Colm, did you see udp problem now instead? I'm a little confused. Udp is sure supported but may not be enabled by default, which should be okay, imo. Thanks.
Sent from iPhone

> On May 6, 2017, at 12:02 AM, Colm O hEigeartaigh <cohei...@apache.org> wrote:
>
> That's probably it. Why does the default transport not support UDP in Kerby?
>
> Colm.
>
>> On Fri, May 5, 2017 at 4:54 PM, Li, Jiajia <jiajia...@intel.com> wrote:
>>
>> Are you sure add kdc_allow_udp = false in kdc.conf?
>>
>> Thanks
>> Jiajia
>>
>> -----Original Message-----
>> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
>> Sent: Friday, May 5, 2017 11:41 PM
>> To: Li, Jiajia <jiajia...@intel.com>
>> Cc: kerby@directory.apache.org; Zheng, Kai <kai.zh...@intel.com>; mailto:m.c.delig...@xs4all.nl <m.c.delig...@xs4all.nl>
>> Subject: Re: MIT Kerberos compatibility
>>
>> Sorry, it was my error, UDP was actually enabled there. But why am I still
>> seeing that error message?
>>
>> Colm.
>>
>>> On Fri, May 5, 2017 at 4:39 PM, Li, Jiajia <jiajia...@intel.com> wrote:
>>>
>>> Hi Colm,
>>> I also test the Kerby KDC with kerby kinit and MIT kinit, and only
>>> listen the tcp port (disable udp), both got ticket successfully. But I
>>> don't get the error message. Both krb.conf and kdc.conf should set udp
>>> to be false, udp is enabled in default.
>>>
>>> Thanks
>>> Jiajia
>>>
>>> -----Original Message-----
>>> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
>>> Sent: Friday, May 5, 2017 11:34 PM
>>> To: kerby@directory.apache.org
>>> Cc: Zheng, Kai <kai.zh...@intel.com>; mailto:m.c.delig...@xs4all.nl <m.c.delig...@xs4all.nl>
>>> Subject: Re: MIT Kerberos compatibility
>>>
>>> Hi Jiajia,
>>>
>>> If UDP is disabled and we don't use Netty, I can get a token
>>> successfully via kinit. However I then see an error message in the Kerby console:
>>>
>>> Exception in thread "Thread-1" java.lang.RuntimeException: Error
>>> occured while checking udp connections
>>> at
>>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
>>> KdcNetwork.java:105)
>>> at
>>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
>>> access$000(KdcNetwork.java:39)
>>> at
>>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.
>>> run(KdcNetwork.java:75)
>>> at java.lang.Thread.run(Thread.java:748)
>>> Caused by: java.nio.channels.ClosedChannelException
>>> at
>>> sun.nio.ch.DatagramChannelImpl.ensureOpen(DatagramChannelImpl.java:320)
>>> at sun.nio.ch.DatagramChannelImpl.receive(
>>> DatagramChannelImpl.java:331)
>>> at
>>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
>>> checkUdpMessage(KdcNetwork.java:132)
>>> at
>>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
>>> KdcNetwork.java:101)
>>>
>>> I'm not sure why we are seeing UDP errors when it's disabled?
>>>
>>> Colm.
>>>
>>>> On Fri, May 5, 2017 at 3:57 PM, Li, Jiajia <jiajia...@intel.com> wrote:
>>>>
>>>> Hi Colm,
>>>> The shell client can't connect to kdc if the UDP is disabled.
>>>> We don't use Netty in default.
>>>> What's your test-cases? The same as the Marc's?
>>>>
>>>> Thanks
>>>> Jiajia
>>>>
>>>> -----Original Message-----
>>>> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
>>>> Sent: Friday, May 5, 2017 10:09 PM
>>>> To: kerby@directory.apache.org
>>>> Cc: Zheng, Kai <kai.zh...@intel.com>; mailto:m.c.delig...@xs4all.nl <m.c.delig...@xs4all.nl>
>>>> Subject: Re: MIT Kerberos compatibility
>>>>
>>>> Hi Jiajia,
>>>>
>>>> What are the issues if UDP is disabled and we don't use Netty? I
>>>> tried doing this with my own test-cases and it didn't work, so it
>>>> would be good to get this fixed soon.
>>>>
>>>> Colm.
>>>>
>>>> On Fri, May 5, 2017 at 2:46 PM, Li, Jiajia <jiajia...@intel.com> wrote:
>>>>
>>>>> Hi Marc,
>>>>>>>> - your KRB5 tracing looks quite different. What OS and
>>>>>>>> mit-kerberos version did you use?
>>>>> I use mac os and the python version is 2.7.10
>>>>>
>>>>>>>> - your KRB5 tracing shows UDP comms between kerberos client and
>>>>>>>> KDC, despite the allowUDP = false setting
>>>>>>>> in my test.
>>>>>>>> I did this setting because I get different
>>>>>>>> problems without it, see the additional logs below. So,
>>>>>>>> we must also be aware of networking problems at my side.
>>>>> I enable the UDP and use netty network, there are some issues if
>>>>> UDP disabled, you can create a JIRA for this and we can fix this
>>>>> issue in the next release version.
