I haven't repeated the issue but revisited the codes again and made improvements. Would you check it out? Thanks!
Sent from iPhone

> On May 6, 2017, at 6:28 AM, Zheng, Kai <kai.zh...@intel.com> wrote:
>
> Thanks Colm for the clarification and it sounds like an issue we need to address.
> I will investigate it soon.
>
> Sent from iPhone
>
>> On May 6, 2017, at 2:14 AM, Colm O hEigeartaigh <cohei...@apache.org> wrote:
>>
>> Hi Kai,
>>
>> If I enable UDP with the default Transport, I can get a ticket fine using
>> kinit. However then the following error pops up in the window I'm running
>> Kerby in (as a test):
>>
>> Exception in thread "Thread-1" java.lang.RuntimeException: Error occured while checking udp connections
>>     at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(KdcNetwork.java:105)
>>     at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.access$000(KdcNetwork.java:39)
>>     at org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.run(KdcNetwork.java:75)
>>     at java.lang.Thread.run(Thread.java:748)
>> Caused by: java.nio.channels.ClosedChannelException
>>     at sun.nio.ch.DatagramChannelImpl.ensureOpen(DatagramChannelImpl.java:320)
>>     at sun.nio.ch.DatagramChannelImpl.receive(DatagramChannelImpl.java:331)
>>     at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.checkUdpMessage(KdcNetwork.java:132)
>>     at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(KdcNetwork.java:101)
>>
>> Colm.
>>
>>> On Fri, May 5, 2017 at 5:56 PM, Zheng, Kai <kai.zh...@intel.com> wrote:
>>>
>>> Colm, did you see udp problem now instead? I'm a little confused. Udp is
>>> sure supported but may not be enabled by default, which should be okay,
>>> imo. Thanks.
>>>
>>> Sent from iPhone
>>>
>>>> On May 6, 2017, at 12:02 AM, Colm O hEigeartaigh <cohei...@apache.org> wrote:
>>>>
>>>> That's probably it. Why does the default transport not support UDP in Kerby?
>>>>
>>>> Colm.
>>>>
>>>>> On Fri, May 5, 2017 at 4:54 PM, Li, Jiajia <jiajia...@intel.com> wrote:
>>>>>
>>>>> Are you sure add kdc_allow_udp = false in kdc.conf?
>>>>>
>>>>> Thanks
>>>>> Jiajia
>>>>>
>>>>> -----Original Message-----
>>>>> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
>>>>> Sent: Friday, May 5, 2017 11:41 PM
>>>>> To: Li, Jiajia <jiajia...@intel.com>
>>>>> Cc: kerby@directory.apache.org; Zheng, Kai <kai.zh...@intel.com>; mailto:m.c.delig...@xs4all.nl <m.c.delig...@xs4all.nl>
>>>>> Subject: Re: MIT Kerberos compatibility
>>>>>
>>>>> Sorry, it was my error, UDP was actually enabled there. But why am I still
>>>>> seeing that error message?
>>>>>
>>>>> Colm.
>>>>>
>>>>>> On Fri, May 5, 2017 at 4:39 PM, Li, Jiajia <jiajia...@intel.com> wrote:
>>>>>>
>>>>>> Hi Colm,
>>>>>> I also test the Kerby KDC with kerby kinit and MIT kinit, and only
>>>>>> listen the tcp port (disable udp), both got ticket successfully. But I
>>>>>> don't get the error message. Both krb.conf and kdc.conf should set udp
>>>>>> to be false, udp is enabled in default.
>>>>>>
>>>>>> Thanks
>>>>>> Jiajia
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
>>>>>> Sent: Friday, May 5, 2017 11:34 PM
>>>>>> To: kerby@directory.apache.org
>>>>>> Cc: Zheng, Kai <kai.zh...@intel.com>; mailto:m.c.delig...@xs4all.nl <m.c.delig...@xs4all.nl>
>>>>>> Subject: Re: MIT Kerberos compatibility
>>>>>>
>>>>>> Hi Jiajia,
>>>>>>
>>>>>> If UDP is disabled and we don't use Netty, I can get a token
>>>>>> successfully via kinit. However I then see an error message in the
>>>>>> Kerby console:
>>>>>>
>>>>>> Exception in thread "Thread-1" java.lang.RuntimeException: Error occured while checking udp connections
>>>>>>     at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(KdcNetwork.java:105)
>>>>>>     at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.access$000(KdcNetwork.java:39)
>>>>>>     at org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.run(KdcNetwork.java:75)
>>>>>>     at java.lang.Thread.run(Thread.java:748)
>>>>>> Caused by: java.nio.channels.ClosedChannelException
>>>>>>     at sun.nio.ch.DatagramChannelImpl.ensureOpen(DatagramChannelImpl.java:320)
>>>>>>     at sun.nio.ch.DatagramChannelImpl.receive(DatagramChannelImpl.java:331)
>>>>>>     at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.checkUdpMessage(KdcNetwork.java:132)
>>>>>>     at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(KdcNetwork.java:101)
>>>>>>
>>>>>> I'm not sure why we are seeing UDP errors when it's disabled?
>>>>>>
>>>>>> Colm.
>>>>>>
>>>>>>> On Fri, May 5, 2017 at 3:57 PM, Li, Jiajia <jiajia...@intel.com> wrote:
>>>>>>>
>>>>>>> Hi Colm,
>>>>>>> The shell client can't connect to kdc if the UDP is disabled.
