecting abnormally java.io.EOFException at java.io.DataInputStream.readInt(DataInputStream.java:392) at org.apache.kerby.kerberos.kerb.transport.KrbTcpTransport.receiveMessage(KrbTcpTransport.java:54) at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:46) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:748) 2017-04-29 21:07:55,602 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = krbtgt/[email protected] 2017-04-29 21:07:55,602 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = krbtgt/[email protected] 2017-04-29 21:07:55,602 INFO [pool-1-thread-1] request.KdcRequest: Found fast padata and start to process it. 
2017-04-29 21:07:55,603 ERROR [pool-1-thread-1] impl.DefaultKdcHandler: Error occured while processing request: org.apache.kerby.kerberos.kerb.KrbException: Decoding failed at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85) at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70) at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast(KdcRequest.java:208) at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.process(KdcRequest.java:168) at org.apache.kerby.kerberos.kerb.server.KdcHandler.handleMessage(KdcHandler.java:115) at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.handleMessage(DefaultKdcHandler.java:67) at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:52) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:748) Caused by: java.io.IOException: Unexpected item context [0] [tag=0xA0, off=0, len=3+207], expecting 0x30 at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:210) at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:197) at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:83) ... 
9 more 2017-04-29 21:07:55,604 DEBUG [pool-1-thread-1] impl.DefaultKdcHandler: Transport or decoding error occurred, disconnecting abnormally java.net.SocketException: Socket closed at java.net.SocketInputStream.socketRead0(Native Method) at java.net.SocketInputStream.socketRead(SocketInputStream.java:116) at java.net.SocketInputStream.read(SocketInputStream.java:171) at java.net.SocketInputStream.read(SocketInputStream.java:141) at java.net.SocketInputStream.read(SocketInputStream.java:224) at java.io.DataInputStream.readInt(DataInputStream.java:387) at org.apache.kerby.kerberos.kerb.transport.KrbTcpTransport.receiveMessage(KrbTcpTransport.java:54) at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:46) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:748) In a FreeIPA environment these python lines "just" work. Any suggestions are welcome! Marc-- Marc de Lignie
-- Marc de Lignie
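
An added example, not part of the original thread and not Kerby or MIT code: a small Python parser for MIT `KRB5_TRACE` output that reports which transport and port the client actually used, whether it fell back from TCP to UDP, and whether that port appears in a `kdc =` entry of krb5.conf. The sample trace and config are constructed in the formats shown in the thread; `parse_trace` and `analyze` are hypothetical names.

```python
import re

# Constructed sample in MIT KRB5_TRACE format; the last line has two entries
# run together, as happens when trace output is pasted into mail.
SAMPLE_TRACE = """\
[4242] 1493491231.918703: Initiating TCP connection to stream 127.0.0.1:44292
[4242] 1493491231.918777: Sending TCP request to stream 127.0.0.1:44292
[4242] 1493491231.922803: TCP error receiving from stream 127.0.0.1:44292: 104/Connection reset by peer
[4242] 1493491231.922812: Terminating TCP connection to stream 127.0.0.1:44292
[4242] 1493491231.922858: Sending initial UDP request to dgram 127.0.0.1:44292
[4242] 1493491232.553126: Response was not from master KDC[4242] 1493491232.553198: TGS request result: -1765323383/Unknown code krcM 137
"""

# Constructed krb5.conf fragment in the layout used in the thread.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = TEST.COM
    udp_preference_limit = 4096
[realms]
    TEST.COM = {
        kdc = localhost:36525
    }
"""

ENTRY_SPLIT = re.compile(r"(?=\[\d+\] \d+\.\d+: )")   # start of each "[pid] ts: "
ENTRY_RE = re.compile(r"\[(\d+)\] (\d+\.\d+): (.+)", re.S)
NET_RE = re.compile(
    r"(Initiating TCP connection|Sending TCP request|Sending initial UDP request"
    r"|Received answer \(\d+ bytes\)|TCP error receiving|Terminating TCP connection)"
    r" (?:to|from) (stream|dgram) (\S+?):(\d+)(?:: (.*))?")
RESULT_RE = re.compile(r"TGS request result: (-?\d+)/(.*)$")
KDC_RE = re.compile(r"^\s*kdc\s*=\s*(\S+?):(\d+)\s*$", re.M)


def parse_trace(text):
    """Split trace text into entries, even when several share one line."""
    events = []
    for chunk in ENTRY_SPLIT.split(text):
        m = ENTRY_RE.match(chunk.strip())
        if not m:
            continue  # output that is not a trace entry (e.g. script prints)
        msg = m.group(3).splitlines()[0].strip()
        ev = {"pid": int(m.group(1)), "ts": float(m.group(2)),
              "kind": "other", "msg": msg}
        net, res = NET_RE.search(msg), RESULT_RE.search(msg)
        if net:
            ev.update(kind="net", action=net.group(1),
                      proto="UDP" if net.group(2) == "dgram" else "TCP",
                      host=net.group(3), port=int(net.group(4)),
                      detail=net.group(5))
        elif res:
            ev.update(kind="result", code=int(res.group(1)), text=res.group(2))
        events.append(ev)
    return events


def analyze(trace_text, conf_text):
    """Compare the endpoints the client contacted with krb5.conf 'kdc =' ports."""
    configured = {int(port) for _host, port in KDC_RE.findall(conf_text)}
    contacted, tcp_failed, findings, results = {}, set(), [], []
    for ev in parse_trace(trace_text):
        if ev["kind"] == "result":
            results.append((ev["code"], ev["text"]))
        if ev["kind"] != "net":
            continue
        endpoint = (ev["host"], ev["port"])
        contacted.setdefault(ev["proto"], set()).add(ev["port"])
        if ev["action"] == "TCP error receiving":
            tcp_failed.add(endpoint)
        elif ev["proto"] == "UDP" and endpoint in tcp_failed:
            findings.append(("tcp_to_udp_fallback",) + endpoint)
    for port in sorted(set().union(*contacted.values()) - configured):
        findings.append(("port_not_in_krb5_conf", port))
    return {"configured": configured, "contacted": contacted,
            "findings": findings, "results": results}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_TRACE, SAMPLE_CONF).items():
        print(key, value)
```
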