>>>>>
>>>>> The changes in my side as following:
>>>>>
>>>>> protected boolean allowUdp() {
>>>>>     return true;
>>>>> }
>>>>> @Override
>>>>> protected void prepareKdc() throws KrbException {
>>>>>     getKdcServer().setInnerKdcImpl(
>>>>>         new NettyKdcServerImpl(getKdcServer().getKdcSetting()));
>>>>>     super.prepareKdc();
>>>>> }
>>>>>
>>>>> Here is log of MitIssueTest:
>>>>> [INFO] Running org.apache.kerby.kerberos.kerb.server.MitIssueTest
>>>>> [nioEventLoopGroup-2-1] INFO
>>>>> io.netty.handler.logging.LoggingHandler
>>>>> -
>>>>> [id: 0x2634fe6b] REGISTERED
>>>>> [nioEventLoopGroup-2-1] INFO
>>>>> io.netty.handler.logging.LoggingHandler
>>>>> -
>>>>> [id: 0x2634fe6b] BIND(0.0.0.0/0.0.0.0:53957)
>>>>> [nioEventLoopGroup-2-1] INFO
>>>>> io.netty.handler.logging.LoggingHandler -
>>>>> [id: 0x2634fe6b, /0:0:0:0:0:0:0:0:53957] ACTIVE [main] INFO
>>>>> org.apache.kerby.kerberos.kdc.impl.NettyKdcServerImpl - Netty kdc
>>>>> server started.
>>>>> [nioEventLoopGroup-2-1] INFO
>>>>> io.netty.handler.logging.LoggingHandler
>>>>> -
>>>>> [id: 0x2634fe6b, /0:0:0:0:0:0:0:0:53957] RECEIVED: [id:
>>>>> 0xdac7228b, /
>>>>> 127.0.0.1:53961 => /127.0.0.1:53957]
>>>>> [defaultEventExecutorGroup-4-1] INFO
>>>>> org.apache.kerby.kerberos.kerb.server.request.AsRequest
>>>>> - AS_REQ ISSUE: authtime 1493991123792,dran...@test.com for
>>>>> krbtgt/ test....@test.com [main] INFO
>>>>> org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClien
>>>>> t
>>>>> - Send to kdc success.
>>>>> [main] INFO org.apache.kerby.kerberos.kerb.client.KrbClientBase -
>>>>> Storing the tgt to the credential cache file.
>>>>> [nioEventLoopGroup-5-1] INFO
>>>>> org.apache.kerby.kerberos.kerb.server.request.KdcRequest
>>>>> - The preauth data is empty.
>>>>> [nioEventLoopGroup-5-1] INFO
>>>>> org.apache.kerby.kerberos.kerb.server.KdcHandler
>>>>> - KRB error occurred while processing request:Additional
>>>>> pre-authentication required [nioEventLoopGroup-5-1] INFO
>>>>> org.apache.kerby.kerberos.kerb.server.request.AsRequest
>>>>> - AS_REQ ISSUE: authtime
>>>>> 1493991123859,test-service/localh...@test.com
>>>>> for krbtgt/test....@test.com
>>>>> [nioEventLoopGroup-5-1] INFO
>>>>> org.apache.kerby.kerberos.kerb.server.request.TgsRequest
>>>>> - TGS_REQ ISSUE: authtime 1493991142850,drankye for test-service/
>>>>> localh...@test.com
>>>>>
>>>>> Thanks
>>>>> Jiajia
>>>>>
>>>>> -----Original Message-----
>>>>> From: Zheng, Kai
>>>>> Sent: Friday, May 5, 2017 7:46 PM
>>>>> To: kerby@directory.apache.org; Li, Jiajia <jiajia...@intel.com>
>>>>> Subject: RE: MIT Kerberos compatibility
>>>>>
>>>>> Hi Marc,
>>>>>
>>>>> Looks like this is quite environment related, could you fire an
>>>>> issue for this? I would suggest we target it to 1.1.0, which can
>>>>> be done in June.
>>>>>
>>>>> Regards,
>>>>> Kai
>>>>>
>>>>> -----Original Message-----
>>>>> From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl]
>>>>> Sent: Friday, May 05, 2017 4:44 PM
>>>>> To: Li, Jiajia <jiajia...@intel.com>
>>>>> Cc: kerby@directory.apache.org
>>>>> Subject: Re: MIT Kerberos compatibility
>>>>>
>>>>> Hi Jiajia,
>>>>>
>>>>> Great to read that you made progress on this issue and to see a
>>>>> working config at your side. Below, I list my progress below (with
>>>>> trunk merged into my MitIssue branch), but I am afraid we are not
>>>>> done yet.
>>>>>
>>>>> Things that stand out:
>>>>>
>>>>> - the kdc decoding error is solved, relative to the logs without
>>>>> your patch
>>>>>
>>>>> - your KRB5 tracing looks quite different. What OS and
>>>>> mit-kerberos version did you use?
>>>>>
>>>>> - your KRB5 tracing shows UDP comms between kerberos client and
>>>>> KDC, despite the allowUDP = false setting in my test. I did this
>>>>> setting because I get different problems without it, see the
>>>>> additional logs below. So, we must also be aware of networking problems at my side.
