Hi Marc,
In case you're not aware of this, please check out the latest fix made by
Jiajia. We thought your case may be different, but it would be good to have a
check before we can repeat/fix your case. Thanks.
https://issues.apache.org/jira/browse/DIRKRB-625
Regards,
Kai
-----Original Message-----
From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl]
Sent: Sunday, April 30, 2017 7:45 PM
To: kerby@directory.apache.org
Subject: Re: MIT Kerberos compatibility
Hi Kai,
The terminal output below is for the latest MIT Kerberos 1.15.1 (locally built
on Ubuntu Xenial). Before that, I also tested with the default Xenial MIT
Kerberos packages (1.13.2), with the same result. I did not try earlier MIT
Kerberos versions.
Marc
On 29-04-17 at 21:42, Marc de Lignie wrote:
>
> Hi Kai,
>
> Thanks for the response. I prepared a minimal config that reproduces
> my problem.
>
> You can fetch the branch/commit from:
> https://github.com/vtslab/directory-kerby/commits/MitIssue
>
> This is relative to RC2, but I also tried this on trunk for my actual
> project.
>
> This config produces the debug and error messages below.
>
> 1. For the terminal with the bash + python script
> $ klist
> Ticket cache: FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> Default principal: dran...@test.com
>
> Valid starting     Expires            Service principal
> 29-04-17 21:07:39  30-04-17 05:07:39  krbtgt/test@test.com
>         renew until 29-04-17 21:07:39
>
> $ . kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/MitIssueTest.sh
> [15538] 1493491231.917606: Retrieving dran...@test.com from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
> [15538] 1493491231.917827: Retrieving dran...@test.com from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
> kerberos.authGSSClientInit successful
> [15538] 1493491231.918185: Getting credentials dran...@test.com -> test-service/localhost@ using ccache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> [15538] 1493491231.918210: Retrieving dran...@test.com -> test-service/localhost@ from FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc with result: -1765328243/Matching credential not found (filename: kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc)
> [15538] 1493491231.918226: Retrying dran...@test.com -> test-service/localh...@test.com with result: -1765328243/Matching credential not found (filename: kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc)
> [15538] 1493491231.918229: Server has referral realm; starting with test-service/localh...@test.com
> [15538] 1493491231.918278: Retrieving dran...@test.com -> krbtgt/test@test.com from FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc with result: 0/Success
> [15538] 1493491231.918281: Starting with TGT for client realm: dran...@test.com -> krbtgt/test@test.com
> [15538] 1493491231.918301: Requesting tickets for test-service/localh...@test.com, referrals on
> [15538] 1493491231.918326: Generated subkey for TGS request: aes128-cts/FA30
> [15538] 1493491231.918359: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
> [15538] 1493491231.918484: Encoding request body and padata into FAST request
> [15538] 1493491231.918541: Sending request (836 bytes) to TEST.COM
> [15538] 1493491231.918597: Resolving hostname localhost
> [15538] 1493491231.918703: Initiating TCP connection to stream 127.0.0.1:44292
> [15538] 1493491231.918777: Sending TCP request to stream 127.0.0.1:44292
> [15538] 1493491231.922803: TCP error receiving from stream 127.0.0.1:44292: 104/Connection reset by peer
> [15538] 1493491231.922812: Terminating TCP connection to stream 127.0.0.1:44292
> [15538] 1493491231.922858: Sending initial UDP request to dgram 127.0.0.1:44292
> ('First kerberos.authGSSClientStep not successful', GSSError(('Unspecified GSS failure. Minor code may provide more information', 851968), ("Cannot contact any KDC for realm 'TEST.COM'", -1765328228)))
>
> 2. For the terminal that runs mvn clean test -Dtest=MitIssueTest
> Running org.apache.kerby.kerberos.kerb.server.MitIssueTest
> 2017-04-29 21:07:39,182 DEBUG [main] backend.AbstractIdentityBackend: initialize called
> 2017-04-29 21:07:39,195 DEBUG [main] backend.AbstractIdentityBackend: getIdentity called, principalName = krbtgt/test@test.com
> 2017-04-29 21:07:39,195 DEBUG [main] backend.AbstractIdentityBackend: getIdentity failed, principalName = krbtgt/test@test.com
> 2017-04-29 21:07:39,212 DEBUG [main] backend.AbstractIdentityBackend: addIdentity successful, principalName = krbtgt/test@test.com
> 2017-04-29 21:07:39,212 DEBUG [main] backend.AbstractIdentityBackend: getIdentity called,