>>>>>>> We don't use Netty in default.
>>>>>>> What's your test-cases? The same as the Marc's?
>>>>>>>
>>>>>>> Thanks
>>>>>>> Jiajia
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
>>>>>>> Sent: Friday, May 5, 2017 10:09 PM
>>>>>>> To: kerby@directory.apache.org
>>>>>>> Cc: Zheng, Kai <kai.zh...@intel.com>; mailto:m.c.delig...@xs4all.nl <m.c.delig...@xs4all.nl>
>>>>>>> Subject: Re: MIT Kerberos compatibility
>>>>>>>
>>>>>>> Hi Jiajia,
>>>>>>>
>>>>>>> What are the issues if UDP is disabled and we don't use Netty? I
>>>>>>> tried doing this with my own test-cases and it didn't work, so it
>>>>>>> would be good to get this fixed soon.
>>>>>>>
>>>>>>> Colm.
>>>>>>>
>>>>>>> On Fri, May 5, 2017 at 2:46 PM, Li, Jiajia <jiajia...@intel.com> wrote:
>>>>>>>
>>>>>>>> Hi Marc,
>>>>>>>>>>> - your KRB5 tracing looks quite different. What OS and mit-kerberos
>>>>>>>>>>> version did you use?
>>>>>>>> I use mac os and the python version is 2.7.10
>>>>>>>>
>>>>>>>>>>> - your KRB5 tracing shows UDP comms between kerberos client and KDC,
>>>>>>>>>>> despite the allowUDP = false setting in my test. I did this setting
>>>>>>>>>>> because I get different problems without it, see the additional logs
>>>>>>>>>>> below. So, we must also be aware of networking problems at my side.
>>>>>>>> I enable the UDP and use netty network, there are some issues if
>>>>>>>> UDP disabled, you can create a JIRA for this and we can fix this
>>>>>>>> issue in the next release version.
>>>>>>>>
>>>>>>>> The changes in my side as following:
>>>>>>>>
>>>>>>>> protected boolean allowUdp() {
>>>>>>>>     return true;
>>>>>>>> }
>>>>>>>> @Override
>>>>>>>> protected void prepareKdc() throws KrbException {
>>>>>>>>     getKdcServer().setInnerKdcImpl(
>>>>>>>>         new NettyKdcServerImpl(getKdcServer().getKdcSetting()));
>>>>>>>>     super.prepareKdc();
>>>>>>>> }
>>>>>>>>
>>>>>>>> Here is log of MitIssueTest:
>>>>>>>> [INFO] Running org.apache.kerby.kerberos.kerb.server.MitIssueTest
>>>>>>>> [nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler - [id: 0x2634fe6b] REGISTERED
>>>>>>>> [nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler - [id: 0x2634fe6b] BIND(0.0.0.0/0.0.0.0:53957)
>>>>>>>> [nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler - [id: 0x2634fe6b, /0:0:0:0:0:0:0:0:53957] ACTIVE
>>>>>>>> [main] INFO org.apache.kerby.kerberos.kdc.impl.NettyKdcServerImpl - Netty kdc server started.
>>>>>>>> [nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler - [id: 0x2634fe6b, /0:0:0:0:0:0:0:0:53957] RECEIVED: [id: 0xdac7228b, /127.0.0.1:53961 => /127.0.0.1:53957]
>>>>>>>> [defaultEventExecutorGroup-4-1] INFO org.apache.kerby.kerberos.kerb.server.request.AsRequest - AS_REQ ISSUE: authtime 1493991123792,dran...@test.com for krbtgt/test....@test.com
>>>>>>>> [main] INFO org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClient - Send to kdc success.
>>>>>>>> [main] INFO org.apache.kerby.kerberos.kerb.client.KrbClientBase - Storing the tgt to the credential cache file.
>>>>>>>> [nioEventLoopGroup-5-1] INFO org.apache.kerby.kerberos.kerb.server.request.KdcRequest - The preauth data is empty.
>>>>>>>> [nioEventLoopGroup-5-1] INFO org.apache.kerby.kerberos.kerb.server.KdcHandler - KRB error occurred while processing request:Additional pre-authentication required
>>>>>>>> [nioEventLoopGroup-5-1] INFO org.apache.kerby.kerberos.kerb.server.request.AsRequest - AS_REQ ISSUE: authtime 1493991123859,test-service/localh...@test.com for krbtgt/test....@test.com
>>>>>>>> [nioEventLoopGroup-5-1] INFO org.apache.kerby.kerberos.kerb.server.request.TgsRequest - TGS_REQ ISSUE: authtime 1493991142850,drankye for test-service/localh...@test.com
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>> Jiajia
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Zheng, Kai
>>>>>>>> Sent: Friday, May 5, 2017 7:46 PM
>>>>>>>> To: kerby@directory.apache.org; Li, Jiajia <jiajia...@intel.com>
>>>>>>>> Subject: RE: MIT Kerberos compatibility
>>>>>>>>
>>>>>>>> Hi Marc,
>>>>>>>>
>>>>>>>> Looks like this is quite environment related, could you fire an
>>>>>>>> issue for this? I would suggest we target it to 1.1.0, which can
>>>>>>>> be done in June.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Kai
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl]
>>>>>>>> Sent: Friday, May 05, 2017 4:44 PM
>>>>>>>> To: Li, Jiajia <jiajia...@intel.com>
>>>>>>>> Cc: kerby@directory.apache.org
>>>>>>>> Subject: Re: MIT Kerberos compatibility
>>>>>>>>
>>>>>>>> Hi Jiajia,
>>>>>>>>
>>>>>>>> Great to read that you made progress on this issue and to see a
>>>>>>>> working config at your side. Below, I list my progress (with
>>>>>>>> trunk merged into my MitIssue branch), but I am afraid we are not
>>>>>>>> done yet.