>>>>>
>>>>> - the "Response was not from master KDC" msg is not relevant; it
>>>>> disappears if you manually add master_kdc to the realms section of
>>>>> the krb5.conf
>>>>>
>>>>> I have no idea how to proceed from here, so that is why I just
>>>>> document the status at my side and ask about your - apparently
>>>>> working - config.
>>>>>
>>>>> Cheers, Marc
>>>>>
>>>>>
>>>>> KDC logging with allowUDP = false:
>>>>>
>>>>> [INFO] Running org.apache.kerby.kerberos.kerb.server.MitIssueTest
>>>>> [pool-1-thread-1] INFO
>>>>> org.apache.kerby.kerberos.kerb.server.request.AsRequest - AS_REQ ISSUE:
>>>>> authtime 1493970789075,dran...@test.com for
>>>>> krbtgt/test....@test.com [main] INFO
>>>>> org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClien
>>>>> t
>>>>> - Send to kdc success.
>>>>> [main] INFO org.apache.kerby.kerberos.kerb.client.KrbClientBase -
>>>>> Storing the tgt to the credential cache file.
>>>>> [pool-1-thread-1] INFO
>>>>> org.apache.kerby.kerberos.kerb.server.request.KdcRequest - The
>>>>> preauth data is empty.
>>>>> [pool-1-thread-1] INFO
>>>>> org.apache.kerby.kerberos.kerb.server.KdcHandler
>>>>> - KRB error occurred while processing request:Additional
>>>>> pre-authentication required [pool-1-thread-1] INFO
>>>>> org.apache.kerby.kerberos.kerb.server.request.AsRequest - AS_REQ ISSUE:
>>>>> authtime 1493970789108,test-service/localh...@test.com for krbtgt/
>>>>> test....@test.com [pool-1-thread-1] INFO
>>>>> org.apache.kerby.kerberos.kerb.server.request.KdcRequest
>>>>> - Found fast padata and starting to process it.
>>>>> [pool-1-thread-1] INFO >>>>> org.apache.kerby.kerberos.kerb.server.request.KdcRequest - Found >>>>> fast padata and starting to process it. >>>>> >>>>> Python script KRB5 tracing (MIT Kerberos 1.13.2 of Ubuntu Xenial) >>>>> with allowUDP = false: >>>>> >>>>> $ . >>>>> kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/ >>>>> kerberos/kerb/server/MitIssueTest.sh >>>>> [25281] 1493970797.298753: Retrieving dran...@test.com from >>>>> FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with >> result: >>>>> 2/Key table file '/etc/krb5/user/1000/client.keytab' not found >>>>> [25281] >>>>> 1493970797.298952: Retrieving dran...@test.com from >>>>> FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with >> result: >>>>> 2/Key table file '/etc/krb5/user/1000/client.keytab' not found >>>>> [25281] >>>>> 1493970797.299106: Retrieving dran...@test.com from >>>>> FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with >> result: >>>>> 2/Key table file '/etc/krb5/user/1000/client.keytab' not found >>>>> [25281] >>>>> 1493970797.299213: Retrieving dran...@test.com from >>>>> FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with >> result: >>>>> 2/Key table file '/etc/krb5/user/1000/client.keytab' not found >>>>> [25281] >>>>> 1493970797.299323: Retrieving dran...@test.com from >>>>> FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with >> result: >>>>> 2/Key table file '/etc/krb5/user/1000/client.keytab' not found >>>>> [25281] >>>>> 1493970797.299436: Retrieving dran...@test.com from >>>>> FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with >> result: >>>>> 2/Key table file '/etc/krb5/user/1000/client.keytab' not found >>>>> [25281] >>>>> 1493970797.299545: Retrieving dran...@test.com from >>>>> FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with >> result: >>>>> 2/Key table file '/etc/krb5/user/1000/client.keytab' not found >>>>> [25281] >>>>> 1493970797.299654: Retrieving dran...@test.com from >>>>> 
FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with >> result: >>>>> 2/Key table file '/etc/krb5/user/1000/client.keytab' not found >>>>> kerberos.authGSSClientInit successful [25281] 1493970797.299922: >>>>> Getting credentials dran...@test.com -> test-service/localhost@ >>>>> using ccache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc >>>>> [25281] 1493970797.299945: Retrieving dran...@test.com -> >>>>> test-service/localhost@ from >>>>> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc >>>>> with result: >>>>> -1765328243/Matching credential not found [25281] 1493970797.299959: >>>>> Retrying dran...@test.com -> test-service/localh...@test.com with >>>> result: >>>>> -1765328243/Matching credential not found [25281] 1493970797.299962: >>>>> Server has referral realm; starting with >>>>> test-service/localh...@test.com [25281] >>>>> 1493970797.299975: Retrieving dran...@test.com -> >>>>> krbtgt/test....@test.com from >>>>> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc >>>> with result: >>>>> 0/Success [25281] 1493970797.299979: Starting with TGT for client >>> realm: >>>>> dran...@test.com -> krbtgt/test....@test.com [25281] >>> 1493970797.299981: >>>>> Requesting tickets for test-service/localh...@test.com, referrals >>>>> on [25281] 1493970797.299994: Generated subkey for TGS request: >>>>> aes128-cts/1B9B [25281] 1493970797.300009: etypes requested in TGS >>>> request: >>>>> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, >>>>> camellia256-cts [25281] 1493970797.300054: Encoding request body >>>>> and padata into FAST request [25281] 1493970797.300080: Sending >>>>> request >>>>> (823 bytes) to TEST.COM [25281] 1493970797.300091: Resolving >>>>> hostname localhost [25281] >>>>> 1493970797.300136: Initiating TCP connection to stream >>>>> 127.0.0.1:34319 >>>>> [25281] 1493970797.300191: Sending TCP request to stream >>>>> 127.0.0.1:34319 [25281] 1493970797.303610: Received answer (125 >>>>> bytes) from stream >>>>> 
