RE: [Kerby] TGS req failing with "Unexpected item context"

[Zheng, Kai]

Thank you Jiajia for your taking time to fix this long hanging issue. The fix 
looks great!

Regards,
Kai

-Original Message-
From: Li, Jiajia [mailto:jiajia...@intel.com] 
Sent: Wednesday, June 14, 2017 10:42 AM
To: kerby@directory.apache.org
Subject: RE: [Kerby] TGS req failing with "Unexpected item context"

Hi all,
I have some fix for this issue, could anyone help me to check it using your 
test env? 

Commit log is:
commit a6224d2cf60e8e18ba5e307f1a4a2bc4c01a55b4
Author: plusplusjiajia 
Date:   Wed Jun 14 10:43:46 2017 +0800

Fix DIRKRB-614 and DIRKRB-631.

Thanks
Jiajia

-Original Message-
From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl]
Sent: Thursday, June 8, 2017 8:10 PM
To: kerby@directory.apache.org
Subject: Re: [Kerby] TGS req failing with "Unexpected item context"

Hi Kai,

See, my original logs from both the python client and the KDC at (this link is 
also present in DIRKRB-631):

http://mail-archives.apache.org/mod_mbox/directory-kerby/201705.mbox/browser

Here, the logs of the python client coincide with Pratyush's report in the 
current thread. The logs of the KDC coincide with the old
DIRKKRB-614 issue.

I would say all reports are related to the same error, Kerby not being able the 
decode the FAST OTP requests of MIT Kerberos 1.11+. Also, all are related to a 
TGS request based on an existing TGT.

Cheers,Marc


Op 06-06-17 om 21:07 schreef Marc de Lignie:
> Dear all,
>
> My bad, it seems I made a separate issue for this, which might add 
> more details to DIRKRB-614 and might help you in finding the decode
> error:
>
> https://issues.apache.org/jira/browse/DIRKRB-631
>
> The workaround I mentioned is there, in the comments.
>
> Cheers,   Marc
>
>
> Op 06-06-17 om 21:02 schreef Marc de Lignie:
>> Pratjush,
>>
>> I just posted a temporary workaround as a comment below:
>>
>> https://issues.apache.org/jira/browse/DIRKRB-614
>>
>> Cheers,Marc
>>
>>
>> Kai wrote:
>>
>> It seems so and we need to fix it. However, I don't see any obvious 
>> cause for it. Hope we can get to this sooner (should be next week) 
>> after some deadline is caught. Sorry for the late.
>>
>> Regards,
>> Kai
>>
>> -Original Message-
>> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
>> Sent: Monday, June 05, 2017 12:04 AM
>> To: kerby@directory.apache.org
>> Subject: Re: [Kerby] TGS req failing with "Unexpected item context"
>>
>> Looks like you're running into this known issue:
>>
>> https://issues.apache.org/jira/browse/DIRKRB-614
>>
>> Colm.
>>
>> On Sat, Jun 3, 2017 at 8:09 PM, pratyush parimal 
>> >> wrote:
>>
>>> Hi everyone,
>>>
>>> I'm writing a simple Java program that stands up a KDC using the 
>>> SimpleKdcServer class, and I'm trying to use it for AS & TGS 
>>> operations. Relevant code is below:
>>>
>>> kdc = new SimpleKdcServer(); 
>>> kdc.setKdcHost("kdc.example.com");
>>> kdc.setKdcPort(60088);
>>> kdc.setKdcRealm("EXAMPLE.COM");
>>>
>>> kdc.setAllowUdp(false);
>>> kdc.setWorkDir(keytabFile.getParentFile());
>>>
>>> kdc.init();
>>>
>>> kdc.createPrincipal("u...@example.com", "u1pwd"); 
>>> kdc.createPrincipal("myservice/kdc.example@example.com",
>>> "myservicepwd");
>>>
>>> kdc.start();
>>>
>>> I use kinit to fetch the TGT for my principal "u1" and that's 
>>> successful.
>>> However, the subsequent TGS req from my client program fails with 
>>> the
>>> error:
>>>
>>> GSSAPI continuation error: Unknown code krcM 137
>>>
>>> . I debugged through the source code for Kerby and saw that the full 
>>> exception was not getting thrown because of a (e instanceof
>>> KdcRecoverableException) check. When I print the stacktrace via a 
>>> debugger, I see the following (apologies for the huge stack trace):
>>>
>>> [pool-1-thread-1] INFO
>>> org.apache.kerby.kerberos.kerb.server.request.KdcRequest - Found 
>>> fast padata and starting to process it.
>>> org.apache.kerby.kerberos.kerb.KrbException: Decoding failed at
>>> org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)
>>> at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
>>> at
>>> org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast
>>> (
>>> KdcRequest.java:213)
>>> at
>>> org.apache.kerby.kerberos.kerb.server.request.
>>> KdcRequest.process(KdcRequest.java:170)
>>> at
>>> org.apache.kerby.kerberos.kerb.server.KdcHandler.
>>> handleMessage(KdcHandler.java:116)
>>> at
>>> org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.
>>> handleMessage(DefaultKdcHandler.java:67)
>>> at
>>> org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(
>>> DefaultKdcHandler.java:52)
>>> at
>>> java.util.concurrent.ThreadPoolExecutor.runWorker(
>>> ThreadPoolExecutor.java:1145)
>>> at
>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(
>>> ThreadPoolExecutor.java:615)
>>> at java.lang.Thread.run(Thread.java:745)
>>> Caused by: java.io.IOException: Unexpected item context [0] 
>>> [tag=0xA0, off=0, 

RE: [Kerby] TGS req failing with "Unexpected item context"

[Li, Jiajia]

Hi all,
I have some fix for this issue, could anyone help me to check it using your 
test env? 

