Re: [Kerby] TGS req failing with "Unexpected item context"

[Marc de Lignie]

I second Kai's compliments for Jiajia's work ! I will post my test report in 
the comments section of DIRKRB-631 soon after this message..

Cheers,   Marc


Thank you Jiajia for your taking time to fix this long hanging issue. The fix 
looks great!

Regards,
Kai

-Original Message-
From: Li, Jiajia [mailto:jiajia...@intel.com]
Sent: Wednesday, June 14, 2017 10:42 AM
To: kerby@directory.apache.org
Subject: RE: [Kerby] TGS req failing with "Unexpected item context"

Hi all,
I have some fix for this issue, could anyone help me to check it using your 
test env?

Commit log is:
commit a6224d2cf60e8e18ba5e307f1a4a2bc4c01a55b4
Author: plusplusjiajia <jiajia...@intel.com>
Date:   Wed Jun 14 10:43:46 2017 +0800

Fix DIRKRB-614 and DIRKRB-631.

Thanks
Jiajia

-Original Message-
From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl]
Sent: Thursday, June 8, 2017 8:10 PM
To: kerby@directory.apache.org
Subject: Re: [Kerby] TGS req failing with "Unexpected item context"

Hi Kai,

See, my original logs from both the python client and the KDC at (this link is 
also present
in DIRKRB-631):

http://mail-archives.apache.org/mod_mbox/directory-kerby/201705.mbox/browser

Here, the logs of the python client coincide with Pratyush's report in the 
current thread.
The logs of the KDC coincide with the old
DIRKKRB-614 issue.

I would say all reports are related to the same error, Kerby not being able the 
decode the
FAST OTP requests of MIT Kerberos 1.11+. Also, all are related to a TGS request 
based on an
existing TGT.

Cheers,Marc


Op 06-06-17 om 21:07 schreef Marc de Lignie:

Dear all,

My bad, it seems I made a separate issue for this, which might add 
more details to DIRKRB-614 and might help you in finding the decode

error:

https://issues.apache.org/jira/browse/DIRKRB-631

The workaround I mentioned is there, in the comments.

Cheers,   Marc


Op 06-06-17 om 21:02 schreef Marc de Lignie:

Pratjush,

I just posted a temporary workaround as a comment below:

https://issues.apache.org/jira/browse/DIRKRB-614

Cheers,Marc


Kai wrote:

It seems so and we need to fix it. However, I don't see any obvious 
cause for it. Hope we can get to this sooner (should be next week) 
after some deadline is caught. Sorry for the late.


Regards,
Kai

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Monday, June 05, 2017 12:04 AM
To: kerby@directory.apache.org
Subject: Re: [Kerby] TGS req failing with "Unexpected item context"

Looks like you're running into this known issue:

https://issues.apache.org/jira/browse/DIRKRB-614

Colm.

On Sat, Jun 3, 2017 at 8:09 PM, pratyush parimal 
<pratyush.pari...@gmail.com

wrote:



Hi everyone,

I'm writing a simple Java program that stands up a KDC using the 
SimpleKdcServer class, and I'm trying to use it for AS & TGS 
operations. Relevant code is below:


kdc = new SimpleKdcServer(); 
kdc.setKdcHost("kdc.example.com");

kdc.setKdcPort(60088);
kdc.setKdcRealm("EXAMPLE.COM");

kdc.setAllowUdp(false);
kdc.setWorkDir(keytabFile.getParentFile());

kdc.init();

kdc.createPrincipal("u...@example.com", "u1pwd"); 
kdc.createPrincipal("myservice/kdc.example@example.com",

"myservicepwd");

kdc.start();

I use kinit to fetch the TGT for my principal "u1" and that's 
successful.
However, the subsequent TGS req from my client program fails with 
the

error:

GSSAPI continuation error: Unknown code krcM 137

. I debugged through the source code for Kerby and saw that the full 
exception was not getting thrown because of a (e instanceof
KdcRecoverableException) check. When I print the stacktrace via a 
debugger, I see the following (apologies for the huge stack trace):


[pool-1-thread-1] INFO
org.apache.kerby.kerberos.kerb.server.request.KdcRequest - Found 
fast padata and starting to process it.

org.apache.kerby.kerberos.kerb.KrbException: Decoding failed at
org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)
at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
at
org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast
(
KdcRequest.java:213)
at
org.apache.kerby.kerberos.kerb.server.request.
KdcRequest.process(KdcRequest.java:170)
at
org.apache.kerby.kerberos.kerb.server.KdcHandler.
handleMessage(KdcHandler.java:116)
at
org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.
handleMessage(DefaultKdcHandler.java:67)
at
org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(
DefaultKdcHandler.java:52)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(
ThreadPoolExecutor.java:1145)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(
ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: Unexpected item context [0] 
[tag=0xA0, off=0, len=3+198], expecting 0x30 at 
org.apache.kerby.asn1.type.Asn1Encodeab

RE: [Kerby] TGS req failing with "Unexpected item context"

[Li, Jiajia]

Hi Pratyush,
The trunk is available.

Thanks
Jiajia

-Original Message-
From: pratyush parimal [mailto:pratyush.pari...@gmail.com] 
Sent: Thursday, June 15, 2017 2:50 AM
To: kerby@directory.apache.org; Colm O hEigeartaigh <cohei...@apache.org>
Subject: Re: [Kerby] TGS req failing with "Unexpected item context"

Hi all,

I'm so excited to hear that the issue was addressed. I'd like to test it out as 
well.
What branch specifically should I checkout to get this fix? Is it available in 
master/trunk?

Cheers,
Pratyush

On Wed, Jun 14, 2017 at 6:44 AM, Colm O hEigeartaigh <cohei...@apache.org>
wrote:

> Yes, it fixes the issue that I ran into, thanks Jiajia!
>
> Colm.
>
> On Wed, Jun 14, 2017 at 6:30 AM, Zheng, Kai <kai.zh...@intel.com> wrote:
>
> > Thank you Jiajia for your taking time to fix this long hanging 
> > issue. The fix looks great!
> >
> > Regards,
> > Kai
> >
> > -Original Message-
> > From: Li, Jiajia [mailto:jiajia...@intel.com]
> > Sent: Wednesday, June 14, 2017 10:42 AM
> > To: kerby@directory.apache.org
> > Subject: RE: [Kerby] TGS req failing with "Unexpected item context"
> >
> > Hi all,
> > I have some fix for this issue, could anyone help me to check it 
> > using your test env?
> >
> > Commit log is:
> > commit a6224d2cf60e8e18ba5e307f1a4a2bc4c01a55b4
> > Author: plusplusjiajia <jiajia...@intel.com>
> > Date:   Wed Jun 14 10:43:46 2017 +0800
> >
> > Fix DIRKRB-614 and DIRKRB-631.
> >
> > Thanks
> > Jiajia
> >
> > -Original Message-
> > From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl]
> > Sent: Thursday, June 8, 2017 8:10 PM
> > To: kerby@directory.apache.org
> > Subject: Re: [Kerby] TGS req failing with "Unexpected item context"
> >
> > Hi Kai,
> >
> > See, my original logs from both the python client and the KDC at 
> > (this link is also present in DIRKRB-631):
> >
> > http://mail-archives.apache.org/mod_mbox/directory-kerby/
> > 201705.mbox/browser
> >
> > Here, the logs of the python client coincide with Pratyush's report 
> > in
> the
> > current thread. The logs of the KDC coincide with the old
> > DIRKKRB-614 issue.
> >
> > I would say all reports are related to the same error, Kerby not 
> > being able the decode the FAST OTP requests of MIT Kerberos 1.11+. 
> > Also, all
> are
> > related to a TGS request based on an existing TGT.
> >
> > Cheers,Marc
> >
> >
> > Op 06-06-17 om 21:07 schreef Marc de Lignie:
> > > Dear all,
> > >
> > > My bad, it seems I made a separate issue for this, which might add 
> > > more details to DIRKRB-614 and might help you in finding the 
> > > decode
> > > error:
> > >
> > > https://issues.apache.org/jira/browse/DIRKRB-631
> > >
> > > The workaround I mentioned is there, in the comments.
> > >
> > > Cheers,   Marc
> > >
> > >
> > > Op 06-06-17 om 21:02 schreef Marc de Lignie:
> > >> Pratjush,
> > >>
> > >> I just posted a temporary workaround as a comment below:
> > >>
> > >> https://issues.apache.org/jira/browse/DIRKRB-614
> > >>
> > >> Cheers,Marc
> > >>
> > >>
> > >> Kai wrote:
> > >>
> > >> It seems so and we need to fix it. However, I don't see any 
> > >> obvious cause for it. Hope we can get to this sooner (should be 
> > >> next week) after some deadline is caught. Sorry for the late.
> > >>
> > >> Regards,
> > >> Kai
> > >>
> > >> -Original Message-
> > >> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> > >> Sent: Monday, June 05, 2017 12:04 AM
> > >> To: kerby@directory.apache.org
> > >> Subject: Re: [Kerby] TGS req failing with "Unexpected item context"
> > >>
> > >> Looks like you're running into this known issue:
> > >>
> > >> https://issues.apache.org/jira/browse/DIRKRB-614
> > >>
> > >> Colm.
> > >>
> > >> On Sat, Jun 3, 2017 at 8:09 PM, pratyush parimal 
> > >> <pratyush.pari...@gmail.com
> > >>> wrote:
> > >>
> > >>> Hi everyone,
> > >>>
> > >>> I'm writing a simple Java program that stands up a KDC using the 
> > >>> SimpleKdcServer class, and I'm trying to use it for AS

Re: [Kerby] TGS req failing with "Unexpected item context"

[pratyush parimal]

Hi all,

I'm so excited to hear that the issue was addressed. I'd like to test it
out as well.
What branch specifically should I checkout to get this fix? Is it available
in master/trunk?

Cheers,
Pratyush

On Wed, Jun 14, 2017 at 6:44 AM, Colm O hEigeartaigh <cohei...@apache.org>
wrote:

> Yes, it fixes the issue that I ran into, thanks Jiajia!
>
> Colm.
>
> On Wed, Jun 14, 2017 at 6:30 AM, Zheng, Kai <kai.zh...@intel.com> wrote:
>
> > Thank you Jiajia for your taking time to fix this long hanging issue. The
> > fix looks great!
> >
> > Regards,
> > Kai
> >
> > -Original Message-
> > From: Li, Jiajia [mailto:jiajia...@intel.com]
> > Sent: Wednesday, June 14, 2017 10:42 AM
> > To: kerby@directory.apache.org
> > Subject: RE: [Kerby] TGS req failing with "Unexpected item context"
> >
> > Hi all,
> > I have some fix for this issue, could anyone help me to check it using
> > your test env?
> >
> > Commit log is:
> > commit a6224d2cf60e8e18ba5e307f1a4a2bc4c01a55b4
> > Author: plusplusjiajia <jiajia...@intel.com>
> > Date:   Wed Jun 14 10:43:46 2017 +0800
> >
> > Fix DIRKRB-614 and DIRKRB-631.
> >
> > Thanks
> > Jiajia
> >
> > -Original Message-
> > From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl]
> > Sent: Thursday, June 8, 2017 8:10 PM
> > To: kerby@directory.apache.org
> > Subject: Re: [Kerby] TGS req failing with "Unexpected item context"
> >
> > Hi Kai,
> >
> > See, my original logs from both the python client and the KDC at (this
> > link is also present in DIRKRB-631):
> >
> > http://mail-archives.apache.org/mod_mbox/directory-kerby/
> > 201705.mbox/browser
> >
> > Here, the logs of the python client coincide with Pratyush's report in
> the
> > current thread. The logs of the KDC coincide with the old
> > DIRKKRB-614 issue.
> >
> > I would say all reports are related to the same error, Kerby not being
> > able the decode the FAST OTP requests of MIT Kerberos 1.11+. Also, all
> are
> > related to a TGS request based on an existing TGT.
> >
> > Cheers,Marc
> >
> >
> > Op 06-06-17 om 21:07 schreef Marc de Lignie:
> > > Dear all,
> > >
> > > My bad, it seems I made a separate issue for this, which might add
> > > more details to DIRKRB-614 and might help you in finding the decode
> > > error:
> > >
> > > https://issues.apache.org/jira/browse/DIRKRB-631
> > >
> > > The workaround I mentioned is there, in the comments.
> > >
> > > Cheers,   Marc
> > >
> > >
> > > Op 06-06-17 om 21:02 schreef Marc de Lignie:
> > >> Pratjush,
> > >>
> > >> I just posted a temporary workaround as a comment below:
> > >>
> > >> https://issues.apache.org/jira/browse/DIRKRB-614
> > >>
> > >> Cheers,Marc
> > >>
> > >>
> > >> Kai wrote:
> > >>
> > >> It seems so and we need to fix it. However, I don't see any obvious
> > >> cause for it. Hope we can get to this sooner (should be next week)
> > >> after some deadline is caught. Sorry for the late.
> > >>
> > >> Regards,
> > >> Kai
> > >>
> > >> -Original Message-
> > >> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> > >> Sent: Monday, June 05, 2017 12:04 AM
> > >> To: kerby@directory.apache.org
> > >> Subject: Re: [Kerby] TGS req failing with "Unexpected item context"
> > >>
> > >> Looks like you're running into this known issue:
> > >>
> > >> https://issues.apache.org/jira/browse/DIRKRB-614
> > >>
> > >> Colm.
> > >>
> > >> On Sat, Jun 3, 2017 at 8:09 PM, pratyush parimal
> > >> <pratyush.pari...@gmail.com
> > >>> wrote:
> > >>
> > >>> Hi everyone,
> > >>>
> > >>> I'm writing a simple Java program that stands up a KDC using the
> > >>> SimpleKdcServer class, and I'm trying to use it for AS & TGS
> > >>> operations. Relevant code is below:
> > >>>
> > >>> kdc = new SimpleKdcServer();
> > >>> kdc.setKdcHost("kdc.example.com");
> > >>> kdc.setKdcPort(60088);
> > >>> kdc.setKdcRealm("EXAMPLE.COM");
> &

Re: [Kerby] TGS req failing with "Unexpected item context"

[Colm O hEigeartaigh]

Yes, it fixes the issue that I ran into, thanks Jiajia!