>>>>>>>>
>>>>>>>> Things that stand out:
>>>>>>>>
>>>>>>>> - the kdc decoding error is solved, relative to the logs without
>>>>>>>> your patch
>>>>>>>>
>>>>>>>> - your KRB5 tracing looks quite different. What OS and
>>>>>>>> mit-kerberos version did you use?
>>>>>>>>
>>>>>>>> - your KRB5 tracing shows UDP comms between kerberos client and
>>>>>>>> KDC, despite the allowUDP = false setting in my test. I did this
>>>>>>>> setting because I get different problems without it, see the
>>>>>>>> additional logs below. So, we must also be aware of networking
>>>>>>>> problems at my side.
>>>>>>>>
>>>>>>>> - the "Response was not from master KDC" msg is not relevant; it
>>>>>>>> disappears if you manually add master_kdc to the realms section of
>>>>>>>> the krb5.conf
>>>>>>>>
>>>>>>>> I have no idea how to proceed from here, so that is why I just
>>>>>>>> document the status at my side and ask about your - apparently
>>>>>>>> working - config.
>>>>>>>>
>>>>>>>> Cheers, Marc
>>>>>>>>
>>>>>>>>
>>>>>>>> KDC logging with allowUDP = false:
>>>>>>>>
>>>>>>>> [INFO] Running org.apache.kerby.kerberos.kerb.server.MitIssueTest
>>>>>>>> [pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.request.AsRequest - AS_REQ ISSUE: authtime 1493970789075,dran...@test.com for krbtgt/test....@test.com
>>>>>>>> [main] INFO org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClient - Send to kdc success.
>>>>>>>> [main] INFO org.apache.kerby.kerberos.kerb.client.KrbClientBase - Storing the tgt to the credential cache file.
>>>>>>>> [pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.request.KdcRequest - The preauth data is empty.
>>>>>>>> [pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.KdcHandler - KRB error occurred while processing request:Additional pre-authentication required
>>>>>>>> [pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.request.AsRequest - AS_REQ ISSUE: authtime 1493970789108,test-service/localh...@test.com for krbtgt/test....@test.com
>>>>>>>> [pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.request.KdcRequest - Found fast padata and starting to process it.
>>>>>>>> [pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.request.KdcRequest - Found fast padata and starting to process it.
>>>>>>>>
>>>>>>>> Python script KRB5 tracing (MIT Kerberos 1.13.2 of Ubuntu Xenial) with allowUDP = false:
>>>>>>>>
>>>>>>>> $ .
>>>>>>>> kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/ >>>>>>>> kerberos/kerb/server/MitIssueTest.sh >>>>>>>> [25281] 1493970797.298753: Retrieving dran...@test.com from >>>>>>>> FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with >>>>> result: >>>>>>>> 2/Key table file '/etc/krb5/user/1000/client.keytab' not found >>>>>>>> [25281] >>>>>>>> 1493970797.298952: Retrieving dran...@test.com from >>>>>>>> FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with >>>>> result: >>>>>>>> 2/Key table file '/etc/krb5/user/1000/client.keytab' not found >>>>>>>> [25281] >>>>>>>> 1493970797.299106: Retrieving dran...@test.com from >>>>>>>> FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with >>>>> result: >>>>>>>> 2/Key table file '/etc/krb5/user/1000/client.keytab' not found >>>>>>>> [25281] >>>>>>>> 1493970797.299213: Retrieving dran...@test.com from >>>>>>>> FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with >>>>> result: >>>>>>>> 2/Key table file '/etc/krb5/user/1000/client.keytab' not found >>>>>>>> [25281] >>>>>>>> 1493970797.299323: Retrieving dran...@test.com from >>>>>>>> FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with >>>>> result: >>>>>>>> 2/Key table file '/etc/krb5/user/1000/client.keytab' not found >>>>>>>> [25281] >>>>>>>> 1493970797.299436: Retrieving dran...@test.com from >>>>>>>> FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with >>>>> result: >>>>>>>> 2/Key table file '/etc/krb5/user/1000/client.keytab' not found >>>>>>>> [25281] >>>>>>>> 1493970797.299545: Retrieving dran...@test.com from >>>>>>>> FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with >>>>> result: >>>>>>>> 2/Key table file '/etc/krb5/user/1000/client.keytab' not found >>>>>>>> [25281] >>>>>>>> 1493970797.299654: Retrieving dran...@test.com from >>>>>>>> FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with >>>>> result: >>>>>>>> 2/Key table file '/etc/krb5/user/1000/client.keytab' not found >>>>>>>> 
