Looks like you're running into this known issue:

https://issues.apache.org/jira/browse/DIRKRB-614

Colm.

On Sat, Jun 3, 2017 at 8:09 PM, pratyush parimal <[email protected]> wrote:

> Hi everyone,
>
> I'm writing a simple Java program that stands up a KDC using
> the SimpleKdcServer class, and I'm trying to use it for AS & TGS
> operations. Relevant code is below:
>
> import java.io.File;
> import org.apache.kerby.kerberos.kerb.server.SimpleKdcServer;
>
> // keytabFile is a java.io.File set up earlier in the program (not shown).
> // init(), createPrincipal() and start() all throw KrbException.
> kdc = new SimpleKdcServer();
> kdc.setKdcHost("kdc.example.com");
> kdc.setKdcPort(60088);
> kdc.setKdcRealm("EXAMPLE.COM");
>
> kdc.setAllowUdp(false);                       // TCP only
> kdc.setWorkDir(keytabFile.getParentFile());   // krb5.conf is generated in this directory
>
> kdc.init();
>
> kdc.createPrincipal("[email protected]", "u1pwd");
> kdc.createPrincipal("myservice/[email protected]", "myservicepwd");
>
> kdc.start();
>
> I use kinit to fetch the TGT for my principal "u1" and that's successful.
> However, the subsequent TGS req from my client program fails with the
> error:
>
> GSSAPI continuation error: Unknown code krcM 137
>
> I debugged through the source code for Kerby and saw that the full
> exception was not getting thrown because of a (e instanceof
> KdcRecoverableException) check. When I print the stacktrace via a debugger,
> I see the following (apologies for the huge stack trace):
>
> [pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.request.KdcRequest - Found fast padata and starting to process it.
> org.apache.kerby.kerberos.kerb.KrbException: Decoding failed
>     at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)
>     at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
>     at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast(KdcRequest.java:213)
>     at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.process(KdcRequest.java:170)
>     at org.apache.kerby.kerberos.kerb.server.KdcHandler.handleMessage(KdcHandler.java:116)
>     at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.handleMessage(DefaultKdcHandler.java:67)
>     at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:52)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: java.io.IOException: Unexpected item context [0] [tag=0xA0, off=0, len=3+198], expecting 0x30
>     at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:219)
>     at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:207)
>     at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:83)
>     ... 9 more
>
> The client program (and also kinit) were using the krb5.conf that was
> auto-generated by the SimpleKdcServer in the workdir, and looked like the
> following (I just replaced localhost with the FQDN of my machine):
>
> [libdefaults]
>     kdc_realm = EXAMPLE.COM
>     default_realm = EXAMPLE.COM
>     udp_preference_limit = 1
>     kdc_tcp_port = 60088
>     #_KDC_UDP_PORT_
>
> [realms]
>     EXAMPLE.COM = {
>         kdc = kdc.example.com:60088
>     }
>
> I had also enabled KRB5_TRACE on my client program that was making the TGS
> req, and it shows the following:
>
>
> [1588796] 1496515969.488037: ccselect can't find appropriate cache for server principal myservice/kdc.example.com@
> [1588796] 1496515969.488112: Getting credentials [email protected] -> myservice/kdc.example.com@ using ccache FILE:/tmp/krb5cc_20474
> [1588796] 1496515969.488170: Retrieving [email protected] -> myservice/kdc.example.com@ from FILE:/tmp/krb5cc_20474 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_20474)
> [1588796] 1496515969.488206: Retrying [email protected] -> myservice/[email protected] with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_20474)
> [1588796] 1496515969.488214: Server has referral realm; starting with myservice/[email protected]
> [1588796] 1496515969.488250: Retrieving [email protected] -> krbtgt/[email protected] from FILE:/tmp/krb5cc_20474 with result: 0/Success
> [1588796] 1496515969.488259: Starting with TGT for client realm: [email protected] -> krbtgt/[email protected]
> [1588796] 1496515969.488266: Requesting tickets for myservice/[email protected], referrals on
> [1588796] 1496515969.488298: Generated subkey for TGS request: aes128-cts/476E
> [1588796] 1496515969.488345: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
> [1588796] 1496515969.488460: Encoding request body and padata into FAST request
> [1588796] 1496515969.488522: Sending request (835 bytes) to EXAMPLE.COM
> [1588796] 1496515969.488553: Resolving hostname kdc.example.com
> [1588796] 1496515969.488621: Initiating TCP connection to stream 172.17.0.53:60088
> [1588796] 1496515969.488682: Sending TCP request to stream 172.17.0.53:60088
> [1588796] 1496515969.492213: Received answer (134 bytes) from stream 172.17.0.53:60088
> [1588796] 1496515969.492222: Terminating TCP connection to stream 172.17.0.53:60088
> [1588796] 1496515969.492292: Response was not from master KDC
> [1588796] 1496515969.492309: TGS request result: -1765323383/Unknown code krcM 137
> [1588796] 1496515969.492332: Requesting tickets for myservice/[email protected], referrals off
> [1588796] 1496515969.492351: Generated subkey for TGS request: aes128-cts/AECC
> [1588796] 1496515969.492377: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
> [1588796] 1496515969.492430: Encoding request body and padata into FAST request
> [1588796] 1496515969.492483: Sending request (835 bytes) to EXAMPLE.COM
> [1588796] 1496515969.492493: Resolving hostname kdc.example.com
> [1588796] 1496515969.492543: Initiating TCP connection to stream 172.17.0.53:60088
> [1588796] 1496515969.492586: Sending TCP request to stream 172.17.0.53:60088
> [1588796] 1496515969.496886: Received answer (134 bytes) from stream 172.17.0.53:60088
> [1588796] 1496515969.496894: Terminating TCP connection to stream 172.17.0.53:60088
> [1588796] 1496515969.496948: Response was not from master KDC
> [1588796] 1496515969.496963: TGS request result: -1765323383/Unknown code krcM 137
>
>
> I've tried the same scenario with the MIT krb5kdc service with the same
> principals, and the TGS req is successful, with the trace log:
>
> [1590761] 1496516355.23070: ccselect module realm chose cache FILE:/tmp/krb5cc_20474 with client principal [email protected] for server principal myservice/[email protected]
> [1590761] 1496516355.23150: Getting credentials [email protected] -> myservice/[email protected] using ccache FILE:/tmp/krb5cc_20474
> [1590761] 1496516355.23212: Retrieving [email protected] -> myservice/[email protected] from FILE:/tmp/krb5cc_20474 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_20474)
> [1590761] 1496516355.23260: Retrieving [email protected] -> krbtgt/[email protected] from FILE:/tmp/krb5cc_20474 with result: 0/Success
> [1590761] 1496516355.23269: Starting with TGT for client realm: [email protected] -> krbtgt/[email protected]
> [1590761] 1496516355.23277: Requesting tickets for myservice/[email protected], referrals on
> [1590761] 1496516355.23312: Generated subkey for TGS request: aes256-cts/3F0A
> [1590761] 1496516355.23368: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
> [1590761] 1496516355.23485: Encoding request body and padata into FAST request
> [1590761] 1496516355.23552: Sending request (933 bytes) to EXAMPLE.COM
> [1590761] 1496516355.23581: Resolving hostname kdc.example.com
> [1590761] 1496516355.23651: Sending initial UDP request to dgram 172.17.0.53:88
> [1590761] 1496516355.24205: Received answer (912 bytes) from dgram 172.17.0.53:88
> [1590761] 1496516355.24223: Response was not from master KDC
> [1590761] 1496516355.24240: Decoding FAST response
> [1590761] 1496516355.24334: FAST reply key: aes256-cts/8818
> [1590761] 1496516355.24376: TGS reply is for [email protected] -> myservice/[email protected] with session key aes256-cts/126E
> [1590761] 1496516355.24390: TGS request result: 0/Success
> [1590761] 1496516355.24395: Received creds for desired service myservice/[email protected]
> [1590761] 1496516355.24401: Storing [email protected] -> myservice/[email protected] in FILE:/tmp/krb5cc_20474
> [1590761] 1496516355.24517: Retrieving [email protected] -> krbtgt/[email protected] from FILE:/tmp/krb5cc_20474 with result: 0/Success
> [1590761] 1496516355.24528: Get cred via TGT krbtgt/[email protected] after requesting krbtgt/[email protected] (canonicalize off)
> [1590761] 1496516355.24546: Generated subkey for TGS request: aes256-cts/0D91
> [1590761] 1496516355.24574: etypes requested in TGS request: aes256-cts
> [1590761] 1496516355.24633: Encoding request body and padata into FAST request
> [1590761] 1496516355.24689: Sending request (931 bytes) to EXAMPLE.COM
> [1590761] 1496516355.24699: Resolving hostname kdc.example.com
> [1590761] 1496516355.24750: Sending initial UDP request to dgram 172.17.0.53:88
> [1590761] 1496516355.25098: Received answer (900 bytes) from dgram 172.17.0.53:88
> [1590761] 1496516355.25115: Response was not from master KDC
> [1590761] 1496516355.25127: Decoding FAST response
> [1590761] 1496516355.25198: FAST reply key: aes256-cts/03AB
> [1590761] 1496516355.25234: TGS reply is for [email protected] -> krbtgt/[email protected] with session key aes256-cts/A423
> [1590761] 1496516355.25246: Got cred; 0/Success
> [1590761] 1496516355.25315: Creating authenticator for [email protected] -> myservice/[email protected], seqnum 751690771, subkey aes256-cts/91D0, session key aes256-cts/126E
>
>
>
> My best guess is that maybe I'm missing some configuration steps in my Java
> code and that's causing the FAST request to fail. I couldn't find any code
> examples for kerby anywhere which can help me with my use case. Does anyone
> have any ideas about the above?
>
> Apologies again for the long email, just wanted to share my trials so far.
> Have a nice weekend.
>
> Cheers,
> Pratyush
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
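For readers who, like the original poster, could not find a complete Kerby example: the following is an end-to-end AS and TGS exchange against a SimpleKdcServer driven from Java, added here as an editorial example. It is not code from the thread or from the Kerby project. It reuses the settings the poster showed (realm EXAMPLE.COM, TCP-only on port 60088, a user principal and a myservice/... service principal), but binds the KDC to localhost so it runs offline; the hostname, work directory, passwords and the method names beyond those in the poster's snippet (setAllowTcp, exportPrincipal, getKrbClient, requestTgt, requestSgt, stop) are assumptions to check against the Kerby version in use. Because the client side is Kerby's own KrbClient rather than an MIT kinit/GSSAPI client, this does not reproduce the MIT FAST TGS-REQ path shown in the trace above; it only confirms that the KDC itself issues tickets for the principals it was given.

```java
import java.io.File;
import java.nio.file.Files;

import org.apache.kerby.kerberos.kerb.client.KrbClient;
import org.apache.kerby.kerberos.kerb.server.SimpleKdcServer;
import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;

/**
 * Added example (not from the thread or the Kerby project): start a Kerby
 * SimpleKdcServer, create a user and a service principal, export the service
 * key to a keytab, then run AS-REQ and TGS-REQ with Kerby's own KrbClient.
 * Hostname, port, realm, principal names, passwords and work directory are
 * assumptions chosen to mirror the thread.
 */
public class KerbyKdcExample {

    static final String REALM = "EXAMPLE.COM";
    static final String USER = "u1@" + REALM;
    static final String USER_PASSWORD = "u1pwd";
    static final String SERVICE = "myservice/kdc.example.com@" + REALM;
    static final String SERVICE_PASSWORD = "myservicepwd";

    public static void main(String[] args) throws Exception {
        // Fresh work directory: Kerby writes its generated krb5.conf here.
        File workDir = Files.createTempDirectory("kerby-kdc").toFile();

        SimpleKdcServer kdc = new SimpleKdcServer();
        kdc.setKdcHost("localhost");   // assumption: local-only KDC for the example
        kdc.setKdcPort(60088);
        kdc.setKdcRealm(REALM);
        kdc.setAllowUdp(false);        // TCP only, as in the thread
        kdc.setAllowTcp(true);
        kdc.setWorkDir(workDir);
        kdc.init();

        try {
            kdc.createPrincipal(USER, USER_PASSWORD);
            kdc.createPrincipal(SERVICE, SERVICE_PASSWORD);

            // Export only the service key. The keytab is a long-term credential;
            // in real deployments restrict its file permissions to the service user.
            File keytab = new File(workDir, "myservice.keytab");
            kdc.exportPrincipal(SERVICE, keytab);

            kdc.start();

            // AS exchange: user password -> TGT (krbtgt/EXAMPLE.COM@EXAMPLE.COM)
            KrbClient client = kdc.getKrbClient();
            TgtTicket tgt = client.requestTgt(USER, USER_PASSWORD);
            System.out.println("TGT issued to " + tgt.getClientPrincipal().getName());

            // TGS exchange: TGT -> service ticket for myservice/...
            SgtTicket sgt = client.requestSgt(tgt, SERVICE);
            System.out.println("Service ticket for " + sgt.getTicket().getSname().getName());
            System.out.println("Service keytab written to " + keytab.getAbsolutePath());
        } finally {
            kdc.stop();
        }
    }
}
```

If the TGS step throws while the AS step succeeds, compare the KDC-side log with the poster's trace: a "Decoding failed" from kdcFindFast while processing FAST padata points at the client having wrapped its TGS-REQ in FAST, which is the case tracked in the DIRKRB-614 issue Colm linked rather than a mistake in this setup code.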