127.0.0.1:34319 >>>>> [25281] 1493970797.303618: Terminating TCP connection to stream >>>>> 127.0.0.1:34319 >>>>> [25281] 1493970797.553126: Response was not from master KDC >>>>> [25281] >>>>> 1493970797.553198: TGS request result: -1765323383/Unknown code >>>>> krcM >>>>> 137 [25281] 1493970797.553234: Requesting tickets for >>>>> test-service/ localh...@test.com, referrals off [25281] >> 1493970797.553273: >>>>> Generated subkey for TGS request: aes128-cts/94C6 [25281] >>> 1493970797.553323: >>>>> etypes requested in TGS request: aes256-cts, aes128-cts, >>>>> des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts [25281] >>>>> 1493970797.553436: Encoding request body and padata into FAST >>>>> request >>>> [25281] 1493970797.553532: >>>>> Sending request (823 bytes) to TEST.COM [25281] 1493970797.553567: >>>>> Resolving hostname localhost [25281] 1493970797.553745: Initiating >>>>> TCP connection to stream >>>>> 127.0.0.1:34319 >>>>> [25281] 1493970797.553889: Sending TCP request to stream >>>>> 127.0.0.1:34319 [25281] 1493970797.558297: Received answer (125 >>>>> bytes) from stream >>>>> 127.0.0.1:34319 >>>>> [25281] 1493970797.558318: Terminating TCP connection to stream >>>>> 127.0.0.1:34319 >>>>> [25281] 1493970797.561189: Response was not from master KDC >>>>> [25281] >>>>> 1493970797.561258: TGS request result: -1765323383/Unknown code >>>>> krcM >>>>> 137 ('First kerberos.authGSSClientStep not successful', >>>>> GSSError(('Unspecified GSS failure. 
Minor code may provide more >>>>> information', 851968), ('Unknown code krcM 137', -1765323383))) >>>>> >>>>> >>>>> KDC logging with allowUDP = true: >>>>> >>>>> [INFO] Running org.apache.kerby.kerberos.kerb.server.MitIssueTest >>>>> [pool-1-thread-1] INFO >>>>> org.apache.kerby.kerberos.kerb.server.request.AsRequest - AS_REQ >>> ISSUE: >>>>> authtime 1493972505784,dran...@test.com for >>>>> krbtgt/test....@test.com [main] INFO >>>>> org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClien >>>>> t >>>>> - Send to kdc success. >>>>> [main] INFO org.apache.kerby.kerberos.kerb.client.KrbClientBase - >>>>> Storing the tgt to the credential cache file. >>>>> [pool-1-thread-1] INFO >>>>> org.apache.kerby.kerberos.kerb.server.request.KdcRequest - The >>>>> preauth data is empty. >>>>> [pool-1-thread-1] INFO >>>>> org.apache.kerby.kerberos.kerb.server.KdcHandler >>>>> - KRB error occurred while processing request:Additional >>>>> pre-authentication required [pool-1-thread-2] INFO >>>>> org.apache.kerby.kerberos.kerb.server.request.AsRequest - AS_REQ >>> ISSUE: >>>>> authtime 1493972505948,test-service/localh...@test.com for krbtgt/ >>>>> test....@test.com Exception in thread "Thread-0" >>>>> java.lang.RuntimeException: Error occured while checking udp >>> connections >>>>> at >>>>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run( >>>>> KdcNetwork.java:105) >>>>> at >>>>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork. >>>>> access$000(KdcNetwork.java:39) >>>>> at >>>>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1. >>>>> run(KdcNetwork.java:75) >>>>> at java.lang.Thread.run(Thread.java:748) >>>>> Caused by: java.nio.channels.ClosedChannelException >>>>> at >>>>> sun.nio.ch.DatagramChannelImpl.ensureOpen( >>> DatagramChannelImpl.java:320) >>>>> at sun.nio.ch.DatagramChannelImpl.receive( >>>>> DatagramChannelImpl.java:331) >>>>> at >>>>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork. 
>>>>> checkUdpMessage(KdcNetwork.java:132)
>>>>> at
>>>>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
>>>>> KdcNetwork.java:101)
>>>>> ... 3 more
>>>>>
>>>>>
>>>>> krb5.conf:
>>>>>
>>>>> [libdefaults]
>>>>>     kdc_realm = TEST.COM
>>>>>     default_realm = TEST.COM
>>>>>     udp_preference_limit = 4096
>>>>>     kdc_tcp_port = 37080
>>>>>     kdc_udp_port = 36525
>>>>>
>>>>> [realms]
>>>>>     TEST.COM = {
>>>>>         kdc = localhost:36525
>>>>>     }
>>>>>
>>>>> And port 36525 does not show up in `netstat -l` (while 37080 does)
>>>>>
>>>>>
>>>>> On 04-05-17 at 14:55, Li, Jiajia wrote:
>>>>>> Hi Marc,
>>>>>> I try to run your test (through applying your patch in the trunk), I
>>>>>> think it's success now. Could you take some time to check about it?