Colm.

On Wed, Jun 14, 2017 at 6:30 AM, Zheng, Kai <kai.zh...@intel.com> wrote:

> Thank you Jiajia for your taking time to fix this long hanging issue. The
> fix looks great!
>
> Regards,
> Kai
>
> -Original Message-
> From: Li, Jiajia [mailto:jiajia...@intel.com]
> Sent: Wednesday, June 14, 2017 10:42 AM
> To: kerby@directory.apache.org
> Subject: RE: [Kerby] TGS req failing with "Unexpected item context"
>
> Hi all,
> I have some fix for this issue, could anyone help me to check it using
> your test env?
>
> Commit log is:
> commit a6224d2cf60e8e18ba5e307f1a4a2bc4c01a55b4
> Author: plusplusjiajia <jiajia...@intel.com>
> Date:   Wed Jun 14 10:43:46 2017 +0800
>
> Fix DIRKRB-614 and DIRKRB-631.
>
> Thanks
> Jiajia
>
> -Original Message-
> From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl]
> Sent: Thursday, June 8, 2017 8:10 PM
> To: kerby@directory.apache.org
> Subject: Re: [Kerby] TGS req failing with "Unexpected item context"
>
> Hi Kai,
>
> See, my original logs from both the python client and the KDC at (this
> link is also present in DIRKRB-631):
>
> http://mail-archives.apache.org/mod_mbox/directory-kerby/
> 201705.mbox/browser
>
> Here, the logs of the python client coincide with Pratyush's report in the
> current thread. The logs of the KDC coincide with the old
> DIRKKRB-614 issue.
>
> I would say all reports are related to the same error, Kerby not being
> able the decode the FAST OTP requests of MIT Kerberos 1.11+. Also, all are
> related to a TGS request based on an existing TGT.
>
> Cheers,Marc
>
>
> Op 06-06-17 om 21:07 schreef Marc de Lignie:
> > Dear all,
> >
> > My bad, it seems I made a separate issue for this, which might add
> > more details to DIRKRB-614 and might help you in finding the decode
> > error:
> >
> > https://issues.apache.org/jira/browse/DIRKRB-631
> >
> > The workaround I mentioned is there, in the comments.
> >
> > Cheers,   Marc
> >
> >
> > Op 06-06-17 om 21:02 schreef Marc de Lignie:
> >> Pratjush,
> >>
> >> I just posted a temporary workaround as a comment below:
> >>
> >> https://issues.apache.org/jira/browse/DIRKRB-614
> >>
> >> Cheers,Marc
> >>
> >>
> >> Kai wrote:
> >>
> >> It seems so and we need to fix it. However, I don't see any obvious
> >> cause for it. Hope we can get to this sooner (should be next week)
> >> after some deadline is caught. Sorry for the late.
> >>
> >> Regards,
> >> Kai
> >>
> >> -Original Message-
> >> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> >> Sent: Monday, June 05, 2017 12:04 AM
> >> To: kerby@directory.apache.org
> >> Subject: Re: [Kerby] TGS req failing with "Unexpected item context"
> >>
> >> Looks like you're running into this known issue:
> >>
> >> https://issues.apache.org/jira/browse/DIRKRB-614
> >>
> >> Colm.
> >>
> >> On Sat, Jun 3, 2017 at 8:09 PM, pratyush parimal
> >> <pratyush.pari...@gmail.com
> >>> wrote:
> >>
> >>> Hi everyone,
> >>>
> >>> I'm writing a simple Java program that stands up a KDC using the
> >>> SimpleKdcServer class, and I'm trying to use it for AS & TGS
> >>> operations. Relevant code is below:
> >>>
> >>> kdc = new SimpleKdcServer();
> >>> kdc.setKdcHost("kdc.example.com");
> >>> kdc.setKdcPort(60088);
> >>> kdc.setKdcRealm("EXAMPLE.COM");
> >>>
> >>> kdc.setAllowUdp(false);
> >>> kdc.setWorkDir(keytabFile.getParentFile());
> >>>
> >>> kdc.init();
> >>>
> >>> kdc.createPrincipal("u...@example.com", "u1pwd");
> >>> kdc.createPrincipal("myservice/kdc.example@example.com",
> >>> "myservicepwd");
> >>>
> >>> kdc.start();
> >>>
> >>> I use kinit to fetch the TGT for my principal "u1" and that's
> >>> successful.
> >>> However, the subsequent TGS req from my client program fails with
> >>> the
> >>> error:
> >>>
> >>> GSSAPI continuation error: Unknown code krcM 137
> >>>
> >>> . I debugged through the source code for Kerby and saw that the

RE: [Kerby] TGS req failing with "Unexpected item context"

[Zheng, Kai]

Thank you Jiajia for your taking time to fix this long hanging issue. The fix 
looks great!

Regards,
Kai

-Original Message-
From: Li, Jiajia [mailto:jiajia...@intel.com] 
Sent: Wednesday, June 14, 2017 10:42 AM
To: kerby@directory.apache.org
Subject: RE: [Kerby] TGS req failing with "Unexpected item context"

Hi all,
I have some fix for this issue, could anyone help me to check it using your 
test env? 

Commit log is:
commit a6224d2cf60e8e18ba5e307f1a4a2bc4c01a55b4
Author: plusplusjiajia <jiajia...@intel.com>
Date:   Wed Jun 14 10:43:46 2017 +0800

Fix DIRKRB-614 and DIRKRB-631.

Thanks
Jiajia

-Original Message-
From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl]
Sent: Thursday, June 8, 2017 8:10 PM
To: kerby@directory.apache.org
Subject: Re: [Kerby] TGS req failing with "Unexpected item context"

Hi Kai,

See, my original logs from both the python client and the KDC at (this link is 
also present in DIRKRB-631):

http://mail-archives.apache.org/mod_mbox/directory-kerby/201705.mbox/browser

Here, the logs of the python client coincide with Pratyush's report in the 
current thread. The logs of the KDC coincide with the old
DIRKKRB-614 issue.

I would say all reports are related to the same error, Kerby not being able the 
decode the FAST OTP requests of MIT Kerberos 1.11+. Also, all are related to a 
TGS request based on an existing TGT.

