Are you sure you added kdc_allow_udp = false in kdc.conf?

Thanks
Jiajia

-----Original Message-----
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Friday, May 5, 2017 11:41 PM
To: Li, Jiajia <jiajia...@intel.com>
Cc: kerby@directory.apache.org; Zheng, Kai <kai.zh...@intel.com>; 
mailto:m.c.delig...@xs4all.nl <m.c.delig...@xs4all.nl>
Subject: Re: MIT Kerberos compatibility

Sorry, it was my error, UDP was actually enabled there. But why am I still 
seeing that error message?

Colm.

On Fri, May 5, 2017 at 4:39 PM, Li, Jiajia <jiajia...@intel.com> wrote:

> Hi Colm,
> I also tested the Kerby KDC with Kerby kinit and MIT kinit, listening only
> on the TCP port (UDP disabled); both got a ticket successfully. But I
> don't get the error message. Both krb.conf and kdc.conf should set udp
> to false; udp is enabled by default.
>
> Thanks
> Jiajia
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Friday, May 5, 2017 11:34 PM
> To: kerby@directory.apache.org
> Cc: Zheng, Kai <kai.zh...@intel.com>; mailto:m.c.delig...@xs4all.nl < 
> m.c.delig...@xs4all.nl>
> Subject: Re: MIT Kerberos compatibility
>
> Hi Jiajia,
>
> If UDP is disabled and we don't use Netty, I can get a token 
> successfully via kinit. However I then see an error message in the Kerby 
> console:
>
> Exception in thread "Thread-1" java.lang.RuntimeException: Error 
> occured while checking udp connections
>     at
> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
> KdcNetwork.java:105)
>     at
> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
> access$000(KdcNetwork.java:39)
>     at
> org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.
> run(KdcNetwork.java:75)
>     at java.lang.Thread.run(Thread.java:748)
> Caused by: java.nio.channels.ClosedChannelException
>     at
> sun.nio.ch.DatagramChannelImpl.ensureOpen(DatagramChannelImpl.java:320)
>     at sun.nio.ch.DatagramChannelImpl.receive(
> DatagramChannelImpl.java:331)
>     at
> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
> checkUdpMessage(KdcNetwork.java:132)
>     at
> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
> KdcNetwork.java:101)
>
> I'm not sure why we are seeing UDP errors when it's disabled?
>
> Colm.
>
> On Fri, May 5, 2017 at 3:57 PM, Li, Jiajia <jiajia...@intel.com> wrote:
>
> > Hi Colm,
> > The shell client can't connect to the KDC if UDP is disabled.
> > We don't use Netty by default.
> > What are your test cases? The same as Marc's?
> >
> > Thanks
> > Jiajia
> >
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> > Sent: Friday, May 5, 2017 10:09 PM
> > To: kerby@directory.apache.org
> > Cc: Zheng, Kai <kai.zh...@intel.com>; mailto:m.c.delig...@xs4all.nl 
> > < m.c.delig...@xs4all.nl>
> > Subject: Re: MIT Kerberos compatibility
> >
> > Hi Jiajia,
> >
> > What are the issues if UDP is disabled and we don't use Netty? I 
> > tried doing this with my own test-cases and it didn't work, so it 
> > would be good to get this fixed soon.
> >
> > Colm.
> >
> > On Fri, May 5, 2017 at 2:46 PM, Li, Jiajia <jiajia...@intel.com> wrote:
> >
> > > Hi Marc,
> > > >>> - your KRB5 tracing looks quite different. What OS and mit-kerberos
> > > >>> version did you use?
> > > I use macOS and the Python version is 2.7.10.
> > >
> > > >>> - your KRB5 tracing shows UDP comms between kerberos client and KDC,
> > > >>> despite the allowUDP = false setting in my test. I did this setting
> > > >>> because I get different problems without it, see the additional logs
> > > >>> below. So, we must also be aware of networking problems at my side.
> > > I enabled UDP and use the Netty network; there are some issues if UDP is
> > > disabled. You can create a JIRA for this and we can fix this issue in the
> > > next release version.
> > >
> > > The changes on my side are as follows:
> > >
> > > // Test-class overrides on my side: keep UDP enabled and run the KDC
> > > // on the Netty transport instead of the default one.
> > > protected boolean allowUdp() {
> > >     return true;
> > > }
> > >
> > > @Override
> > > protected void prepareKdc() throws KrbException {
> > >     // Swap in the Netty-based inner KDC implementation, then let the
> > >     // base class finish its own preparation.
> > >     getKdcServer().setInnerKdcImpl(
> > >             new NettyKdcServerImpl(getKdcServer().getKdcSetting()));
> > >     super.prepareKdc();
> > > }
> > >
> > > Here is the log of MitIssueTest:
> > > [INFO] Running org.apache.kerby.kerberos.kerb.server.MitIssueTest
> > > [nioEventLoopGroup-2-1] INFO 
> > > io.netty.handler.logging.LoggingHandler
> > > -
> > > [id: 0x2634fe6b] REGISTERED
> > > [nioEventLoopGroup-2-1] INFO 
> > > io.netty.handler.logging.LoggingHandler
> > > -
> > > [id: 0x2634fe6b] BIND(0.0.0.0/0.0.0.0:53957) 
> > > [nioEventLoopGroup-2-1] INFO 
> > > io.netty.handler.logging.LoggingHandler -
> > > [id: 0x2634fe6b, /0:0:0:0:0:0:0:0:53957] ACTIVE [main] INFO 
> > > org.apache.kerby.kerberos.kdc.impl.NettyKdcServerImpl - Netty kdc 
> > > server started.
> > > [nioEventLoopGroup-2-1] INFO 
> > > io.netty.handler.logging.LoggingHandler
> > > -
> > > [id: 0x2634fe6b, /0:0:0:0:0:0:0:0:53957] RECEIVED: [id: 
> > > 0xdac7228b, /
> > > 127.0.0.1:53961 => /127.0.0.1:53957] 
> > > [defaultEventExecutorGroup-4-1] INFO 
> > > org.apache.kerby.kerberos.kerb.server.request.AsRequest
> > > - AS_REQ ISSUE: authtime 1493991123792,dran...@test.com for 
> > > krbtgt/ test....@test.com [main] INFO 
> > > org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClien
> > > t
> > > - Send to kdc success.
> > > [main] INFO org.apache.kerby.kerberos.kerb.client.KrbClientBase - 
> > > Storing the tgt to the credential cache file.
> > > [nioEventLoopGroup-5-1] INFO
> > > org.apache.kerby.kerberos.kerb.server.request.KdcRequest
> > > - The preauth data is empty.
> > > [nioEventLoopGroup-5-1] INFO
> > > org.apache.kerby.kerberos.kerb.server.KdcHandler
> > > - KRB error occurred while processing request:Additional 
> > > pre-authentication required [nioEventLoopGroup-5-1] INFO 
> > > org.apache.kerby.kerberos.kerb.server.request.AsRequest
> > > - AS_REQ ISSUE: authtime
> > > 1493991123859,test-service/localh...@test.com
> > > for krbtgt/test....@test.com
> > > [nioEventLoopGroup-5-1] INFO
> > > org.apache.kerby.kerberos.kerb.server.request.TgsRequest
> > > - TGS_REQ ISSUE: authtime 1493991142850,drankye for test-service/ 
> > > localh...@test.com
> > >
> > > Thanks
> > > Jiajia
> > >
> > > -----Original Message-----
> > > From: Zheng, Kai
> > > Sent: Friday, May 5, 2017 7:46 PM
> > > To: kerby@directory.apache.org; Li, Jiajia <jiajia...@intel.com>
> > > Subject: RE: MIT Kerberos compatibility
> > >
> > > Hi Marc,
> > >
> > > Looks like this is quite environment related, could you fire an
> > > issue for this? I would suggest we target it to 1.1.0, which can
> > > be done in June.
> > >
> > > Regards,
> > > Kai
> > >
> > > -----Original Message-----
> > > From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl]
> > > Sent: Friday, May 05, 2017 4:44 PM
> > > To: Li, Jiajia <jiajia...@intel.com>
> > > Cc: kerby@directory.apache.org
> > > Subject: Re: MIT Kerberos compatibility
> > >
> > > Hi Jiajia,
> > >
> > > Great to read that you made progress on this issue and to see a
> > > working config at your side. Below, I list my progress (with
> > > trunk merged into my MitIssue branch), but I am afraid we are not
> > > done yet.
> > >
> > > Things that stand out:
> > >
> > > - the kdc decoding error is solved, relative to the logs without 
> > > your patch
> > >
> > > - your KRB5 tracing looks quite different. What OS and 
> > > mit-kerberos version did you use?
> > >
> > > - your KRB5 tracing shows UDP comms between kerberos client and 
> > > KDC, despite the allowUDP = false setting in my test. I did this 
> > > setting because I get different problems without it, see the 
> > > additional logs below. So, we must also be aware of networking problems 
> > > at my side.
> > >
> > > - the "Response was not from master KDC" msg is not relevant; it 
> > > disappears if you manually add master_kdc to the realms section of 
> > > the krb5.conf
> > >
> > > I have no idea how to proceed from here, so that is why I just
> > > document the status at my side and ask about your - apparently
> > > working - config.
> > >
> > > Cheers,   Marc
> > >
> > >
> > > KDC logging with allowUDP = false:
> > >
> > > [INFO] Running org.apache.kerby.kerberos.kerb.server.MitIssueTest
> > > [pool-1-thread-1] INFO
> > > org.apache.kerby.kerberos.kerb.server.request.AsRequest - AS_REQ ISSUE:
> > > authtime 1493970789075,dran...@test.com for 
> > > krbtgt/test....@test.com [main] INFO 
> > > org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClien
> > > t
> > > - Send to kdc success.
> > > [main] INFO org.apache.kerby.kerberos.kerb.client.KrbClientBase - 
> > > Storing the tgt to the credential cache file.
> > > [pool-1-thread-1] INFO
> > > org.apache.kerby.kerberos.kerb.server.request.KdcRequest - The 
> > > preauth data is empty.
> > > [pool-1-thread-1] INFO
> > > org.apache.kerby.kerberos.kerb.server.KdcHandler
> > > - KRB error occurred while processing request:Additional 
> > > pre-authentication required [pool-1-thread-1] INFO 
> > > org.apache.kerby.kerberos.kerb.server.request.AsRequest - AS_REQ ISSUE:
> > > authtime 1493970789108,test-service/localh...@test.com for krbtgt/ 
> > > test....@test.com [pool-1-thread-1] INFO 
> > > org.apache.kerby.kerberos.kerb.server.request.KdcRequest
> > > - Found fast padata and starting to process it.
> > > [pool-1-thread-1] INFO
> > > org.apache.kerby.kerberos.kerb.server.request.KdcRequest - Found 
> > > fast padata and starting to process it.
> > >
> > > Python script KRB5 tracing (MIT Kerberos 1.13.2 of Ubuntu Xenial) 
> > > with allowUDP = false:
> > >
> > > $ . kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/MitIssueTest.sh
> > > [25281] 1493970797.298753: Retrieving dran...@test.com from 
> > > FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result:
> > > 2/Key table file '/etc/krb5/user/1000/client.keytab' not found 
> > > [25281]
> > > 1493970797.298952: Retrieving dran...@test.com from 
> > > FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result:
> > > 2/Key table file '/etc/krb5/user/1000/client.keytab' not found 
> > > [25281]
> > > 1493970797.299106: Retrieving dran...@test.com from 
> > > FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result:
> > > 2/Key table file '/etc/krb5/user/1000/client.keytab' not found 
> > > [25281]
> > > 1493970797.299213: Retrieving dran...@test.com from 
> > > FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result:
> > > 2/Key table file '/etc/krb5/user/1000/client.keytab' not found 
> > > [25281]
> > > 1493970797.299323: Retrieving dran...@test.com from 
> > > FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result:
> > > 2/Key table file '/etc/krb5/user/1000/client.keytab' not found 
> > > [25281]
> > > 1493970797.299436: Retrieving dran...@test.com from 
> > > FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result:
> > > 2/Key table file '/etc/krb5/user/1000/client.keytab' not found 
> > > [25281]
> > > 1493970797.299545: Retrieving dran...@test.com from 
> > > FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result:
> > > 2/Key table file '/etc/krb5/user/1000/client.keytab' not found 
> > > [25281]
> > > 1493970797.299654: Retrieving dran...@test.com from 
> > > FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result:
> > > 2/Key table file '/etc/krb5/user/1000/client.keytab' not found 
> > > kerberos.authGSSClientInit successful [25281] 1493970797.299922:
> > > Getting credentials dran...@test.com -> test-service/localhost@ 
> > > using ccache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> > > [25281] 1493970797.299945: Retrieving dran...@test.com -> 
> > > test-service/localhost@ from 
> > > FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> > > with result:
> > > -1765328243/Matching credential not found [25281] 1493970797.299959:
> > > Retrying dran...@test.com -> test-service/localh...@test.com with result:
> > > -1765328243/Matching credential not found [25281] 1493970797.299962:
> > > Server has referral realm; starting with 
> > > test-service/localh...@test.com [25281]
> > > 1493970797.299975: Retrieving dran...@test.com -> 
> > > krbtgt/test....@test.com from 
> > > FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc with result:
> > > 0/Success [25281] 1493970797.299979: Starting with TGT for client realm:
> > > dran...@test.com -> krbtgt/test....@test.com [25281] 1493970797.299981:
> > > Requesting tickets for test-service/localh...@test.com, referrals 
> > > on [25281] 1493970797.299994: Generated subkey for TGS request:
> > > aes128-cts/1B9B [25281] 1493970797.300009: etypes requested in TGS request:
> > > aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, 
> > > camellia256-cts [25281] 1493970797.300054: Encoding request body 
> > > and padata into FAST request [25281] 1493970797.300080: Sending 
> > > request
> > > (823 bytes) to TEST.COM [25281] 1493970797.300091: Resolving 
> > > hostname localhost [25281]
> > > 1493970797.300136: Initiating TCP connection to stream
> > > 127.0.0.1:34319
> > > [25281] 1493970797.300191: Sending TCP request to stream
> > > 127.0.0.1:34319 [25281] 1493970797.303610: Received answer (125
> > > bytes) from stream
> > > 127.0.0.1:34319
> > > [25281] 1493970797.303618: Terminating TCP connection to stream
> > > 127.0.0.1:34319
> > > [25281] 1493970797.553126: Response was not from master KDC 
> > > [25281]
> > > 1493970797.553198: TGS request result: -1765323383/Unknown code 
> > > krcM
> > > 137 [25281] 1493970797.553234: Requesting tickets for 
> > > test-service/ localh...@test.com, referrals off [25281] 1493970797.553273:
> > > Generated subkey for TGS request: aes128-cts/94C6 [25281] 1493970797.553323:
> > > etypes requested in TGS request: aes256-cts, aes128-cts, 
> > > des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts [25281]
> > > 1493970797.553436: Encoding request body and padata into FAST 
> > > request [25281] 1493970797.553532:
> > > Sending request (823 bytes) to TEST.COM [25281] 1493970797.553567:
> > > Resolving hostname localhost [25281] 1493970797.553745: Initiating 
> > > TCP connection to stream
> > > 127.0.0.1:34319
> > > [25281] 1493970797.553889: Sending TCP request to stream
> > > 127.0.0.1:34319 [25281] 1493970797.558297: Received answer (125
> > > bytes) from stream
> > > 127.0.0.1:34319
> > > [25281] 1493970797.558318: Terminating TCP connection to stream
> > > 127.0.0.1:34319
> > > [25281] 1493970797.561189: Response was not from master KDC 
> > > [25281]
> > > 1493970797.561258: TGS request result: -1765323383/Unknown code 
> > > krcM
> > > 137 ('First kerberos.authGSSClientStep not successful', 
> > > GSSError(('Unspecified GSS failure.  Minor code may provide more 
> > > information', 851968), ('Unknown code krcM 137', -1765323383)))
> > >
> > >
> > > KDC logging with allowUDP = true:
> > >
> > > [INFO] Running org.apache.kerby.kerberos.kerb.server.MitIssueTest
> > > [pool-1-thread-1] INFO
> > > org.apache.kerby.kerberos.kerb.server.request.AsRequest - AS_REQ ISSUE:
> > > authtime 1493972505784,dran...@test.com for 
> > > krbtgt/test....@test.com [main] INFO 
> > > org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClien
> > > t
> > > - Send to kdc success.
> > > [main] INFO org.apache.kerby.kerberos.kerb.client.KrbClientBase - 
> > > Storing the tgt to the credential cache file.
> > > [pool-1-thread-1] INFO
> > > org.apache.kerby.kerberos.kerb.server.request.KdcRequest - The 
> > > preauth data is empty.
> > > [pool-1-thread-1] INFO
> > > org.apache.kerby.kerberos.kerb.server.KdcHandler
> > > - KRB error occurred while processing request:Additional 
> > > pre-authentication required [pool-1-thread-2] INFO 
> > > org.apache.kerby.kerberos.kerb.server.request.AsRequest - AS_REQ ISSUE:
> > > authtime 1493972505948,test-service/localh...@test.com for krbtgt/ 
> > > test....@test.com Exception in thread "Thread-0"
> > > java.lang.RuntimeException: Error occured while checking udp connections
> > >      at
> > > org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
> > > KdcNetwork.java:105)
> > >      at
> > > org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
> > > access$000(KdcNetwork.java:39)
> > >      at
> > > org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.
> > > run(KdcNetwork.java:75)
> > >      at java.lang.Thread.run(Thread.java:748)
> > > Caused by: java.nio.channels.ClosedChannelException
> > >      at sun.nio.ch.DatagramChannelImpl.ensureOpen(DatagramChannelImpl.java:320)
> > >      at sun.nio.ch.DatagramChannelImpl.receive(
> > > DatagramChannelImpl.java:331)
> > >      at
> > > org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
> > > checkUdpMessage(KdcNetwork.java:132)
> > >      at
> > > org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
> > > KdcNetwork.java:101)
> > >      ... 3 more
> > >
> > >
> > > krb5.conf:
> > >
> > > [libdefaults]
> > >      kdc_realm = TEST.COM
> > >      default_realm = TEST.COM
> > >      udp_preference_limit = 4096
> > >      kdc_tcp_port = 37080
> > >      kdc_udp_port = 36525
> > >
> > > [realms]
> > >      TEST.COM = {
> > >          kdc = localhost:36525
> > >      }
> > >
> > > And port 36525 does not show up in `netstat -l` (while 37080 does)
> > >
> > >
> > > On 04-05-17 at 14:55, Li, Jiajia wrote:
> > > > Hi Marc,
> > > > I tried to run your test (by applying your patch on the trunk), and I
> > > > think it succeeds now. Could you take some time to check it?
> > > > Here is the log:
> > > >
> > > > directory-kerby git:(trunk) ✗ . kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/MitIssueTest.sh
> > > > kerberos.authGSSClientInit successful
> > > > 2017-05-04T20:44:06 set-error: -1765328234: entypes not 
> > > > supported
> > > > 2017-05-04T20:44:06 set-error: -1765328243: Did not find 
> > > > credential for krb5_ccache_conf_data/realm-config@X-CACHECONF: 
> > > > in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> > > > 2017-05-04T20:44:06 set-error: -1765328243: Did not find 
> > > > credential for test-service/localh...@test.com in cache 
> > > > FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> > > > 2017-05-04T20:44:06 set-error: -1765328243: Did not find 
> > > > credential for
> > > > krb5_ccache_conf_data/negative-cache/test-service\134/localhost\134@TEST.COM@X-CACHECONF: in cache
> > > > FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> > > > 2017-05-04T20:44:06 set-error: -1765328243: Did not find 
> > > > credential for krb5_ccache_conf_data/lkdc-hostname@X-CACHECONF: 
> > > > in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> > > > 2017-05-04T20:44:06 set-error: -1765328243: Did not find 
> > > > credential for krb5_ccache_conf_data/sitename@X-CACHECONF: in 
> > > > cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> > > > 2017-05-04T20:44:06 set-error: -1765328243: Did not find 
> > > > credential for test-service/localh...@test.com in cache 
> > > > FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> > > > 2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
> > > > des-cbc-md5-deprecated not supported
> > > > 2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
> > > > des-cbc-md4-deprecated not supported
> > > > 2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
> > > > des-cbc-crc-deprecated not supported
> > > > 2017-05-04T20:44:06 Trying to find service kdc for realm 
> > > > TEST.COM flags 0
> > > > 2017-05-04T20:44:06 configuration file for realm TEST.COM found
> > > > 2017-05-04T20:44:06 submissing new requests to new host
> > > > 2017-05-04T20:44:06 host_create: setting hostname localhost
> > > > 2017-05-04T20:44:06 connecting to host: udp ::1:52534 (localhost) tid:
> > > > 00000001
> > > > 2017-05-04T20:44:06 host_create: setting hostname localhost
> > > > 2017-05-04T20:44:06 Queuing host in future (in 3s), its the 2 
> > > > address on the same name: udp 127.0.0.1:52534 (localhost) tid:
> > > > 00000002
> > > > 2017-05-04T20:44:06 writing packet: udp ::1:52534 (localhost) tid:
> > > > 00000001
> > > > 2017-05-04T20:44:06 reading packet: udp ::1:52534 (localhost) tid:
> > > > 00000001
> > > > 2017-05-04T20:44:06 host completed: udp ::1:52534 (localhost) tid:
> > > > 00000001
> > > > 2017-05-04T20:44:06 krb5_sendto_context TEST.COM done: 0 hosts 1 
> > > > packets 1 wc: 0.048927 nr: 0.000932 kh: 0.000814 tid: 00000002
> > > > 2017-05-04T20:44:06 tkt: extract key 17/763641F3
> > > > 2017-05-04T20:44:06 set-error: -1765328353: Decrypt integrity 
> > > > check failed for checksum type hmac-sha1-96-aes128, key type
> > > > aes128-cts-hmac-sha1-96
> > > > 2017-05-04T20:44:06 tkt: extract key 17/3084A95C
> > > > 2017-05-04T20:44:06 krb5_get_credentials_with_flags: TEST.COM wc:
> > > > 0.050317
> > > > 2017-05-04T20:44:06 set-error: -1765328243: Did not find 
> > > > credential for krb5_ccache_conf_data/realm-config@X-CACHECONF: 
> > > > in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> > > > 2017-05-04T20:44:06 set-error: -1765328243: Did not find 
> > > > credential for 
> > > > krb5_ccache_conf_data/time-offset/test-service\134/localhost\134@TEST.COM@X-CACHECONF: in cache
> > > > FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> > > > 2017-05-04T20:44:06 Setting up PFS for auth context
> > > > 2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
> > > > des-cbc-md5-deprecated not supported
> > > > 2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
> > > > des-cbc-md4-deprecated not supported
> > > > 2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
> > > > des-cbc-crc-deprecated not supported First 
> > > > kerberos.authGSSClientStep successful
> > > >
> > > > Thanks
> > > > Jiajia
> > > >
> > > > -----Original Message-----
> > > > From: Zheng, Kai [mailto:kai.zh...@intel.com]
> > > > Sent: Wednesday, May 3, 2017 7:29 PM
> > > > To: kerby@directory.apache.org
> > > > Subject: RE: MIT Kerberos compatibility
> > > >
> > > > Hi Marc,
> > > >
> > > > In case you're not aware of this, please check out the latest
> > > > fix made by Jiajia. We thought your case may be different, but would be
> > > > good to have a check before we can repeat/fix your case. Thanks.
> > > > https://issues.apache.org/jira/browse/DIRKRB-625
> > > >
> > > > Regards,
> > > > Kai
> > > >
> > > > -----Original Message-----
> > > > From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl]
> > > > Sent: Sunday, April 30, 2017 7:45 PM
> > > > To: kerby@directory.apache.org
> > > > Subject: Re: MIT Kerberos compatibility
> > > >
> > > > Hi Kai,
> > > >
> > > > The terminal output below is for the latest MIT Kerberos 1.15.1
> > > > (locally built on Ubuntu Xenial). Before that, I also tested with the
> > > > default Xenial MIT Kerberos packages (1.13.2), with the same
> > > > result. I did not try earlier MIT Kerberos versions.
> > > >
> > > > Marc
> > > >
> > > > On 29-04-17 at 21:42, Marc de Lignie wrote:
> > > >> Hi Kai,
> > > >>
> > > >> Thanks for the response. I prepared a minimal config that 
> > > >> reproduces my problem.
> > > >>
> > > >> You can fetch the branch/commit from:
> > > >> https://github.com/vtslab/directory-kerby/commits/MitIssue
> > > >>
> > > >> This is relative to RC2, but I also tried this on trunk for my 
> > > >> actual project.
> > > >>
> > > >> This config produces the debug and error messages below.
> > > >>
> > > >> 1. For the terminal with the bash + python script
> > > >> $ klist
> > > >> Ticket cache: FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> > > >> Default principal: dran...@test.com
> > > >>
> > > >> Valid starting     Expires            Service principal
> > > >> 29-04-17 21:07:39  30-04-17 05:07:39  krbtgt/test....@test.com
> > > >>      renew until 29-04-17 21:07:39
> > > >>
> > > >> $ . kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/MitIssueTest.sh
> > > >> [15538] 1493491231.917606:
> > > >> Retrieving dran...@test.com from 
> > > >> FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with
> > > >> result:
> > > >> 2/Key table file '/etc/krb5/user/1000/client.keytab' not found 
> > > >> [15538]
> > > >> 1493491231.917827: Retrieving dran...@test.com from 
> > > >> FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result:
> > > >> 2/Key table file '/etc/krb5/user/1000/client.keytab' not found 
> > > >> kerberos.authGSSClientInit successful [15538] 1493491231.918185:
> > > >> Getting credentials dran...@test.com -> test-service/localhost@ 
> > > >> using ccache 
> > > >> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> > > >> [15538] 1493491231.918210: Retrieving dran...@test.com -> 
> > > >> test-service/localhost@ from 
> > > >> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc with result:
> > > >> -1765328243/Matching credential not found (filename:
> > > >> kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc)
> > > >> [15538] 1493491231.918226: Retrying dran...@test.com -> 
> > > >> test-service/localh...@test.com with result: 
> > > >> -1765328243/Matching credential not found (filename:
> > > >> kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc)
> > > >> [15538] 1493491231.918229: Server has referral realm; starting 
> > > >> with test-service/localh...@test.com [15538] 1493491231.918278:
> > > >> Retrieving dran...@test.com -> krbtgt/test....@test.com from 
> > > >> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc with result:
> > > >> 0/Success
> > > >> [15538] 1493491231.918281: Starting with TGT for client realm:
> > > >> dran...@test.com -> krbtgt/test....@test.com [15538]
> > > >> 1493491231.918301: Requesting tickets for 
> > > >> test-service/localh...@test.com, referrals on [15538]
> > > >> 1493491231.918326: Generated subkey for TGS request:
> > > >> aes128-cts/FA30
> > > >> [15538] 1493491231.918359: etypes requested in TGS request:
> > > >> aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, 
> > > >> des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts 
> > > >> [15538] 1493491231.918484:
> > > >> Encoding request body and padata into FAST request [15538]
> > > >> 1493491231.918541: Sending request (836 bytes) to TEST.COM 
> > > >> [15538]
> > > >> 1493491231.918597: Resolving hostname localhost [15538]
> > > >> 1493491231.918703: Initiating TCP connection to stream
> > > >> 127.0.0.1:44292
> > > >> [15538] 1493491231.918777: Sending TCP request to stream
> > > >> 127.0.0.1:44292 [15538] 1493491231.922803: TCP error receiving 
> > > >> from stream
> > > >> 127.0.0.1:44292: 104/Connection reset by peer [15538]
> > > >> 1493491231.922812: Terminating TCP connection to stream
> > > >> 127.0.0.1:44292
> > > >> [15538] 1493491231.922858: Sending initial UDP request to dgram
> > > >> 127.0.0.1:44292
> > > >> ('First kerberos.authGSSClientStep not successful', 
> > > >> GSSError(('Unspecified GSS failure.  Minor code may provide 
> > > >> more information', 851968), ("Cannot contact any KDC for realm 
> > > >> 'TEST.COM'",
> > > >> -1765328228)))
> > > >>
> > > >> 2. For the terminal that runs mvn clean test -Dtest=MitIssueTest
> > > >> Running org.apache.kerby.kerberos.kerb.server.MitIssueTest
> > > >> 2017-04-29 21:07:39,182 DEBUG [main] backend.AbstractIdentityBackend:
> > > >> initialize called
> > > >> 2017-04-29 21:07:39,195 DEBUG [main] backend.AbstractIdentityBackend:
> > > >> getIdentity called, principalName = krbtgt/test....@test.com
> > > >> 2017-04-29 21:07:39,195 DEBUG [main] backend.AbstractIdentityBackend:
> > > >> getIdentity failed, principalName = krbtgt/test....@test.com
> > > >> 2017-04-29 21:07:39,212 DEBUG [main] backend.AbstractIdentityBackend:
> > > >> addIdentity successful, principalName = krbtgt/test....@test.com
> > > >> 2017-04-29 21:07:39,212 DEBUG [main] backend.AbstractIdentityBackend:
> > > >> getIdentity called, principalName = kadmin/test....@test.com
> > > >> 2017-04-29 21:07:39,212 DEBUG [main] backend.AbstractIdentityBackend:
> > > >> getIdentity failed, principalName = kadmin/test....@test.com
> > > >> 2017-04-29 21:07:39,213 DEBUG [main] backend.AbstractIdentityBackend:
> > > >> addIdentity successful, principalName = kadmin/test....@test.com
> > > >> 2017-04-29 21:07:39,216 DEBUG [main] backend.AbstractIdentityBackend:
> > > >> start called
> > > >> 2017-04-29 21:07:39,232 DEBUG [main] backend.AbstractIdentityBackend:
> > > >> addIdentity successful, principalName = test-service/localh...@test.com
> > > >> 2017-04-29 21:07:39,425 DEBUG [main] backend.AbstractIdentityBackend:
> > > >> addIdentity successful, principalName = dran...@test.com
> > > >> 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1]
> > > >> backend.AbstractIdentityBackend: getIdentity called, 
> > > >> principalName = krbtgt/test....@test.com
> > > >> 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1]
> > > >> backend.AbstractIdentityBackend: getIdentity successful, 
> > > >> principalName = krbtgt/test....@test.com
> > > >> 2017-04-29 21:07:39,465 INFO  [pool-1-thread-1] request.KdcRequest:
> > > >> Client entry is empty.
> > > >> 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1]
> > > >> backend.AbstractIdentityBackend: getIdentity called, 
> > > >> principalName = dran...@test.com
> > > >> 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1]
> > > >> backend.AbstractIdentityBackend: getIdentity successful, 
> > > >> principalName = dran...@test.com
> > > >> 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1]
> > > >> backend.AbstractIdentityBackend: getIdentity called, 
> > > >> principalName = krbtgt/test....@test.com
> > > >> 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1]
> > > >> backend.AbstractIdentityBackend: getIdentity successful, 
> > > >> principalName = krbtgt/test....@test.com
> > > >> 2017-04-29 21:07:39,476 DEBUG [pool-1-thread-1]
> > > >> impl.DefaultKdcHandler: Transport or decoding error occurred, 
> > > >> disconnecting abnormally java.io.EOFException
> > > >>      at java.io.DataInputStream.readInt(DataInputStream.java:392)
> > > >>      at org.apache.kerby.kerberos.kerb.transport.KrbTcpTransport.receiveMessage(KrbTcpTransport.java:54)
> > > >>      at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:46)
> > > >>      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> > > >>      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> > > >>      at java.lang.Thread.run(Thread.java:748)
> > > >> 2017-04-29 21:07:39,477 INFO  [main] client.KrbClientBase:
> > > >> Storing the tgt to the credential cache file.
> > > >> 2017-04-29 21:07:39,491 DEBUG [main] backend.AbstractIdentityBackend:
> > > >> getIdentity called, principalName = test-service/localh...@test.com
> > > >> 2017-04-29 21:07:39,491 DEBUG [main] backend.AbstractIdentityBackend:
> > > >> getIdentity successful, principalName = test-service/localh...@test.com
> > > >> 2017-04-29 21:07:39,498 DEBUG [pool-1-thread-1]
> > > >> backend.AbstractIdentityBackend: getIdentity called, 
> > > >> principalName = krbtgt/test....@test.com
> > > >> 2017-04-29 21:07:39,498 DEBUG [pool-1-thread-1]
> > > >> backend.AbstractIdentityBackend: getIdentity successful, 
> > > >> principalName = krbtgt/test....@test.com
> > > >> 2017-04-29 21:07:39,498 INFO  [pool-1-thread-1] request.KdcRequest:
> > > >> Client entry is empty.
> > > >> 2017-04-29 21:07:39,499 DEBUG [pool-1-thread-1]
> > > >> backend.AbstractIdentityBackend: getIdentity called, 
> > > >> principalName = test-service/localh...@test.com
> > > >> 2017-04-29 21:07:39,499 DEBUG [pool-1-thread-1]
> > > >> backend.AbstractIdentityBackend: getIdentity successful, 
> > > >> principalName = test-service/localh...@test.com
> > > >> 2017-04-29 21:07:39,499 DEBUG [pool-1-thread-1]
> > > >> backend.AbstractIdentityBackend: getIdentity called, 
> > > >> principalName = krbtgt/test....@test.com
> > > >> 2017-04-29 21:07:39,499 DEBUG [pool-1-thread-1]
> > > >> backend.AbstractIdentityBackend: getIdentity successful, 
> > > >> principalName = krbtgt/test....@test.com
> > > >> 2017-04-29 21:07:39,499 INFO  [pool-1-thread-1] request.KdcRequest:
> > > >> The preauth data is empty.
> > > >> 2017-04-29 21:07:39,501 INFO  [pool-1-thread-1] server.KdcHandler:
> > > >> KRB error occurred while processing request:Additional 
> > > >> pre-authentication required
> > > >> 2017-04-29 21:07:39,502 DEBUG [pool-1-thread-1]
> > > >> impl.DefaultKdcHandler: Transport or decoding error occurred, 
> > > >> disconnecting abnormally java.io.EOFException
> > > >>      at java.io.DataInputStream.readInt(DataInputStream.java:392)
> > > >>      at org.apache.kerby.kerberos.kerb.transport.KrbTcpTransport.receiveMessage(KrbTcpTransport.java:54)
> > > >>      at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:46)
> > > >>      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> > > >>      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> > > >>      at java.lang.Thread.run(Thread.java:748)
> > > >> 2017-04-29 21:07:39,505 DEBUG [pool-1-thread-1]
> > > >> backend.AbstractIdentityBackend: getIdentity called, 
> > > >> principalName = krbtgt/test....@test.com
> > > >> 2017-04-29 21:07:39,505 DEBUG [pool-1-thread-1]
> > > >> backend.AbstractIdentityBackend: getIdentity successful, 
> > > >> principalName = krbtgt/test....@test.com
> > > >> 2017-04-29 21:07:39,505 INFO  [pool-1-thread-1] request.KdcRequest:
> > > >> Client entry is empty.
> > > >> 2017-04-29 21:07:39,506 DEBUG [pool-1-thread-1]
> > > >> backend.AbstractIdentityBackend: getIdentity called, 
> > > >> principalName = test-service/localh...@test.com
> > > >> 2017-04-29 21:07:39,506 DEBUG [pool-1-thread-1]
> > > >> backend.AbstractIdentityBackend: getIdentity successful, 
> > > >> principalName = test-service/localh...@test.com
> > > >> 2017-04-29 21:07:39,506 DEBUG [pool-1-thread-1]
> > > >> backend.AbstractIdentityBackend: getIdentity called, 
> > > >> principalName = krbtgt/test....@test.com
> > > >> 2017-04-29 21:07:39,506 DEBUG [pool-1-thread-1]
> > > >> backend.AbstractIdentityBackend: getIdentity successful, 
> > > >> principalName = krbtgt/test....@test.com
> > > >> 2017-04-29 21:07:39,510 DEBUG [pool-1-thread-1]
> > > >> impl.DefaultKdcHandler: Transport or decoding error occurred, 
> > > >> disconnecting abnormally java.io.EOFException
> > > >>      at java.io.DataInputStream.readInt(DataInputStream.java:392)
> > > >>      at org.apache.kerby.kerberos.kerb.transport.KrbTcpTransport.receiveMessage(KrbTcpTransport.java:54)
> > > >>      at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:46)
> > > >>      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> > > >>      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> > > >>      at java.lang.Thread.run(Thread.java:748)
> > > >> 2017-04-29 21:07:55,602 DEBUG [pool-1-thread-1]
> > > >> backend.AbstractIdentityBackend: getIdentity called, 
> > > >> principalName = krbtgt/test....@test.com
> > > >> 2017-04-29 21:07:55,602 DEBUG [pool-1-thread-1]
> > > >> backend.AbstractIdentityBackend: getIdentity successful, 
> > > >> principalName = krbtgt/test....@test.com
> > > >> 2017-04-29 21:07:55,602 INFO  [pool-1-thread-1] request.KdcRequest:
> > > >> Found fast padata and start to process it.
> > > >> 2017-04-29 21:07:55,603 ERROR [pool-1-thread-1]
> > > >> impl.DefaultKdcHandler: Error occured while processing request:
> > > >> org.apache.kerby.kerberos.kerb.KrbException: Decoding failed
> > > >>      at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)
> > > >>      at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
> > > >>      at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast(KdcRequest.java:208)
> > > >>      at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.process(KdcRequest.java:168)
> > > >>      at org.apache.kerby.kerberos.kerb.server.KdcHandler.handleMessage(KdcHandler.java:115)
> > > >>      at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.handleMessage(DefaultKdcHandler.java:67)
> > > >>      at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:52)
> > > >>      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> > > >>      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> > > >>      at java.lang.Thread.run(Thread.java:748)
> > > >> Caused by: java.io.IOException: Unexpected item context [0] 
> > > >> [tag=0xA0, off=0, len=3+207], expecting 0x30
> > > >>      at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:210)
> > > >>      at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:197)
> > > >>      at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:83)
> > > >>      ... 9 more
> > > >> 2017-04-29 21:07:55,604 DEBUG [pool-1-thread-1]
> > > >> impl.DefaultKdcHandler: Transport or decoding error occurred, 
> > > >> disconnecting abnormally
> > > >> java.net.SocketException: Socket closed
> > > >>      at java.net.SocketInputStream.socketRead0(Native Method)
> > > >>      at java.net.SocketInputStream.socketRead(SocketInputStream.java:116)
> > > >>      at java.net.SocketInputStream.read(SocketInputStream.java:171)
> > > >>      at java.net.SocketInputStream.read(SocketInputStream.java:141)
> > > >>      at java.net.SocketInputStream.read(SocketInputStream.java:224)
> > > >>      at java.io.DataInputStream.readInt(DataInputStream.java:387)
> > > >>      at org.apache.kerby.kerberos.kerb.transport.KrbTcpTransport.receiveMessage(KrbTcpTransport.java:54)
> > > >>      at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:46)
> > > >>      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> > > >>      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> > > >>      at java.lang.Thread.run(Thread.java:748)
> > > >>
> > > >> In a FreeIPA environment these python lines "just" work.
> > > >>
> > > >> Any suggestions are welcome!
> > > >>
> > > >> Marc
> > > >>
> > > >>
> > > > --
> > > > Marc de Lignie
> > > >
> > >
> > > --
> > > Marc de Lignie
> > >
> > >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

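The root cause in Marc's quoted trace, "Unexpected item context [0] [tag=0xA0, off=0, len=3+207], expecting 0x30", is an ASN.1 identifier-octet mismatch: Kerby's decoder, called from KdcRequest.kdcFindFast while processing the FAST padata, found a context-specific constructed tag number 0 (identifier octet 0xA0, followed by a two-octet long-form length, so a 3-octet header before 207 content octets) where it expected a universal SEQUENCE (0x30). The Python below is an added illustration for reading such messages, not Kerby's decoder or any code from this thread; the sample bytes are constructed, and the unwrap_explicit_tag helper shows one assumed interpretation (an explicit [0] wrapper around a SEQUENCE), not a diagnosis of which side of the exchange is at fault.

```python
# Added example: decode one DER tag/length header the way an ASN.1 decoder
# sees it, and reproduce a Kerby-style "Unexpected item ..." message.
# Not Apache Kerby code; sample bytes below are constructed for the example.

from dataclasses import dataclass

TAG_CLASSES = {0: "UNIVERSAL", 1: "APPLICATION", 2: "CONTEXT", 3: "PRIVATE"}
UNIVERSAL_SEQUENCE = 0x30  # universal class, constructed, tag number 16


@dataclass(frozen=True)
class TlvHeader:
    tag_byte: int
    tag_class: str
    constructed: bool
    tag_number: int
    offset: int       # where the item starts in the buffer
    header_len: int   # octets used by the identifier plus length octets
    content_len: int  # octets of content that follow the header

    def describe(self) -> str:
        # Same "[tag=0x.., off=.., len=H+C]" shape as the log message.
        return (f"tag=0x{self.tag_byte:02X}, off={self.offset}, "
                f"len={self.header_len}+{self.content_len}")


def parse_tlv_header(buf: bytes, off: int = 0) -> TlvHeader:
    """Parse a single-octet DER identifier and a definite-form length."""
    if off >= len(buf):
        raise ValueError("buffer too short for identifier octet")
    tag = buf[off]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-octet tag numbers are not handled here")
    pos = off + 1
    if pos >= len(buf):
        raise ValueError("buffer too short for length octet")
    first = buf[pos]
    pos += 1
    if first & 0x80 == 0:
        length = first                      # short form: one octet
    else:
        n = first & 0x7F                    # long form: n length octets follow
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length not allowed in DER")
        if pos + n > len(buf):
            raise ValueError("buffer too short for long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("content length exceeds buffer")
    return TlvHeader(tag_byte=tag, tag_class=TAG_CLASSES[tag >> 6],
                     constructed=bool(tag & 0x20), tag_number=tag & 0x1F,
                     offset=off, header_len=pos - off, content_len=length)


def expect_sequence(buf: bytes, off: int = 0) -> TlvHeader:
    """Raise a Kerby-style message unless the item at off is a SEQUENCE."""
    hdr = parse_tlv_header(buf, off)
    if hdr.tag_byte != UNIVERSAL_SEQUENCE:
        raise ValueError(f"Unexpected item {hdr.tag_class.lower()} "
                         f"[{hdr.tag_number}] [{hdr.describe()}], "
                         f"expecting 0x{UNIVERSAL_SEQUENCE:02X}")
    return hdr


def unwrap_explicit_tag(buf: bytes) -> bytes:
    """Assumed interpretation: strip an outer [0] EXPLICIT wrapper if present."""
    hdr = parse_tlv_header(buf)
    if hdr.tag_class == "CONTEXT" and hdr.constructed and hdr.tag_number == 0:
        return buf[hdr.header_len:hdr.header_len + hdr.content_len]
    return buf


# Constructed samples. INNER is a SEQUENCE of 204 zero octets (3+204 = 207
# octets); TAGGED_0 wraps it in [0] with header A0 81 CF, the shape the log
# reports (len=3+207). BARE_SEQUENCE is what a decoder expecting 0x30 wants.
INNER = b"\x30\x81\xCC" + bytes(204)
TAGGED_0 = b"\xA0\x81\xCF" + INNER
BARE_SEQUENCE = b"\x30\x81\xCF" + bytes(207)

if __name__ == "__main__":
    print(parse_tlv_header(TAGGED_0).describe())
    try:
        expect_sequence(TAGGED_0)
    except ValueError as err:
        print(err)
    print(expect_sequence(unwrap_explicit_tag(TAGGED_0)).describe())
```

Running the block prints the header the log complained about, the reproduced error text, and then a successful SEQUENCE parse once the assumed [0] wrapper is removed; comparing the first octets of the padata value sent by MIT kinit against those expected by the Kerby decoder is the check this points at.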