>>>>>> Here is the log:
>>>>>>
>>>>>> directory-kerby git:(trunk) ? .
>>>>>> kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/MitIssueTest.sh
>>>>>> kerberos.authGSSClientInit successful
>>>>>> 2017-05-04T20:44:06 set-error: -1765328234: entypes not
>>>>>> supported
>>>>>> 2017-05-04T20:44:06 set-error: -1765328243: Did not find
>>>>>> credential for krb5_ccache_conf_data/realm-config@X-CACHECONF:
>>>>>> in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
>>>>>> 2017-05-04T20:44:06 set-error: -1765328243: Did not find
>>>>>> credential for test-service/localh...@test.com in cache
>>>>>> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
>>>>>> 2017-05-04T20:44:06 set-error: -1765328243: Did not find
>>>>>> credential for
>>>>>> krb5_ccache_conf_data/negative-cache/test-service\134/localhost\134@TEST.COM@X-CACHECONF: in cache
>>>>>> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
>>>>>> 2017-05-04T20:44:06 set-error: -1765328243: Did not find
>>>>>> credential for krb5_ccache_conf_data/lkdc-hostname@X-CACHECONF:
>>>>>> in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
>>>>>> 2017-05-04T20:44:06 set-error:
-1765328243: Did not find >>>>>> credential for krb5_ccache_conf_data/sitename@X-CACHECONF: in >>>>>> cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc >>>>>> 2017-05-04T20:44:06 set-error: -1765328243: Did not find >>>>>> credential for test-service/localh...@test.com in cache >>>>>> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc >>>>>> 2017-05-04T20:44:06 set-error: -1765328234: Encryption type >>>>>> des-cbc-md5-deprecated not supported >>>>>> 2017-05-04T20:44:06 set-error: -1765328234: Encryption type >>>>>> des-cbc-md4-deprecated not supported >>>>>> 2017-05-04T20:44:06 set-error: -1765328234: Encryption type >>>>>> des-cbc-crc-deprecated not supported >>>>>> 2017-05-04T20:44:06 Trying to find service kdc for realm >>>>>> TEST.COM flags 0 >>>>>> 2017-05-04T20:44:06 configuration file for realm TEST.COM found >>>>>> 2017-05-04T20:44:06 submissing new requests to new host >>>>>> 2017-05-04T20:44:06 host_create: setting hostname localhost >>>>>> 2017-05-04T20:44:06 connecting to host: udp ::1:52534 >>>>>> (localhost) >>> tid: >>>>>> 00000001 >>>>>> 2017-05-04T20:44:06 host_create: setting hostname localhost >>>>>> 2017-05-04T20:44:06 Queuing host in future (in 3s), its the 2 >>>>>> address on the same name: udp 127.0.0.1:52534 (localhost) tid: >>>>>> 00000002 >>>>>> 2017-05-04T20:44:06 writing packet: udp ::1:52534 (localhost) tid: >>>>>> 00000001 >>>>>> 2017-05-04T20:44:06 reading packet: udp ::1:52534 (localhost) tid: >>>>>> 00000001 >>>>>> 2017-05-04T20:44:06 host completed: udp ::1:52534 (localhost) tid: >>>>>> 00000001 >>>>>> 2017-05-04T20:44:06 krb5_sendto_context TEST.COM done: 0 hosts 1 >>>>>> packets 1 wc: 0.048927 nr: 0.000932 kh: 0.000814 tid: 00000002 >>>>>> 2017-05-04T20:44:06 tkt: extract key 17/763641F3 >>>>>> 2017-05-04T20:44:06 set-error: -1765328353: Decrypt integrity >>>>>> check failed for checksum type hmac-sha1-96-aes128, key type >>>>>> aes128-cts-hmac-sha1-96 >>>>>> 2017-05-04T20:44:06 tkt: extract key 17/3084A95C >>>>>> 
2017-05-04T20:44:06 krb5_get_credentials_with_flags: TEST.COM wc:
>>>>>> 0.050317
>>>>>> 2017-05-04T20:44:06 set-error: -1765328243: Did not find
>>>>>> credential for krb5_ccache_conf_data/realm-config@X-CACHECONF:
>>>>>> in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
>>>>>> 2017-05-04T20:44:06 set-error: -1765328243: Did not find
>>>>>> credential for
>>>>>> krb5_ccache_conf_data/time-offset/test-service\134/localhost\134@TEST.