kerberos.authGSSClientInit successful [25281] 1493970797.299922: >>>>>>>> Getting credentials dran...@test.com -> test-service/localhost@ >>>>>>>> using ccache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc >>>>>>>> [25281] 1493970797.299945: Retrieving dran...@test.com -> >>>>>>>> test-service/localhost@ from >>>>>>>> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc >>>>>>>> with result: >>>>>>>> -1765328243/Matching credential not found [25281] 1493970797.299959: >>>>>>>> Retrying dran...@test.com -> test-service/localh...@test.com with >>>>>>> result: >>>>>>>> -1765328243/Matching credential not found [25281] 1493970797.299962: >>>>>>>> Server has referral realm; starting with >>>>>>>> test-service/localh...@test.com [25281] >>>>>>>> 1493970797.299975: Retrieving dran...@test.com -> >>>>>>>> krbtgt/test....@test.com from >>>>>>>> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc >>>>>>> with result: >>>>>>>> 0/Success [25281] 1493970797.299979: Starting with TGT for client >>>>>> realm: >>>>>>>> dran...@test.com -> krbtgt/test....@test.com [25281] >>>>>> 1493970797.299981: >>>>>>>> Requesting tickets for test-service/localh...@test.com, referrals >>>>>>>> on [25281] 1493970797.299994: Generated subkey for TGS request: >>>>>>>> aes128-cts/1B9B [25281] 1493970797.300009: etypes requested in TGS >>>>>>> request: >>>>>>>> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, >>>>>>>> camellia256-cts [25281] 1493970797.300054: Encoding request body >>>>>>>> and padata into FAST request [25281] 1493970797.300080: Sending >>>>>>>> request >>>>>>>> (823 bytes) to TEST.COM [25281] 1493970797.300091: Resolving >>>>>>>> hostname localhost [25281] >>>>>>>> 1493970797.300136: Initiating TCP connection to stream >>>>>>>> 127.0.0.1:34319 >>>>>>>> [25281] 1493970797.300191: Sending TCP request to stream >>>>>>>> 127.0.0.1:34319 [25281] 1493970797.303610: Received answer (125 >>>>>>>> bytes) from stream >>>>>>>> 127.0.0.1:34319 >>>>>>>> [25281] 
1493970797.303618: Terminating TCP connection to stream >>>>>>>> 127.0.0.1:34319 >>>>>>>> [25281] 1493970797.553126: Response was not from master KDC >>>>>>>> [25281] >>>>>>>> 1493970797.553198: TGS request result: -1765323383/Unknown code >>>>>>>> krcM >>>>>>>> 137 [25281] 1493970797.553234: Requesting tickets for >>>>>>>> test-service/ localh...@test.com, referrals off [25281] >>>>> 1493970797.553273: >>>>>>>> Generated subkey for TGS request: aes128-cts/94C6 [25281] >>>>>> 1493970797.553323: >>>>>>>> etypes requested in TGS request: aes256-cts, aes128-cts, >>>>>>>> des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts [25281] >>>>>>>> 1493970797.553436: Encoding request body and padata into FAST >>>>>>>> request >>>>>>> [25281] 1493970797.553532: >>>>>>>> Sending request (823 bytes) to TEST.COM [25281] 1493970797.553567: >>>>>>>> Resolving hostname localhost [25281] 1493970797.553745: Initiating >>>>>>>> TCP connection to stream >>>>>>>> 127.0.0.1:34319 >>>>>>>> [25281] 1493970797.553889: Sending TCP request to stream >>>>>>>> 127.0.0.1:34319 [25281] 1493970797.558297: Received answer (125 >>>>>>>> bytes) from stream >>>>>>>> 127.0.0.1:34319 >>>>>>>> [25281] 1493970797.558318: Terminating TCP connection to stream >>>>>>>> 127.0.0.1:34319 >>>>>>>> [25281] 1493970797.561189: Response was not from master KDC >>>>>>>> [25281] >>>>>>>> 1493970797.561258: TGS request result: -1765323383/Unknown code >>>>>>>> krcM >>>>>>>> 137 ('First kerberos.authGSSClientStep not successful', >>>>>>>> GSSError(('Unspecified GSS failure. 
Minor code may provide more information', 851968), ('Unknown code krcM 137', -1765323383)))
>>>>>>>>
>>>>>>>>
>>>>>>>> KDC logging with allowUDP = true:
>>>>>>>>
>>>>>>>> [INFO] Running org.apache.kerby.kerberos.kerb.server.MitIssueTest
>>>>>>>> [pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.request.AsRequest - AS_REQ ISSUE: authtime 1493972505784,dran...@test.com for krbtgt/test....@test.com
>>>>>>>> [main] INFO org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClient - Send to kdc success.
>>>>>>>> [main] INFO org.apache.kerby.kerberos.kerb.client.KrbClientBase - Storing the tgt to the credential cache file.
>>>>>>>> [pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.request.KdcRequest - The preauth data is empty.