Cheers,Marc


Op 06-06-17 om 21:07 schreef Marc de Lignie:
> Dear all,
>
> My bad, it seems I made a separate issue for this, which might add 
> more details to DIRKRB-614 and might help you in finding the decode
> error:
>
> https://issues.apache.org/jira/browse/DIRKRB-631
>
> The workaround I mentioned is there, in the comments.
>
> Cheers,   Marc
>
>
> Op 06-06-17 om 21:02 schreef Marc de Lignie:
>> Pratjush,
>>
>> I just posted a temporary workaround as a comment below:
>>
>> https://issues.apache.org/jira/browse/DIRKRB-614
>>
>> Cheers,Marc
>>
>>
>> Kai wrote:
>>
>> It seems so and we need to fix it. However, I don't see any obvious 
>> cause for it. Hope we can get to this sooner (should be next week) 
>> after some deadline is caught. Sorry for the late.
>>
>> Regards,
>> Kai
>>
>> -----Original Message-----
>> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
>> Sent: Monday, June 05, 2017 12:04 AM
>> To: kerby@directory.apache.org
>> Subject: Re: [Kerby] TGS req failing with "Unexpected item context"
>>
>> Looks like you're running into this known issue:
>>
>> https://issues.apache.org/jira/browse/DIRKRB-614
>>
>> Colm.
>>
>> On Sat, Jun 3, 2017 at 8:09 PM, pratyush parimal 
>> <pratyush.pari...@gmail.com
>>> wrote:
>>
>>> Hi everyone,
>>>
>>> I'm writing a simple Java program that stands up a KDC using the 
>>> SimpleKdcServer class, and I'm trying to use it for AS & TGS 
>>> operations. Relevant code is below:
>>>
>>> kdc = new SimpleKdcServer(); 
>>> kdc.setKdcHost("kdc.example.com");
>>> kdc.setKdcPort(60088);
>>> kdc.setKdcRealm("EXAMPLE.COM");
>>>
>>> kdc.setAllowUdp(false);
>>> kdc.setWorkDir(keytabFile.getParentFile());
>>>
>>> kdc.init();
>>>
>>> kdc.createPrincipal("u...@example.com", "u1pwd"); 
>>> kdc.createPrincipal("myservice/kdc.example@example.com",
>>> "myservicepwd");
>>>
>>> kdc.start();
>>>
>>> I use kinit to fetch the TGT for my principal "u1" and that's 
>>> successful.
>>> However, the subsequent TGS req from my client program fails with 
>>> the
>>> error:
>>>
>>> GSSAPI continuation error: Unknown code krcM 137
>>>
>>> . I debugged through the source code for Kerby and saw that the full 
>>> exception was not getting thrown because of a (e instanceof
>>> KdcRecoverableException) check. When I print the stacktrace via a 
>>> debugger, I see the following (apologies for the huge stack trace):
>>>
>>> [pool-1-thread-1] INFO
>>> org.apache.kerby.kerberos.kerb.server.request.KdcRequest - Found 
>>> fast padata and starting to process it.
>>> org.apache.kerby.kerberos.kerb.KrbException: Decoding failed at
>>> org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)
>>> at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
>>> at
>>> org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast
>>> (
>>> KdcRequest.

RE: [Kerby] TGS req failing with "Unexpected item context"

[Li, Jiajia]

Hi all,
I have some fix for this issue, could anyone help me to check it using your 
test env? 

Commit log is:
commit a6224d2cf60e8e18ba5e307f1a4a2bc4c01a55b4
Author: plusplusjiajia <jiajia...@intel.com>
Date:   Wed Jun 14 10:43:46 2017 +0800

Fix DIRKRB-614 and DIRKRB-631.

Thanks
Jiajia

-Original Message-
From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl] 
Sent: Thursday, June 8, 2017 8:10 PM
To: kerby@directory.apache.org
Subject: Re: [Kerby] TGS req failing with "Unexpected item context"

Hi Kai,

See, my original logs from both the python client and the KDC at (this link is 
also present in DIRKRB-631):

http://mail-archives.apache.org/mod_mbox/directory-kerby/201705.mbox/browser

Here, the logs of the python client coincide with Pratyush's report in the 
current thread. The logs of the KDC coincide with the old
DIRKKRB-614 issue.

I would say all reports are related to the same error, Kerby not being able the 
decode the FAST OTP requests of MIT Kerberos 1.11+. Also, all are related to a 
TGS request based on an existing TGT.

Cheers,Marc


Op 06-06-17 om 21:07 schreef Marc de Lignie:
> Dear all,
>
> My bad, it seems I made a separate issue for this, which might add 
> more details to DIRKRB-614 and might help you in finding the decode
> error:
>
> https://issues.apache.org/jira/browse/DIRKRB-631
>
> The workaround I mentioned is there, in the comments.
>
> Cheers,   Marc
>
>
> Op 06-06-17 om 21:02 schreef Marc de Lignie:
>> Pratjush,
>>
>> I just posted a temporary workaround as a comment below:
>>
>> https://issues.apache.org/jira/browse/DIRKRB-614
>>
>> Cheers,Marc
>>
>>
>> Kai wrote:
>>
>> It seems so and we need to fix it. However, I don't see any obvious 
>> cause for it. Hope we can get to this sooner (should be next week) 
>> after some deadline is caught. Sorry for the late.
>>
>> Regards,
>> Kai
>>
>> -----Original Message-
>> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
>> Sent: Monday, June 05, 2017 12:04 AM
>> To: kerby@directory.apache.org
>> Subject: Re: [Kerby] TGS req failing with "Unexpected item context"
>>
>> Looks like you're running into this known issue:
>>
>> https://issues.apache.org/jira/browse/DIRKRB-614
>>
>> Colm.
>>
>> On Sat, Jun 3, 2017 at 8:09 PM, pratyush parimal 
>> <pratyush.pari...@gmail.com
>>> wrote:
>>
>>> Hi everyone,
>>>
>>> I'm writing a simple Java program that stands up a KDC using the 
>>> SimpleKdcServer class, and I'm trying to use it for AS & TGS 
>>> operations. Relevant code is below:
>>>
>>> kdc = new SimpleKdcServer(); 
>>> kdc.setKdcHost("kdc.example.com");
>>> kdc.setKdcPort(60088);
>>> kdc.setKdcRealm("EXAMPLE.COM");
>>>
>>> kdc.setAllowUdp(false);
>>> kdc.setWorkDir(keytabFile.getParentFile());
>>>
>>> kdc.init();
>>>
>>> kdc.createPrincipal("u...@example.com", "u1pwd"); 
>>> kdc.createPrincipal("myservice/kdc.example@example.com",
>>> "myservicepwd");
>>>
>>> kdc.start();
>>>
>>> I use kinit to fetch the TGT for my principal "u1" and that's 
>>> successful.
>>> However, the subsequent TGS req from my client program fails with 
>>> the
>>> error:
>>>
>>> GSSAPI continuation error: Unknown code krcM 137
>>>
>>> . I debugged through the source code for Kerby and saw that the full 
>>> exception was not getting thrown because of a (e instanceof
>>> KdcRecoverableException) check. When I print the stacktrace via a 
>>> debugger, I see the following (apologies for the huge stack trace):
>>>
>>> [pool-1-thread-1] INFO
>>> org.apache.kerby.kerberos.kerb.server.request.KdcRequest - Found 
>>> fast padata and starting to process it.
>>> org.apache.kerby.kerberos.kerb.KrbException: Decoding failed at
>>> org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)
>>> at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
>>> at
>>> org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast
>>> (
>>> KdcRequest.java:213)
>>> at
>>> org.apache.kerby.kerberos.kerb.server.request.
>>> KdcRequest.process(KdcRequest.java:170)
>>> at
>>> org.apache.kerby.kerberos.kerb.server.KdcHandler.
>>> handleMessage(KdcHandler.java:116)
>>> at
>>&