Commit log is:
commit a6224d2cf60e8e18ba5e307f1a4a2bc4c01a55b4
Author: plusplusjiajia 
Date:   Wed Jun 14 10:43:46 2017 +0800

Fix DIRKRB-614 and DIRKRB-631.

Thanks
Jiajia

-Original Message-
From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl] 
Sent: Thursday, June 8, 2017 8:10 PM
To: kerby@directory.apache.org
Subject: Re: [Kerby] TGS req failing with "Unexpected item context"

Hi Kai,

See, my original logs from both the python client and the KDC at (this link is 
also present in DIRKRB-631):

http://mail-archives.apache.org/mod_mbox/directory-kerby/201705.mbox/browser

Here, the logs of the python client coincide with Pratyush's report in the 
current thread. The logs of the KDC coincide with the old
DIRKKRB-614 issue.

I would say all reports are related to the same error, Kerby not being able the 
decode the FAST OTP requests of MIT Kerberos 1.11+. Also, all are related to a 
TGS request based on an existing TGT.

Cheers,Marc


Op 06-06-17 om 21:07 schreef Marc de Lignie:
> Dear all,
>
> My bad, it seems I made a separate issue for this, which might add 
> more details to DIRKRB-614 and might help you in finding the decode
> error:
>
> https://issues.apache.org/jira/browse/DIRKRB-631
>
> The workaround I mentioned is there, in the comments.
>
> Cheers,   Marc
>
>
> Op 06-06-17 om 21:02 schreef Marc de Lignie:
>> Pratjush,
>>
>> I just posted a temporary workaround as a comment below:
>>
>> https://issues.apache.org/jira/browse/DIRKRB-614
>>
>> Cheers,Marc
>>
>>
>> Kai wrote:
>>
>> It seems so and we need to fix it. However, I don't see any obvious 
>> cause for it. Hope we can get to this sooner (should be next week) 
>> after some deadline is caught. Sorry for the late.
>>
>> Regards,
>> Kai
>>
>> -Original Message-
>> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
>> Sent: Monday, June 05, 2017 12:04 AM
>> To: kerby@directory.apache.org
>> Subject: Re: [Kerby] TGS req failing with "Unexpected item context"
>>
>> Looks like you're running into this known issue:
>>
>> https://issues.apache.org/jira/browse/DIRKRB-614
>>
>> Colm.
>>
>> On Sat, Jun 3, 2017 at 8:09 PM, pratyush parimal 
>> >> wrote:
>>
>>> Hi everyone,
>>>
>>> I'm writing a simple Java program that stands up a KDC using the 
>>> SimpleKdcServer class, and I'm trying to use it for AS & TGS 
>>> operations. Relevant code is below:
>>>
>>> kdc = new SimpleKdcServer(); 
>>> kdc.setKdcHost("kdc.example.com");
>>> kdc.setKdcPort(60088);
>>> kdc.setKdcRealm("EXAMPLE.COM");
>>>
>>> kdc.setAllowUdp(false);
>>> kdc.setWorkDir(keytabFile.getParentFile());
>>>
>>> kdc.init();
>>>
>>> kdc.createPrincipal("u...@example.com", "u1pwd"); 
>>> kdc.createPrincipal("myservice/kdc.example@example.com",
>>> "myservicepwd");
>>>
>>> kdc.start();
>>>
>>> I use kinit to fetch the TGT for my principal "u1" and that's 
>>> successful.
>>> However, the subsequent TGS req from my client program fails with 
>>> the
>>> error:
>>>
>>> GSSAPI continuation error: Unknown code krcM 137
>>>
>>> . I debugged through the source code for Kerby and saw that the full 
>>> exception was not getting thrown because of a (e instanceof
>>> KdcRecoverableException) check. When I print the stacktrace via a 
>>> debugger, I see the following (apologies for the huge stack trace):
>>>
>>> [pool-1-thread-1] INFO
>>> org.apache.kerby.kerberos.kerb.server.request.KdcRequest - Found 
>>> fast padata and starting to process it.
>>> org.apache.kerby.kerberos.kerb.KrbException: Decoding failed at
>>> org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)
>>> at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
>>> at
>>> org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast
>>> (
>>> KdcRequest.java:213)
>>> at
>>> org.apache.kerby.kerberos.kerb.server.request.
>>> KdcRequest.process(KdcRequest.java:170)
>>> at
>>> org.apache.kerby.kerberos.kerb.server.KdcHandler.
>>> handleMessage(KdcHandler.java:116)
>>> at
>>> org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.
>>> handleMessage(DefaultKdcHandler.java:67)
>>> at
>>> org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(
>>> DefaultKdcHandler.java:52)
>>> at
>>> java.util.concurrent.ThreadPoolExecutor.runWorker(
>>> ThreadPoolExecutor.java:1145)
>>> at
>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(
>>> ThreadPoolExecutor.java:615)
>>> at java.lang.Thread.run(Thread.java:745)
>>> Caused by: java.io.IOException: Unexpected item context [0] 
>>> [tag=0xA0, off=0, len=3+198], expecting 0x30 at 
>>> org.apache.kerby.asn1.type.Asn1Encodeable.decode(
>>> Asn1Encodeable.java:219)
>>> at org.apache.kerby.asn1.type.Asn1Encodeable.decode(
>>> Asn1Encodeable.java:207)
>>> at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:83)
>>> ... 9 more
>>>