>>>>>>>> [pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.KdcHandler - KRB error occurred while processing request:Additional pre-authentication required
>>>>>>>> [pool-1-thread-2] INFO org.apache.kerby.kerberos.kerb.server.request.AsRequest - AS_REQ ISSUE: authtime 1493972505948,test-service/localh...@test.com for krbtgt/test....@test.com
>>>>>>>> Exception in thread "Thread-0" java.lang.RuntimeException: Error occured while checking udp connections
>>>>>>>>     at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(KdcNetwork.java:105)
>>>>>>>>     at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.access$000(KdcNetwork.java:39)
>>>>>>>>     at org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.run(KdcNetwork.java:75)
>>>>>>>>     at java.lang.Thread.run(Thread.java:748)
>>>>>>>> Caused by: java.nio.channels.ClosedChannelException
>>>>>>>>     at sun.nio.ch.DatagramChannelImpl.ensureOpen(DatagramChannelImpl.java:320)
>>>>>>>>     at sun.nio.ch.DatagramChannelImpl.receive(DatagramChannelImpl.java:331)
>>>>>>>>     at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.checkUdpMessage(KdcNetwork.java:132)
>>>>>>>>     at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(KdcNetwork.java:101)
>>>>>>>>     ... 3 more
>>>>>>>>
>>>>>>>>
>>>>>>>> krb5.conf:
>>>>>>>>
>>>>>>>> [libdefaults]
>>>>>>>>     kdc_realm = TEST.COM
>>>>>>>>     default_realm = TEST.COM
>>>>>>>>     udp_preference_limit = 4096
>>>>>>>>     kdc_tcp_port = 37080
>>>>>>>>     kdc_udp_port = 36525
>>>>>>>>
>>>>>>>> [realms]
>>>>>>>>     TEST.COM = {
>>>>>>>>         kdc = localhost:36525
>>>>>>>>     }
>>>>>>>>
>>>>>>>> And port 36525 does not show up in `netstat -l` (while 37080 does)
>>>>>>>>
>>>>>>>>
>>>>>>>> On 04-05-17 at 14:55, Li, Jiajia wrote:
>>>>>>>>> Hi Marc,
>>>>>>>>> I try to run your test (through applying your patch in the trunk), I
>>>>>>>>> think it's success now. Could you take some time to check about it?
>>>>>>>>> Here is the log:
>>>>>>>>>
>>>>>>>>> directory-kerby git:(trunk) ? .
>>>>>>>>> kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos >>>>>>>>> /k >>>>>>>>> er >>>>>>>>> b/ >>>>>>>>> server/MitIssueTest.sh >>>>>>>>> kerberos.authGSSClientInit successful >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328234: entypes not >>>>>>>>> supported >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328243: Did not find >>>>>>>>> credential for krb5_ccache_conf_data/realm-config@X-CACHECONF: >>>>>>>>> in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328243: Did not find >>>>>>>>> credential for test-service/localh...@test.com in cache >>>>>>>>> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328243: Did not find >>>>>>>>> credential for >>>>>>>>> krb5_ccache_conf_data/negative-cache/test-service\134/localhost\ >>>>>>>>> 13 >>>>>>>>> 4@ >>>>>>>>> TE >>>>>>>>> ST.COM@X-CACHECONF: in cache >>>>>>>>> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328243: Did not find >>>>>>>>> credential for krb5_ccache_conf_data/lkdc-hostname@X-CACHECONF: >>>>>>>>> in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328243: Did not find >>>>>>>>> credential for krb5_ccache_conf_data/sitename@X-CACHECONF: in >>>>>>>>> cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328243: Did not find >>>>>>>>> credential for test-service/localh...@test.com in cache >>>>>>>>> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328234: Encryption type >>>>>>>>> des-cbc-md5-deprecated not supported >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328234: Encryption type >>>>>>>>> des-cbc-md4-deprecated not supported >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328234: Encryption type >>>>>>>>> des-cbc-crc-deprecated not supported >>>>>>>>> 2017-05-04T20:44:06 
Trying to find service kdc for realm >>>>>>>>> TEST.COM flags 0 >>>>>>>>> 2017-05-04T20:44:06 configuration file for realm TEST.COM found >>>>>>>>> 2017-05-04T20:44:06 submissing new requests to new host >>>>>>>>> 2017-05-04T20:44:06 host_create: setting hostname localhost >>>>>>>>> 2017-05-04T20:44:06 connecting to host: udp ::1:52534 >>>>>>>>> (localhost) >>>>>> tid: >>>>>>>>> 00000001 >>>>>>>>> 2017-05-04T20:44:06 host_create: setting hostname localhost >>>>>>>>> 2017-05-04T20:44:06 Queuing host in future (in 3s), its the 2 >>>>>>>>> address on the same name: udp 127.0.0.1:52534 (localhost) tid: >>>>>>>>> 00000002 >>>>>>>>> 2017-05-04T20:44:06 writing packet: udp ::1:52534 (localhost) tid: >>>>>>>>> 00000001 >>>>>>>>> 2017-05-04T20:44:06 reading packet: udp ::1:52534 (localhost) tid: >>>>>>>>> 00000001 >>>>>>>>> 2017-05-04T20:44:06 host completed: udp ::1:52534 (localhost) tid: >>>>>>>>> 00000001 >>>>>>>>> 2017-05-04T20:44:06 krb5_sendto_context TEST.COM done: 0 hosts 1 >>>>>>>>> packets 1 wc: 0.048927 nr: 0.000932 kh: 0.000814 tid: 00000002 >>>>>>>>> 2017-05-04T20:44:06 tkt: extract key 17/763641F3 >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328353: Decrypt integrity >>>>>>>>> check failed for checksum type hmac-sha1-96-aes128, key type >>>>>>>>> aes128-cts-hmac-sha1-96 >>>>>>>>> 2017-05-04T20:44:06 tkt: extract key 17/3084A95C >>>>>>>>> 2017-05-04T20:44:06 krb5_get_credentials_with_flags: TEST.COM wc: >>>>>>>>> 0.050317 >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328243: Did not find >>>>>>>>> credential for krb5_ccache_conf_data/realm-config@X-CACHECONF: >>>>>>>>> in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328243: Did not find >>>>>>>>> credential for >>>>>>>>> krb5_ccache_conf_data/time-offset/test-service\134/ >>>>>> localhost\134@TEST. 