Re: [Kerby] TGS req failing with "Unexpected item context"

[Marc de Lignie]

Hi Kai,

See, my original logs from both the python client and the KDC at (this 
link is also present in DIRKRB-631):


http://mail-archives.apache.org/mod_mbox/directory-kerby/201705.mbox/browser

Here, the logs of the python client coincide with Pratyush's report in 
the current thread. The logs of the KDC coincide with the old 
DIRKKRB-614 issue.


I would say all reports are related to the same error, Kerby not being 
able the decode the FAST OTP requests of MIT Kerberos 1.11+. Also, all 
are related to a TGS request based on an existing TGT.


Cheers,Marc


Op 06-06-17 om 21:07 schreef Marc de Lignie:

Dear all,

My bad, it seems I made a separate issue for this, which might add 
more details to DIRKRB-614 and might help you in finding the decode 
error:


https://issues.apache.org/jira/browse/DIRKRB-631

The workaround I mentioned is there, in the comments.

Cheers,   Marc


Op 06-06-17 om 21:02 schreef Marc de Lignie:

Pratjush,

I just posted a temporary workaround as a comment below:

https://issues.apache.org/jira/browse/DIRKRB-614

Cheers,Marc


Kai wrote:

It seems so and we need to fix it. However, I don't see any obvious 
cause for it. Hope we can
get to this sooner (should be next week) after some deadline is 
caught. Sorry for the late.


Regards,
Kai

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Monday, June 05, 2017 12:04 AM
To: kerby@directory.apache.org
Subject: Re: [Kerby] TGS req failing with "Unexpected item context"

Looks like you're running into this known issue:

https://issues.apache.org/jira/browse/DIRKRB-614

Colm.

On Sat, Jun 3, 2017 at 8:09 PM, pratyush parimal 
<pratyush.pari...@gmail.com

wrote:



Hi everyone,

I'm writing a simple Java program that stands up a KDC using the 
SimpleKdcServer class, and I'm trying to use it for AS & TGS 
operations. Relevant code is below:


kdc = new SimpleKdcServer();
kdc.setKdcHost("kdc.example.com");
kdc.setKdcPort(60088);
kdc.setKdcRealm("EXAMPLE.COM");

kdc.setAllowUdp(false);
kdc.setWorkDir(keytabFile.getParentFile());

kdc.init();

kdc.createPrincipal("u...@example.com", "u1pwd"); 
kdc.createPrincipal("myservice/kdc.example@example.com",

"myservicepwd");

kdc.start();

I use kinit to fetch the TGT for my principal "u1" and that's 
successful.

However, the subsequent TGS req from my client program fails with the
error:

GSSAPI continuation error: Unknown code krcM 137

. I debugged through the source code for Kerby and saw that the full 
exception was not getting thrown because of a (e instanceof
KdcRecoverableException) check. When I print the stacktrace via a 
debugger, I see the following (apologies for the huge stack trace):


[pool-1-thread-1] INFO
org.apache.kerby.kerberos.kerb.server.request.KdcRequest - Found 
fast padata and starting to process it.
org.apache.kerby.kerberos.kerb.KrbException: Decoding failed at 
org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)

at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
at
org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast(
KdcRequest.java:213)
at
org.apache.kerby.kerberos.kerb.server.request.
KdcRequest.process(KdcRequest.java:170)
at
org.apache.kerby.kerberos.kerb.server.KdcHandler.
handleMessage(KdcHandler.java:116)
at
org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.
handleMessage(DefaultKdcHandler.java:67)
at
org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(
DefaultKdcHandler.java:52)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(
ThreadPoolExecutor.java:1145)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(
ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: Unexpected item context [0] 
[tag=0xA0, off=0, len=3+198], expecting 0x30 at 
org.apache.kerby.asn1.type.Asn1Encodeable.decode(

Asn1Encodeable.java:219)
at org.apache.kerby.asn1.type.Asn1Encodeable.decode(
Asn1Encodeable.java:207)
at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:83)
... 9 more
org.apache.kerby.kerberos.kerb.KrbException: Decoding failed at 
org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)

at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
at
org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast(
KdcRequest.java:213)
at
org.apache.kerby.kerberos.kerb.server.request.
KdcRequest.process(KdcRequest.java:170)
at
org.apache.kerby.kerberos.kerb.server.KdcHandler.
handleMessage(KdcHandler.java:116)
at
org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.
handleMessage(DefaultKdcHandler.java:67)
at
org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(
DefaultKdcHandler.java:52)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(
ThreadPoolExecutor.java:1145)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(
ThreadPoolExecutor.java:6

RE: [Kerby] TGS req failing with "Unexpected item context"

[Zheng, Kai]

Hi Marc,

Thanks for your report and digging. I don't quite follow and am not sure it's 
pointing to the same issue? In your case does Kerby KDC report the same 
exception?

Regards,
Kai

-Original Message-
From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl] 
Sent: Wednesday, June 07, 2017 3:02 AM
To: kerby@directory.apache.org
Subject: RE: [Kerby] TGS req failing with "Unexpected item context"

Pratjush,

I just posted a temporary workaround as a comment below:

https://issues.apache.org/jira/browse/DIRKRB-614

Cheers,Marc


Kai wrote:

It seems so and we need to fix it. However, I don't see any obvious cause for 
it. Hope we can get to this sooner (should be next week) after some deadline is 
caught. Sorry for the late.

Regards,
Kai

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Monday, June 05, 2017 12:04 AM
To: kerby@directory.apache.org
Subject: Re: [Kerby] TGS req failing with "Unexpected item context"

Looks like you're running into this known issue:

https://issues.apache.org/jira/browse/DIRKRB-614

Colm.

