Re: [Kerby] TGS req failing with "Unexpected item context"

2017-06-08 Thread Marc de Lignie

Hi Kai,

See my original logs from both the python client and the KDC here (this 
link is also present in DIRKRB-631):


http://mail-archives.apache.org/mod_mbox/directory-kerby/201705.mbox/browser

Here, the logs of the python client coincide with Pratyush's report in 
the current thread. The logs of the KDC coincide with the old 
DIRKRB-614 issue.


I would say all reports are related to the same error, Kerby not being 
able to decode the FAST OTP requests of MIT Kerberos 1.11+. Also, all 
are related to a TGS request based on an existing TGT.


Cheers, Marc


On 06-06-17 at 21:07, Marc de Lignie wrote:

Dear all,

My bad, it seems I made a separate issue for this, which might add 
more details to DIRKRB-614 and might help you in finding the decode 
error:


https://issues.apache.org/jira/browse/DIRKRB-631

The workaround I mentioned is there, in the comments.

Cheers, Marc


On 06-06-17 at 21:02, Marc de Lignie wrote:

Pratyush,

I just posted a temporary workaround as a comment below:

https://issues.apache.org/jira/browse/DIRKRB-614

Cheers, Marc


Kai wrote:

It seems so and we need to fix it. However, I don't see any obvious 
cause for it. Hope we can get to this sooner (should be next week) after 
some deadline is caught. Sorry for the delay.


Regards,
Kai

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Monday, June 05, 2017 12:04 AM
To: kerby@directory.apache.org
Subject: Re: [Kerby] TGS req failing with "Unexpected item context"

Looks like you're running into this known issue:

https://issues.apache.org/jira/browse/DIRKRB-614

Colm.

On Sat, Jun 3, 2017 at 8:09 PM, pratyush parimal 
<pratyush.pari...@gmail.com> wrote:



Hi everyone,

I'm writing a simple Java program that stands up a KDC using the 
SimpleKdcServer class, and I'm trying to use it for AS & TGS 
operations. Relevant code is below:


kdc = new SimpleKdcServer();
kdc.setKdcHost("kdc.example.com");
kdc.setKdcPort(60088);
kdc.setKdcRealm("EXAMPLE.COM");

kdc.setAllowUdp(false);
kdc.setWorkDir(keytabFile.getParentFile());

kdc.init();

kdc.createPrincipal("u...@example.com", "u1pwd");
kdc.createPrincipal("myservice/kdc.example@example.com", "myservicepwd");

kdc.start();

I use kinit to fetch the TGT for my principal "u1" and that's 
successful.

However, the subsequent TGS req from my client program fails with the 
error:

GSSAPI continuation error: Unknown code krcM 137

I debugged through the source code for Kerby and saw that the full 
exception was not getting thrown because of a (e instanceof 
KdcRecoverableException) check. When I print the stacktrace via a 
debugger, I see the following (apologies for the huge stack trace):


[pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.request.KdcRequest - Found fast padata and starting to process it.
org.apache.kerby.kerberos.kerb.KrbException: Decoding failed
    at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)
    at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
    at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast(KdcRequest.java:213)
    at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.process(KdcRequest.java:170)
    at org.apache.kerby.kerberos.kerb.server.KdcHandler.handleMessage(KdcHandler.java:116)
    at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.handleMessage(DefaultKdcHandler.java:67)
    at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:52)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: Unexpected item context [0] [tag=0xA0, off=0, len=3+198], expecting 0x30
    at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:219)
    at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:207)
    at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:83)
    ... 9 more
org.apache.kerby.kerberos.kerb.KrbException: Decoding failed
    at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)
    at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
    at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast(KdcRequest.java:213)
    at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.process(KdcRequest.java:170)
    at org.apache.kerby.kerberos.kerb.server.KdcHandler.handleMessage(KdcHandler.java:116)
    at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.handleMessage(DefaultKdcHandler.java:67)
    at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:52)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:6
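The "Caused by" line in the stack trace quoted above is a DER decoding failure: Kerby's ASN.1 layer was asked for a universal SEQUENCE (identifier octet 0x30) but the element at offset 0 carried a constructed context-specific tag [0] (0xA0) with a 3-octet header and 198 content octets. That shape is consistent with PA-FX-FAST-REQUEST as defined in RFC 6113, a CHOICE whose armored-data alternative is explicitly tagged [0] around a KrbFastArmoredReq SEQUENCE, so a decoder that expects the SEQUENCE at the position where the CHOICE tag sits fails in exactly this way. The Python below is an added illustration written for this page, not code from the thread or from the Kerby project, and it makes no claim about what the fix in DIRKRB-614/631 actually changed. It reads DER headers with the checks a strict decoder needs (minimal length encoding, no indefinite length, no content past the end of the buffer), reproduces the diagnostic on a constructed buffer with the same 3+198 header/length, and shows the same buffer decoding once the CHOICE tag is unwrapped first. The sample bytes are constructed for the demonstration; only their headers are meaningful.

```python
# Added example: a small DER tag/length reader that explains Kerby's
# "Unexpected item context [0] [tag=0xA0, ...], expecting 0x30" diagnostic.
# Illustrative code written for this page, not Kerby's own decoder.
from dataclasses import dataclass

CLASS_NAMES = {0: "universal", 1: "application", 2: "context", 3: "private"}
SEQUENCE_TAG = 0x30  # universal class, constructed, tag number 16


@dataclass
class DerHeader:
    tag: int          # identifier octet as seen on the wire, e.g. 0xA0
    tag_class: str    # universal / application / context / private
    constructed: bool
    number: int       # tag number: 0 for [0], 16 for SEQUENCE
    header_len: int   # octets consumed by identifier + length
    length: int       # content length in octets


def parse_der_header(data: bytes, off: int = 0) -> DerHeader:
    """Decode the identifier and length octets of one DER TLV at `off`.

    Rejects what DER forbids (indefinite length, non-minimal length)
    and content that would run past the end of the buffer.
    """
    if off >= len(data):
        raise ValueError("no data at offset %d" % off)
    tag = data[off]
    number = tag & 0x1F
    if number == 0x1F:
        raise ValueError("high tag numbers (>= 31) are not handled here")
    pos = off + 1
    if pos >= len(data):
        raise ValueError("truncated length octets")
    first = data[pos]
    pos += 1
    if first < 0x80:                      # short form: one octet
        length = first
    else:                                 # long form: 0x8N then N octets
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not valid DER")
        if pos + n > len(data):
            raise ValueError("truncated length octets")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
        # DER requires the shortest possible length encoding
        if length < 0x80 or (n > 1 and length < (1 << (8 * (n - 1)))):
            raise ValueError("non-minimal length encoding is not valid DER")
    if pos + length > len(data):
        raise ValueError("content truncated: %d octets promised, %d present"
                         % (length, len(data) - pos))
    return DerHeader(tag, CLASS_NAMES[tag >> 6], bool(tag & 0x20), number,
                     pos - off, length)


def describe(hdr: DerHeader, off: int) -> str:
    """Render a header the way Kerby prints it: '[tag=0xA0, off=0, len=3+198]'."""
    return "[tag=0x%02X, off=%d, len=%d+%d]" % (hdr.tag, off, hdr.header_len, hdr.length)


def expect_sequence(data: bytes, off: int = 0) -> str:
    """Behave like a decoder that insists on a SEQUENCE at `off`."""
    hdr = parse_der_header(data, off)
    if hdr.tag == SEQUENCE_TAG:
        return "ok"
    return "Unexpected item %s [%d] %s, expecting 0x30" % (
        hdr.tag_class, hdr.number, describe(hdr, off))


def decode_fast_request(data: bytes) -> str:
    """Treat `data` as PA-FX-FAST-REQUEST (RFC 6113): a CHOICE whose armored-data
    alternative is explicitly tagged [0] around a KrbFastArmoredReq SEQUENCE.
    Unwrap the CHOICE tag first, then require the SEQUENCE inside it."""
    outer = parse_der_header(data, 0)
    if outer.tag_class != "context" or not outer.constructed:
        return "not a CHOICE alternative: " + describe(outer, 0)
    inner = parse_der_header(data, outer.header_len)
    if inner.header_len + inner.length != outer.length:
        return "inner element does not fill the [%d] wrapper" % outer.number
    return expect_sequence(data, outer.header_len)


# Constructed sample (not captured from the thread): [0] EXPLICIT wrapping a
# 195-octet SEQUENCE, which yields exactly the 3+198 header/length Kerby reported.
# The SEQUENCE body is zero padding; only the headers matter for this demonstration.
SAMPLE_FAST_PADATA = b"\xa0\x81\xc6" + b"\x30\x81\xc3" + b"\x00" * 195

if __name__ == "__main__":
    print(expect_sequence(SAMPLE_FAST_PADATA))     # reproduces the Kerby diagnostic
    print(decode_fast_request(SAMPLE_FAST_PADATA))  # ok
```

The length-consistency check in decode_fast_request is the part worth keeping in any real decoder: an explicitly tagged wrapper whose inner element does not fill it exactly is either corrupt or crafted, and a decoder that silently accepts trailing or missing octets inside the wrapper makes later bugs much harder to localise than the loud failure Kerby produced here.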

Re: [Kerby] TGS req failing with "Unexpected item context"

2017-06-17 Thread Marc de Lignie

I second Kai's compliments for Jiajia's work! I will post my test report in 
the comments section of DIRKRB-631 soon after this message.

Cheers, Marc


Thank you Jiajia for taking the time to fix this long-hanging issue. The fix 
looks great!

Regards,
Kai

-Original Message-
From: Li, Jiajia [mailto:jiajia...@intel.com]
Sent: Wednesday, June 14, 2017 10:42 AM
To: kerby@directory.apache.org
Subject: RE: [Kerby] TGS req failing with "Unexpected item context"

Hi all,
I have a fix for this issue; could anyone help me check it using your 
test env?

Commit log is:
commit a6224d2cf60e8e18ba5e307f1a4a2bc4c01a55b4
Author: plusplusjiajia <jiajia...@intel.com>
Date:   Wed Jun 14 10:43:46 2017 +0800

Fix DIRKRB-614 and DIRKRB-631.

Thanks
Jiajia

-Original Message-----
From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl]
Sent: Thursday, June 8, 2017 8:10 PM
To: kerby@directory.apache.org
Subject: Re: [Kerby] TGS req failing with "Unexpected item context"

Hi Kai,

See my original logs from both the python client and the KDC here (this link is 
also present in DIRKRB-631):

http://mail-archives.apache.org/mod_mbox/directory-kerby/201705.mbox/browser

Here, the logs of the python client coincide with Pratyush's report in the 
current thread. The logs of the KDC coincide with the old DIRKRB-614 issue.

I would say all reports are related to the same error, Kerby not being able to 
decode the FAST OTP requests of MIT Kerberos 1.11+. Also, all are related to a 
TGS request based on an existing TGT.

Cheers, Marc


On 06-06-17 at 21:07, Marc de Lignie wrote:

Dear all,

My bad, it seems I made a separate issue for this, which might add 
more details to DIRKRB-614 and might help you in finding the decode 
error:

https://issues.apache.org/jira/browse/DIRKRB-631

The workaround I mentioned is there, in the comments.

Cheers, Marc


On 06-06-17 at 21:02, Marc de Lignie wrote:

Pratyush,

I just posted a temporary workaround as a comment below:

https://issues.apache.org/jira/browse/DIRKRB-614

Cheers, Marc


Kai wrote:

It seems so and we need to fix it. However, I don't see any obvious 
cause for it. Hope we can get to this sooner (should be next week) 
after some deadline is caught. Sorry for the delay.


Regards,
Kai

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Monday, June 05, 2017 12:04 AM
To: kerby@directory.apache.org
Subject: Re: [Kerby] TGS req failing with "Unexpected item context"

Looks like you're running into this known issue:

https://issues.apache.org/jira/browse/DIRKRB-614

Colm.

On Sat, Jun 3, 2017 at 8:09 PM, pratyush parimal 
<pratyush.pari...@gmail.com> wrote:



Hi everyone,

I'm writing a simple Java program that stands up a KDC using the 
SimpleKdcServer class, and I'm trying to use it for AS & TGS 
operations. Relevant code is below:


kdc = new SimpleKdcServer();
kdc.setKdcHost("kdc.example.com");
kdc.setKdcPort(60088);
kdc.setKdcRealm("EXAMPLE.COM");

kdc.setAllowUdp(false);
kdc.setWorkDir(keytabFile.getParentFile());

kdc.init();

kdc.createPrincipal("u...@example.com", "u1pwd");
kdc.createPrincipal("myservice/kdc.example@example.com", "myservicepwd");

kdc.start();

I use kinit to fetch the TGT for my principal "u1" and that's 
successful.
However, the subsequent TGS req from my client program fails with the 
error:

GSSAPI continuation error: Unknown code krcM 137

I debugged through the source code for Kerby and saw that the full 
exception was not getting thrown because of a (e instanceof 
KdcRecoverableException) check. When I print the stacktrace via a 
debugger, I see the following (apologies for the huge stack trace):


[pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.request.KdcRequest - Found fast padata and starting to process it.

org.apache.kerby.kerberos.kerb.KrbException: Decoding failed
    at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)
    at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
    at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast(KdcRequest.java:213)
    at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.process(KdcRequest.java:170)
    at org.apache.kerby.kerberos.kerb.server.KdcHandler.handleMessage(KdcHandler.java:116)
    at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.handleMessage(DefaultKdcHandler.java:67)
    at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:52)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: Unexpected item context [0] [tag=0xA0, off=0, len=3+198], expecting 0x30
    at org.apache.kerby.asn1.type.Asn1Encodeab

Re: MIT Kerberos compatibility

2017-05-05 Thread Marc de Lignie
cache_conf_data/negative-cache/test-service\134/localhost\1...@test.com@X-CACHECONF: in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for 
krb5_ccache_conf_data/lkdc-hostname@X-CACHECONF: in cache 
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for 
krb5_ccache_conf_data/sitename@X-CACHECONF: in cache 
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for 
test-service/localh...@test.com in cache 
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-md5-deprecated not supported
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-md4-deprecated not supported
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-crc-deprecated not supported
2017-05-04T20:44:06 Trying to find service kdc for realm TEST.COM flags 0
2017-05-04T20:44:06 configuration file for realm TEST.COM found
2017-05-04T20:44:06 submissing new requests to new host
2017-05-04T20:44:06 host_create: setting hostname localhost
2017-05-04T20:44:06 connecting to host: udp ::1:52534 (localhost) tid: 0001
2017-05-04T20:44:06 host_create: setting hostname localhost
2017-05-04T20:44:06 Queuing host in future (in 3s), its the 2 address on the 
same name: udp 127.0.0.1:52534 (localhost) tid: 0002
2017-05-04T20:44:06 writing packet: udp ::1:52534 (localhost) tid: 0001
2017-05-04T20:44:06 reading packet: udp ::1:52534 (localhost) tid: 0001
2017-05-04T20:44:06 host completed: udp ::1:52534 (localhost) tid: 0001
2017-05-04T20:44:06 krb5_sendto_context TEST.COM done: 0 hosts 1 packets 1 wc: 
0.048927 nr: 0.000932 kh: 0.000814 tid: 0002
2017-05-04T20:44:06 tkt: extract key 17/763641F3
2017-05-04T20:44:06 set-error: -1765328353: Decrypt integrity check failed for 
checksum type hmac-sha1-96-aes128, key type aes128-cts-hmac-sha1-96
2017-05-04T20:44:06 tkt: extract key 17/3084A95C
2017-05-04T20:44:06 krb5_get_credentials_with_flags: TEST.COM wc: 0.050317
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for 
krb5_ccache_conf_data/realm-config@X-CACHECONF: in cache 
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for 
krb5_ccache_conf_data/time-offset/test-service\134/localhost\1...@test.com@X-CACHECONF: in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 Setting up PFS for auth context
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-md5-deprecated not supported
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-md4-deprecated not supported
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-crc-deprecated not supported
First kerberos.authGSSClientStep successful

Thanks
Jiajia

-Original Message-
From: Zheng, Kai [mailto:kai.zh...@intel.com]
Sent: Wednesday, May 3, 2017 7:29 PM
To: kerby@directory.apache.org
Subject: RE: MIT Kerberos compatibility

Hi Marc,

In case you're not aware of this, please check out the latest fix made by 
Jiajia. We thought your case may be different, but it would be good to have a 
check before we can repeat/fix your case. Thanks.
https://issues.apache.org/jira/browse/DIRKRB-625

Regards,
Kai

-----Original Message-
From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl]
Sent: Sunday, April 30, 2017 7:45 PM
To: kerby@directory.apache.org
Subject: Re: MIT Kerberos compatibility

Hi Kai,

The terminal output below is for the latest MIT Kerberos 1.15.1 (locally built 
on Ubuntu Xenial). Before that, I also tested with the default Xenial MIT 
Kerberos packages (1.13.2), with the same result. I did not try earlier MIT 
Kerberos versions.

Marc

On 29-04-17 at 21:42, Marc de Lignie wrote:

Hi Kai,

Thanks for the response. I prepared a minimal config that reproduces
my problem.

You can fetch the branch/commit from:
https://github.com/vtslab/directory-kerby/commits/MitIssue

This is relative to RC2, but I also tried this on trunk for my actual
project.

This config produces the debug and error messages below.

1. For the terminal with the bash + python script

$ klist
Ticket cache: FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
Default principal: dran...@test.com

Valid starting       Expires              Service principal
29-04-17 21:07:39    30-04-17 05:07:39    krbtgt/test@test.com
        renew until 29-04-17 21:07:39

$ . kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/MitIssueTest.sh
[15538] 1493491231.917606: Retrieving dran...@test.com from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[15538] 1493491231.917827: Retrieving dran...@test.com from FILE:/etc/krb5/user/1000/client.keytab (vno 0, 

Re: MIT Kerberos compatibility

2017-05-08 Thread Marc de Lignie
-service/localh...@test.com from FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
[26558] 1494229795.731541: Creating authenticator for dran...@test.com -> test-service/localhost@, seqnum 682578751, subkey aes128-cts/6920, session key aes128-cts/B24D
[26558] 1494229795.731564: Negotiating for enctypes in authenticator: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac

First kerberos.authGSSClientStep successful

$ klist
Ticket cache: FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
Default principal: dran...@test.com

Valid starting       Expires              Service principal
05/08/17 09:33:27    05/09/17 09:33:27    krbtgt/test@test.com
        renew until 05/09/17 09:33:27
05/08/17 09:49:55    05/09/17 09:33:27    test-service/localhost@
        renew until 05/09/17 09:33:27
05/08/17 09:49:55    05/09/17 09:33:27    test-service/localh...@test.com
        renew until 05/09/17 09:33:27


On 07-05-17 at 16:12, Marc de Lignie wrote:

Hi Jiajia and Kai,

Puzzled by the fact that the MIT Kerberos over python service ticket 
request works on Jiajia's system but not on mine, I attempted to 
request the service ticket with MIT Kerberos's kinit tool, and it 
worked.


This means that my issue probably lies in the kerberos python wrapper 
around the MIT Kerberos shared libs (or in the way I use it). I 
tried both with the Debian python-kerberos package, 
https://pypi.python.org/pypi/kerberos and with 
https://pypi.python.org/pypi/pykerberos/1.1.14, neither of which got 
the ticket. This still makes me curious where Mac-OS gets its python 
kerberos package from :-)


Here are the kinit shell commands to reproduce my test.

cd $PROJECTROOT
WORKDIR=kerby-kerb/kerb-kdc-test/target/tmp
export KRB5_CONFIG=$WORKDIR/krb5.conf
export KRB5CCNAME=$WORKDIR/test-tkt.cc
export KRB5_TRACE=/dev/stdout

$ kinit -S test-service/localhost
[3141] 1494161999.566468: Getting initial credentials for dran...@test.com
[3141] 1494161999.566835: Setting initial creds service to test-service/localhost
[3141] 1494161999.566952: Sending request (168 bytes) to TEST.COM
[3141] 1494161999.566997: Resolving hostname localhost
[3141] 1494161999.567467: Sending initial UDP request to dgram 127.0.0.1:45527
[3141] 1494161999.573494: Received answer (555 bytes) from dgram 127.0.0.1:45527
[3141] 1494161999.576791: Response was not from master KDC
[3141] 1494161999.576822: Salt derived from principal: TEST.COMdrankye
[3141] 1494161999.576824: Getting AS key, salt "TEST.COMdrankye", params ""
Password for dran...@test.com:
[3141] 1494162015.450071: AS key obtained from gak_fct: aes128-cts/0548
[3141] 1494162015.450101: Decrypted AS reply; session key is: aes128-cts/4EFE
[3141] 1494162015.450103: FAST negotiation: unavailable
[3141] 1494162015.450112: Initializing FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc with default princ dran...@test.com
[3141] 1494162015.450305: Storing dran...@test.com -> test-service/localh...@test.com in FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc


$ klist
Ticket cache: FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
Default principal: dran...@test.com

Valid starting       Expires              Service principal
07-05-17 14:59:59    08-05-17 14:59:59    test-service/localh...@test.com
        renew until 08-05-17 14:59:59

What is also notable here is that the TestKdc only produces one log 
message:


[nioEventLoopGroup-5-1] INFO org.apache.kerby.kerberos.kerb.server.request.AsRequest - AS_REQ ISSUE: authtime 1494164956766,dran...@test.com for test-service/localh...@test.com


while in the error situation from python it produces (and not the 
AS_REQ line):


[nioEventLoopGroup-5-1] INFO org.apache.kerby.kerberos.kerb.server.request.KdcRequest - Found fast padata and starting to process it.
[nioEventLoopGroup-5-1] INFO org.apache.kerby.kerberos.kerb.server.request.KdcRequest - Found fast padata and starting to process it.


Note also that kinit requires the password to be given, while the python 
test case attempts to use the TGT from the credential cache.


Maybe it is also useful to restate my target: I want to authenticate a 
python client towards a service using GSSAPI with SASL (the service 
being gremlin-server from the Apache Tinkerpop project). So I want to 
get the service ticket using GSSAPI and an existing TGT from the 
credential cache.


Any additional hints are welcome, good luck with the Kerby GA release.

Marc

On 05-05-17 at 22:12, Marc de Lignie wrote:

Hi Jiajia,

Thanks for the netty config option. This indeed helped to get rid of 
the udp errors, but did not help in getting the service ticket (final 
error message remains the same).


I also noticed that I get the same error from the python console 
whether I specify the right service name or some service name for 
which no service principal exists in the TestKdc.


I did not succeed in getting mvn test to print the debug logging of 
the various kdc classes involved.


Did you check with klist whether dr

RE: [Kerby] TGS req failing with "Unexpected item context"

2017-06-06 Thread Marc de Lignie

Pratyush,

I just posted a temporary workaround as a comment below:

https://issues.apache.org/jira/browse/DIRKRB-614

Cheers, Marc


Kai wrote:

It seems so and we need to fix it. However, I don't see any obvious cause for 
it. Hope we can get to this sooner (should be next week) after some deadline 
is caught. Sorry for the delay.

Regards,
Kai

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Monday, June 05, 2017 12:04 AM
To: kerby@directory.apache.org
Subject: Re: [Kerby] TGS req failing with "Unexpected item context"

Looks like you're running into this known issue:

https://issues.apache.org/jira/browse/DIRKRB-614

Colm.

On Sat, Jun 3, 2017 at 8:09 PM, pratyush parimal 

Re: [Kerby] TGS req failing with "Unexpected item context"

2017-06-06 Thread Marc de Lignie

Dear all,

My bad, it seems I made a separate issue for this, which might add more 
details to DIRKRB-614 and might help you in finding the decode error:


https://issues.apache.org/jira/browse/DIRKRB-631

The workaround I mentioned is there, in the comments.

Cheers, Marc


On 06-06-17 at 21:02, Marc de Lignie wrote:

Pratyush,

I just posted a temporary workaround as a comment below:

https://issues.apache.org/jira/browse/DIRKRB-614

Cheers, Marc


Kai wrote:

It seems so and we need to fix it. However, I don't see any obvious 
cause for it. Hope we can get to this sooner (should be next week) after 
some deadline is caught. Sorry for the delay.


Regards,
Kai

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Monday, June 05, 2017 12:04 AM
To: kerby@directory.apache.org
Subject: Re: [Kerby] TGS req failing with "Unexpected item context"

Looks like you're running into this known issue:

https://issues.apache.org/jira/browse/DIRKRB-614

Colm.

On Sat, Jun 3, 2017 at 8:09 PM, pratyush parimal 
<pratyush.pari...@gmail.com> wrote:



Hi everyone,

I'm writing a simple Java program that stands up a KDC using the 
SimpleKdcServer class, and I'm trying to use it for AS & TGS 
operations. Relevant code is below:


kdc = new SimpleKdcServer();
kdc.setKdcHost("kdc.example.com");
kdc.setKdcPort(60088);
kdc.setKdcRealm("EXAMPLE.COM");

kdc.setAllowUdp(false);
kdc.setWorkDir(keytabFile.getParentFile());

kdc.init();

kdc.createPrincipal("u...@example.com", "u1pwd");
kdc.createPrincipal("myservice/kdc.example@example.com", "myservicepwd");

kdc.start();

I use kinit to fetch the TGT for my principal "u1" and that's 
successful.

However, the subsequent TGS req from my client program fails with the 
error:

GSSAPI continuation error: Unknown code krcM 137

I debugged through the source code for Kerby and saw that the full 
exception was not getting thrown because of a (e instanceof 
KdcRecoverableException) check. When I print the stacktrace via a 
debugger, I see the following (apologies for the huge stack trace):


[pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.request.KdcRequest - Found fast padata and starting to process it.
org.apache.kerby.kerberos.kerb.KrbException: Decoding failed
    at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)
    at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
    at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast(KdcRequest.java:213)
    at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.process(KdcRequest.java:170)
    at org.apache.kerby.kerberos.kerb.server.KdcHandler.handleMessage(KdcHandler.java:116)
    at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.handleMessage(DefaultKdcHandler.java:67)
    at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:52)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: Unexpected item context [0] [tag=0xA0, off=0, len=3+198], expecting 0x30
    at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:219)
    at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:207)
    at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:83)
    ... 9 more
org.apache.kerby.kerberos.kerb.KrbException: Decoding failed
    at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)
    at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
    at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast(KdcRequest.java:213)
    at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.process(KdcRequest.java:170)
    at org.apache.kerby.kerberos.kerb.server.KdcHandler.handleMessage(KdcHandler.java:116)
    at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.handleMessage(DefaultKdcHandler.java:67)
    at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:52)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: Unexpected item context [0] [tag=0xA0, off=0, len=3+198], expecting 0x30
    at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:219)
    at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:207)
    at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:83)
    ... 9 more

The client program (and also kinit) were using the krb5.conf that was 
auto-generated by the SimpleKdcServer in the workdir, and looked like 
the following (I just replaced localhost with the FQDN of my machine):


[libdefaults]