>>>>>>>>> COM@X-CACHECONF: in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
>>>>>>>>> 2017-05-04T20:44:06 Setting up PFS for auth context
>>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328234: Encryption type des-cbc-md5-deprecated not supported
>>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328234: Encryption type des-cbc-md4-deprecated not supported
>>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328234: Encryption type des-cbc-crc-deprecated not supported
>>>>>>>>> First kerberos.authGSSClientStep successful
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>> Jiajia
>>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: Zheng, Kai [mailto:kai.zh...@intel.com]
>>>>>>>>> Sent: Wednesday, May 3, 2017 7:29 PM
>>>>>>>>> To: kerby@directory.apache.org
>>>>>>>>> Subject: RE: MIT Kerberos compatibility
>>>>>>>>>
>>>>>>>>> Hi Marc,
>>>>>>>>>
>>>>>>>>> In case you're not aware of this, please check out the latest fix made
>>>>>>>>> by Jiajia. We thought your case may be different, but would be
>>>>>>>>> good to have a check before we can repeat/fix your case. Thanks.
>>>>>>>>> https://issues.apache.org/jira/browse/DIRKRB-625
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Kai
>>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl]
>>>>>>>>> Sent: Sunday, April 30, 2017 7:45 PM
>>>>>>>>> To: kerby@directory.apache.org
>>>>>>>>> Subject: Re: MIT Kerberos compatibility
>>>>>>>>>
>>>>>>>>> Hi Kai,
>>>>>>>>>
>>>>>>>>> The terminal output below is for the latest MIT Kerberos 1.15.1
>>>>>>>>> (locally built on Ubuntu Xenial). Before that, I also tested with the
>>>>>>>>> default Xenial MIT Kerberos packages (1.13.2), with the same
>>>>>>>>> result. I did not try earlier MIT Kerberos versions.
>>>>>>>>>
>>>>>>>>> Marc
>>>>>>>>>
>>>>>>>>> On 29-04-17 at 21:42, Marc de Lignie wrote:
>>>>>>>>>> Hi Kai,
>>>>>>>>>>
>>>>>>>>>> Thanks for the response. I prepared a minimal config that
>>>>>>>>>> reproduces my problem.
>>>>>>>>>>
>>>>>>>>>> You can fetch the branch/commit from:
>>>>>>>>>> https://github.com/vtslab/directory-kerby/commits/MitIssue
>>>>>>>>>>
>>>>>>>>>> This is relative to RC2, but I also tried this on trunk for my
>>>>>>>>>> actual project.
>>>>>>>>>>
>>>>>>>>>> This config produces the debug and error messages below.
>>>>>>>>>>
>>>>>>>>>> 1. For the terminal with the bash + python script
>>>>>>>>>> $ klist
>>>>>>>>>> Ticket cache: FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
>>>>>>>>>> Default principal: dran...@test.com
>>>>>>>>>>
>>>>>>>>>> Valid starting     Expires            Service principal
>>>>>>>>>> 29-04-17 21:07:39  30-04-17 05:07:39  krbtgt/test....@test.com
>>>>>>>>>>     renew until 29-04-17 21:07:39
>>>>>>>>>>
>>>>>>>>>> $ . kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/MitIssueTest.sh
>>>>>>>>>> [15538] 1493491231.917606: Retrieving dran...@test.com from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
>>>>>>>>>> [15538] 1493491231.917827: Retrieving dran...@test.com from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
>>>>>>>>>> kerberos.authGSSClientInit successful
>>>>>>>>>> [15538] 1493491231.918185: Getting credentials dran...@test.com -> test-service/localhost@ using ccache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
>>>>>>>>>> [15538] 1493491231.918210: Retrieving dran...@test.com -> test-service/localhost@ from FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc with result: -1765328243/Matching credential not found (filename: kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc)
>>>>>>>>>> [15538] 1493491231.918226:
Retrying dran...@test.com -> test-service/localh...@test.com with result: -1765328243/Matching credential not found (filename: kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc)
>>>>>>>>>> [15538] 1493491231.918229: Server has referral realm; starting with test-service/localh...@test.com
>>>>>>>>>> [15538] 1493491231.918278: Retrieving dran...@test.com -> krbtgt/test....@test.com from FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc with result: 0/Success
>>>>>>>>>> [15538] 1493491231.918281: Starting with TGT for client realm: dran...@test.com -> krbtgt/test....@test.com
>>>>>>>>>> [15538] 1493491231.918301: Requesting tickets for test-service/localh...@test.com, referrals on
>>>>>>>>>> [15538] 1493491231.918326: Generated subkey for TGS request: aes128-cts/FA30
>>>>>>>>>> [15538] 1493491231.918359: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
>>>>>>>>>> [15538] 1493491231.918484: Encoding request body and padata into FAST request
>>>>>>>>>> [15538] 1493491231.918541: Sending request (836 bytes) to TEST.COM
>>>>>>>>>> [15538] 1493491231.918597: Resolving hostname localhost