On Sat, Jun 3, 2017 at 8:09 PM, pratyush parimal <pratyush.pari...@gmail.com
> wrote:

> Hi everyone,
>
> I'm writing a simple Java program that stands up a KDC using the 
> SimpleKdcServer class, and I'm trying to use it for AS & TGS 
> operations. Relevant code is below:
>
> kdc = new SimpleKdcServer();
> kdc.setKdcHost("kdc.example.com");
> kdc.setKdcPort(60088);
> kdc.setKdcRealm("EXAMPLE.COM");
>
> kdc.setAllowUdp(false);
> kdc.setWorkDir(keytabFile.getParentFile());
>
> kdc.init();
>
> kdc.createPrincipal("u...@example.com", "u1pwd"); 
> kdc.createPrincipal("myservice/kdc.example@example.com",
> "myservicepwd");
>
> kdc.start();
>
> I use kinit to fetch the TGT for my principal "u1" and that's successful.
> However, the subsequent TGS req from my client program fails with the
> error:
>
> GSSAPI continuation error: Unknown code krcM 137
>
> . I debugged through the source code for Kerby and saw that the full 
> exception was not getting thrown because of a (e instanceof
> KdcRecoverableException) check. When I print the stacktrace via a 
> debugger, I see the following (apologies for the huge stack trace):
>
> [pool-1-thread-1] INFO
> org.apache.kerby.kerberos.kerb.server.request.KdcRequest - Found fast 
> padata and starting to process it.
> org.apache.kerby.kerberos.kerb.KrbException: Decoding failed at
> org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)
> at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
> at
> org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast(
> KdcRequest.java:213)
> at
> org.apache.kerby.kerberos.kerb.server.request.
> KdcRequest.process(KdcRequest.java:170)
> at
> org.apache.kerby.kerberos.kerb.server.KdcHandler.
> handleMessage(KdcHandler.java:116)
> at
> org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.
> handleMessage(DefaultKdcHandler.java:67)
> at
> org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(
> DefaultKdcHandler.java:52)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(
> ThreadPoolExecutor.java:1145)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(
> ThreadPoolExecutor.java:615)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: java.io.IOException: Unexpected item context [0] [tag=0xA0, 
> off=0, len=3+198], expecting 0x30 at 
> org.apache.kerby.asn1.type.Asn1Encodeable.decode(
> Asn1Encodeable.java:219)
> at org.apache.kerby.asn1.type.Asn1Encodeable.decode(
> Asn1Encodeable.java:207)
> at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:83)
> ... 9 more
> org.apache.kerby.kerberos.kerb.KrbException: Decoding failed at
> org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)
> at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
> at
> org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast(
> KdcRequest.java:213)
> at
> org.apache.kerby.kerberos.kerb.server.request.
> KdcRequest.process(KdcRequest.java:170)
> at
> org.apache.kerby.kerberos.kerb.server.KdcHandler.
> handleMessage(KdcHandler.java:116)
> at
> org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.
> handleMessage(DefaultKdcHandler.java:67)
> at
> org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(
> DefaultKdcHandler.java:52)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(
> ThreadPoolExecutor.java:1145)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(
> ThreadPoolExecutor.java:615)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: java.io.IO

Re: [Kerby] TGS req failing with "Unexpected item context"

[Marc de Lignie]

Dear all,

My bad, it seems I made a separate issue for this, which might add more 
details to DIRKRB-614 and might help you in finding the decode error:


https://issues.apache.org/jira/browse/DIRKRB-631

The workaround I mentioned is there, in the comments.

Cheers,   Marc


Op 06-06-17 om 21:02 schreef Marc de Lignie:

Pratjush,

I just posted a temporary workaround as a comment below:

https://issues.apache.org/jira/browse/DIRKRB-614

Cheers,Marc


Kai wrote:

It seems so and we need to fix it. However, I don't see any obvious 
cause for it. Hope we can
get to this sooner (should be next week) after some deadline is 
caught. Sorry for the late.


Regards,
Kai

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Monday, June 05, 2017 12:04 AM
To: kerby@directory.apache.org
Subject: Re: [Kerby] TGS req failing with "Unexpected item context"

Looks like you're running into this known issue:

https://issues.apache.org/jira/browse/DIRKRB-614

Colm.

On Sat, Jun 3, 2017 at 8:09 PM, pratyush parimal 
<pratyush.pari...@gmail.com

wrote:



Hi everyone,

I'm writing a simple Java program that stands up a KDC using the 
SimpleKdcServer class, and I'm trying to use it for AS & TGS 
operations. Relevant code is below:


kdc = new SimpleKdcServer();
kdc.setKdcHost("kdc.example.com");
kdc.setKdcPort(60088);
kdc.setKdcRealm("EXAMPLE.COM");

kdc.setAllowUdp(false);
kdc.setWorkDir(keytabFile.getParentFile());

kdc.init();

kdc.createPrincipal("u...@example.com", "u1pwd"); 
kdc.createPrincipal("myservice/kdc.example@example.com",

"myservicepwd");

kdc.start();

I use kinit to fetch the TGT for my principal "u1" and that's 
successful.

However, the subsequent TGS req from my client program fails with the
error:

GSSAPI continuation error: Unknown code krcM 137

. I debugged through the source code for Kerby and saw that the full 
exception was not getting thrown because of a (e instanceof
KdcRecoverableException) check. When I print the stacktrace via a 
debugger, I see the following (apologies for the huge stack trace):


[pool-1-thread-1] INFO
org.apache.kerby.kerberos.kerb.server.request.KdcRequest - Found fast 
padata and starting to process it.
org.apache.kerby.kerberos.kerb.KrbException: Decoding failed at 
org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)

at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
at
org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast(
KdcRequest.java:213)
at
org.apache.kerby.kerberos.kerb.server.request.
KdcRequest.process(KdcRequest.java:170)
at
org.apache.kerby.kerberos.kerb.server.KdcHandler.
handleMessage(KdcHandler.java:116)
at
org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.
handleMessage(DefaultKdcHandler.java:67)
at
org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(
DefaultKdcHandler.java:52)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(
ThreadPoolExecutor.java:1145)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(
ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: Unexpected item context [0] 
[tag=0xA0, off=0, len=3+198], expecting 0x30 at 
org.apache.kerby.asn1.type.Asn1Encodeable.decode(

Asn1Encodeable.java:219)
at org.apache.kerby.asn1.type.Asn1Encodeable.decode(
Asn1Encodeable.java:207)
at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:83)
... 9 more
org.apache.kerby.kerberos.kerb.KrbException: Decoding failed at 
org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)

at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
at
org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast(
KdcRequest.java:213)
at
org.apache.kerby.kerberos.kerb.server.request.
KdcRequest.process(KdcRequest.java:170)
at
org.apache.kerby.kerberos.kerb.server.KdcHandler.
handleMessage(KdcHandler.java:116)
at
org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.
handleMessage(DefaultKdcHandler.java:67)
at
org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(
DefaultKdcHandler.java:52)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(
ThreadPoolExecutor.java:1145)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(
ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: Unexpected item context [0] 
[tag=0xA0, off=0, len=3+198], expecting 0x30 at 
org.apache.kerby.asn1.type.Asn1Encodeable.decode(

Asn1Encodeable.java:219)
at org.apache.kerby.asn1.type.Asn1Encodeable.decode(
Asn1Encodeable.java:207)
at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:83)
... 9 more

The client program (and also kinit) were using the krb5.conf that was 
auto-generated by the SimpleKdcServer in the workdir, and looked like 
the following (I just replaced localhost with the FQDN of my machine):


[libdefaults]
 

RE: [Kerby] TGS req failing with "Unexpected item context"

[Marc de Lignie]

Pratjush,

I just posted a temporary workaround as a comment below:

https://issues.apache.org/jira/browse/DIRKRB-614

Cheers,Marc


Kai wrote:

It seems so and we need to fix it. However, I don't see any obvious cause for 
it. Hope we can
get to this sooner (should be next week) after some deadline is caught. Sorry 
for the late.

