Hi Pratyush,
The trunk is available.

Thanks
Jiajia

-----Original Message-----
From: pratyush parimal [mailto:[email protected]] 
Sent: Thursday, June 15, 2017 2:50 AM
To: [email protected]; Colm O hEigeartaigh <[email protected]>
Subject: Re: [Kerby] TGS req failing with "Unexpected item context"

Hi all,

I'm so excited to hear that the issue was addressed. I'd like to test it out as 
well.
What branch specifically should I check out to get this fix? Is it available in 
master/trunk?

Cheers,
Pratyush

On Wed, Jun 14, 2017 at 6:44 AM, Colm O hEigeartaigh <[email protected]>
wrote:

> Yes, it fixes the issue that I ran into, thanks Jiajia!
>
> Colm.
>
> On Wed, Jun 14, 2017 at 6:30 AM, Zheng, Kai <[email protected]> wrote:
>
> > Thank you Jiajia for taking the time to fix this long-hanging 
> > issue. The fix looks great!
> >
> > Regards,
> > Kai
> >
> > -----Original Message-----
> > From: Li, Jiajia [mailto:[email protected]]
> > Sent: Wednesday, June 14, 2017 10:42 AM
> > To: [email protected]
> > Subject: RE: [Kerby] TGS req failing with "Unexpected item context"
> >
> > Hi all,
> > I have a fix for this issue; could anyone help me check it 
> > using your test env?
> >
> > Commit log is:
> > commit a6224d2cf60e8e18ba5e307f1a4a2bc4c01a55b4
> > Author: plusplusjiajia <[email protected]>
> > Date:   Wed Jun 14 10:43:46 2017 +0800
> >
> >     Fix DIRKRB-614 and DIRKRB-631.
> >
> > Thanks
> > Jiajia
> >
> > -----Original Message-----
> > From: Marc de Lignie [mailto:[email protected]]
> > Sent: Thursday, June 8, 2017 8:10 PM
> > To: [email protected]
> > Subject: Re: [Kerby] TGS req failing with "Unexpected item context"
> >
> > Hi Kai,
> >
> > See my original logs from both the python client and the KDC at 
> > (this link is also present in DIRKRB-631):
> >
> > http://mail-archives.apache.org/mod_mbox/directory-kerby/201705.mbox/browser
> >
> > Here, the logs of the python client coincide with Pratyush's report 
> > in the current thread. The logs of the KDC coincide with the old
> > DIRKRB-614 issue.
> >
> > I would say all reports are related to the same error, Kerby not 
> > being able to decode the FAST OTP requests of MIT Kerberos 1.11+. 
> > Also, all are related to a TGS request based on an existing TGT.
> >
> > Cheers,    Marc
> >
> >
> > Op 06-06-17 om 21:07 schreef Marc de Lignie:
> > > Dear all,
> > >
> > > My bad, it seems I made a separate issue for this, which might add 
> > > more details to DIRKRB-614 and might help you in finding the 
> > > decode
> > > error:
> > >
> > > https://issues.apache.org/jira/browse/DIRKRB-631
> > >
> > > The workaround I mentioned is there, in the comments.
> > >
> > > Cheers,   Marc
> > >
> > >
> > > Op 06-06-17 om 21:02 schreef Marc de Lignie:
> > > >> Pratyush,
> > >>
> > >> I just posted a temporary workaround as a comment below:
> > >>
> > >> https://issues.apache.org/jira/browse/DIRKRB-614
> > >>
> > >> Cheers,    Marc
> > >>
> > >>
> > >> Kai wrote:
> > >>
> > >> It seems so and we need to fix it. However, I don't see any 
> > >> obvious cause for it. Hope we can get to this sooner (should be 
> > > >> next week) after some deadline is caught. Sorry for the delay.
> > >>
> > >> Regards,
> > >> Kai
> > >>
> > >> -----Original Message-----
> > >> From: Colm O hEigeartaigh [mailto:[email protected]]
> > >> Sent: Monday, June 05, 2017 12:04 AM
> > >> To: [email protected]
> > >> Subject: Re: [Kerby] TGS req failing with "Unexpected item context"
> > >>
> > >> Looks like you're running into this known issue:
> > >>
> > >> https://issues.apache.org/jira/browse/DIRKRB-614
> > >>
> > >> Colm.
> > >>
> > > >> On Sat, Jun 3, 2017 at 8:09 PM, pratyush parimal <[email protected]> wrote:
> > >>
> > >>> Hi everyone,
> > >>>
> > >>> I'm writing a simple Java program that stands up a KDC using the 
> > >>> SimpleKdcServer class, and I'm trying to use it for AS & TGS 
> > >>> operations. Relevant code is below:
> > >>>
> > > >>>     kdc = new SimpleKdcServer();
> > > >>>     kdc.setKdcHost("kdc.example.com");
> > > >>>     kdc.setKdcPort(60088);
> > > >>>     kdc.setKdcRealm("EXAMPLE.COM");
> > > >>>
> > > >>>     kdc.setAllowUdp(false);
> > > >>>     kdc.setWorkDir(keytabFile.getParentFile());
> > > >>>
> > > >>>     kdc.init();
> > > >>>
> > > >>>     kdc.createPrincipal("[email protected]", "u1pwd");
> > > >>>     kdc.createPrincipal("myservice/[email protected]", "myservicepwd");
> > > >>>
> > > >>>     kdc.start();
> > >>>
> > >>> I use kinit to fetch the TGT for my principal "u1" and that's 
> > >>> successful.
> > >>> However, the subsequent TGS req from my client program fails 
> > >>> with the
> > >>> error:
> > >>>
> > >>> GSSAPI continuation error: Unknown code krcM 137
> > >>>
> > > >>> I debugged through the source code for Kerby and saw that the 
> > >>> full exception was not getting thrown because of a (e instanceof
> > >>> KdcRecoverableException) check. When I print the stacktrace via 
> > >>> a debugger, I see the following (apologies for the huge stack trace):
> > >>>
> > > >>> [pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.request.KdcRequest - Found fast padata and starting to process it.
> > > >>> org.apache.kerby.kerberos.kerb.KrbException: Decoding failed
> > > >>>     at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)
> > > >>>     at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
> > > >>>     at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast(KdcRequest.java:213)
> > > >>>     at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.process(KdcRequest.java:170)
> > > >>>     at org.apache.kerby.kerberos.kerb.server.KdcHandler.handleMessage(KdcHandler.java:116)
> > > >>>     at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.handleMessage(DefaultKdcHandler.java:67)
> > > >>>     at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:52)
> > > >>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> > > >>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> > > >>>     at java.lang.Thread.run(Thread.java:745)
> > > >>> Caused by: java.io.IOException: Unexpected item context [0] [tag=0xA0, off=0, len=3+198], expecting 0x30
> > > >>>     at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:219)
> > > >>>     at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:207)
> > > >>>     at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:83)
> > > >>>     ... 9 more
> > > >>> org.apache.kerby.kerberos.kerb.KrbException: Decoding failed
> > > >>>     at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)
> > > >>>     at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
> > > >>>     at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast(KdcRequest.java:213)
> > > >>>     at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.process(KdcRequest.java:170)
> > > >>>     at org.apache.kerby.kerberos.kerb.server.KdcHandler.handleMessage(KdcHandler.java:116)
> > > >>>     at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.handleMessage(DefaultKdcHandler.java:67)
> > > >>>     at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:52)
> > > >>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> > > >>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> > > >>>     at java.lang.Thread.run(Thread.java:745)
> > > >>> Caused by: java.io.IOException: Unexpected item context [0] [tag=0xA0, off=0, len=3+198], expecting 0x30
> > > >>>     at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:219)
> > > >>>     at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:207)
> > > >>>     at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:83)
> > > >>>     ... 9 more
> > >>>
> > >>> The client program (and also kinit) were using the krb5.conf 
> > >>> that was auto-generated by the SimpleKdcServer in the workdir, 
> > >>> and looked like the following (I just replaced localhost with 
> > >>> the FQDN of my
> > >>> machine):
> > >>>
> > >>> [libdefaults]
> > >>>     kdc_realm = EXAMPLE.COM
> > >>>     default_realm = EXAMPLE.COM
> > >>>     udp_preference_limit = 1
> > >>>     kdc_tcp_port = 60088
> > >>>     #_KDC_UDP_PORT_
> > >>>
> > >>> [realms]
> > >>>     EXAMPLE.COM = {
> > >>>         kdc = kdc.example.com:60088
> > >>>     }
> > >>>
> > >>> I had also enabled KRB5_TRACE on my client program that was 
> > >>> making the TGS req, and it shows the following:
> > >>>
> > >>>
> > >>> [1588796] 1496515969.488037: ccselect can't find appropriate 
> > >>> cache for server principal myservice/kdc.example.com@ [1588796]
> > >>> 1496515969.488112: Getting credentials [email protected] -> 
> > >>> myservice/kdc.example.com@ using ccache FILE:/tmp/krb5cc_20474 
> > >>> [1588796] 1496515969.488170: Retrieving [email protected] -> 
> > >>> myservice/kdc.example.com@ from FILE:/tmp/krb5cc_20474 with result:
> > >>> -1765328243/Matching credential not found (filename:
> > >>> /tmp/krb5cc_20474) [1588796] 1496515969.488206: Retrying 
> > >>> [email protected] -> myservice/ [email protected] with
> > >>> result: -1765328243/Matching credential not found (filename:
> > >>> /tmp/krb5cc_20474) [1588796] 1496515969.488214: Server has 
> > >>> referral realm; starting with 
> > >>> myservice/[email protected]
> > >>> [1588796] 1496515969.488250: Retrieving [email protected] -> 
> > >>> krbtgt/ [email protected] from FILE:/tmp/krb5cc_20474 with result:
> > >>> 0/Success [1588796] 1496515969.488259: Starting with TGT for 
> > >>> client
> > >>> realm:
> > >>> [email protected] -> krbtgt/[email protected] [1588796]
> > >>> 1496515969.488266: Requesting tickets for myservice/ 
> > >>> [email protected], referrals on [1588796]
> > >>> 1496515969.488298: Generated subkey for TGS request:
> > >>> aes128-cts/476E
> > >>> [1588796] 1496515969.488345: etypes requested in TGS request:
> > >>> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, 
> > >>> camellia128-cts, camellia256-cts [1588796] 1496515969.488460: 
> > >>> Encoding request body and padata into FAST request [1588796] 
> > >>> 1496515969.488522: Sending request (835 bytes) to EXAMPLE.COM [1588796] 
> > >>> 1496515969.488553:
> > >>> Resolving hostname kdc.example.com [1588796] 1496515969.488621:
> > >>> Initiating TCP connection to stream
> > >>> 172.17.0.53:60088
> > >>> [1588796] 1496515969.488682: Sending TCP request to stream
> > >>> 172.17.0.53:60088
> > >>> [1588796] 1496515969.492213: Received answer (134 bytes) from 
> > >>> stream
> > >>> 172.17.0.53:60088
> > >>> [1588796] 1496515969.492222: Terminating TCP connection to 
> > >>> stream
> > >>> 172.17.0.53:60088
> > >>> [1588796] 1496515969.492292: Response was not from master KDC 
> > >>> [1588796] 1496515969.492309: TGS request result: 
> > >>> -1765323383/Unknown code krcM 137 [1588796] 1496515969.492332: 
> > >>> Requesting tickets for myservice/ [email protected], 
> > >>> referrals off [1588796]
> > >>> 1496515969.492351: Generated subkey for TGS request:
> > >>> aes128-cts/AECC
> > >>> [1588796] 1496515969.492377: etypes requested in TGS request:
> > >>> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, 
> > >>> camellia128-cts, camellia256-cts [1588796] 1496515969.492430: 
> > >>> Encoding request body and padata into FAST request [1588796] 
> > >>> 1496515969.492483: Sending request (835 bytes) to EXAMPLE.COM [1588796] 
> > >>> 1496515969.492493:
> > >>> Resolving hostname kdc.example.com [1588796] 1496515969.492543:
> > >>> Initiating TCP connection to stream
> > >>> 172.17.0.53:60088
> > >>> [1588796] 1496515969.492586: Sending TCP request to stream
> > >>> 172.17.0.53:60088
> > >>> [1588796] 1496515969.496886: Received answer (134 bytes) from 
> > >>> stream
> > >>> 172.17.0.53:60088
> > >>> [1588796] 1496515969.496894: Terminating TCP connection to 
> > >>> stream
> > >>> 172.17.0.53:60088
> > >>> [1588796] 1496515969.496948: Response was not from master KDC 
> > >>> [1588796] 1496515969.496963: TGS request result: 
> > >>> -1765323383/Unknown code krcM 137
> > >>>
> > >>>
> > >>> I've tried the same scenario with the MIT krb5kdc service with 
> > >>> the same principals, and the TGS req is successful, with the trace log:
> > >>>
> > >>> [1590761] 1496516355.23070: ccselect module realm chose cache
> > >>> FILE:/tmp/krb5cc_20474 with client principal [email protected] for 
> > >>> server principal myservice/[email protected]
> > >>> [1590761] 1496516355.23150: Getting credentials [email protected] 
> > >>> -> myservice/ [email protected] using ccache
> > >>> FILE:/tmp/krb5cc_20474 [1590761] 1496516355.23212: Retrieving 
> > >>> [email protected] -> myservice/ [email protected] from
> > >>> FILE:/tmp/krb5cc_20474 with result:
> > >>> -1765328243/Matching credential not found (filename:
> > >>> /tmp/krb5cc_20474) [1590761] 1496516355.23260: Retrieving 
> > >>> [email protected] -> krbtgt/ [email protected] from
> > >>> FILE:/tmp/krb5cc_20474 with result: 0/Success [1590761]
> > >>> 1496516355.23269: Starting with
> > >> TGT for client realm:
> > >>> [email protected] -> krbtgt/[email protected] [1590761]
> > >>> 1496516355.23277: Requesting tickets for myservice/ 
> > >>> [email protected], referrals on [1590761]
> > >>> 1496516355.23312: Generated subkey for TGS request:
> > >>> aes256-cts/3F0A
> > >>> [1590761] 1496516355.23368: etypes requested in TGS request:
> > >>> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, 
> > >>> camellia128-cts, camellia256-cts [1590761] 1496516355.23485: 
> > >>> Encoding request body and padata into FAST request [1590761] 
> > >>> 1496516355.23552: Sending request (933 bytes) to EXAMPLE.COM [1590761] 
> > >>> 1496516355.23581:
> > >>> Resolving hostname kdc.example.com [1590761] 1496516355.23651:
> > >>> Sending initial UDP request to dgram
> > >>> 172.17.0.53:88
> > >>> [1590761] 1496516355.24205: Received answer (912 bytes) from 
> > >>> dgram
> > >>> 172.17.0.53:88
> > >>> [1590761] 1496516355.24223: Response was not from master KDC 
> > >>> [1590761] 1496516355.24240: Decoding FAST response [1590761]
> > >>> 1496516355.24334: FAST reply key: aes256-cts/8818 [1590761]
> > >>> 1496516355.24376: TGS reply is for [email protected] -> myservice/ 
> > >>> [email protected] with session key aes256-cts/126E 
> > >>> [1590761] 1496516355.24390: TGS request result: 0/Success 
> > >>> [1590761]
> > >>> 1496516355.24395: Received creds for desired service myservice/ 
> > >>> [email protected] [1590761] 1496516355.24401: Storing 
> > >>> [email protected] -> myservice/ [email protected] in
> > >>> FILE:/tmp/krb5cc_20474 [1590761] 1496516355.24517: Retrieving 
> > >>> [email protected] -> krbtgt/ [email protected] from
> > >>> FILE:/tmp/krb5cc_20474 with result: 0/Success [1590761]
> > >>> 1496516355.24528: Get cred via TGT krbtgt/ 
> > >>> [email protected] after requesting 
> > >>> krbtgt/[email protected] (canonicalize off) [1590761] 
> > >>> 1496516355.24546: Generated subkey for TGS request:
> > >>> aes256-cts/0D91
> > >>> [1590761] 1496516355.24574: etypes requested in TGS request:
> > >>> aes256-cts [1590761] 1496516355.24633: Encoding request body and 
> > >>> padata into FAST request [1590761] 1496516355.24689: Sending 
> > >>> request
> > >>> (931 bytes) to EXAMPLE.COM [1590761] 1496516355.24699: Resolving 
> > >>> hostname kdc.example.com [1590761] 1496516355.24750: Sending 
> > >>> initial UDP request to dgram
> > >>> 172.17.0.53:88
> > >>> [1590761] 1496516355.25098: Received answer (900 bytes) from 
> > >>> dgram
> > >>> 172.17.0.53:88
> > >>> [1590761] 1496516355.25115: Response was not from master KDC 
> > >>> [1590761] 1496516355.25127: Decoding FAST response [1590761]
> > >>> 1496516355.25198: FAST reply key: aes256-cts/03AB [1590761]
> > >>> 1496516355.25234: TGS reply is for [email protected] -> krbtgt/ 
> > >>> [email protected] with session key aes256-cts/A423 
> > >>> [1590761]
> > >>> 1496516355.25246: Got cred; 0/Success [1590761] 1496516355.25315:
> > >>> Creating authenticator for [email protected] -> 
> > >>> myservice/[email protected], seqnum 751690771, subkey 
> > >>> aes256-cts/91D0, session key aes256-cts/126E
> > >>>
> > >>>
> > >>>
> > >>> My best guess is that maybe I'm missing some configuration steps 
> > >>> in my Java code and that's causing the FAST request to fail. I 
> > >>> couldn't find any code examples for kerby anywhere which can 
> > >>> help me with my use case. Does anyone have any ideas about the above?
> > >>>
> > >>> Apologies again for the long email, just wanted to share my 
> > >>> trials so far.
> > >>> Have a nice weekend.
> > >>>
> > >>> Cheers,
> > >>> Pratyush
> > >>>
> > >>
> > >>
> > >>
> > >> --
> > >> Colm O hEigeartaigh
> > >>
> > >> Talend Community Coder
> > >> http://coders.talend.com
> > >>
> > >
> >
> > --
> > Marc de Lignie
> >
> >
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>

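Added example, not part of the original thread and not Kerby code: a small DER header reader that shows how to read the "Unexpected item context [0] [tag=0xA0, off=0, len=3+198], expecting 0x30" line in the stack trace quoted above. A strict SEQUENCE decoder rejects a constructed context tag [0], which is what EXPLICIT tagging puts in front of the inner SEQUENCE. The function names are hypothetical, and the sample bytes are constructed to match only the header figures in that message (tag 0xA0, 3 header octets, 198 content octets).

```python
from typing import NamedTuple

CLASSES = ("universal", "application", "context", "private")

class Header(NamedTuple):
    tag_byte: int      # first identifier octet, e.g. 0xA0
    tag_class: str     # taken from bits 8-7 of that octet
    constructed: bool  # bit 6
    number: int        # tag number from bits 5-1, e.g. 0 for [0]
    hdr_len: int       # identifier octet plus length octets
    body_len: int      # content octets

def read_header(buf: bytes) -> Header:
    """Parse one DER identifier/length header at the start of buf."""
    if len(buf) < 2:
        raise ValueError("truncated TLV")
    first, length, pos = buf[0], buf[1], 2
    if first & 0x1F == 0x1F:
        raise ValueError("high-tag-number form is outside this example")
    if length & 0x80:                       # long form: low bits = octet count
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("content runs past the end of the buffer")
    return Header(first, CLASSES[first >> 6], bool(first & 0x20),
                  first & 0x1F, pos, length)

def decode_as_sequence(buf: bytes) -> bytes:
    """Strict decoder: accept only a universal SEQUENCE, return its content."""
    h = read_header(buf)
    if h.tag_byte != 0x30:
        raise ValueError(
            f"Unexpected item {h.tag_class} [{h.number}] [tag=0x{h.tag_byte:02X}, "
            f"off=0, len={h.hdr_len}+{h.body_len}], expecting 0x30")
    return buf[h.hdr_len:h.hdr_len + h.body_len]

def unwrap_explicit(buf: bytes, number: int) -> bytes:
    """Strip an EXPLICIT context tag [number] and return the inner TLV."""
    h = read_header(buf)
    if (h.tag_class, h.constructed, h.number) != ("context", True, number):
        raise ValueError(f"expected context [{number}], got 0x{h.tag_byte:02X}")
    return buf[h.hdr_len:h.hdr_len + h.body_len]

# Constructed sample: [0] wrapper (3 header + 198 content octets) around a
# SEQUENCE whose 195 content octets are zero filler, not real FAST data.
INNER = bytes([0x30, 0x81, 0xC3]) + bytes(195)
WRAPPED = bytes([0xA0, 0x81, 0xC6]) + INNER

if __name__ == "__main__":
    print(read_header(WRAPPED))
    print(read_header(unwrap_explicit(WRAPPED, 0)))
```

The "len=3+198" in the exception is header octets plus content octets: 0xA0, then the long-form length 0x81 0xC6.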