>>>>>>>>>> [15538] 1493491231.918703: Initiating TCP connection to stream 127.0.0.1:44292
>>>>>>>>>> [15538] 1493491231.918777: Sending TCP request to stream 127.0.0.1:44292
>>>>>>>>>> [15538] 1493491231.922803: TCP error receiving from stream 127.0.0.1:44292: 104/Connection reset by peer
>>>>>>>>>> [15538] 1493491231.922812: Terminating TCP connection to stream 127.0.0.1:44292
>>>>>>>>>> [15538] 1493491231.922858: Sending initial UDP request to dgram 127.0.0.1:44292
>>>>>>>>>> ('First kerberos.authGSSClientStep not successful', GSSError(('Unspecified GSS failure. Minor code may provide more information', 851968), ("Cannot contact any KDC for realm 'TEST.COM'", -1765328228)))
>>>>>>>>>>
>>>>>>>>>> 2. For the terminal that runs mvn clean test -Dtest=MitIssueTest
>>>>>>>>>> Running org.apache.kerby.kerberos.kerb.server.MitIssueTest
>>>>>>>>>> 2017-04-29 21:07:39,182 DEBUG [main] backend.AbstractIdentityBackend: initialize called
>>>>>>>>>> 2017-04-29 21:07:39,195 DEBUG [main] backend.AbstractIdentityBackend: getIdentity called, principalName = krbtgt/test....@test.com
>>>>>>>>>> 2017-04-29 21:07:39,195 DEBUG [main] backend.AbstractIdentityBackend: getIdentity failed, principalName = krbtgt/test....@test.com
>>>>>>>>>> 2017-04-29 21:07:39,212 DEBUG [main] backend.AbstractIdentityBackend: addIdentity successful, principalName = krbtgt/test....@test.com
>>>>>>>>>> 2017-04-29 21:07:39,212 DEBUG [main] backend.AbstractIdentityBackend: getIdentity called, principalName = kadmin/test....@test.com
>>>>>>>>>> 2017-04-29 21:07:39,212 DEBUG [main] backend.AbstractIdentityBackend: getIdentity failed, principalName = kadmin/test....@test.com
>>>>>>>>>> 2017-04-29 21:07:39,213 DEBUG [main] backend.AbstractIdentityBackend: addIdentity successful, principalName = kadmin/test....@test.com
>>>>>>>>>> 2017-04-29 21:07:39,216 DEBUG [main] backend.AbstractIdentityBackend: start called
>>>>>>>>>> 2017-04-29 21:07:39,232 DEBUG [main] backend.AbstractIdentityBackend: addIdentity successful, principalName = test-service/localh...@test.com
>>>>>>>>>> 2017-04-29 21:07:39,425 DEBUG [main] backend.AbstractIdentityBackend: addIdentity successful, principalName = dran...@test.com
>>>>>>>>>> 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = krbtgt/test....@test.com
>>>>>>>>>> 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = krbtgt/test....@test.com
>>>>>>>>>> 2017-04-29 21:07:39,465 INFO [pool-1-thread-1] request.KdcRequest: Client entry is empty.
>>>>>>>>>> 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = dran...@test.com
>>>>>>>>>> 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = dran...@test.com
>>>>>>>>>> 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = krbtgt/test....@test.com
>>>>>>>>>> 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = krbtgt/test....@test.com
>>>>>>>>>> 2017-04-29 21:07:39,476 DEBUG [pool-1-thread-1] impl.DefaultKdcHandler: Transport or decoding error occurred, disconnecting abnormally
>>>>>>>>>> java.io.EOFException
>>>>>>>>>>     at java.io.DataInputStream.readInt(DataInputStream.java:392)
>>>>>>>>>>     at org.apache.kerby.kerberos.kerb.transport.KrbTcpTransport.receiveMessage(KrbTcpTransport.java:54)
>>>>>>>>>>     at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:46)
>>>>>>>>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>>>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>>>>>>     at java.lang.Thread.run(Thread.java:748)
>>>>>>>>>> 2017-04-29 21:07:39,477 INFO [main] client.KrbClientBase: Storing the tgt to the credential cache file.
>>>>>>>>>> 2017-04-29 21:07:39,491 DEBUG [main] backend.AbstractIdentityBackend: getIdentity called, principalName = test-service/localh...@test.com
>>>>>>>>>> 2017-04-29 21:07:39,491 DEBUG [main] backend.AbstractIdentityBackend: getIdentity successful, principalName = test-service/localh...@test.com
>>>>>>>>>> 2017-04-29 21:07:39,498 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = krbtgt/test....@test.com
>>>>>>>>>> 2017-04-29 21:07:39,498 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = krbtgt/test....@test.com
>>>>>>>>>> 2017-04-29 21:07:39,498 INFO [pool-1-thread-1] request.KdcRequest: Client entry is empty.
>>>>>>>>>> 2017-04-29 21:07:39,499 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = test-service/localh...@test.com
>>>>>>>>>> 2017-04-29 21:07:39,499 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = test-service/localh...@test.com
>>>>>>>>>> 2017-04-29 21:07:39,499 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = krbtgt/test....@test.com
>>>>>>>>>> 2017-04-29 21:07:39,499 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = krbtgt/test....@test.com
>>>>>>>>>> 2017-04-29 21:07:39,499 INFO [pool-1-thread-1] request.KdcRequest: The preauth data is empty.