>>>>>> COM@X-CACHECONF: in cache
>>>>>> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
>>>>>> 2017-05-04T20:44:06 Setting up PFS for auth context
>>>>>> 2017-05-04T20:44:06 set-error: -1765328234: Encryption type
>>>>>> des-cbc-md5-deprecated not supported
>>>>>> 2017-05-04T20:44:06 set-error: -1765328234: Encryption type
>>>>>> des-cbc-md4-deprecated not supported
>>>>>> 2017-05-04T20:44:06 set-error: -1765328234: Encryption type
>>>>>> des-cbc-crc-deprecated not supported First
>>>>>> kerberos.authGSSClientStep successful
>>>>>>
>>>>>> Thanks
>>>>>> Jiajia
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Zheng, Kai [mailto:kai.zh...@intel.com]
>>>>>> Sent: Wednesday, May 3, 2017 7:29 PM
>>>>>> To: kerby@directory.apache.org
>>>>>> Subject: RE: MIT Kerberos compatibility
>>>>>>
>>>>>> Hi Marc,
>>>>>>
>>>>>> In case you're not aware of this, please check out the latest
>>>>>> fix made by Jiajia. We thought your case may be different, but would be
>>>>>> good to have a check before we can repeat/fix your case. Thanks.
>>>>>> https://issues.apache.org/jira/browse/DIRKRB-625
>>>>>>
>>>>>> Regards,
>>>>>> Kai
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl]
>>>>>> Sent: Sunday, April 30, 2017 7:45 PM
>>>>>> To: kerby@directory.apache.org
>>>>>> Subject: Re: MIT Kerberos compatibility
>>>>>>
>>>>>> Hi Kai,
>>>>>>
>>>>>> The terminal output below is for the latest MIT Kerberos 1.15.1
>>>>>> (locally built on Ubuntu Xenial).
>>>>>> Before that, I also tested with the
>>>>>> default Xenial MIT Kerberos packages (1.13.2), with the same
>>>>>> result. I did not try earlier MIT Kerberos versions.
>>>>>>
>>>>>> Marc
>>>>>>
>>>>>> On 29-04-17 at 21:42, Marc de Lignie wrote:
>>>>>>> Hi Kai,
>>>>>>>
>>>>>>> Thanks for the response. I prepared a minimal config that
>>>>>>> reproduces my problem.
>>>>>>>
>>>>>>> You can fetch the branch/commit from:
>>>>>>> https://github.com/vtslab/directory-kerby/commits/MitIssue
>>>>>>>
>>>>>>> This is relative to RC2, but I also tried this on trunk for my
>>>>>>> actual project.
>>>>>>>
>>>>>>> This config produces the debug and error messages below.
>>>>>>>
>>>>>>> 1. For the terminal with the bash + python script
>>>>>>> $ klist
>>>>>>> Ticket cache: FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
>>>>>>> Default principal: dran...@test.com
>>>>>>>
>>>>>>> Valid starting Expires Service principal
>>>>>>> 29-04-17 21:07:39 30-04-17 05:07:39 krbtgt/test....@test.com
>>>>>>> renew until 29-04-17 21:07:39
>>>>>>>
>>>>>>> $ .
>>>>>>> kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerbero >>>>>>> s/ ke rb / server/MitIssueTest.sh [15538] 1493491231.917606: >>>>>>> Retrieving dran...@test.com from >>>>>>> FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with >>>>>>> result: >>>>>>> 2/Key table file '/etc/krb5/user/1000/client.keytab' not found >>>>>>> [15538] >>>>>>> 1493491231.917827: Retrieving dran...@test.com from >>>>>>> FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with >>>> result: >>>>>>> 2/Key table file '/etc/krb5/user/1000/client.keytab' not found >>>>>>> kerberos.authGSSClientInit successful [15538] 1493491231.918185: >>>>>>> Getting credentials dran...@test.com -> test-service/localhost@ >>>>>>> using ccache >>>>>>> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc >>>>>>> [15538] 1493491231.918210: Retrieving dran...@test.com -> >>>>>>> test-service/localhost@ from >>>>>>> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc with result: >>>>>>> -1765328243/Matching credential not found (filename: >>>>>>> kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc) >>>>>>> [15538] 1493491231.918226: Retrying dran...@test.com -> >>>>>>> test-service/localh...@test.com with result: >>>>>>> -1765328243/Matching credential not found (filename: >>>>>>> kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc) >>>>>>> [15538] 1493491231.918229: Server has referral realm; starting >>>>>>> with test-service/localh...@test.com [15538] 1493491231.918278: >>>>>>> Retrieving dran...@test.com -> krbtgt/test....@test.com from >>>>>>> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc with result: >>>>>>> 0/Success >>>>>>> [15538] 1493491231.918281: Starting with TGT for client realm: >>>>>>> dran...@test.com -> krbtgt/test....@test.com [15538] >>>>>>> 1493491231.918301: Requesting tickets for >>>>>>> test-service/localh...@test.com, referrals on [15538] >>>>>>> 1493491231.918326: Generated subkey for TGS request: >>>>>>> aes128-cts/FA30 >>>>>>> [15538] 1493491231.918359: 
