Hi everyone,
I'm writing a simple Java program that stands up a KDC using
the SimpleKdcServer class, and I'm trying to use it for AS & TGS
operations. Relevant code is below:
import java.io.File;
import org.apache.kerby.kerberos.kerb.server.SimpleKdcServer;

// kdc is a SimpleKdcServer field; keytabFile is a java.io.File set up earlier in the program
kdc = new SimpleKdcServer();
kdc.setKdcHost("kdc.example.com");
kdc.setKdcPort(60088);
kdc.setKdcRealm("EXAMPLE.COM");
kdc.setAllowUdp(false);                        // TCP only
kdc.setWorkDir(keytabFile.getParentFile());    // krb5.conf is generated into this directory
kdc.init();
kdc.createPrincipal("[email protected]", "u1pwd");
kdc.createPrincipal("myservice/[email protected]", "myservicepwd");
kdc.start();
I use kinit to fetch the TGT for my principal "u1" and that's successful.
However, the subsequent TGS req from my client program fails with the error:
GSSAPI continuation error: Unknown code krcM 137
I debugged through the source code for Kerby and saw that the full
exception was not getting thrown because of a (e instanceof
KdcRecoverableException) check. When I print the stacktrace via a debugger,
I see the following (apologies for the huge stack trace):
[pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.request.KdcRequest - Found fast padata and starting to process it.
org.apache.kerby.kerberos.kerb.KrbException: Decoding failed
    at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)
    at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
    at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast(KdcRequest.java:213)
    at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.process(KdcRequest.java:170)
    at org.apache.kerby.kerberos.kerb.server.KdcHandler.handleMessage(KdcHandler.java:116)
    at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.handleMessage(DefaultKdcHandler.java:67)
    at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:52)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: Unexpected item context [0] [tag=0xA0, off=0, len=3+198], expecting 0x30
    at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:219)
    at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:207)
    at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:83)
    ... 9 more
The client program (and also kinit) were using the krb5.conf that was
auto-generated by the SimpleKdcServer in the workdir, and looked like the
following (I just replaced localhost with the FQDN of my machine):
[libdefaults]
kdc_realm = EXAMPLE.COM
default_realm = EXAMPLE.COM
udp_preference_limit = 1
kdc_tcp_port = 60088
#_KDC_UDP_PORT_
[realms]
EXAMPLE.COM = {
kdc = kdc.example.com:60088
}
I had also enabled KRB5_TRACE on my client program that was making the TGS
req, and it shows the following:
[1588796] 1496515969.488037: ccselect can't find appropriate cache for server principal myservice/kdc.example.com@
[1588796] 1496515969.488112: Getting credentials [email protected] -> myservice/kdc.example.com@ using ccache FILE:/tmp/krb5cc_20474
[1588796] 1496515969.488170: Retrieving [email protected] -> myservice/kdc.example.com@ from FILE:/tmp/krb5cc_20474 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_20474)
[1588796] 1496515969.488206: Retrying [email protected] -> myservice/[email protected] with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_20474)
[1588796] 1496515969.488214: Server has referral realm; starting with myservice/[email protected]
[1588796] 1496515969.488250: Retrieving [email protected] -> krbtgt/[email protected] from FILE:/tmp/krb5cc_20474 with result: 0/Success
[1588796] 1496515969.488259: Starting with TGT for client realm: [email protected] -> krbtgt/[email protected]
[1588796] 1496515969.488266: Requesting tickets for myservice/[email protected], referrals on
[1588796] 1496515969.488298: Generated subkey for TGS request: aes128-cts/476E
[1588796] 1496515969.488345: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[1588796] 1496515969.488460: Encoding request body and padata into FAST request
[1588796] 1496515969.488522: Sending request (835 bytes) to EXAMPLE.COM
[1588796] 1496515969.488553: Resolving hostname kdc.example.com
[1588796] 1496515969.488621: Initiating TCP connection to stream 172.17.0.53:60088
[1588796] 1496515969.488682: Sending TCP request to stream 172.17.0.53:60088
[1588796] 1496515969.492213: Received answer (134 bytes) from stream 172.17.0.53:60088
[1588796] 1496515969.492222: Terminating TCP connection to stream 172.17.0.53:60088
[1588796] 1496515969.492292: Response was not from master KDC
[1588796] 1496515969.492309: TGS request result: -1765323383/Unknown code krcM 137
[1588796] 1496515969.492332: Requesting tickets for myservice/[email protected], referrals off
[1588796] 1496515969.492351: Generated subkey for TGS request: aes128-cts/AECC
[1588796] 1496515969.492377: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[1588796] 1496515969.492430: Encoding request body and padata into FAST request
[1588796] 1496515969.492483: Sending request (835 bytes) to EXAMPLE.COM
[1588796] 1496515969.492493: Resolving hostname kdc.example.com
[1588796] 1496515969.492543: Initiating TCP connection to stream 172.17.0.53:60088
[1588796] 1496515969.492586: Sending TCP request to stream 172.17.0.53:60088
[1588796] 1496515969.496886: Received answer (134 bytes) from stream 172.17.0.53:60088
[1588796] 1496515969.496894: Terminating TCP connection to stream 172.17.0.53:60088
[1588796] 1496515969.496948: Response was not from master KDC
[1588796] 1496515969.496963: TGS request result: -1765323383/Unknown code krcM 137
I've tried the same scenario with the MIT krb5kdc service with the same
principals, and the TGS req is successful, with the trace log:
[1590761] 1496516355.23070: ccselect module realm chose cache FILE:/tmp/krb5cc_20474 with client principal [email protected] for server principal myservice/[email protected]
[1590761] 1496516355.23150: Getting credentials [email protected] -> myservice/[email protected] using ccache FILE:/tmp/krb5cc_20474
[1590761] 1496516355.23212: Retrieving [email protected] -> myservice/[email protected] from FILE:/tmp/krb5cc_20474 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_20474)
[1590761] 1496516355.23260: Retrieving [email protected] -> krbtgt/[email protected] from FILE:/tmp/krb5cc_20474 with result: 0/Success
[1590761] 1496516355.23269: Starting with TGT for client realm: [email protected] -> krbtgt/[email protected]
[1590761] 1496516355.23277: Requesting tickets for myservice/[email protected], referrals on
[1590761] 1496516355.23312: Generated subkey for TGS request: aes256-cts/3F0A
[1590761] 1496516355.23368: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[1590761] 1496516355.23485: Encoding request body and padata into FAST request
[1590761] 1496516355.23552: Sending request (933 bytes) to EXAMPLE.COM
[1590761] 1496516355.23581: Resolving hostname kdc.example.com
[1590761] 1496516355.23651: Sending initial UDP request to dgram 172.17.0.53:88
[1590761] 1496516355.24205: Received answer (912 bytes) from dgram 172.17.0.53:88
[1590761] 1496516355.24223: Response was not from master KDC
[1590761] 1496516355.24240: Decoding FAST response
[1590761] 1496516355.24334: FAST reply key: aes256-cts/8818
[1590761] 1496516355.24376: TGS reply is for [email protected] -> myservice/[email protected] with session key aes256-cts/126E
[1590761] 1496516355.24390: TGS request result: 0/Success
[1590761] 1496516355.24395: Received creds for desired service myservice/[email protected]
[1590761] 1496516355.24401: Storing [email protected] -> myservice/[email protected] in FILE:/tmp/krb5cc_20474
[1590761] 1496516355.24517: Retrieving [email protected] -> krbtgt/[email protected] from FILE:/tmp/krb5cc_20474 with result: 0/Success
[1590761] 1496516355.24528: Get cred via TGT krbtgt/[email protected] after requesting krbtgt/[email protected] (canonicalize off)
[1590761] 1496516355.24546: Generated subkey for TGS request: aes256-cts/0D91
[1590761] 1496516355.24574: etypes requested in TGS request: aes256-cts
[1590761] 1496516355.24633: Encoding request body and padata into FAST request
[1590761] 1496516355.24689: Sending request (931 bytes) to EXAMPLE.COM
[1590761] 1496516355.24699: Resolving hostname kdc.example.com
[1590761] 1496516355.24750: Sending initial UDP request to dgram 172.17.0.53:88
[1590761] 1496516355.25098: Received answer (900 bytes) from dgram 172.17.0.53:88
[1590761] 1496516355.25115: Response was not from master KDC
[1590761] 1496516355.25127: Decoding FAST response
[1590761] 1496516355.25198: FAST reply key: aes256-cts/03AB
[1590761] 1496516355.25234: TGS reply is for [email protected] -> krbtgt/[email protected] with session key aes256-cts/A423
[1590761] 1496516355.25246: Got cred; 0/Success
[1590761] 1496516355.25315: Creating authenticator for [email protected] -> myservice/[email protected], seqnum 751690771, subkey aes256-cts/91D0, session key aes256-cts/126E
My best guess is that maybe I'm missing some configuration steps in my Java
code and that's causing the FAST request to fail. I couldn't find any code
examples for Kerby anywhere which can help me with my use case. Does anyone
have any ideas about the above?
Apologies again for the long email, just wanted to share my trials so far.
Have a nice weekend.
Cheers,
Pratyush
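An added example, not from this mail or from the Kerby project, showing how to read the tag/length reported in the KDC's IOException ("tag=0xA0, off=0, len=3+198 ... expecting 0x30"): a small DER header parser that classifies the tag byte and mirrors the SEQUENCE check that failed. The byte strings are constructed for illustration, not captured from the failing exchange.

```python
# Added example (not from the original mail): decode one DER tag + length
# header the way the Kerby error text reports it. Sample bytes are constructed.

TAG_CLASSES = {0: "universal", 1: "application", 2: "context", 3: "private"}


def parse_der_header(buf, off=0):
    """Parse the tag and length at buf[off]; single-byte tags only."""
    tag = buf[off]
    info = {
        "tag": tag,
        "class": TAG_CLASSES[tag >> 6],      # bits 8-7: tag class
        "constructed": bool(tag & 0x20),     # bit 6: constructed vs primitive
        "number": tag & 0x1F,                # bits 5-1: tag number
    }
    first = buf[off + 1]
    if first < 0x80:                         # short form: one length byte
        hdr_len, content_len = 2, first
    else:                                    # long form: 0x8N then N length bytes
        n = first & 0x7F
        content_len = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        hdr_len = 2 + n
    if off + hdr_len + content_len > len(buf):
        raise ValueError("DER length runs past end of buffer")
    info["header_len"] = hdr_len             # the "3" in len=3+198
    info["content_len"] = content_len        # the "198" in len=3+198
    return info


def describe(info, off=0):
    """Render a header in the same shape as the Kerby IOException text."""
    return "%s [%d] [tag=0x%02X, off=%d, len=%d+%d]" % (
        info["class"], info["number"], info["tag"], off,
        info["header_len"], info["content_len"])


def sequence_error(buf, off=0):
    """Mirror the check that failed on the KDC: item must be a SEQUENCE (0x30).

    Returns the Kerby-style message, or None when the item is a SEQUENCE.
    """
    info = parse_der_header(buf, off)
    if info["tag"] == 0x30:
        return None
    return "Unexpected item %s, expecting 0x30" % describe(info, off)


# Constructed: a context-specific [0] wrapper (0xA0) around 198 bytes whose
# content is itself a SEQUENCE; this is the shape the trace reports arriving.
WRAPPED = b"\xA0\x81\xC6" + b"\x30\x81\xC3" + b"\x00" * 195
# Constructed: what the decoder wanted at offset 0, a SEQUENCE (INTEGER 5 inside).
SEQ = b"\x30\x03\x02\x01\x05"
```

Running sequence_error on WRAPPED reproduces the exception text from the stack trace, while parse_der_header(WRAPPED, 3) shows the SEQUENCE sitting one level inside the [0] wrapper.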