Regards,
Kai

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Monday, June 05, 2017 12:04 AM
To: kerby@directory.apache.org
Subject: Re: [Kerby] TGS req failing with "Unexpected item context"

Looks like you're running into this known issue:

https://issues.apache.org/jira/browse/DIRKRB-614

Colm.

On Sat, Jun 3, 2017 at 8:09 PM, pratyush parimal <pratyush.pari...@gmail.com

wrote:



Hi everyone,

I'm writing a simple Java program that stands up a KDC using the 
SimpleKdcServer class, and I'm trying to use it for AS & TGS 
operations. Relevant code is below:


kdc = new SimpleKdcServer();
kdc.setKdcHost("kdc.example.com");
kdc.setKdcPort(60088);
kdc.setKdcRealm("EXAMPLE.COM");

kdc.setAllowUdp(false);
kdc.setWorkDir(keytabFile.getParentFile());

kdc.init();

kdc.createPrincipal("u...@example.com", "u1pwd"); 
kdc.createPrincipal("myservice/kdc.example@example.com",

"myservicepwd");

kdc.start();

I use kinit to fetch the TGT for my principal "u1" and that's successful.
However, the subsequent TGS req from my client program fails with the
error:

GSSAPI continuation error: Unknown code krcM 137

. I debugged through the source code for Kerby and saw that the full 
exception was not getting thrown because of a (e instanceof
KdcRecoverableException) check. When I print the stacktrace via a 
debugger, I see the following (apologies for the huge stack trace):


[pool-1-thread-1] INFO
org.apache.kerby.kerberos.kerb.server.request.KdcRequest - Found fast 
padata and starting to process it.
org.apache.kerby.kerberos.kerb.KrbException: Decoding failed at 
org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)

at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
at
org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast(
KdcRequest.java:213)
at
org.apache.kerby.kerberos.kerb.server.request.
KdcRequest.process(KdcRequest.java:170)
at
org.apache.kerby.kerberos.kerb.server.KdcHandler.
handleMessage(KdcHandler.java:116)
at
org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.
handleMessage(DefaultKdcHandler.java:67)
at
org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(
DefaultKdcHandler.java:52)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(
ThreadPoolExecutor.java:1145)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(
ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: Unexpected item context [0] [tag=0xA0, 
off=0, len=3+198], expecting 0x30 at 
org.apache.kerby.asn1.type.Asn1Encodeable.decode(

Asn1Encodeable.java:219)
at org.apache.kerby.asn1.type.Asn1Encodeable.decode(
Asn1Encodeable.java:207)
at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:83)
... 9 more
org.apache.kerby.kerberos.kerb.KrbException: Decoding failed at 
org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)

at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
at
org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast(
KdcRequest.java:213)
at
org.apache.kerby.kerberos.kerb.server.request.
KdcRequest.process(KdcRequest.java:170)
at
org.apache.kerby.kerberos.kerb.server.KdcHandler.
handleMessage(KdcHandler.java:116)
at
org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.
handleMessage(DefaultKdcHandler.java:67)
at
org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(
DefaultKdcHandler.java:52)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(
ThreadPoolExecutor.java:1145)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(
ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: Unexpected item context [0] [tag=0xA0, 
off=0, len=3+198], expecting 0x30 at 
org.apache.kerby.asn1.type.Asn1Encodeable.decode(

Asn1Encodeable.java:219)
at org.apache.kerby.asn1.type.Asn1Encodeable.decode(
Asn1Encodeable.java:207)
at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:83)
... 9 more

The client program (and also kinit) were using the krb5.conf that was 
auto-generated by the SimpleKdcServer in the workdir, and looked like 
the following (I just replaced localhost with the FQDN of my machine):


[libdefaults]
kdc_realm = EXAMPLE.COM
default_realm = EXAMPLE.COM
udp_preference_limit = 1
kdc_tcp_port = 60088
#_KDC_UDP_PORT_

[realms]
EXAMPLE.COM = {
kdc = kdc.example.com:60088
}

I had also enabled KRB5_TRACE on my client program that was making the 
TGS req, and it shows the following:



[1588796] 1

RE: [Kerby] TGS req failing with "Unexpected item context"

[Zheng, Kai]

It seems so and we need to fix it. However, I don't see any obvious cause for 
it. Hope we can get to this sooner (should be next week) after some deadline is 
caught. Sorry for the late.

Regards,
Kai

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Monday, June 05, 2017 12:04 AM
To: kerby@directory.apache.org
Subject: Re: [Kerby] TGS req failing with "Unexpected item context"

Looks like you're running into this known issue:

https://issues.apache.org/jira/browse/DIRKRB-614

Colm.

On Sat, Jun 3, 2017 at 8:09 PM, pratyush parimal <pratyush.pari...@gmail.com
> wrote:

> Hi everyone,
>
> I'm writing a simple Java program that stands up a KDC using the 
> SimpleKdcServer class, and I'm trying to use it for AS & TGS 
> operations. Relevant code is below:
>
> kdc = new SimpleKdcServer();
> kdc.setKdcHost("kdc.example.com");
> kdc.setKdcPort(60088);
> kdc.setKdcRealm("EXAMPLE.COM");
>
> kdc.setAllowUdp(false);
> kdc.setWorkDir(keytabFile.getParentFile());
>
> kdc.init();
>
> kdc.createPrincipal("u...@example.com", "u1pwd"); 
> kdc.createPrincipal("myservice/kdc.example@example.com",
> "myservicepwd");
>
> kdc.start();
>
> I use kinit to fetch the TGT for my principal "u1" and that's successful.
> However, the subsequent TGS req from my client program fails with the
> error:
>
> GSSAPI continuation error: Unknown code krcM 137
>
> . I debugged through the source code for Kerby and saw that the full 
> exception was not getting thrown because of a (e instanceof
> KdcRecoverableException) check. When I print the stacktrace via a 
> debugger, I see the following (apologies for the huge stack trace):
>
> [pool-1-thread-1] INFO
> org.apache.kerby.kerberos.kerb.server.request.KdcRequest - Found fast 
> padata and starting to process it.
> org.apache.kerby.kerberos.kerb.KrbException: Decoding failed at 
> org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)
> at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
> at
> org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast(
> KdcRequest.java:213)
> at
> org.apache.kerby.kerberos.kerb.server.request.
> KdcRequest.process(KdcRequest.java:170)
> at
> org.apache.kerby.kerberos.kerb.server.KdcHandler.
> handleMessage(KdcHandler.java:116)
> at
> org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.
> handleMessage(DefaultKdcHandler.java:67)
> at
> org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(
> DefaultKdcHandler.java:52)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(
> ThreadPoolExecutor.java:1145)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(
> ThreadPoolExecutor.java:615)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: java.io.IOException: Unexpected item context [0] [tag=0xA0, 
> off=0, len=3+198], expecting 0x30 at 
> org.apache.kerby.asn1.type.Asn1Encodeable.decode(
> Asn1Encodeable.java:219)
> at org.apache.kerby.asn1.type.Asn1Encodeable.decode(
> Asn1Encodeable.java:207)
> at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:83)
> ... 9 more
> org.apache.kerby.kerberos.kerb.KrbException: Decoding failed at 
> org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)
> at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
> at
> org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast(
> KdcRequest.java:213)
> at
> org.apache.kerby.kerberos.kerb.server.request.
> KdcRequest.process(KdcRequest.java:170)
> at
> org.apache.kerby.kerberos.kerb.server.KdcHandler.
> handleMessage(KdcHandler.java:116)
> at
> org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.
> handleMessage(DefaultKdcHandler.java:67)
> at
> org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(
> DefaultKdcHandler.java:52)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(
> ThreadPoolExecutor.java:1145)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(
> ThreadPoolExecutor.java:615)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: java.io.IOException: Unexpected item context [0] [tag=0xA0, 
> off=0, len=3+198], expecting 0x30 at 
> org.apache.kerby.asn1.type.Asn1Encodeable.decode(
> Asn1Encodeable.java:219)
> at org.apache.kerby.asn1.type.Asn1Encodeable.decode(
> Asn1Encodeable.java:207)
> at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:83)
> ... 9 more
>
> The client program (and also kinit) were using the krb5.conf that was 
> auto-generated by the SimpleKdcServer in the workdir, and looked like 
> the following (I just replaced loca

Re: [Kerby] TGS req failing with "Unexpected item context"

[Colm O hEigeartaigh]

Looks like you're running into this known issue:

https://issues.apache.org/jira/browse/DIRKRB-614

Colm.

On Sat, Jun 3, 2017 at 8:09 PM, pratyush parimal  wrote:

> Hi everyone,
>
> I'm writing a simple Java program that stands up a KDC using
> the SimpleKdcServer class, and I'm trying to use it for AS & TGS
> operations. Relevant code is below:
>
> kdc = new SimpleKdcServer();
> kdc.setKdcHost("kdc.example.com");
> kdc.setKdcPort(60088);
> kdc.setKdcRealm("EXAMPLE.COM");
>
> kdc.setAllowUdp(false);
> kdc.setWorkDir(keytabFile.getParentFile());
>
> kdc.init();
>
> kdc.createPrincipal("u...@example.com", "u1pwd");
> kdc.createPrincipal("myservice/kdc.example@example.com",
> "myservicepwd");
>
> kdc.start();
>
> I use kinit to fetch the TGT for my principal "u1" and that's successful.
> However, the subsequent TGS req from my client program fails with the
> error:
>
> GSSAPI continuation error: Unknown code krcM 137
>
> . I debugged through the source code for Kerby and saw that the full
> exception was not getting thrown because of a (e instanceof
> KdcRecoverableException) check. When I print the stacktrace via a debugger,
> I see the following (apologies for the huge stack trace):
>
> [pool-1-thread-1] INFO
> org.apache.kerby.kerberos.kerb.server.request.KdcRequest - Found fast
> padata and starting to process it.
> org.apache.kerby.kerberos.kerb.KrbException: Decoding failed
> at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)
> at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
> at
> org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast(
> KdcRequest.java:213)
> at
> org.apache.kerby.kerberos.kerb.server.request.
> KdcRequest.process(KdcRequest.java:170)
> at
> org.apache.kerby.kerberos.kerb.server.KdcHandler.
> handleMessage(KdcHandler.java:116)
> at
> org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.
> handleMessage(DefaultKdcHandler.java:67)
> at
> org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(
> DefaultKdcHandler.java:52)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(
> ThreadPoolExecutor.java:1145)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(
> ThreadPoolExecutor.java:615)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: java.io.IOException: Unexpected item context [0] [tag=0xA0,
> off=0, len=3+198], expecting 0x30
> at org.apache.kerby.asn1.type.Asn1Encodeable.decode(
> Asn1Encodeable.java:219)
> at org.apache.kerby.asn1.type.Asn1Encodeable.decode(
> Asn1Encodeable.java:207)
> at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:83)
> ... 9 more
> org.apache.kerby.kerberos.kerb.KrbException: Decoding failed
> at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)
> at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
> at
> org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast(
> KdcRequest.java:213)
> at
> org.apache.kerby.kerberos.kerb.server.request.
> KdcRequest.process(KdcRequest.java:170)
> at
> org.apache.kerby.kerberos.kerb.server.KdcHandler.
> handleMessage(KdcHandler.java:116)
> at
> org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.
> handleMessage(DefaultKdcHandler.java:67)
> at
> org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(
> DefaultKdcHandler.java:52)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(
> ThreadPoolExecutor.java:1145)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(
> ThreadPoolExecutor.java:615)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: java.io.IOException: Unexpected item context [0] [tag=0xA0,
> off=0, len=3+198], expecting 0x30
> at org.apache.kerby.asn1.type.Asn1Encodeable.decode(
> Asn1Encodeable.java:219)
> at org.apache.kerby.asn1.type.Asn1Encodeable.decode(
> Asn1Encodeable.java:207)
> at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:83)
> ... 9 more
>
> The client program (and also kinit) were using the krb5.conf that was
> auto-generated by the SimpleKdcServer in the workdir, and looked like the
> following (I just replaced localhost with the FQDN of my machine):
>
> [libdefaults]
> kdc_realm = EXAMPLE.COM
> default_realm = EXAMPLE.COM
> udp_preference_limit = 1
> kdc_tcp_port = 60088
> #_KDC_UDP_PORT_
>
> [realms]
> EXAMPLE.COM = {
> kdc = kdc.example.com:60088
> }
>
> I had also enabled KRB5_TRACE on my client program that was making the TGS
> req, and it shows the following:
>
>
> [1588796] 1496515969.488037: ccselect can't find appropriate cache for
> server principal myservice/kdc.example.com@
> [1588796] 1496515969.488112: Getting credentials u...@example.com ->
> myservice/kdc.example.com@ using ccache FILE:/tmp/krb5cc_20474
> [1588796] 1496515969.488170: Retrieving u...@example.com ->
> myservice/kdc.example.com@ from FILE:/tmp/krb5cc_20474 with result:
> -1765328243/Matching credential not found (filename: /tmp/krb5cc_20474)
>