etypes requested in TGS request: >>>>>>> aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, >>>>>>> des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts >>>>>>> [15538] >>> 1493491231.918484: >>>>>>> Encoding request body and padata into FAST request [15538] >>>>>>> 1493491231.918541: Sending request (836 bytes) to TEST.COM >>>>>>> [15538] >>>>>>> 1493491231.918597: Resolving hostname localhost [15538] >>>>>>> 1493491231.918703: Initiating TCP connection to stream >>>>>>> 127.0.0.1:44292 >>>>>>> [15538] 1493491231.918777: Sending TCP request to stream >>>>>>> 127.0.0.1:44292 [15538] 1493491231.922803: TCP error receiving >>>>>>> from stream >>>>>>> 127.0.0.1:44292: 104/Connection reset by peer [15538] >>>>>>> 1493491231.922812: Terminating TCP connection to stream >>>>>>> 127.0.0.1:44292 >>>>>>> [15538] 1493491231.922858: Sending initial UDP request to dgram >>>>>>> 127.0.0.1:44292 >>>>>>> ('First kerberos.authGSSClientStep not successful', >>>>>>> GSSError(('Unspecified GSS failure. Minor code may provide >>>>>>> more information', 851968), ("Cannot contact any KDC for realm >>>>>>> 'TEST.COM'", >>>>>>> -1765328228))) >>>>>>> >>>>>>> 2. For the terminal that runs mvn clean test >>>>>>> -Dtest=MitIssueTest Running >>>>>>> org.apache.kerby.kerberos.kerb.server.MitIssueTest >>>>>>> 2017-04-29 21:07:39,182 DEBUG [main] backend. >>> AbstractIdentityBackend: >>>>>>> initialize called >>>>>>> 2017-04-29 21:07:39,195 DEBUG [main] backend. >>> AbstractIdentityBackend: >>>>>>> getIdentity called, principalName = krbtgt/test....@test.com >>>>>>> 2017-04-29 21:07:39,195 DEBUG [main] backend. >>> AbstractIdentityBackend: >>>>>>> getIdentity failed, principalName = krbtgt/test....@test.com >>>>>>> 2017-04-29 21:07:39,212 DEBUG [main] backend. >>> AbstractIdentityBackend: >>>>>>> addIdentity successful, principalName = >>>>>>> krbtgt/test....@test.com >>>>>>> 2017-04-29 21:07:39,212 DEBUG [main] backend. 
>>> AbstractIdentityBackend: >>>>>>> getIdentity called, principalName = kadmin/test....@test.com >>>>>>> 2017-04-29 21:07:39,212 DEBUG [main] backend. >>> AbstractIdentityBackend: >>>>>>> getIdentity failed, principalName = kadmin/test....@test.com >>>>>>> 2017-04-29 21:07:39,213 DEBUG [main] backend. >>> AbstractIdentityBackend: >>>>>>> addIdentity successful, principalName = >>>>>>> kadmin/test....@test.com >>>>>>> 2017-04-29 21:07:39,216 DEBUG [main] backend. >>> AbstractIdentityBackend: >>>>>>> start called >>>>>>> 2017-04-29 21:07:39,232 DEBUG [main] backend. >>> AbstractIdentityBackend: >>>>>>> addIdentity successful, principalName = >>>>>>> test-service/localh...@test.com >>>>>>> 2017-04-29 21:07:39,425 DEBUG [main] backend. >>> AbstractIdentityBackend: >>>>>>> addIdentity successful, principalName = dran...@test.com >>>>>>> 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1] >>>>>>> backend.AbstractIdentityBackend: getIdentity called, >>>>>>> principalName = krbtgt/test....@test.com >>>>>>> 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1] >>>>>>> backend.AbstractIdentityBackend: getIdentity successful, >>>>>>> principalName = krbtgt/test....@test.com >>>>>>> 2017-04-29 21:07:39,465 INFO [pool-1-thread-1] >> request.KdcRequest: >>>>>>> Client entry is empty. 
>>>>>>> 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = dran...@test.com
>>>>>>> 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = dran...@test.com
>>>>>>> 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = krbtgt/test....@test.com
>>>>>>> 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = krbtgt/test....@test.com
>>>>>>> 2017-04-29 21:07:39,476 DEBUG [pool-1-thread-1] impl.DefaultKdcHandler: Transport or decoding error occurred, disconnecting abnormally
>>>>>>> java.io.EOFException
>>>>>>>     at java.io.DataInputStream.readInt(DataInputStream.java:392)
>>>>>>>     at org.apache.kerby.kerberos.kerb.transport.KrbTcpTransport.receiveMessage(KrbTcpTransport.java:54)
>>>>>>>     at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:46)
>>>>>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>>>     at java.lang.Thread.run(Thread.java:748)
>>>>>>> 2017-04-29 21:07:39,477 INFO [main] client.KrbClientBase: Storing the tgt to the credential cache file.
>>>>>>> 2017-04-29 21:07:39,491 DEBUG [main] backend.AbstractIdentityBackend: getIdentity called, principalName = test-service/localh...@test.com
>>>>>>> 2017-04-29 21:07:39,491 DEBUG [main] backend.AbstractIdentityBackend: getIdentity successful, principalName = test-service/localh...@test.com
>>>>>>> 2017-04-29 21:07:39,498 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = krbtgt/test....@test.com
>>>>>>> 2017-04-29 21:07:39,498 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = krbtgt/test....@test.com
>>>>>>> 2017-04-29 21:07:39,498 INFO [pool-1-thread-1] request.KdcRequest: Client entry is empty.