>>>>>>>>>> 2017-04-29 21:07:39,501 INFO [pool-1-thread-1] server.KdcHandler: KRB error occurred while processing request:Additional pre-authentication required
>>>>>>>>>> 2017-04-29 21:07:39,502 DEBUG [pool-1-thread-1] impl.DefaultKdcHandler: Transport or decoding error occurred, disconnecting abnormally
>>>>>>>>>> java.io.EOFException
>>>>>>>>>>     at java.io.DataInputStream.readInt(DataInputStream.java:392)
>>>>>>>>>>     at org.apache.kerby.kerberos.kerb.transport.KrbTcpTransport.receiveMessage(KrbTcpTransport.java:54)
>>>>>>>>>>     at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:46)
>>>>>>>>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>>>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>>>>>>     at java.lang.Thread.run(Thread.java:748)
>>>>>>>>>> 2017-04-29 21:07:39,505 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = krbtgt/test....@test.com
>>>>>>>>>> 2017-04-29 21:07:39,505 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = krbtgt/test....@test.com
>>>>>>>>>> 2017-04-29 21:07:39,505 INFO [pool-1-thread-1] request.KdcRequest: Client entry is empty.
>>>>>>>>>> 2017-04-29 21:07:39,506 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = test-service/localh...@test.com
>>>>>>>>>> 2017-04-29 21:07:39,506 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = test-service/localh...@test.com
>>>>>>>>>> 2017-04-29 21:07:39,506 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = krbtgt/test....@test.com
>>>>>>>>>> 2017-04-29 21:07:39,506 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = krbtgt/test....@test.com
>>>>>>>>>> 2017-04-29 21:07:39,510 DEBUG [pool-1-thread-1] impl.DefaultKdcHandler: Transport or decoding error occurred, disconnecting abnormally
>>>>>>>>>> java.io.EOFException
>>>>>>>>>>     at java.io.DataInputStream.readInt(DataInputStream.java:392)
>>>>>>>>>>     at org.apache.kerby.kerberos.kerb.transport.KrbTcpTransport.receiveMessage(KrbTcpTransport.java:54)
>>>>>>>>>>     at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:46)
>>>>>>>>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>>>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>>>>>>     at java.lang.Thread.run(Thread.java:748)
>>>>>>>>>> 2017-04-29 21:07:55,602 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = krbtgt/test....@test.com
>>>>>>>>>> 2017-04-29 21:07:55,602 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = krbtgt/test....@test.com
>>>>>>>>>> 2017-04-29 21:07:55,602 INFO [pool-1-thread-1] request.KdcRequest: Found fast padata and start to process it.
>>>>>>>>>> 2017-04-29 21:07:55,603 ERROR [pool-1-thread-1] impl.DefaultKdcHandler: Error occured while processing request:
>>>>>>>>>> org.apache.kerby.kerberos.kerb.KrbException: Decoding failed
>>>>>>>>>>     at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)
>>>>>>>>>>     at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
>>>>>>>>>>     at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast(KdcRequest.java:208)
>>>>>>>>>>     at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.process(KdcRequest.java:168)
>>>>>>>>>>     at org.apache.kerby.kerberos.kerb.server.KdcHandler.handleMessage(KdcHandler.java:115)
>>>>>>>>>>     at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.handleMessage(DefaultKdcHandler.java:67)
>>>>>>>>>>     at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:52)
>>>>>>>>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>>>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>>>>>>     at java.lang.Thread.run(Thread.java:748)
>>>>>>>>>> Caused by: java.io.IOException: Unexpected item context [0] [tag=0xA0, off=0, len=3+207], expecting 0x30
>>>>>>>>>>     at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:210)
>>>>>>>>>>     at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:197)
>>>>>>>>>>     at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:83)
>>>>>>>>>>     ... 9 more
>>>>>>>>>> 2017-04-29 21:07:55,604 DEBUG [pool-1-thread-1] impl.DefaultKdcHandler: Transport or decoding error occurred, disconnecting abnormally
>>>>>>>>>> java.net.SocketException: Socket closed
>>>>>>>>>>     at java.net.SocketInputStream.socketRead0(Native Method)
>>>>>>>>>>     at java.net.SocketInputStream.socketRead(SocketInputStream.java:116)
>>>>>>>>>>     at java.net.SocketInputStream.read(SocketInputStream.java:171)
>>>>>>>>>>     at java.net.SocketInputStream.read(SocketInputStream.java:141)
>>>>>>>>>>     at java.net.SocketInputStream.read(SocketInputStream.java:224)
>>>>>>>>>>     at java.io.DataInputStream.readInt(DataInputStream.java:387)
>>>>>>>>>>     at org.apache.kerby.kerberos.kerb.transport.KrbTcpTransport.receiveMessage(KrbTcpTransport.java:54)
>>>>>>>>>>     at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:46)
>>>>>>>>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>>>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>>>>>>     at java.lang.Thread.run(Thread.java:748)
>>>>>>>>>>
>>>>>>>>>> In a FreeIPA environment these python lines "just" work.
>>>>>>>>>>
>>>>>>>>>> Any suggestions are welcome!
>>>>>>>>>>
>>>>>>>>>> Marc
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Marc de Lignie
>>>>>>>
>>>>>>> --
>>>>>>> Colm O hEigeartaigh
>>>>>>>
>>>>>>> Talend Community Coder
>>>>>>> http://coders.talend.com