>>>>>>> 2017-04-29 21:07:39,499 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = test-service/localh...@test.com
>>>>>>> 2017-04-29 21:07:39,499 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = test-service/localh...@test.com
>>>>>>> 2017-04-29 21:07:39,499 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = krbtgt/test....@test.com
>>>>>>> 2017-04-29 21:07:39,499 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = krbtgt/test....@test.com
>>>>>>> 2017-04-29 21:07:39,499 INFO [pool-1-thread-1] request.KdcRequest: The preauth data is empty.
>>>>>>> 2017-04-29 21:07:39,501 INFO [pool-1-thread-1] server.KdcHandler: KRB error occurred while processing request:Additional pre-authentication required
>>>>>>> 2017-04-29 21:07:39,502 DEBUG [pool-1-thread-1] impl.DefaultKdcHandler: Transport or decoding error occurred, disconnecting abnormally
>>>>>>> java.io.EOFException
>>>>>>>     at java.io.DataInputStream.readInt(DataInputStream.java:392)
>>>>>>>     at org.apache.kerby.kerberos.kerb.transport.KrbTcpTransport.receiveMessage(KrbTcpTransport.java:54)
>>>>>>>     at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:46)
>>>>>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>>>     at java.lang.Thread.run(Thread.java:748)
>>>>>>> 2017-04-29 21:07:39,505 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = krbtgt/test....@test.com
>>>>>>> 2017-04-29 21:07:39,505 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = krbtgt/test....@test.com
>>>>>>> 2017-04-29 21:07:39,505 INFO [pool-1-thread-1] request.KdcRequest: Client entry is empty.
>>>>>>> 2017-04-29 21:07:39,506 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = test-service/localh...@test.com
>>>>>>> 2017-04-29 21:07:39,506 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = test-service/localh...@test.com
>>>>>>> 2017-04-29 21:07:39,506 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = krbtgt/test....@test.com
>>>>>>> 2017-04-29 21:07:39,506 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = krbtgt/test....@test.com
>>>>>>> 2017-04-29 21:07:39,510 DEBUG [pool-1-thread-1] impl.DefaultKdcHandler: Transport or decoding error occurred, disconnecting abnormally
>>>>>>> java.io.EOFException
>>>>>>>     at java.io.DataInputStream.readInt(DataInputStream.java:392)
>>>>>>>     at org.apache.kerby.kerberos.kerb.transport.KrbTcpTransport.receiveMessage(KrbTcpTransport.java:54)
>>>>>>>     at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:46)
>>>>>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>>>     at java.lang.Thread.run(Thread.java:748)
>>>>>>> 2017-04-29 21:07:55,602 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = krbtgt/test....@test.com
>>>>>>> 2017-04-29 21:07:55,602 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = krbtgt/test....@test.com
>>>>>>> 2017-04-29 21:07:55,602 INFO [pool-1-thread-1] request.KdcRequest: Found fast padata and start to process it.
>>>>>>> 2017-04-29 21:07:55,603 ERROR [pool-1-thread-1] impl.DefaultKdcHandler: Error occured while processing request:
>>>>>>> org.apache.kerby.kerberos.kerb.KrbException: Decoding failed
>>>>>>>     at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)
>>>>>>>     at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
>>>>>>>     at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast(KdcRequest.java:208)
>>>>>>>     at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.process(KdcRequest.java:168)
>>>>>>>     at org.apache.kerby.kerberos.kerb.server.KdcHandler.handleMessage(KdcHandler.java:115)
>>>>>>>     at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.handleMessage(DefaultKdcHandler.java:67)
>>>>>>>     at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:52)
>>>>>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>>>     at java.lang.Thread.run(Thread.java:748)
>>>>>>> Caused by: java.io.IOException: Unexpected item context [0] [tag=0xA0, off=0, len=3+207], expecting 0x30
>>>>>>>     at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:210)
>>>>>>>     at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:197)
>>>>>>>     at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:83)
>>>>>>>     ... 9 more
>>>>>>> 2017-04-29 21:07:55,604 DEBUG [pool-1-thread-1] impl.DefaultKdcHandler: Transport or decoding error occurred, disconnecting abnormally
>>>>>>> java.net.SocketException: Socket closed
>>>>>>>     at java.net.SocketInputStream.socketRead0(Native Method)
>>>>>>>     at java.net.SocketInputStream.socketRead(SocketInputStream.java:116)
>>>>>>>     at java.net.SocketInputStream.read(SocketInputStream.java:171)
>>>>>>>     at java.net.SocketInputStream.read(SocketInputStream.java:141)
>>>>>>>     at java.net.SocketInputStream.read(SocketInputStream.java:224)
>>>>>>>     at java.io.DataInputStream.readInt(DataInputStream.java:387)
>>>>>>>     at org.apache.kerby.kerberos.kerb.transport.KrbTcpTransport.receiveMessage(KrbTcpTransport.java:54)
>>>>>>>     at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:46)
>>>>>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>>>     at java.lang.Thread.run(Thread.java:748)
>>>>>>>
>>>>>>> In a FreeIPA environment these python lines "just" work.
>>>>>>>
>>>>>>> Any suggestions are welcome!
>>>>>>>
>>>>>>> Marc
>>>>>>>
>>>>>> --
>>>>>> Marc de Lignie
>>>>
>>>> --
>>>> Colm O hEigeartaigh
>>>>
>>>> Talend Community Coder
>>>> http://coders.talend.com