Re: MIT Kerberos compatibility

2017-06-19 Thread Colm O hEigeartaigh
Hi Kai,

No I don't think so, that was the last networking issue that I had iirc.

Colm.

On Mon, Jun 19, 2017 at 10:25 AM, Zheng, Kai <kai.zh...@intel.com> wrote:

> This sounds great. IIRC, you have another TCP/UDP network related issue to
> be fixed yet? Maybe we fix it as well to justify a new minor release.
>
> Regards,
> Kai
>
> -Original Message-
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Monday, June 19, 2017 4:45 PM
> To: kerby@directory.apache.org
> Subject: Re: MIT Kerberos compatibility
>
> Yes, it works perfectly, thanks Jiajia for the fix! I'll resolve the JIRA.
>
> Colm.
>
> On Mon, Jun 19, 2017 at 6:09 AM, Li, Jiajia <jiajia...@intel.com> wrote:
>
> > Hi Colm,
> > Thanks for providing the way to reproduce the error, and I have the fix in
> > trunk code, can you take some time to check it?
> >
> > Commit log:
> > commit 106299efb7aa3001da89ae821eb43285c544bab7
> > Author: plusplusjiajia <jiajia...@intel.com>
> > Date:   Mon Jun 19 13:07:04 2017 +0800
> >
> > Fix DIRKRB-629:ICMP Port Unreachable error message with GSS + default
> > transport.
> >
> >
> > Thanks
> > Jiajia
> >
> > -----Original Message-
> > From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> > Sent: Monday, May 8, 2017 6:19 PM
> > To: kerby@directory.apache.org
> > Subject: Re: MIT Kerberos compatibility
> >
> > OK I have created a JIRA and attached a patch that you have to apply to the
> > Apache WSS4J project to reproduce the error. If you uncomment the line that
> > uses Netty then the tests all work perfectly. The tests appear to work fine
> > when run in isolation, it's only when you run a few of them after one
> > another that you can see the failures.
> >
> > Please let me know if you have any difficulty in reproducing, thanks!
> >
> > Colm.
> >
> > On Mon, May 8, 2017 at 11:08 AM, Zheng, Kai <kai.zh...@intel.com> wrote:
> >
> > > Hi Colm,
> > >
> > > Sure, please do it. Could you review my change and see how it would cause
> > > the new failures? Any difference between the failed GSS tests and the Kerby
> > > GSS tests?
> > >
> > > Regards,
> > > Kai
> > >
> > > -Original Message-
> > > From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> > > Sent: Monday, May 08, 2017 5:42 PM
> > > To: Zheng, Kai <kai.zh...@intel.com>
> > > Cc: kerby@directory.apache.org
> > > Subject: Re: MIT Kerberos compatibility
> > >
> > > Hi Kai,
> > >
> > > Your changes fixed the error message I was seeing. However, I now see
> > > another problem when I run a few GSS client tests in a row:
> > >
> > > >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
> > > >>> KrbAsReq creating message
> > > >>> KrbKdcReq send: kdc=localhost UDP:42665, timeout=3, number of retries =3, #bytes=245
> > > >>> KDCCommunication: kdc=localhost UDP:42665, timeout=3,Attempt =1, #bytes=245
> > > SocketTimeOutException with attempt: 1
> > > >>> KDCCommunication: kdc=localhost UDP:42665, timeout=3,Attempt =2, #bytes=245
> > > >>> KrbKdcReq send: error trying localhost:42665
> > > java.net.PortUnreachableException: ICMP Port Unreachable
> > >
> > > Do you want me to create a JIRA + attach a test-case?
> > >
> > > Colm.
> > >
> > > On Sat, May 6, 2017 at 2:01 AM, Zheng, Kai <kai.zh...@intel.com> wrote:
> > >
> > > > I haven't repeated the issue but revisited the codes again and made
> > > > improvements. Would you check it out? Thanks!
> > > >
> > > > Sent from iPhone
> > > >
> > > > > On May 6, 2017, at 6:28 AM, Zheng, Kai <kai.zh...@intel.com> wrote:
> > > > >
> > > > > Thanks colm for the clarification and it sounds an issue we need to
> > > > > address. I will investigate it soon.
> > > > >
> > > > > Sent from iPhone
> > > > >
> > > > > >> On May 6, 2017, at 2:14 AM, Colm O hEigeartaigh <cohei...@apache.org> wrote:
> > > > >>
> > > > >> Hi Kai,
> > > > >>
> > > > > >> If I enable UDP with the default Transport, I can get a ticket fine using
> > > > > >> kinit. H

RE: MIT Kerberos compatibility

2017-06-19 Thread Zheng, Kai
This sounds great. IIRC, you have another TCP/UDP network related issue to be 
fixed yet? Maybe we fix it as well to justify a new minor release.

Regards,
Kai

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Monday, June 19, 2017 4:45 PM
To: kerby@directory.apache.org
Subject: Re: MIT Kerberos compatibility

Yes, it works perfectly, thanks Jiajia for the fix! I'll resolve the JIRA.

Colm.

On Mon, Jun 19, 2017 at 6:09 AM, Li, Jiajia <jiajia...@intel.com> wrote:

> Hi Colm,
> Thanks for providing the way to reproduce the error, and I have the fix in
> trunk code, can you take some time to check it?
>
> Commit log:
> commit 106299efb7aa3001da89ae821eb43285c544bab7
> Author: plusplusjiajia <jiajia...@intel.com>
> Date:   Mon Jun 19 13:07:04 2017 +0800
>
> Fix DIRKRB-629:ICMP Port Unreachable error message with GSS + default
> transport.
>
>
> Thanks
> Jiajia
>
> -Original Message-
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Monday, May 8, 2017 6:19 PM
> To: kerby@directory.apache.org
> Subject: Re: MIT Kerberos compatibility
>
> OK I have created a JIRA and attached a patch that you have to apply to the
> Apache WSS4J project to reproduce the error. If you uncomment the line that
> uses Netty then the tests all work perfectly. The tests appear to work fine
> when run in isolation, it's only when you run a few of them after one
> another that you can see the failures.
>
> Please let me know if you have any difficulty in reproducing, thanks!
>
> Colm.
>
> On Mon, May 8, 2017 at 11:08 AM, Zheng, Kai <kai.zh...@intel.com> wrote:
>
> > Hi Colm,
> >
> > Sure, please do it. Could you review my change and see how it would cause
> > the new failures? Any difference between the failed GSS tests and the Kerby
> > GSS tests?
> >
> > Regards,
> > Kai
> >
> > -Original Message-
> > From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> > Sent: Monday, May 08, 2017 5:42 PM
> > To: Zheng, Kai <kai.zh...@intel.com>
> > Cc: kerby@directory.apache.org
> > Subject: Re: MIT Kerberos compatibility
> >
> > Hi Kai,
> >
> > Your changes fixed the error message I was seeing. However, I now see
> > another problem when I run a few GSS client tests in a row:
> >
> > >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
> > >>> KrbAsReq creating message
> > >>> KrbKdcReq send: kdc=localhost UDP:42665, timeout=3, number of retries =3, #bytes=245
> > >>> KDCCommunication: kdc=localhost UDP:42665, timeout=3,Attempt =1, #bytes=245
> > SocketTimeOutException with attempt: 1
> > >>> KDCCommunication: kdc=localhost UDP:42665, timeout=3,Attempt =2, #bytes=245
> > >>> KrbKdcReq send: error trying localhost:42665
> > java.net.PortUnreachableException: ICMP Port Unreachable
> >
> > Do you want me to create a JIRA + attach a test-case?
> >
> > Colm.
> >
> > On Sat, May 6, 2017 at 2:01 AM, Zheng, Kai <kai.zh...@intel.com> wrote:
> >
> > > I haven't repeated the issue but revisited the codes again and made
> > > improvements. Would you check it out? Thanks!
> > >
> > > Sent from iPhone
> > >
> > > > On May 6, 2017, at 6:28 AM, Zheng, Kai <kai.zh...@intel.com> wrote:
> > > >
> > > > Thanks colm for the clarification and it sounds an issue we need to
> > > > address. I will investigate it soon.
> > > >
> > > > Sent from iPhone
> > > >
> > > > >> On May 6, 2017, at 2:14 AM, Colm O hEigeartaigh <cohei...@apache.org> wrote:
> > > >>
> > > >> Hi Kai,
> > > >>
> > > > >> If I enable UDP with the default Transport, I can get a ticket fine using
> > > > >> kinit. However then the following error pops up in the window I'm running
> > > > >> Kerby in (as a test):
> > > > >>
> > > > >> Exception in thread "Thread-1" java.lang.RuntimeException: Error occured while checking udp connections
> > > > >>   at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(KdcNetwork.java:105)
> > > > >>   at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.access$000(KdcNetwork.java:39)
> > > > >>   at org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.run(KdcNetwork.java:75)

Re: MIT Kerberos compatibility

2017-06-19 Thread Colm O hEigeartaigh
Yes, it works perfectly, thanks Jiajia for the fix! I'll resolve the JIRA.

Colm.

On Mon, Jun 19, 2017 at 6:09 AM, Li, Jiajia <jiajia...@intel.com> wrote:

> Hi Colm,
> Thanks for providing the way to reproduce the error, and I have the fix in
> trunk code, can you take some time to check it?
>
> Commit log:
> commit 106299efb7aa3001da89ae821eb43285c544bab7
> Author: plusplusjiajia <jiajia...@intel.com>
> Date:   Mon Jun 19 13:07:04 2017 +0800
>
> Fix DIRKRB-629:ICMP Port Unreachable error message with GSS + default
> transport.
>
>
> Thanks
> Jiajia
>
> -Original Message-
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Monday, May 8, 2017 6:19 PM
> To: kerby@directory.apache.org
> Subject: Re: MIT Kerberos compatibility
>
> OK I have created a JIRA and attached a patch that you have to apply to the
> Apache WSS4J project to reproduce the error. If you uncomment the line that
> uses Netty then the tests all work perfectly. The tests appear to work fine
> when run in isolation, it's only when you run a few of them after one
> another that you can see the failures.
>
> Please let me know if you have any difficulty in reproducing, thanks!
>
> Colm.
>
> On Mon, May 8, 2017 at 11:08 AM, Zheng, Kai <kai.zh...@intel.com> wrote:
>
> > Hi Colm,
> >
> > Sure, please do it. Could you review my change and see how it would cause
> > the new failures? Any difference between the failed GSS tests and the Kerby
> > GSS tests?
> >
> > Regards,
> > Kai
> >
> > -Original Message-
> > From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> > Sent: Monday, May 08, 2017 5:42 PM
> > To: Zheng, Kai <kai.zh...@intel.com>
> > Cc: kerby@directory.apache.org
> > Subject: Re: MIT Kerberos compatibility
> >
> > Hi Kai,
> >
> > Your changes fixed the error message I was seeing. However, I now see
> > another problem when I run a few GSS client tests in a row:
> >
> > >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
> > >>> KrbAsReq creating message
> > >>> KrbKdcReq send: kdc=localhost UDP:42665, timeout=3, number of retries =3, #bytes=245
> > >>> KDCCommunication: kdc=localhost UDP:42665, timeout=3,Attempt =1, #bytes=245
> > SocketTimeOutException with attempt: 1
> > >>> KDCCommunication: kdc=localhost UDP:42665, timeout=3,Attempt =2, #bytes=245
> > >>> KrbKdcReq send: error trying localhost:42665
> > java.net.PortUnreachableException: ICMP Port Unreachable
> >
> > Do you want me to create a JIRA + attach a test-case?
> >
> > Colm.
> >
> > On Sat, May 6, 2017 at 2:01 AM, Zheng, Kai <kai.zh...@intel.com> wrote:
> >
> > > I haven't repeated the issue but revisited the codes again and made
> > > improvements. Would you check it out? Thanks!
> > >
> > > Sent from iPhone
> > >
> > > > On May 6, 2017, at 6:28 AM, Zheng, Kai <kai.zh...@intel.com> wrote:
> > > >
> > > > Thanks colm for the clarification and it sounds an issue we need to
> > > > address. I will investigate it soon.
> > > >
> > > > Sent from iPhone
> > > >
> > > > >> On May 6, 2017, at 2:14 AM, Colm O hEigeartaigh <cohei...@apache.org> wrote:
> > > >>
> > > >> Hi Kai,
> > > >>
> > > > >> If I enable UDP with the default Transport, I can get a ticket fine using
> > > > >> kinit. However then the following error pops up in the window I'm running
> > > > >> Kerby in (as a test):
> > > > >>
> > > > >> Exception in thread "Thread-1" java.lang.RuntimeException: Error occured while checking udp connections
> > > > >>   at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(KdcNetwork.java:105)
> > > > >>   at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.access$000(KdcNetwork.java:39)
> > > > >>   at org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.run(KdcNetwork.java:75)
> > > > >>   at java.lang.Thread.run(Thread.java:748)
> > > > >> Caused by: java.nio.channels.ClosedChannelException
> > > > >>   at sun.nio.ch.DatagramChannelImpl.ensureOpen(DatagramChannelImpl.java:320)
> > > >>   at sun.nio.ch.DatagramChannelImpl.receive(

RE: MIT Kerberos compatibility

2017-06-18 Thread Li, Jiajia
Hi Colm,
Thanks for providing the way to reproduce the error, and I have the fix in 
trunk code, can you take some time to check it?

Commit log:
commit 106299efb7aa3001da89ae821eb43285c544bab7
Author: plusplusjiajia <jiajia...@intel.com>
Date:   Mon Jun 19 13:07:04 2017 +0800

Fix DIRKRB-629:ICMP Port Unreachable error message with GSS + default 
transport.


Thanks
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Monday, May 8, 2017 6:19 PM
To: kerby@directory.apache.org
Subject: Re: MIT Kerberos compatibility

OK I have created a JIRA and attached a patch that you have to apply to the
Apache WSS4J project to reproduce the error. If you uncomment the line that
uses Netty then the tests all work perfectly. The tests appear to work fine
when run in isolation, it's only when you run a few of them after one
another that you can see the failures.

Please let me know if you have any difficulty in reproducing, thanks!

Colm.

On Mon, May 8, 2017 at 11:08 AM, Zheng, Kai <kai.zh...@intel.com> wrote:

> Hi Colm,
>
> Sure, please do it. Could you review my change and see how it would cause
> the new failures? Any difference between the failed GSS tests and the Kerby
> GSS tests?
>
> Regards,
> Kai
>
> -Original Message-
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Monday, May 08, 2017 5:42 PM
> To: Zheng, Kai <kai.zh...@intel.com>
> Cc: kerby@directory.apache.org
> Subject: Re: MIT Kerberos compatibility
>
> Hi Kai,
>
> Your changes fixed the error message I was seeing. However, I now see
> another problem when I run a few GSS client tests in a row:
>
> >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
> >>> KrbAsReq creating message
> >>> KrbKdcReq send: kdc=localhost UDP:42665, timeout=3, number of retries =3, #bytes=245
> >>> KDCCommunication: kdc=localhost UDP:42665, timeout=3,Attempt =1, #bytes=245
> SocketTimeOutException with attempt: 1
> >>> KDCCommunication: kdc=localhost UDP:42665, timeout=3,Attempt =2, #bytes=245
> >>> KrbKdcReq send: error trying localhost:42665
> java.net.PortUnreachableException: ICMP Port Unreachable
>
> Do you want me to create a JIRA + attach a test-case?
>
> Colm.
>
> On Sat, May 6, 2017 at 2:01 AM, Zheng, Kai <kai.zh...@intel.com> wrote:
>
> > I haven't repeated the issue but revisited the codes again and made
> > improvements. Would you check it out? Thanks!
> >
> > Sent from iPhone
> >
> > > On May 6, 2017, at 6:28 AM, Zheng, Kai <kai.zh...@intel.com> wrote:
> > >
> > > Thanks colm for the clarification and it sounds an issue we need to
> > > address. I will investigate it soon.
> > >
> > > Sent from iPhone
> > >
> > > >> On May 6, 2017, at 2:14 AM, Colm O hEigeartaigh <cohei...@apache.org> wrote:
> > >>
> > >> Hi Kai,
> > >>
> > > >> If I enable UDP with the default Transport, I can get a ticket fine using
> > > >> kinit. However then the following error pops up in the window I'm running
> > > >> Kerby in (as a test):
> > > >>
> > > >> Exception in thread "Thread-1" java.lang.RuntimeException: Error occured while checking udp connections
> > > >>   at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(KdcNetwork.java:105)
> > > >>   at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.access$000(KdcNetwork.java:39)
> > > >>   at org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.run(KdcNetwork.java:75)
> > > >>   at java.lang.Thread.run(Thread.java:748)
> > > >> Caused by: java.nio.channels.ClosedChannelException
> > > >>   at sun.nio.ch.DatagramChannelImpl.ensureOpen(DatagramChannelImpl.java:320)
> > > >>   at sun.nio.ch.DatagramChannelImpl.receive(DatagramChannelImpl.java:331)
> > > >>   at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.checkUdpMessage(KdcNetwork.java:132)
> > > >>   at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(KdcNetwork.java:101)
> > >>
> > >> Colm.
> > >>
> > >>
> > >>> On Fri, May 5, 2017 at 5:56 PM, Zheng, Kai <kai.zh...@intel.com> wrote:
> > >>>
> > >>> Colm, did you see udp problem now instead? I'm a little confused. Udp is
> > >>> sure supported but may not be enabled by def

Re: MIT Kerberos compatibility

2017-05-08 Thread Marc de Lignie
ankye's credential cache contains 
the service ticket for test-service?


Cheers, Marc


On 04-05-17 at 14:55, Li, Jiajia wrote:

Hi Marc,
I try to run your test (through applying your patch in the trunk), I
think it's success now. Could you take some time to check about it?

Here is the log:

directory-kerby git:(trunk) ✗ . kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/MitIssueTest.sh

kerberos.authGSSClientInit successful
2017-05-04T20:44:06 set-error: -1765328234: entypes not supported
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for krb5_ccache_conf_data/realm-config@X-CACHECONF: in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for test-service/localh...@test.com in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for krb5_ccache_conf_data/negative-cache/test-service\134/localhost\1...@test.com@X-CACHECONF: in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for krb5_ccache_conf_data/lkdc-hostname@X-CACHECONF: in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for krb5_ccache_conf_data/sitename@X-CACHECONF: in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for test-service/localh...@test.com in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328234: Encryption type des-cbc-md5-deprecated not supported
2017-05-04T20:44:06 set-error: -1765328234: Encryption type des-cbc-md4-deprecated not supported
2017-05-04T20:44:06 set-error: -1765328234: Encryption type des-cbc-crc-deprecated not supported
2017-05-04T20:44:06 Trying to find service kdc for realm TEST.COM flags 0

2017-05-04T20:44:06 configuration file for realm TEST.COM found
2017-05-04T20:44:06 submissing new requests to new host
2017-05-04T20:44:06 host_create: setting hostname localhost
2017-05-04T20:44:06 connecting to host: udp ::1:52534 (localhost) tid: 0001

2017-05-04T20:44:06 host_create: setting hostname localhost
2017-05-04T20:44:06 Queuing host in future (in 3s), its the 2 address on the same name: udp 127.0.0.1:52534 (localhost) tid: 0002
2017-05-04T20:44:06 writing packet: udp ::1:52534 (localhost) tid: 0001
2017-05-04T20:44:06 reading packet: udp ::1:52534 (localhost) tid: 0001
2017-05-04T20:44:06 host completed: udp ::1:52534 (localhost) tid: 0001
2017-05-04T20:44:06 krb5_sendto_context TEST.COM done: 0 hosts 1 packets 1 wc: 0.048927 nr: 0.000932 kh: 0.000814 tid: 0002

2017-05-04T20:44:06 tkt: extract key 17/763641F3
2017-05-04T20:44:06 set-error: -1765328353: Decrypt integrity check failed for checksum type hmac-sha1-96-aes128, key type aes128-cts-hmac-sha1-96

2017-05-04T20:44:06 tkt: extract key 17/3084A95C
2017-05-04T20:44:06 krb5_get_credentials_with_flags: TEST.COM wc: 0.050317
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for krb5_ccache_conf_data/realm-config@X-CACHECONF: in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for krb5_ccache_conf_data/time-offset/test-service\134/localhost\1...@test.com@X-CACHECONF: in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc

2017-05-04T20:44:06 Setting up PFS for auth context
2017-05-04T20:44:06 set-error: -1765328234: Encryption type des-cbc-md5-deprecated not supported
2017-05-04T20:44:06 set-error: -1765328234: Encryption type des-cbc-md4-deprecated not supported
2017-05-04T20:44:06 set-error: -1765328234: Encryption type des-cbc-crc-deprecated not supported

First kerberos.authGSSClientStep successful

Thanks
Jiajia

-Original Message-
From: Zheng, Kai [mailto:kai.zh...@intel.com]
Sent: Wednesday, May 3, 2017 7:29 PM
To: kerby@directory.apache.org
Subject: RE: MIT Kerberos compatibility

Hi Marc,

In case you're not aware of this, please check out the latest fix 
made by Jiajia. We thought your case may be different, but would be 
good to have a check before we can repeat/fix your case. Thanks.

https://issues.apache.org/jira/browse/DIRKRB-625

Regards,
Kai

-Original Message-
From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl]
Sent: Sunday, April 30, 2017 7:45 PM
To: kerby@directory.apache.org
Subject: Re: MIT Kerberos compatibility

Hi Kai,

The terminal output below is for the latest MIT Kerberos 1.15.1 
(locally built on Ubuntu Xenial). Before that, I also tested with 
the default Xenial MIT Kerberos packages (1.13.2), with the same 
result. I did not try earlier MIT Kerberos versions.


Marc

On 29-04-17 at 21:42, Marc de Lignie wrote:

Hi Kai,

Thanks for the response. I prepared a minimal config that 

RE: MIT Kerberos compatibility

2017-05-08 Thread Christopher Lamb
Hi Marc

On the topic of python and kerberos, have you tried python gssapi?

The code snippet below works for me against a FreeIPA client, KDC and
Service Principal, whereas the equivalent Java GSS-API does not (yet),
which made me look at kerb-client

#!/usr/bin/python3.5

import gssapi
from io import BytesIO

server_name = 'HTTP/app-srv.acme@acme.com'
service_name = gssapi.Name(server_name)

client_ctx = gssapi.SecurityContext(name=service_name, usage='initiate')
initial_client_token = client_ctx.step()


Cheers

Chris



From:   "Zheng, Kai" <kai.zh...@intel.com>
To: "kerby@directory.apache.org" <kerby@directory.apache.org>
Date:   08/05/2017 12:58
Subject:    RE: MIT Kerberos compatibility



Hi Marc,

Thanks for your patience. It looks to me there is some issue in Kerby with
Heimdal compatibility. Note we haven't supported Heimdal yet. So far, Kerby
is tested and can support these clients:
1. Oracle Java;
2. Kerby client;
3. MIT client.

Both compatibility tests with MS AD and Heimdal haven't been done yet. For
Heimdal, I thought we can get back to this later (hope soon, a week later).
We're pretty busy with urgent things, sorry.

Regards,
Kai

-Original Message-
From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl]
Sent: Sunday, May 07, 2017 10:13 PM
To: kerby@directory.apache.org
Subject: Re: MIT Kerberos compatibility

Hi Jiajia and Kai,

Puzzled by the fact that the Mit Kerberos over python service ticket
request works on Jiajia's system but not on mine. I attempted to request
the service ticket with Mit Kerberos's kinit tool and  it worked.

This means that my issue probably lies in the kerberos python wrapper
around the Mit Kerberos shared libs (or in the way how I use it). I tried
both with the Debian python-kerberos package,
https://pypi.python.org/pypi/kerberos and with
https://pypi.python.org/pypi/pykerberos/1.1.14, neither of which got the
ticket. This still makes me curious where Mac-OS gets its python kerberos
package from :-)

Here, the kinit shell commands to reproduce my test.

cd $PROJECTROOT
WORKDIR=kerby-kerb/kerb-kdc-test/target/tmp
export KRB5_CONFIG=$WORKDIR/krb5.conf
export KRB5CCNAME=$WORKDIR/test-tkt.cc
export KRB5_TRACE=/dev/stdout

$ kinit -S test-service/localhost
[3141] 1494161999.566468: Getting initial credentials for dran...@test.com
[3141] 1494161999.566835: Setting initial creds service to test-service/localhost
[3141] 1494161999.566952: Sending request (168 bytes) to TEST.COM
[3141] 1494161999.566997: Resolving hostname localhost
[3141] 1494161999.567467: Sending initial UDP request to dgram 127.0.0.1:45527
[3141] 1494161999.573494: Received answer (555 bytes) from dgram 127.0.0.1:45527
[3141] 1494161999.576791: Response was not from master KDC
[3141] 1494161999.576822: Salt derived from principal: TEST.COMdrankye
[3141] 1494161999.576824: Getting AS key, salt "TEST.COMdrankye", params ""
Password for dran...@test.com:
[3141] 1494162015.450071: AS key obtained from gak_fct: aes128-cts/0548
[3141] 1494162015.450101: Decrypted AS reply; session key is: aes128-cts/4EFE
[3141] 1494162015.450103: FAST negotiation: unavailable
[3141] 1494162015.450112: Initializing FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc with default princ dran...@test.com
[3141] 1494162015.450305: Storing dran...@test.com -> test-service/localh...@test.com in FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc

$ klist
Ticket cache: FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
Default principal: dran...@test.com

Valid starting     Expires            Service principal
07-05-17 14:59:59  08-05-17 14:59:59  test-service/localh...@test.com
        renew until 08-05-17 14:59:59

What is also notable here is that the TestKdc only produces one log
message:

[nioEventLoopGroup-5-1] INFO
org.apache.kerby.kerberos.kerb.server.request.AsRequest - AS_REQ ISSUE:
authtime 1494164956766,dran...@test.com for test-service/localh...@test.com

while in the error situation from python it produces (and not the AS_REQ
line):

[nioEventLoopGroup-5-1] INFO
org.apache.kerby.kerberos.kerb.server.request.KdcRequest - Found fast
padata and starting to process it.
[nioEventLoopGroup-5-1] INFO
org.apache.kerby.kerberos.kerb.server.request.KdcRequest - Found fast
padata and starting to process it.

Note also that kinit requires to give the password while in the python
testcase it is attempted to use the tgt from the credential cache.

Maybe it also useful to restate my target: I want to authenticate a python
client towards a service using GSSAPI with SASL (the service being
gremlin-server from the Apache Tinkerpop project). So I want to get the
service ticket using GSSAPI and an existing tgt from the credential cache.

Any additional hints are welcome, good luck with the Kerby GA release.

Marc

On 05-05-17 at 22:12, Marc de Lignie wrote:
> Hi Jiajia,
>
> Thanks for the netty config option. This indeed helped to get rid of

RE: MIT Kerberos compatibility

2017-05-08 Thread Zheng, Kai
Hi Marc,

Thanks for your patience. It looks to me there is some issue in Kerby with 
Heimdal compatibility. Note we haven't supported Heimdal yet. So far, Kerby is 
tested and can support these clients:
1. Oracle Java;
2. Kerby client;
3. MIT client.

Both compatibility tests with MS AD and Heimdal haven't been done yet. For 
Heimdal, I thought we can get back to this later (hope soon, a week later). 
We're pretty busy with urgent things, sorry.

Regards,
Kai

-Original Message-
From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl] 
Sent: Sunday, May 07, 2017 10:13 PM
To: kerby@directory.apache.org
Subject: Re: MIT Kerberos compatibility

Hi Jiajia and Kai,

Puzzled by the fact that the Mit Kerberos over python service ticket request 
works on Jiajia's system but not on mine. I attempted to request the service 
ticket with Mit Kerberos's kinit tool and  it worked.

This means that my issue probably lies in the kerberos python wrapper around 
the Mit Kerberos shared libs (or in the way how I use it). I tried both with 
the Debian python-kerberos package, https://pypi.python.org/pypi/kerberos and 
with https://pypi.python.org/pypi/pykerberos/1.1.14, neither of which got the 
ticket. This still makes me curious where Mac-OS gets its python kerberos 
package from :-)

Here, the kinit shell commands to reproduce my test.

cd $PROJECTROOT
WORKDIR=kerby-kerb/kerb-kdc-test/target/tmp
export KRB5_CONFIG=$WORKDIR/krb5.conf
export KRB5CCNAME=$WORKDIR/test-tkt.cc
export KRB5_TRACE=/dev/stdout

$ kinit -S test-service/localhost
[3141] 1494161999.566468: Getting initial credentials for dran...@test.com
[3141] 1494161999.566835: Setting initial creds service to test-service/localhost
[3141] 1494161999.566952: Sending request (168 bytes) to TEST.COM
[3141] 1494161999.566997: Resolving hostname localhost
[3141] 1494161999.567467: Sending initial UDP request to dgram 127.0.0.1:45527
[3141] 1494161999.573494: Received answer (555 bytes) from dgram 127.0.0.1:45527
[3141] 1494161999.576791: Response was not from master KDC
[3141] 1494161999.576822: Salt derived from principal: TEST.COMdrankye
[3141] 1494161999.576824: Getting AS key, salt "TEST.COMdrankye", params ""
Password for dran...@test.com:
[3141] 1494162015.450071: AS key obtained from gak_fct: aes128-cts/0548
[3141] 1494162015.450101: Decrypted AS reply; session key is: aes128-cts/4EFE
[3141] 1494162015.450103: FAST negotiation: unavailable
[3141] 1494162015.450112: Initializing FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc with default princ dran...@test.com
[3141] 1494162015.450305: Storing dran...@test.com -> test-service/localh...@test.com in FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc

$ klist
Ticket cache: FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
Default principal: dran...@test.com

Valid starting     Expires            Service principal
07-05-17 14:59:59  08-05-17 14:59:59  test-service/localh...@test.com
        renew until 08-05-17 14:59:59

What is also notable here is that the TestKdc only produces one log message:

[nioEventLoopGroup-5-1] INFO
org.apache.kerby.kerberos.kerb.server.request.AsRequest - AS_REQ ISSUE: 
authtime 1494164956766,dran...@test.com for test-service/localh...@test.com

while in the error situation from python it produces (and not the AS_REQ
line):

[nioEventLoopGroup-5-1] INFO
org.apache.kerby.kerberos.kerb.server.request.KdcRequest - Found fast padata 
and starting to process it.
[nioEventLoopGroup-5-1] INFO
org.apache.kerby.kerberos.kerb.server.request.KdcRequest - Found fast padata 
and starting to process it.

Note also that kinit requires to give the password while in the python testcase 
it is attempted to use the tgt from the credential cache.

Maybe it also useful to restate my target: I want to authenticate a python 
client towards a service using GSSAPI with SASL (the service being 
gremlin-server from the Apache Tinkerpop project). So I want to get the service 
ticket using GSSAPI and an existing tgt from the credential cache.

Any additional hints are welcome, good luck with the Kerby GA release.

Marc

On 05-05-17 at 22:12, Marc de Lignie wrote:
> Hi Jiajia,
>
> Thanks for the netty config option. This indeed helped to get rid of 
> the udp errors, but did not help in getting the service ticket (final 
> error message remains the same).
>
> I also noticed that I get the same error from the python console 
> whether I specify the right service name or some service name for 
> which no service principal exists in the TestKdc.
>
> I did not succeed in getting mvn tst to print the debug logging of the 
> various kdc classes involved.
>
> Did you check with klist whether drankye's credential cache contains 
> the service ticket for test-service?
>
> Cheers,Marc
>
>
> On 04-05-17 at 14:55, Li, Jiajia wrote:
>> Hi Marc,
>> I try to run your test(through applying your patch in 

RE: MIT Kerberos compatibility

2017-05-08 Thread Zheng, Kai
Thanks Colm for the confirm!

Regards,
Kai

From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Monday, May 08, 2017 6:36 PM
To: Zheng, Kai <kai.zh...@intel.com>
Cc: kerby@directory.apache.org
Subject: Re: MIT Kerberos compatibility

Hi Kai,
No I think it wasn't caused by recent changes. It's fine to target it for the 
next release. I will call another vote for 1.0.0 as soon as we get the go ahead 
from Emmanuel.
Colm.

On Mon, May 8, 2017 at 11:32 AM, Zheng, Kai <kai.zh...@intel.com> wrote:
Hi Colm,

Did you aware it's caused by any recent changes? It looks to me not. How serve 
is it? It appears in some case in the WSS4J tests. We have work around, using 
the Netty one. I'd suggest we target it for next minor release, like 1.1.0 or 
1.0.1 so we have enough bandwidth to investigate and improve the default 
transport. We probably shouldn't introduce more changes to get the release out. 
Note please prefer to use the TCP transport over the UDP one, in today's world.

Regards,
Kai

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Monday, May 08, 2017 6:19 PM
To: kerby@directory.apache.org
Subject: Re: MIT Kerberos compatibility
OK I have created a JIRA and attached a patch that you have to apply to the
Apache WSS4J project to reproduce the error. If you uncomment the line that
uses Netty then the tests all work perfectly. The tests appear to work fine
when run in isolation, it's only when you run a few of them after one
another that you can see the failures.

Please let me know if you have any difficulty in reproducing, thanks!

Colm.

On Mon, May 8, 2017 at 11:08 AM, Zheng, Kai <kai.zh...@intel.com> wrote:

> Hi Colm,
>
> Sure, please do it. Could you review my change and see how it would cause
> the new failures? Any difference between the failed GSS tests and the Kerby
> GSS tests?
>
> Regards,
> Kai
>
> -Original Message-
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Monday, May 08, 2017 5:42 PM
> To: Zheng, Kai <kai.zh...@intel.com>
> Cc: kerby@directory.apache.org
> Subject: Re: MIT Kerberos compatibility
>
> Hi Kai,
>
> Your changes fixed the error message I was seeing. However, I now see
> another problem when I run a few GSS client tests in a row:
>
> >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
> >>> KrbAsReq creating message
> >>> KrbKdcReq send: kdc=localhost UDP:42665, timeout=3, number of
> retries =3, #bytes=245
> >>> KDCCommunication: kdc=localhost UDP:42665, timeout=3,Attempt =1,
> #bytes=245
> SocketTimeOutException with attempt: 1
> >>> KDCCommunication: kdc=localhost UDP:42665, timeout=3,Attempt =2,
> #bytes=245
> >>> KrbKdcReq send: error trying localhost:42665
> java.net.PortUnreachableException: ICMP Port Unreachable
>
> Do you want me to create a JIRA + attach a test-case?
>
> Colm.
>
> On Sat, May 6, 2017 at 2:01 AM, Zheng, Kai <kai.zh...@intel.com> wrote:
>
> > I haven't repeated the issue but revisited the codes again and made
> > improvements. Would you check it out? Thanks!
> >
> > Sent from iPhone
> >
> > > On May 6, 2017, at 6:28 AM, Zheng, Kai <kai.zh...@intel.com> wrote:
> > >
> > > Thanks colm for the clarification and it sounds an issue we need to
> > address. I will investigate it soon.
> > >
> > > Sent from iPhone
> > >
> > >> On May 6, 2017, at 2:14 AM, Colm O hEigeartaigh <cohei...@apache.org> wrote:
> > >>
> > >> Hi Kai,
> > >>
> > >> If I enable UDP with the default Transport, I can get a ticket fine
> > using
> > >> kinit. However then the following error pops up in the window I'm
> > running
> > >> Kerby in (as a test):
> > >>
> > >> Exception in thread "Thread-1" java.lang.RuntimeException: Error
> > >> occured while checking udp connections
> > >>   at
> > >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
> > KdcNetwork.java:105)
> > >>   at
> > >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
> > access$000(KdcNetwork.java:39)
> > >>   at
> > >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.
> > run(KdcNe

Re: MIT Kerberos compatibility

2017-05-08 Thread Colm O hEigeartaigh
Hi Kai,

No I think it wasn't caused by recent changes. It's fine to target it for
the next release. I will call another vote for 1.0.0 as soon as we get the
go ahead from Emmanuel.

Colm.

On Mon, May 8, 2017 at 11:32 AM, Zheng, Kai <kai.zh...@intel.com> wrote:

> Hi Colm,
>
> Are you aware whether it's caused by any recent changes? It looks to me not. How
> severe is it? It appears in some cases in the WSS4J tests. We have a
> workaround, using the Netty one. I'd suggest we target it for the next minor
> release, like 1.1.0 or 1.0.1 so we have enough bandwidth to investigate and
> improve the default transport. We probably shouldn't introduce more changes
> to get the release out. Note please prefer to use the TCP transport over
> the UDP one, in today's world.
>
> Regards,
> Kai
>
> -Original Message-
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Monday, May 08, 2017 6:19 PM
> To: kerby@directory.apache.org
> Subject: Re: MIT Kerberos compatibility
>
> OK I have created a JIRA and attached a patch that you have to apply to the
> Apache WSS4J project to reproduce the error. If you uncomment the line that
> uses Netty then the tests all work perfectly. The tests appear to work fine
> when run in isolation, it's only when you run a few of them after one
> another that you can see the failures.
>
> Please let me know if you have any difficulty in reproducing, thanks!
>
> Colm.
>
> On Mon, May 8, 2017 at 11:08 AM, Zheng, Kai <kai.zh...@intel.com> wrote:
>
> > Hi Colm,
> >
> > Sure, please do it. Could you review my change and see how it would cause
> > the new failures? Any difference between the failed GSS tests and the
> Kerby
> > GSS tests?
> >
> > Regards,
> > Kai
> >
> > -Original Message-
> > From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> > Sent: Monday, May 08, 2017 5:42 PM
> > To: Zheng, Kai <kai.zh...@intel.com>
> > Cc: kerby@directory.apache.org
> > Subject: Re: MIT Kerberos compatibility
> >
> > Hi Kai,
> >
> > Your changes fixed the error message I was seeing. However, I now see
> > another problem when I run a few GSS client tests in a row:
> >
> > >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
> > >>> KrbAsReq creating message
> > >>> KrbKdcReq send: kdc=localhost UDP:42665, timeout=3, number of
> > retries =3, #bytes=245
> > >>> KDCCommunication: kdc=localhost UDP:42665, timeout=3,Attempt =1,
> > #bytes=245
> > SocketTimeOutException with attempt: 1
> > >>> KDCCommunication: kdc=localhost UDP:42665, timeout=3,Attempt =2,
> > #bytes=245
> > >>> KrbKdcReq send: error trying localhost:42665
> > java.net.PortUnreachableException: ICMP Port Unreachable
> >
> > Do you want me to create a JIRA + attach a test-case?
> >
> > Colm.
> >
> > On Sat, May 6, 2017 at 2:01 AM, Zheng, Kai <kai.zh...@intel.com> wrote:
> >
> > > I haven't repeated the issue but revisited the codes again and made
> > > improvements. Would you check it out? Thanks!
> > >
> > > Sent from iPhone
> > >
> > > > On May 6, 2017, at 6:28 AM, Zheng, Kai <kai.zh...@intel.com> wrote:
> > > >
> > > > Thanks colm for the clarification and it sounds an issue we need to
> > > address. I will investigate it soon.
> > > >
> > > > Sent from iPhone
> > > >
> > > >> On May 6, 2017, at 2:14 AM, Colm O hEigeartaigh <cohei...@apache.org> wrote:
> > > >>
> > > >> Hi Kai,
> > > >>
> > > >> If I enable UDP with the default Transport, I can get a ticket fine
> > > using
> > > >> kinit. However then the following error pops up in the window I'm
> > > running
> > > >> Kerby in (as a test):
> > > >>
> > > >> Exception in thread "Thread-1" java.lang.RuntimeException: Error
> > > >> occured while checking udp connections
> > > >>   at
> > > >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
> > > KdcNetwork.java:105)
> > > >>   at
> > > >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
> > > access$000(KdcNetwork.java:39)
> > > >>   at
> > > >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.
> > > run(KdcNetwork.java:75)
> > > >>   at java.lang.Thread.run(Thread.java:748)
> > > >> Caused by: java.nio.channels.ClosedChannelException
> > &

RE: MIT Kerberos compatibility

2017-05-08 Thread Zheng, Kai
Hi Colm,

Are you aware whether it's caused by any recent changes? It looks to me not. How severe 
is it? It appears in some cases in the WSS4J tests. We have a workaround, using 
the Netty one. I'd suggest we target it for the next minor release, like 1.1.0 or 
1.0.1 so we have enough bandwidth to investigate and improve the default 
transport. We probably shouldn't introduce more changes to get the release out. 
Note please prefer to use the TCP transport over the UDP one, in today's world. 

Regards,
Kai

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Monday, May 08, 2017 6:19 PM
To: kerby@directory.apache.org
Subject: Re: MIT Kerberos compatibility

OK I have created a JIRA and attached a patch that you have to apply to the
Apache WSS4J project to reproduce the error. If you uncomment the line that
uses Netty then the tests all work perfectly. The tests appear to work fine
when run in isolation, it's only when you run a few of them after one
another that you can see the failures.

Please let me know if you have any difficulty in reproducing, thanks!

Colm.

On Mon, May 8, 2017 at 11:08 AM, Zheng, Kai <kai.zh...@intel.com> wrote:

> Hi Colm,
>
> Sure, please do it. Could you review my change and see how it would cause
> the new failures? Any difference between the failed GSS tests and the Kerby
> GSS tests?
>
> Regards,
> Kai
>
> -Original Message-
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Monday, May 08, 2017 5:42 PM
> To: Zheng, Kai <kai.zh...@intel.com>
> Cc: kerby@directory.apache.org
> Subject: Re: MIT Kerberos compatibility
>
> Hi Kai,
>
> Your changes fixed the error message I was seeing. However, I now see
> another problem when I run a few GSS client tests in a row:
>
> >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
> >>> KrbAsReq creating message
> >>> KrbKdcReq send: kdc=localhost UDP:42665, timeout=3, number of
> retries =3, #bytes=245
> >>> KDCCommunication: kdc=localhost UDP:42665, timeout=3,Attempt =1,
> #bytes=245
> SocketTimeOutException with attempt: 1
> >>> KDCCommunication: kdc=localhost UDP:42665, timeout=3,Attempt =2,
> #bytes=245
> >>> KrbKdcReq send: error trying localhost:42665
> java.net.PortUnreachableException: ICMP Port Unreachable
>
> Do you want me to create a JIRA + attach a test-case?
>
> Colm.
>
> On Sat, May 6, 2017 at 2:01 AM, Zheng, Kai <kai.zh...@intel.com> wrote:
>
> > I haven't repeated the issue but revisited the codes again and made
> > improvements. Would you check it out? Thanks!
> >
> > Sent from iPhone
> >
> > > On May 6, 2017, at 6:28 AM, Zheng, Kai <kai.zh...@intel.com> wrote:
> > >
> > > Thanks colm for the clarification and it sounds an issue we need to
> > address. I will investigate it soon.
> > >
> > > Sent from iPhone
> > >
> > >> On May 6, 2017, at 2:14 AM, Colm O hEigeartaigh <cohei...@apache.org> wrote:
> > >>
> > >> Hi Kai,
> > >>
> > >> If I enable UDP with the default Transport, I can get a ticket fine
> > using
> > >> kinit. However then the following error pops up in the window I'm
> > running
> > >> Kerby in (as a test):
> > >>
> > >> Exception in thread "Thread-1" java.lang.RuntimeException: Error
> > >> occured while checking udp connections
> > >>   at
> > >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
> > KdcNetwork.java:105)
> > >>   at
> > >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
> > access$000(KdcNetwork.java:39)
> > >>   at
> > >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.
> > run(KdcNetwork.java:75)
> > >>   at java.lang.Thread.run(Thread.java:748)
> > >> Caused by: java.nio.channels.ClosedChannelException
> > >>   at
> > >> sun.nio.ch.DatagramChannelImpl.ensureOpen(
> DatagramChannelImpl.java:320)
> > >>   at sun.nio.ch.DatagramChannelImpl.receive(
> > DatagramChannelImpl.java:331)
> > >>   at
> > >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
> > checkUdpMessage(KdcNetwork.java:132)
> > >>   at
> > >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
> > KdcNetwork.java:101)
> > >>
> > >> Colm.
> > >>
> > >>
> > >>> On Fri, May 5, 2017 at 5:56 PM, Zheng, Kai <kai.zh...@intel.com>
> > wrote:
> > >>>
> > >>> Colm, did you see udp problem now instead? I'm a

Re: MIT Kerberos compatibility

2017-05-08 Thread Colm O hEigeartaigh
OK I have created a JIRA and attached a patch that you have to apply to the
Apache WSS4J project to reproduce the error. If you uncomment the line that
uses Netty then the tests all work perfectly. The tests appear to work fine
when run in isolation, it's only when you run a few of them after one
another that you can see the failures.

Please let me know if you have any difficulty in reproducing, thanks!

Colm.

On Mon, May 8, 2017 at 11:08 AM, Zheng, Kai <kai.zh...@intel.com> wrote:

> Hi Colm,
>
> Sure, please do it. Could you review my change and see how it would cause
> the new failures? Any difference between the failed GSS tests and the Kerby
> GSS tests?
>
> Regards,
> Kai
>
> -Original Message-
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Monday, May 08, 2017 5:42 PM
> To: Zheng, Kai <kai.zh...@intel.com>
> Cc: kerby@directory.apache.org
> Subject: Re: MIT Kerberos compatibility
>
> Hi Kai,
>
> Your changes fixed the error message I was seeing. However, I now see
> another problem when I run a few GSS client tests in a row:
>
> >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
> >>> KrbAsReq creating message
> >>> KrbKdcReq send: kdc=localhost UDP:42665, timeout=3, number of
> retries =3, #bytes=245
> >>> KDCCommunication: kdc=localhost UDP:42665, timeout=3,Attempt =1,
> #bytes=245
> SocketTimeOutException with attempt: 1
> >>> KDCCommunication: kdc=localhost UDP:42665, timeout=3,Attempt =2,
> #bytes=245
> >>> KrbKdcReq send: error trying localhost:42665
> java.net.PortUnreachableException: ICMP Port Unreachable
>
> Do you want me to create a JIRA + attach a test-case?
>
> Colm.
>
> On Sat, May 6, 2017 at 2:01 AM, Zheng, Kai <kai.zh...@intel.com> wrote:
>
> > I haven't repeated the issue but revisited the codes again and made
> > improvements. Would you check it out? Thanks!
> >
> > Sent from iPhone
> >
> > > On May 6, 2017, at 6:28 AM, Zheng, Kai <kai.zh...@intel.com> wrote:
> > >
> > > Thanks colm for the clarification and it sounds an issue we need to
> > address. I will investigate it soon.
> > >
> > > Sent from iPhone
> > >
> > >> On May 6, 2017, at 2:14 AM, Colm O hEigeartaigh <cohei...@apache.org> wrote:
> > >>
> > >> Hi Kai,
> > >>
> > >> If I enable UDP with the default Transport, I can get a ticket fine
> > using
> > >> kinit. However then the following error pops up in the window I'm
> > running
> > >> Kerby in (as a test):
> > >>
> > >> Exception in thread "Thread-1" java.lang.RuntimeException: Error
> > >> occured while checking udp connections
> > >>   at
> > >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
> > KdcNetwork.java:105)
> > >>   at
> > >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
> > access$000(KdcNetwork.java:39)
> > >>   at
> > >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.
> > run(KdcNetwork.java:75)
> > >>   at java.lang.Thread.run(Thread.java:748)
> > >> Caused by: java.nio.channels.ClosedChannelException
> > >>   at
> > >> sun.nio.ch.DatagramChannelImpl.ensureOpen(
> DatagramChannelImpl.java:320)
> > >>   at sun.nio.ch.DatagramChannelImpl.receive(
> > DatagramChannelImpl.java:331)
> > >>   at
> > >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
> > checkUdpMessage(KdcNetwork.java:132)
> > >>   at
> > >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
> > KdcNetwork.java:101)
> > >>
> > >> Colm.
> > >>
> > >>
> > >>> On Fri, May 5, 2017 at 5:56 PM, Zheng, Kai <kai.zh...@intel.com>
> > wrote:
> > >>>
> > >>> Colm, did you see udp problem now instead? I'm a little confused.
> > >>> Udp
> > is
> > >>> sure supported but may not be enabled by default, which should be
> > >>> okay, imo. Thanks.
> > >>>
> > >>> Sent from iPhone
> > >>>
> > >>>> On May 6, 2017, at 12:02 AM, Colm O hEigeartaigh <cohei...@apache.org> wrote:
> > >>>>
> > >>>> That's probably it. Why does the default transport not support
> > >>>> UDP in
> > >>> Kerby?
> > >>>>
> > >>>> Colm.
> > >>>>
> > >>>>> On Fri, May 5, 2017 at 

RE: MIT Kerberos compatibility

2017-05-08 Thread Zheng, Kai
Hi Colm,

Sure, please do it. Could you review my change and see how it would cause the 
new failures? Any difference between the failed GSS tests and the Kerby GSS 
tests?

Regards,
Kai

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Monday, May 08, 2017 5:42 PM
To: Zheng, Kai <kai.zh...@intel.com>
Cc: kerby@directory.apache.org
Subject: Re: MIT Kerberos compatibility

Hi Kai,

Your changes fixed the error message I was seeing. However, I now see another 
problem when I run a few GSS client tests in a row:

>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=localhost UDP:42665, timeout=3, number of
retries =3, #bytes=245
>>> KDCCommunication: kdc=localhost UDP:42665, timeout=3,Attempt =1,
#bytes=245
SocketTimeOutException with attempt: 1
>>> KDCCommunication: kdc=localhost UDP:42665, timeout=3,Attempt =2,
#bytes=245
>>> KrbKdcReq send: error trying localhost:42665
java.net.PortUnreachableException: ICMP Port Unreachable

Do you want me to create a JIRA + attach a test-case?

Colm.

On Sat, May 6, 2017 at 2:01 AM, Zheng, Kai <kai.zh...@intel.com> wrote:

> I haven't repeated the issue but revisited the codes again and made 
> improvements. Would you check it out? Thanks!
>
> Sent from iPhone
>
> > On May 6, 2017, at 6:28 AM, Zheng, Kai <kai.zh...@intel.com> wrote:
> >
> > Thanks colm for the clarification and it sounds an issue we need to
> address. I will investigate it soon.
> >
> > Sent from iPhone
> >
> >> On May 6, 2017, at 2:14 AM, Colm O hEigeartaigh <cohei...@apache.org> wrote:
> >>
> >> Hi Kai,
> >>
> >> If I enable UDP with the default Transport, I can get a ticket fine
> using
> >> kinit. However then the following error pops up in the window I'm
> running
> >> Kerby in (as a test):
> >>
> >> Exception in thread "Thread-1" java.lang.RuntimeException: Error 
> >> occured while checking udp connections
> >>   at
> >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
> KdcNetwork.java:105)
> >>   at
> >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
> access$000(KdcNetwork.java:39)
> >>   at
> >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.
> run(KdcNetwork.java:75)
> >>   at java.lang.Thread.run(Thread.java:748)
> >> Caused by: java.nio.channels.ClosedChannelException
> >>   at
> >> sun.nio.ch.DatagramChannelImpl.ensureOpen(DatagramChannelImpl.java:320)
> >>   at sun.nio.ch.DatagramChannelImpl.receive(
> DatagramChannelImpl.java:331)
> >>   at
> >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
> checkUdpMessage(KdcNetwork.java:132)
> >>   at
> >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
> KdcNetwork.java:101)
> >>
> >> Colm.
> >>
> >>
> >>> On Fri, May 5, 2017 at 5:56 PM, Zheng, Kai <kai.zh...@intel.com>
> wrote:
> >>>
> >>> Colm, did you see udp problem now instead? I'm a little confused. 
> >>> Udp
> is
> >>> sure supported but may not be enabled by default, which should be 
> >>> okay, imo. Thanks.
> >>>
> >>> Sent from iPhone
> >>>
> >>>> On May 6, 2017, at 12:02 AM, Colm O hEigeartaigh <cohei...@apache.org> wrote:
> >>>>
> >>>> That's probably it. Why does the default transport not support 
> >>>> UDP in
> >>> Kerby?
> >>>>
> >>>> Colm.
> >>>>
> >>>>> On Fri, May 5, 2017 at 4:54 PM, Li, Jiajia <jiajia...@intel.com>
> wrote:
> >>>>>
> >>>>> Are you sure add kdc_allow_udp = false in kdc.conf?
> >>>>>
> >>>>> Thanks
> >>>>> Jiajia
> >>>>>
> >>>>> -Original Message-
> >>>>> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> >>>>> Sent: Friday, May 5, 2017 11:41 PM
> >>>>> To: Li, Jiajia <jiajia...@intel.com>
> >>>>> Cc: kerby@directory.apache.org; Zheng, Kai 
> >>>>> <kai.zh...@intel.com>;
> >>> mailto:
> >>>>> m.c.delig...@xs4all.nl <m.c.delig...@xs4all.nl>
> >>>>> Subject: Re: MIT Kerberos compatibility
> >>>>>
> >>>>> Sorry, it was my error, UDP was actually enabled there. But why 
> >>>>> am I
> >>> still
> >&

Re: MIT Kerberos compatibility

2017-05-08 Thread Colm O hEigeartaigh
Hi Kai,

Your changes fixed the error message I was seeing. However, I now see
another problem when I run a few GSS client tests in a row:

>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=localhost UDP:42665, timeout=3, number of
retries =3, #bytes=245
>>> KDCCommunication: kdc=localhost UDP:42665, timeout=3,Attempt =1,
#bytes=245
SocketTimeOutException with attempt: 1
>>> KDCCommunication: kdc=localhost UDP:42665, timeout=3,Attempt =2,
#bytes=245
>>> KrbKdcReq send: error trying localhost:42665
java.net.PortUnreachableException: ICMP Port Unreachable

Do you want me to create a JIRA + attach a test-case?

Colm.

On Sat, May 6, 2017 at 2:01 AM, Zheng, Kai <kai.zh...@intel.com> wrote:

> I haven't repeated the issue but revisited the codes again and made
> improvements. Would you check it out? Thanks!
>
> Sent from iPhone
>
> > On May 6, 2017, at 6:28 AM, Zheng, Kai <kai.zh...@intel.com> wrote:
> >
> > Thanks colm for the clarification and it sounds an issue we need to
> address. I will investigate it soon.
> >
> > Sent from iPhone
> >
> >> On May 6, 2017, at 2:14 AM, Colm O hEigeartaigh <cohei...@apache.org> wrote:
> >>
> >> Hi Kai,
> >>
> >> If I enable UDP with the default Transport, I can get a ticket fine
> using
> >> kinit. However then the following error pops up in the window I'm
> running
> >> Kerby in (as a test):
> >>
> >> Exception in thread "Thread-1" java.lang.RuntimeException: Error occured
> >> while checking udp connections
> >>   at
> >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
> KdcNetwork.java:105)
> >>   at
> >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
> access$000(KdcNetwork.java:39)
> >>   at
> >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.
> run(KdcNetwork.java:75)
> >>   at java.lang.Thread.run(Thread.java:748)
> >> Caused by: java.nio.channels.ClosedChannelException
> >>   at
> >> sun.nio.ch.DatagramChannelImpl.ensureOpen(DatagramChannelImpl.java:320)
> >>   at sun.nio.ch.DatagramChannelImpl.receive(
> DatagramChannelImpl.java:331)
> >>   at
> >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
> checkUdpMessage(KdcNetwork.java:132)
> >>   at
> >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
> KdcNetwork.java:101)
> >>
> >> Colm.
> >>
> >>
> >>> On Fri, May 5, 2017 at 5:56 PM, Zheng, Kai <kai.zh...@intel.com>
> wrote:
> >>>
> >>> Colm, did you see udp problem now instead? I'm a little confused. Udp
> is
> >>> sure supported but may not be enabled by default, which should be okay,
> >>> imo. Thanks.
> >>>
> >>> Sent from iPhone
> >>>
> >>>> On May 6, 2017, at 12:02 AM, Colm O hEigeartaigh <cohei...@apache.org> wrote:
> >>>>
> >>>> That's probably it. Why does the default transport not support UDP in
> >>> Kerby?
> >>>>
> >>>> Colm.
> >>>>
> >>>>> On Fri, May 5, 2017 at 4:54 PM, Li, Jiajia <jiajia...@intel.com>
> wrote:
> >>>>>
> >>>>> Are you sure add kdc_allow_udp = false in kdc.conf?
> >>>>>
> >>>>> Thanks
> >>>>> Jiajia
> >>>>>
> >>>>> -Original Message-
> >>>>> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> >>>>> Sent: Friday, May 5, 2017 11:41 PM
> >>>>> To: Li, Jiajia <jiajia...@intel.com>
> >>>>> Cc: kerby@directory.apache.org; Zheng, Kai <kai.zh...@intel.com>;
> >>> mailto:
> >>>>> m.c.delig...@xs4all.nl <m.c.delig...@xs4all.nl>
> >>>>> Subject: Re: MIT Kerberos compatibility
> >>>>>
> >>>>> Sorry, it was my error, UDP was actually enabled there. But why am I
> >>> still
> >>>>> seeing that error message?
> >>>>>
> >>>>> Colm.
> >>>>>
> >>>>>> On Fri, May 5, 2017 at 4:39 PM, Li, Jiajia <jiajia...@intel.com>
> >>> wrote:
> >>>>>>
> >>>>>> Hi Colm,
> >>>>>> I also test the Kerby KDC with kerby kinit and MIT kinit, and only
> >>>>>> listen the tcp port(disable udp), both got ticket successfully. But
>

Re: MIT Kerberos compatibility

2017-05-07 Thread Marc de Lignie
Did not find credential 
for 
krb5_ccache_conf_data/negative-cache/test-service\134/localhost\1...@test.com@X-CACHECONF: 
in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential 
for krb5_ccache_conf_data/lkdc-hostname@X-CACHECONF: in cache 
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential 
for krb5_ccache_conf_data/sitename@X-CACHECONF: in cache 
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential 
for test-service/localh...@test.com in cache 
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-md5-deprecated not supported
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-md4-deprecated not supported
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-crc-deprecated not supported
2017-05-04T20:44:06 Trying to find service kdc for realm TEST.COM 
flags 0

2017-05-04T20:44:06 configuration file for realm TEST.COM found
2017-05-04T20:44:06 submissing new requests to new host
2017-05-04T20:44:06 host_create: setting hostname localhost
2017-05-04T20:44:06 connecting to host: udp ::1:52534 (localhost) 
tid: 0001

2017-05-04T20:44:06 host_create: setting hostname localhost
2017-05-04T20:44:06 Queuing host in future (in 3s), its the 2 address 
on the same name: udp 127.0.0.1:52534 (localhost) tid: 0002
2017-05-04T20:44:06 writing packet: udp ::1:52534 (localhost) tid: 
0001
2017-05-04T20:44:06 reading packet: udp ::1:52534 (localhost) tid: 
0001
2017-05-04T20:44:06 host completed: udp ::1:52534 (localhost) tid: 
0001
2017-05-04T20:44:06 krb5_sendto_context TEST.COM done: 0 hosts 1 
packets 1 wc: 0.048927 nr: 0.000932 kh: 0.000814 tid: 0002

2017-05-04T20:44:06 tkt: extract key 17/763641F3
2017-05-04T20:44:06 set-error: -1765328353: Decrypt integrity check 
failed for checksum type hmac-sha1-96-aes128, key type 
aes128-cts-hmac-sha1-96

2017-05-04T20:44:06 tkt: extract key 17/3084A95C
2017-05-04T20:44:06 krb5_get_credentials_with_flags: TEST.COM wc: 
0.050317
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential 
for krb5_ccache_conf_data/realm-config@X-CACHECONF: in cache 
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential 
for 
krb5_ccache_conf_data/time-offset/test-service\134/localhost\1...@test.com@X-CACHECONF: 
in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc

2017-05-04T20:44:06 Setting up PFS for auth context
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-md5-deprecated not supported
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-md4-deprecated not supported
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-crc-deprecated not supported

First kerberos.authGSSClientStep successful

Thanks
Jiajia

-Original Message-
From: Zheng, Kai [mailto:kai.zh...@intel.com]
Sent: Wednesday, May 3, 2017 7:29 PM
To: kerby@directory.apache.org
Subject: RE: MIT Kerberos compatibility

Hi Marc,

In case you're not aware of this, please check out the latest fix 
made by Jiajia. We thought your case may be different, but would be 
good to have a check before we can repeat/fix your case. Thanks.

https://issues.apache.org/jira/browse/DIRKRB-625

Regards,
Kai

-Original Message-
From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl]
Sent: Sunday, April 30, 2017 7:45 PM
To: kerby@directory.apache.org
Subject: Re: MIT Kerberos compatibility

Hi Kai,

The terminal output below is for the latest MIT Kerberos 1.15.1 
(locally built on Ubuntu Xenial). Before that, I also tested with the 
default Xenial MIT Kerberos packages (1.13.2), with the same result. 
I did not try earlier MIT Kerberos versions.


Marc

On 29-04-17 at 21:42, Marc de Lignie wrote:

Hi Kai,

Thanks for the response. I prepared a minimal config that reproduces
my problem.

You can fetch the branch/commit from:
https://github.com/vtslab/directory-kerby/commits/MitIssue

This is relative to RC2, but I also tried this on trunk for my actual
project.

This config produces the debug and error messages below.

1. For the terminal with the bash + python script

$ klist
Ticket cache: FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
Default principal: dran...@test.com

Valid starting     Expires            Service principal
29-04-17 21:07:39  30-04-17 05:07:39  krbtgt/test@test.com
        renew until 29-04-17 21:07:39

$ . kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/MitIssueTest.sh
[15538] 1493491231.917606: Retrieving dran...@test.com from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[15538] 1493491231.917827: Retrieving dran...@test.com from FILE:/etc/krb5/
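
The client trace quoted in this message, triaged by krb5 error code. This is an added example, not part of the thread or of Kerby's code; the function names are hypothetical, the constant names are the usual krb5 error-table names for the three codes in the trace, and the sample is an excerpt of that trace, wrapped as the mail client left it.

```python
import re
from collections import Counter

# The three krb5 error-table codes that occur in the trace, with their
# usual constant names (the table starts at -1765328384).
KRB5_CODES = {
    -1765328353: "KRB5KRB_AP_ERR_BAD_INTEGRITY",
    -1765328243: "KRB5_CC_NOTFOUND",
    -1765328234: "KRB5_PROG_ETYPE_NOSUPP",
}

RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2} ")
# Progress lines printed by the python test script, not by the krb5 library.
STATUS = re.compile(r"^(?:First )?kerberos\.authGSSClient\w+ successful$")
SET_ERROR = re.compile(r"^set-error: (-?\d+): (.*)$")
CC_MISS = re.compile(r"^Did not find credential for (\S+?):? in cache")
CONNECT = re.compile(r"^connecting to host: (\w+) (\S+) ")


def join_wrapped(text):
    """Undo mail wrapping: a record starts at a timestamp, other lines continue it."""
    records, status = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if STATUS.match(line):
            status.append(line)
        elif RECORD_START.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records, status


def triage(text):
    """Group set-error records by code and pull out what matters for debugging."""
    records, status = join_wrapped(text)
    by_code = Counter()
    conf_misses, ticket_misses, integrity, endpoints = [], [], [], []
    for rec in records:
        _, _, body = rec.partition(" ")
        err = SET_ERROR.match(body)
        if err:
            code, msg = int(err.group(1)), err.group(2)
            by_code[KRB5_CODES.get(code, str(code))] += 1
            miss = CC_MISS.match(msg)
            if miss:
                name = miss.group(1)
                # Cache-config lookups and ticket lookups share one error code;
                # only the second kind says a ticket is absent from the cache.
                if name.startswith("krb5_ccache_conf_data/"):
                    conf_misses.append(name)
                else:
                    ticket_misses.append(name)
            elif code == -1765328353:
                integrity.append(msg)
            continue
        conn = CONNECT.match(body)
        if conn:
            endpoints.append((conn.group(1), conn.group(2)))
    return {
        "by_code": dict(by_code),
        "conf_misses": conf_misses,
        "ticket_misses": ticket_misses,
        "integrity": integrity,
        "endpoints": endpoints,
        "status": status,
    }


# Excerpt of the trace quoted in this thread. In that run these set-error
# lines appear although the first GSS step is reported successful, so they
# are counted here rather than treated as failures.
SAMPLE_TRACE = r"""
kerberos.authGSSClientInit successful
2017-05-04T20:44:06 set-error: -1765328234: entypes not supported
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for
krb5_ccache_conf_data/realm-config@X-CACHECONF: in cache
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for
test-service/localh...@test.com in cache
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328234: Encryption type
des-cbc-md5-deprecated not supported
2017-05-04T20:44:06 connecting to host: udp ::1:52534 (localhost) tid: 0001
2017-05-04T20:44:06 tkt: extract key 17/763641F3
2017-05-04T20:44:06 set-error: -1765328353: Decrypt integrity check failed for
checksum type hmac-sha1-96-aes128, key type aes128-cts-hmac-sha1-96
2017-05-04T20:44:06 tkt: extract key 17/3084A95C
First kerberos.authGSSClientStep successful
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_TRACE).items():
        print(key, value)
```

The `endpoints` list shows which transport the client actually used to reach the KDC, which is the first thing to check when comparing the UDP and TCP behaviour discussed in this thread.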

Re: MIT Kerberos compatibility

2017-05-06 Thread Marc de Lignie

Hi Jiajia,

Thanks for the netty config option. This indeed helped to get rid of the 
udp errors, but did not help in getting the service ticket (final error 
message remains the same).


I also noticed that I get the same error from the python console whether 
I specify the right service name or some service name for which no 
service principal exists in the TestKdc.


I did not succeed in getting mvn tst to print the debug logging of the 
various kdc classes involved.


Did you check with klist whether drankye's credential cache contains the 
service ticket for test-service?


Cheers, Marc


On 04-05-17 at 14:55, Li, Jiajia wrote:

Hi Marc,
I try to run your test (through applying your patch in the trunk), I think it's 
success now. Could you take some time to check about it?
Here is the log:

directory-kerby git:(trunk) ✗ . 
kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/MitIssueTest.sh
kerberos.authGSSClientInit successful
2017-05-04T20:44:06 set-error: -1765328234: entypes not supported
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for 
krb5_ccache_conf_data/realm-config@X-CACHECONF: in cache 
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for 
test-service/localh...@test.com in cache 
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for 
krb5_ccache_conf_data/negative-cache/test-service\134/localhost\1...@test.com@X-CACHECONF:
 in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for 
krb5_ccache_conf_data/lkdc-hostname@X-CACHECONF: in cache 
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for 
krb5_ccache_conf_data/sitename@X-CACHECONF: in cache 
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for 
test-service/localh...@test.com in cache 
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-md5-deprecated not supported
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-md4-deprecated not supported
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-crc-deprecated not supported
2017-05-04T20:44:06 Trying to find service kdc for realm TEST.COM flags 0
2017-05-04T20:44:06 configuration file for realm TEST.COM found
2017-05-04T20:44:06 submissing new requests to new host
2017-05-04T20:44:06 host_create: setting hostname localhost
2017-05-04T20:44:06 connecting to host: udp ::1:52534 (localhost) tid: 0001
2017-05-04T20:44:06 host_create: setting hostname localhost
2017-05-04T20:44:06 Queuing host in future (in 3s), its the 2 address on the 
same name: udp 127.0.0.1:52534 (localhost) tid: 0002
2017-05-04T20:44:06 writing packet: udp ::1:52534 (localhost) tid: 0001
2017-05-04T20:44:06 reading packet: udp ::1:52534 (localhost) tid: 0001
2017-05-04T20:44:06 host completed: udp ::1:52534 (localhost) tid: 0001
2017-05-04T20:44:06 krb5_sendto_context TEST.COM done: 0 hosts 1 packets 1 wc: 
0.048927 nr: 0.000932 kh: 0.000814 tid: 0002
2017-05-04T20:44:06 tkt: extract key 17/763641F3
2017-05-04T20:44:06 set-error: -1765328353: Decrypt integrity check failed for 
checksum type hmac-sha1-96-aes128, key type aes128-cts-hmac-sha1-96
2017-05-04T20:44:06 tkt: extract key 17/3084A95C
2017-05-04T20:44:06 krb5_get_credentials_with_flags: TEST.COM wc: 0.050317
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for 
krb5_ccache_conf_data/realm-config@X-CACHECONF: in cache 
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for 
krb5_ccache_conf_data/time-offset/test-service\134/localhost\1...@test.com@X-CACHECONF:
 in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 Setting up PFS for auth context
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-md5-deprecated not supported
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-md4-deprecated not supported
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-crc-deprecated not supported
First kerberos.authGSSClientStep successful

Thanks
Jiajia

-----Original Message-----
From: Zheng, Kai [mailto:kai.zh...@intel.com]
Sent: Wednesday, May 3, 2017 7:29 PM
To: kerby@directory.apache.org
Subject: RE: MIT Kerberos compatibility

Hi Marc,

In case you're not aware of this, please check out the latest fix made by 
Jiajia. We thought your case may be different, but would be good to have a 
check before we can repeat/fix your case. Thanks.
https://issues.apache.org/jira/browse/DIRKRB-625

Regards,
Kai

-----Original Message-----
From: Marc de Lignie [mailto:m.c.delig
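
An added example (not from the thread or the Kerby project): a small triage script for the client trace posted in the message above. It rejoins the mail-wrapped lines, maps the three `set-error` codes that occur in the trace to their standard krb5 error-table names, and separates routine cache lookups from entries worth a second look; the category names and the choice of what counts as routine are assumptions of this example.

```python
import re
from collections import Counter

# Excerpt of the trace posted above, mail-client line wrapping preserved.
# The principal appears as the list archive obfuscates it.
TRACE = """\
2017-05-04T20:44:06 set-error: -1765328234: entypes not supported
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for
krb5_ccache_conf_data/realm-config@X-CACHECONF: in cache
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for
test-service/localh...@test.com in cache
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328234: Encryption type
des-cbc-md5-deprecated not supported
2017-05-04T20:44:06 connecting to host: udp ::1:52534 (localhost) tid: 0001
2017-05-04T20:44:06 tkt: extract key 17/763641F3
2017-05-04T20:44:06 set-error: -1765328353: Decrypt integrity check failed for
checksum type hmac-sha1-96-aes128, key type aes128-cts-hmac-sha1-96
2017-05-04T20:44:06 tkt: extract key 17/3084A95C
"""

TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2} ")
SET_ERROR = re.compile(r"^(\S+) set-error: (-?\d+): (.*)$")

# Standard krb5 error-table names for the codes seen in the trace
# (added here; the thread itself only shows the numbers).
KRB5_NAMES = {
    -1765328353: "KRB5KRB_AP_ERR_BAD_INTEGRITY",
    -1765328243: "KRB5_CC_NOTFOUND",
    -1765328234: "KRB5_PROG_ETYPE_NOSUPP",
}

# Assumption of this example: these categories are treated as routine,
# because the client checks its cache before asking the KDC and skips
# encryption types it no longer supports.
ROUTINE = {"ccache-config-miss", "ticket-not-cached", "etype-unsupported"}


def unwrap(text):
    """Rejoin wrapped lines: a record starts at a timestamp."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TIMESTAMP.match(line) or not records:
            records.append(line)
        else:
            # Joined with a space; a token split mid-word would need manual repair.
            records[-1] += " " + line
    return records


def classify(code, message):
    """Map an error code and its message to a triage category."""
    name = KRB5_NAMES.get(code, "UNKNOWN")
    if name == "KRB5_CC_NOTFOUND":
        # X-CACHECONF: is the pseudo-realm of ccache configuration entries.
        if "@X-CACHECONF:" in message:
            return "ccache-config-miss"
        return "ticket-not-cached"
    if name == "KRB5_PROG_ETYPE_NOSUPP":
        return "etype-unsupported"
    if name == "KRB5KRB_AP_ERR_BAD_INTEGRITY":
        return "decrypt-integrity-failure"
    return "other"


def triage(text):
    """Return one finding per set-error record in the trace."""
    findings = []
    for record in unwrap(text):
        match = SET_ERROR.match(record)
        if not match:
            continue
        code = int(match.group(2))
        message = match.group(3)
        findings.append({
            "time": match.group(1),
            "code": code,
            "name": KRB5_NAMES.get(code, "UNKNOWN"),
            "category": classify(code, message),
            "message": message,
        })
    return findings


def summary(text):
    """Count findings per category."""
    return Counter(f["category"] for f in triage(text))


def needs_review(text):
    """Findings that are not in the routine set."""
    return [f for f in triage(text) if f["category"] not in ROUTINE]


if __name__ == "__main__":
    for category, count in summary(TRACE).most_common():
        print(f"{count:3d}  {category}")
    for finding in needs_review(TRACE):
        print("review:", finding["time"], finding["name"], finding["message"])
```
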

RE: MIT Kerberos compatibility

2017-05-05 Thread Li, Jiajia
I have tested the new improvement committed by Kai, without exceptions or
errors on my side.

Thanks
Jiajia

-----Original Message-----
From: Zheng, Kai [mailto:kai.zh...@intel.com] 
Sent: Saturday, May 6, 2017 9:01 AM
To: kerby@directory.apache.org; cohei...@apache.org
Subject: Re: MIT Kerberos compatibility

I haven't repeated the issue but revisited the code again and made
improvements. Would you check it out? Thanks!

Sent from iPhone

> On May 6, 2017, at 6:28 AM, Zheng, Kai <kai.zh...@intel.com> wrote:
> 
> Thanks Colm for the clarification and it sounds like an issue we need to address.
> I will investigate it soon.
> 
> Sent from iPhone
> 
>> On May 6, 2017, at 2:14 AM, Colm O hEigeartaigh <cohei...@apache.org> wrote:
>> 
>> Hi Kai,
>> 
>> If I enable UDP with the default Transport, I can get a ticket fine 
>> using kinit. However then the following error pops up in the window 
>> I'm running Kerby in (as a test):
>> 
>> Exception in thread "Thread-1" java.lang.RuntimeException: Error 
>> occured while checking udp connections
>>   at
>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(KdcNetwork.java:105)
>>   at
>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.access$000(KdcNetwork.java:39)
>>   at
>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.run(KdcNetwork.java:75)
>>   at java.lang.Thread.run(Thread.java:748)
>> Caused by: java.nio.channels.ClosedChannelException
>>   at
>> sun.nio.ch.DatagramChannelImpl.ensureOpen(DatagramChannelImpl.java:320)
>>   at sun.nio.ch.DatagramChannelImpl.receive(DatagramChannelImpl.java:331)
>>   at
>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.checkUdpMessage(KdcNetwork.java:132)
>>   at
>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(KdcNetwork.java:101)
>> 
>> Colm.
>> 
>> 
>>> On Fri, May 5, 2017 at 5:56 PM, Zheng, Kai <kai.zh...@intel.com> wrote:
>>> 
>>> Colm, did you see udp problem now instead? I'm a little confused. 
>>> Udp is sure supported but may not be enabled by default, which 
>>> should be okay, imo. Thanks.
>>> 
>>> Sent from iPhone
>>> 
>>>> On May 6, 2017, at 12:02 AM, Colm O hEigeartaigh <cohei...@apache.org> wrote:
>>>> 
>>>> That's probably it. Why does the default transport not support UDP 
>>>> in
>>> Kerby?
>>>> 
>>>> Colm.
>>>> 
>>>>> On Fri, May 5, 2017 at 4:54 PM, Li, Jiajia <jiajia...@intel.com> wrote:
>>>>> 
>>>>> Are you sure add kdc_allow_udp = false in kdc.conf?
>>>>> 
>>>>> Thanks
>>>>> Jiajia
>>>>> 
>>>>> -----Original Message-----
>>>>> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
>>>>> Sent: Friday, May 5, 2017 11:41 PM
>>>>> To: Li, Jiajia <jiajia...@intel.com>
>>>>> Cc: kerby@directory.apache.org; Zheng, Kai <kai.zh...@intel.com>;
>>> mailto:
>>>>> m.c.delig...@xs4all.nl <m.c.delig...@xs4all.nl>
>>>>> Subject: Re: MIT Kerberos compatibility
>>>>> 
>>>>> Sorry, it was my error, UDP was actually enabled there. But why am 
>>>>> I
>>> still
>>>>> seeing that error message?
>>>>> 
>>>>> Colm.
>>>>> 
>>>>>> On Fri, May 5, 2017 at 4:39 PM, Li, Jiajia <jiajia...@intel.com>
>>> wrote:
>>>>>> 
>>>>>> Hi Colm,
>>>>>> I also test the Kerby KDC with kerby kinit and MIT kinit, and only
>>>>>> listen the tcp port(disable udp), both got ticket successfully. 
>>>>>> But I don't get the error message. Both krb.conf and kdc.conf 
>>>>>> should set udp to be false, udp is enabled in default.
>>>>>> 
>>>>>> Thanks
>>>>>> Jiajia
>>>>>> 
>>>>>> -----Original Message-----
>>>>>> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
>>>>>> Sent: Friday, May 5, 2017 11:34 PM
>>>>>> To: kerby@directory.apache.org
>>>>>> Cc: Zheng, Kai <kai.zh...@intel.com>; 
>>>>>> mailto:m.c.delig...@xs4all.nl < m.c.delig...@xs4all.nl>
>>>>>> Subject: Re: MIT Kerberos compatibility
>>>>>> 
>>>>>> Hi Jiajia,
>>>>>> 
>>>>>> If UDP is disabled and we don't use Netty, I can get a token 

RE: MIT Kerberos compatibility

2017-05-05 Thread Li, Jiajia
I think it contains the service ticket for test-service. Here is the log:
klist
Credentials cache: FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
Principal: dran...@test.com
2017-05-06T07:59:44 set-error: -1765328243: Did not find credential for 
krb5_ccache_conf_data/FriendlyName@X-CACHECONF: in cache 
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc

Issued                Expires               Principal
May  6 07:57:58 2017  May  6 17:57:45 2017  krbtgt/test@test.com
May  6 07:59:40 2017  May  7 07:59:40 2017  test-service/localh...@test.com

Thanks
Jiajia
-----Original Message-----
From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl] 
Sent: Saturday, May 6, 2017 4:13 AM
To: Li, Jiajia <jiajia...@intel.com>
Cc: kerby@directory.apache.org
Subject: Re: MIT Kerberos compatibility

Hi Jiajia,

Thanks for the netty config option. This indeed helped to get rid of the udp 
errors, but did not help in getting the service ticket (final error message 
remains the same).

I also noticed that I get the same error from the python console whether I 
specify the right service name or some service name for which no service 
principal exists in the TestKdc.

I did not succeed in getting mvn tst to print the debug logging of the various 
kdc classes involved.

Did you check with klist whether drankye's credential cache contains the 
service ticket for test-service?

Cheers, Marc


Op 04-05-17 om 14:55 schreef Li, Jiajia:
> Hi Marc,
> I tried to run your test (through applying your patch in the trunk), and I think
> it succeeds now. Could you take some time to check it?
> Here is the log:
>
> directory-kerby git:(trunk) ✗ . 
> kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/MitIssueTest.sh
> kerberos.authGSSClientInit successful
> 2017-05-04T20:44:06 set-error: -1765328234: entypes not supported
> 2017-05-04T20:44:06 set-error: -1765328243: Did not find credential 
> for krb5_ccache_conf_data/realm-config@X-CACHECONF: in cache 
> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> 2017-05-04T20:44:06 set-error: -1765328243: Did not find credential 
> for test-service/localh...@test.com in cache 
> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> 2017-05-04T20:44:06 set-error: -1765328243: Did not find credential 
> for 
> krb5_ccache_conf_data/negative-cache/test-service\134/localhost\134@TEST.COM@X-CACHECONF: in cache
> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> 2017-05-04T20:44:06 set-error: -1765328243: Did not find credential 
> for krb5_ccache_conf_data/lkdc-hostname@X-CACHECONF: in cache 
> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> 2017-05-04T20:44:06 set-error: -1765328243: Did not find credential 
> for krb5_ccache_conf_data/sitename@X-CACHECONF: in cache 
> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> 2017-05-04T20:44:06 set-error: -1765328243: Did not find credential 
> for test-service/localh...@test.com in cache 
> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> 2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
> des-cbc-md5-deprecated not supported
> 2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
> des-cbc-md4-deprecated not supported
> 2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
> des-cbc-crc-deprecated not supported
> 2017-05-04T20:44:06 Trying to find service kdc for realm TEST.COM 
> flags 0
> 2017-05-04T20:44:06 configuration file for realm TEST.COM found
> 2017-05-04T20:44:06 submissing new requests to new host
> 2017-05-04T20:44:06 host_create: setting hostname localhost
> 2017-05-04T20:44:06 connecting to host: udp ::1:52534 (localhost) tid: 
> 0001
> 2017-05-04T20:44:06 host_create: setting hostname localhost
> 2017-05-04T20:44:06 Queuing host in future (in 3s), its the 2 address 
> on the same name: udp 127.0.0.1:52534 (localhost) tid: 0002
> 2017-05-04T20:44:06 writing packet: udp ::1:52534 (localhost) tid: 
> 0001
> 2017-05-04T20:44:06 reading packet: udp ::1:52534 (localhost) tid: 
> 0001
> 2017-05-04T20:44:06 host completed: udp ::1:52534 (localhost) tid: 
> 0001
> 2017-05-04T20:44:06 krb5_sendto_context TEST.COM done: 0 hosts 1 
> packets 1 wc: 0.048927 nr: 0.000932 kh: 0.000814 tid: 0002
> 2017-05-04T20:44:06 tkt: extract key 17/763641F3
> 2017-05-04T20:44:06 set-error: -1765328353: Decrypt integrity check 
> failed for checksum type hmac-sha1-96-aes128, key type 
> aes128-cts-hmac-sha1-96
> 2017-05-04T20:44:06 tkt: extract key 17/3084A95C
> 2017-05-04T20:44:06 krb5_get_credentials_with_flags: TEST.COM wc: 
> 0.050317
> 2017-05-04T20:44:06 set-error: -1765328243: Did not find credential 
> for krb5_ccache_conf_data/realm-config@X-CACHECONF: in cache 
> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> 2017-05-

Re: MIT Kerberos compatibility

2017-05-05 Thread Zheng, Kai
Thanks Colm for the clarification and it sounds like an issue we need to address. I
will investigate it soon.

Sent from iPhone

> On May 6, 2017, at 2:14 AM, Colm O hEigeartaigh <cohei...@apache.org> wrote:
> 
> Hi Kai,
> 
> If I enable UDP with the default Transport, I can get a ticket fine using
> kinit. However then the following error pops up in the window I'm running
> Kerby in (as a test):
> 
> Exception in thread "Thread-1" java.lang.RuntimeException: Error occured
> while checking udp connections
>   at
> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(KdcNetwork.java:105)
>   at
> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.access$000(KdcNetwork.java:39)
>   at
> org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.run(KdcNetwork.java:75)
>   at java.lang.Thread.run(Thread.java:748)
> Caused by: java.nio.channels.ClosedChannelException
>   at
> sun.nio.ch.DatagramChannelImpl.ensureOpen(DatagramChannelImpl.java:320)
>   at sun.nio.ch.DatagramChannelImpl.receive(DatagramChannelImpl.java:331)
>   at
> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.checkUdpMessage(KdcNetwork.java:132)
>   at
> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(KdcNetwork.java:101)
> 
> Colm.
> 
> 
>> On Fri, May 5, 2017 at 5:56 PM, Zheng, Kai <kai.zh...@intel.com> wrote:
>> 
>> Colm, did you see udp problem now instead? I'm a little confused. Udp is
>> sure supported but may not be enabled by default, which should be okay,
>> imo. Thanks.
>> 
>> Sent from iPhone
>> 
>>> On May 6, 2017, at 12:02 AM, Colm O hEigeartaigh <cohei...@apache.org> wrote:
>>> 
>>> That's probably it. Why does the default transport not support UDP in
>> Kerby?
>>> 
>>> Colm.
>>> 
>>>> On Fri, May 5, 2017 at 4:54 PM, Li, Jiajia <jiajia...@intel.com> wrote:
>>>> 
>>>> Are you sure add kdc_allow_udp = false in kdc.conf?
>>>> 
>>>> Thanks
>>>> Jiajia
>>>> 
>>>> -----Original Message-----
>>>> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
>>>> Sent: Friday, May 5, 2017 11:41 PM
>>>> To: Li, Jiajia <jiajia...@intel.com>
>>>> Cc: kerby@directory.apache.org; Zheng, Kai <kai.zh...@intel.com>;
>> mailto:
>>>> m.c.delig...@xs4all.nl <m.c.delig...@xs4all.nl>
>>>> Subject: Re: MIT Kerberos compatibility
>>>> 
>>>> Sorry, it was my error, UDP was actually enabled there. But why am I
>> still
>>>> seeing that error message?
>>>> 
>>>> Colm.
>>>> 
>>>>> On Fri, May 5, 2017 at 4:39 PM, Li, Jiajia <jiajia...@intel.com>
>> wrote:
>>>>> 
>>>>> Hi Colm,
>>>>> I also test the Kerby KDC with kerby kinit and MIT kinit, and only
>>>>> listen the tcp port(disable udp), both got ticket successfully. But I
>>>>> don't get the error message. Both krb.conf and kdc.conf should set udp
>>>>> to be false, udp is enabled in default.
>>>>> 
>>>>> Thanks
>>>>> Jiajia
>>>>> 
>>>>> -----Original Message-----
>>>>> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
>>>>> Sent: Friday, May 5, 2017 11:34 PM
>>>>> To: kerby@directory.apache.org
>>>>> Cc: Zheng, Kai <kai.zh...@intel.com>; mailto:m.c.delig...@xs4all.nl <
>>>>> m.c.delig...@xs4all.nl>
>>>>> Subject: Re: MIT Kerberos compatibility
>>>>> 
>>>>> Hi Jiajia,
>>>>> 
>>>>> If UDP is disabled and we don't use Netty, I can get a token
>>>>> successfully via kinit. However I then see an error message in the
>> Kerby
>>>> console:
>>>>> 
>>>>> Exception in thread "Thread-1" java.lang.RuntimeException: Error
>>>>> occured while checking udp connections
>>>>>   at
>>>>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
>>>>> KdcNetwork.java:105)
>>>>>   at
>>>>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
>>>>> access$000(KdcNetwork.java:39)
>>>>>   at
>>>>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.
>>>>> run(KdcNetwork.java:75)
>>>>>   at java.lang.Thread.run(Thread.java:748)
>>>>> Caused by: java.nio.channels.ClosedChannelException
>>>>>   at
>>>>> sun.nio.c

Re: MIT Kerberos compatibility

2017-05-05 Thread Colm O hEigeartaigh
Hi Kai,

If I enable UDP with the default Transport, I can get a ticket fine using
kinit. However then the following error pops up in the window I'm running
Kerby in (as a test):

Exception in thread "Thread-1" java.lang.RuntimeException: Error occured
while checking udp connections
at
org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(KdcNetwork.java:105)
at
org.apache.kerby.kerberos.kerb.transport.KdcNetwork.access$000(KdcNetwork.java:39)
at
org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.run(KdcNetwork.java:75)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.nio.channels.ClosedChannelException
at
sun.nio.ch.DatagramChannelImpl.ensureOpen(DatagramChannelImpl.java:320)
at sun.nio.ch.DatagramChannelImpl.receive(DatagramChannelImpl.java:331)
at
org.apache.kerby.kerberos.kerb.transport.KdcNetwork.checkUdpMessage(KdcNetwork.java:132)
at
org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(KdcNetwork.java:101)

Colm.


On Fri, May 5, 2017 at 5:56 PM, Zheng, Kai <kai.zh...@intel.com> wrote:

> Colm, did you see udp problem now instead? I'm a little confused. Udp is
> sure supported but may not be enabled by default, which should be okay,
> imo. Thanks.
>
> Sent from iPhone
>
> > On May 6, 2017, at 12:02 AM, Colm O hEigeartaigh <cohei...@apache.org> wrote:
> >
> > That's probably it. Why does the default transport not support UDP in
> Kerby?
> >
> > Colm.
> >
> >> On Fri, May 5, 2017 at 4:54 PM, Li, Jiajia <jiajia...@intel.com> wrote:
> >>
> >> Are you sure add kdc_allow_udp = false in kdc.conf?
> >>
> >> Thanks
> >> Jiajia
> >>
> >> -----Original Message-----
> >> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> >> Sent: Friday, May 5, 2017 11:41 PM
> >> To: Li, Jiajia <jiajia...@intel.com>
> >> Cc: kerby@directory.apache.org; Zheng, Kai <kai.zh...@intel.com>;
> mailto:
> >> m.c.delig...@xs4all.nl <m.c.delig...@xs4all.nl>
> >> Subject: Re: MIT Kerberos compatibility
> >>
> >> Sorry, it was my error, UDP was actually enabled there. But why am I
> still
> >> seeing that error message?
> >>
> >> Colm.
> >>
> >>> On Fri, May 5, 2017 at 4:39 PM, Li, Jiajia <jiajia...@intel.com>
> wrote:
> >>>
> >>> Hi Colm,
> >>> I also test the Kerby KDC with kerby kinit and MIT kinit, and only
> >>> listen the tcp port(disable udp), both got ticket successfully. But I
> >>> don't get the error message. Both krb.conf and kdc.conf should set udp
> >>> to be false, udp is enabled in default.
> >>>
> >>> Thanks
> >>> Jiajia
> >>>
> >>> -----Original Message-----
> >>> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> >>> Sent: Friday, May 5, 2017 11:34 PM
> >>> To: kerby@directory.apache.org
> >>> Cc: Zheng, Kai <kai.zh...@intel.com>; mailto:m.c.delig...@xs4all.nl <
> >>> m.c.delig...@xs4all.nl>
> >>> Subject: Re: MIT Kerberos compatibility
> >>>
> >>> Hi Jiajia,
> >>>
> >>> If UDP is disabled and we don't use Netty, I can get a token
> >>> successfully via kinit. However I then see an error message in the
> Kerby
> >> console:
> >>>
> >>> Exception in thread "Thread-1" java.lang.RuntimeException: Error
> >>> occured while checking udp connections
> > >>>   at
> > >>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
> > >>> KdcNetwork.java:105)
> > >>>   at
> > >>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
> > >>> access$000(KdcNetwork.java:39)
> > >>>   at
> > >>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.
> > >>> run(KdcNetwork.java:75)
> > >>>   at java.lang.Thread.run(Thread.java:748)
> > >>> Caused by: java.nio.channels.ClosedChannelException
> > >>>   at
> > >>> sun.nio.ch.DatagramChannelImpl.ensureOpen(
> DatagramChannelImpl.java:320)
> > >>>   at sun.nio.ch.DatagramChannelImpl.receive(
> > >>> DatagramChannelImpl.java:331)
> > >>>   at
> > >>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
> > >>> checkUdpMessage(KdcNetwork.java:132)
> > >>>   at
> > >>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
> > >>> KdcNetwork.java:101)
> >>>
> >>> I'm not sure why we are seeing UDP errors when it's disabled?
> >>>
> >>> Colm.
>

Re: MIT Kerberos compatibility

2017-05-05 Thread Zheng, Kai
Colm, did you see udp problem now instead? I'm a little confused. Udp is sure 
supported but may not be enabled by default, which should be okay, imo. Thanks.

Sent from iPhone

> On May 6, 2017, at 12:02 AM, Colm O hEigeartaigh <cohei...@apache.org> wrote:
> 
> That's probably it. Why does the default transport not support UDP in Kerby?
> 
> Colm.
> 
>> On Fri, May 5, 2017 at 4:54 PM, Li, Jiajia <jiajia...@intel.com> wrote:
>> 
>> Are you sure add kdc_allow_udp = false in kdc.conf?
>> 
>> Thanks
>> Jiajia
>> 
>> -----Original Message-----
>> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
>> Sent: Friday, May 5, 2017 11:41 PM
>> To: Li, Jiajia <jiajia...@intel.com>
>> Cc: kerby@directory.apache.org; Zheng, Kai <kai.zh...@intel.com>; mailto:
>> m.c.delig...@xs4all.nl <m.c.delig...@xs4all.nl>
>> Subject: Re: MIT Kerberos compatibility
>> 
>> Sorry, it was my error, UDP was actually enabled there. But why am I still
>> seeing that error message?
>> 
>> Colm.
>> 
>>> On Fri, May 5, 2017 at 4:39 PM, Li, Jiajia <jiajia...@intel.com> wrote:
>>> 
>>> Hi Colm,
>>> I also test the Kerby KDC with kerby kinit and MIT kinit, and only
>>> listen the tcp port(disable udp), both got ticket successfully. But I
>>> don't get the error message. Both krb.conf and kdc.conf should set udp
>>> to be false, udp is enabled in default.
>>> 
>>> Thanks
>>> Jiajia
>>> 
>>> -----Original Message-----
>>> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
>>> Sent: Friday, May 5, 2017 11:34 PM
>>> To: kerby@directory.apache.org
>>> Cc: Zheng, Kai <kai.zh...@intel.com>; mailto:m.c.delig...@xs4all.nl <
>>> m.c.delig...@xs4all.nl>
>>> Subject: Re: MIT Kerberos compatibility
>>> 
>>> Hi Jiajia,
>>> 
>>> If UDP is disabled and we don't use Netty, I can get a token
>>> successfully via kinit. However I then see an error message in the Kerby
>> console:
>>> 
>>> Exception in thread "Thread-1" java.lang.RuntimeException: Error
>>> occured while checking udp connections
>>>   at
>>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
>>> KdcNetwork.java:105)
>>>   at
>>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
>>> access$000(KdcNetwork.java:39)
>>>   at
>>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.
>>> run(KdcNetwork.java:75)
>>>   at java.lang.Thread.run(Thread.java:748)
>>> Caused by: java.nio.channels.ClosedChannelException
>>>   at
>>> sun.nio.ch.DatagramChannelImpl.ensureOpen(DatagramChannelImpl.java:320)
>>>   at sun.nio.ch.DatagramChannelImpl.receive(
>>> DatagramChannelImpl.java:331)
>>>   at
>>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
>>> checkUdpMessage(KdcNetwork.java:132)
>>>   at
>>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
>>> KdcNetwork.java:101)
>>> 
>>> I'm not sure why we are seeing UDP errors when it's disabled?
>>> 
>>> Colm.
>>> 
>>>> On Fri, May 5, 2017 at 3:57 PM, Li, Jiajia <jiajia...@intel.com> wrote:
>>>> 
>>>> Hi Colm,
>>>> The shell client can't connect to kdc if the UDP is disabled.
>>>> We don't use Netty in default.
>>>> What's your test-cases? The same as the Marc's?
>>>> 
>>>> Thanks
>>>> Jiajia
>>>> 
>>>> -----Original Message-----
>>>> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
>>>> Sent: Friday, May 5, 2017 10:09 PM
>>>> To: kerby@directory.apache.org
>>>> Cc: Zheng, Kai <kai.zh...@intel.com>; mailto:m.c.delig...@xs4all.nl
>>>> < m.c.delig...@xs4all.nl>
>>>> Subject: Re: MIT Kerberos compatibility
>>>> 
>>>> Hi Jiajia,
>>>> 
>>>> What are the issues if UDP is disabled and we don't use Netty? I
>>>> tried doing this with my own test-cases and it didn't work, so it
>>>> would be good to get this fixed soon.
>>>> 
>>>> Colm.
>>>> 
>>>> On Fri, May 5, 2017 at 2:46 PM, Li, Jiajia <jiajia...@intel.com>
>> wrote:
>>>> 
>>>>> Hi Marc,
>>>>>>>> - your KRB5 tracing looks quite different. What OS and
>>>>>>>> mit-kerber

Re: MIT Kerberos compatibility

2017-05-05 Thread Colm O hEigeartaigh
That's probably it. Why does the default transport not support UDP in Kerby?

Colm.

On Fri, May 5, 2017 at 4:54 PM, Li, Jiajia <jiajia...@intel.com> wrote:

> Are you sure add kdc_allow_udp = false in kdc.conf?
>
> Thanks
> Jiajia
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Friday, May 5, 2017 11:41 PM
> To: Li, Jiajia <jiajia...@intel.com>
> Cc: kerby@directory.apache.org; Zheng, Kai <kai.zh...@intel.com>; mailto:
> m.c.delig...@xs4all.nl <m.c.delig...@xs4all.nl>
> Subject: Re: MIT Kerberos compatibility
>
> Sorry, it was my error, UDP was actually enabled there. But why am I still
> seeing that error message?
>
> Colm.
>
> On Fri, May 5, 2017 at 4:39 PM, Li, Jiajia <jiajia...@intel.com> wrote:
>
> > Hi Colm,
> > I also test the Kerby KDC with kerby kinit and MIT kinit, and only
> > listen the tcp port(disable udp), both got ticket successfully. But I
> > don't get the error message. Both krb.conf and kdc.conf should set udp
> > to be false, udp is enabled in default.
> >
> > Thanks
> > Jiajia
> >
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> > Sent: Friday, May 5, 2017 11:34 PM
> > To: kerby@directory.apache.org
> > Cc: Zheng, Kai <kai.zh...@intel.com>; mailto:m.c.delig...@xs4all.nl <
> > m.c.delig...@xs4all.nl>
> > Subject: Re: MIT Kerberos compatibility
> >
> > Hi Jiajia,
> >
> > If UDP is disabled and we don't use Netty, I can get a token
> > successfully via kinit. However I then see an error message in the Kerby
> console:
> >
> > Exception in thread "Thread-1" java.lang.RuntimeException: Error
> > occured while checking udp connections
> > at
> > org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
> > KdcNetwork.java:105)
> > at
> > org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
> > access$000(KdcNetwork.java:39)
> > at
> > org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.
> > run(KdcNetwork.java:75)
> > at java.lang.Thread.run(Thread.java:748)
> > Caused by: java.nio.channels.ClosedChannelException
> > at
> > sun.nio.ch.DatagramChannelImpl.ensureOpen(DatagramChannelImpl.java:320)
> > at sun.nio.ch.DatagramChannelImpl.receive(
> > DatagramChannelImpl.java:331)
> > at
> > org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
> > checkUdpMessage(KdcNetwork.java:132)
> > at
> > org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
> > KdcNetwork.java:101)
> >
> > I'm not sure why we are seeing UDP errors when it's disabled?
> >
> > Colm.
> >
> > On Fri, May 5, 2017 at 3:57 PM, Li, Jiajia <jiajia...@intel.com> wrote:
> >
> > > Hi Colm,
> > > The shell client can't connect to kdc if the UDP is disabled.
> > > We don't use Netty in default.
> > > What's your test-cases? The same as the Marc's?
> > >
> > > Thanks
> > > Jiajia
> > >
> > > -----Original Message-----
> > > From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> > > Sent: Friday, May 5, 2017 10:09 PM
> > > To: kerby@directory.apache.org
> > > Cc: Zheng, Kai <kai.zh...@intel.com>; mailto:m.c.delig...@xs4all.nl
> > > < m.c.delig...@xs4all.nl>
> > > Subject: Re: MIT Kerberos compatibility
> > >
> > > Hi Jiajia,
> > >
> > > What are the issues if UDP is disabled and we don't use Netty? I
> > > tried doing this with my own test-cases and it didn't work, so it
> > > would be good to get this fixed soon.
> > >
> > > Colm.
> > >
> > > On Fri, May 5, 2017 at 2:46 PM, Li, Jiajia <jiajia...@intel.com>
> wrote:
> > >
> > > > Hi Marc,
> > > > >>> - your KRB5 tracing looks quite different. What OS and
> > > > >>> mit-kerberos
> > > > version did you use?
> > > > I use mac os and the python version is 2.7.10
> > > >
> > > > >>>- your KRB5 tracing shows UDP comms between kerberos client and
> > > > >>>KDC,
> > > > despite the allowUDP = false setting
> > > > >>> in my test. I did this setting because I get different
> > > > >>> problems
> > > > without it, see the additional logs below. So,
> > > > >>>we must also be aware of networking problems at my side.
> > > > I enable the UDP and use netty n

RE: MIT Kerberos compatibility

2017-05-05 Thread Li, Jiajia
Are you sure add kdc_allow_udp = false in kdc.conf?

Thanks
Jiajia

-----Original Message-----
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Friday, May 5, 2017 11:41 PM
To: Li, Jiajia <jiajia...@intel.com>
Cc: kerby@directory.apache.org; Zheng, Kai <kai.zh...@intel.com>; 
mailto:m.c.delig...@xs4all.nl <m.c.delig...@xs4all.nl>
Subject: Re: MIT Kerberos compatibility

Sorry, it was my error, UDP was actually enabled there. But why am I still 
seeing that error message?

Colm.

On Fri, May 5, 2017 at 4:39 PM, Li, Jiajia <jiajia...@intel.com> wrote:

> Hi Colm,
> I also test the Kerby KDC with kerby kinit and MIT kinit, and only
> listen the tcp port(disable udp), both got ticket successfully. But I 
> don't get the error message. Both krb.conf and kdc.conf should set udp 
> to be false, udp is enabled in default.
>
> Thanks
> Jiajia
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Friday, May 5, 2017 11:34 PM
> To: kerby@directory.apache.org
> Cc: Zheng, Kai <kai.zh...@intel.com>; mailto:m.c.delig...@xs4all.nl < 
> m.c.delig...@xs4all.nl>
> Subject: Re: MIT Kerberos compatibility
>
> Hi Jiajia,
>
> If UDP is disabled and we don't use Netty, I can get a token 
> successfully via kinit. However I then see an error message in the Kerby 
> console:
>
> Exception in thread "Thread-1" java.lang.RuntimeException: Error 
> occured while checking udp connections
> at
> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
> KdcNetwork.java:105)
> at
> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
> access$000(KdcNetwork.java:39)
> at
> org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.
> run(KdcNetwork.java:75)
> at java.lang.Thread.run(Thread.java:748)
> Caused by: java.nio.channels.ClosedChannelException
> at
> sun.nio.ch.DatagramChannelImpl.ensureOpen(DatagramChannelImpl.java:320)
> at sun.nio.ch.DatagramChannelImpl.receive(
> DatagramChannelImpl.java:331)
> at
> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
> checkUdpMessage(KdcNetwork.java:132)
> at
> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
> KdcNetwork.java:101)
>
> I'm not sure why we are seeing UDP errors when it's disabled?
>
> Colm.
>
> On Fri, May 5, 2017 at 3:57 PM, Li, Jiajia <jiajia...@intel.com> wrote:
>
> > Hi Colm,
> > The shell client can't connect to kdc if the UDP is disabled.
> > We don't use Netty in default.
> > What's your test-cases? The same as the Marc's?
> >
> > Thanks
> > Jiajia
> >
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> > Sent: Friday, May 5, 2017 10:09 PM
> > To: kerby@directory.apache.org
> > Cc: Zheng, Kai <kai.zh...@intel.com>; mailto:m.c.delig...@xs4all.nl 
> > < m.c.delig...@xs4all.nl>
> > Subject: Re: MIT Kerberos compatibility
> >
> > Hi Jiajia,
> >
> > What are the issues if UDP is disabled and we don't use Netty? I 
> > tried doing this with my own test-cases and it didn't work, so it 
> > would be good to get this fixed soon.
> >
> > Colm.
> >
> > On Fri, May 5, 2017 at 2:46 PM, Li, Jiajia <jiajia...@intel.com> wrote:
> >
> > > Hi Marc,
> > > >>> - your KRB5 tracing looks quite different. What OS and 
> > > >>> mit-kerberos
> > > version did you use?
> > > I use mac os and the python version is 2.7.10
> > >
> > > >>>- your KRB5 tracing shows UDP comms between kerberos client and 
> > > >>>KDC,
> > > despite the allowUDP = false setting
> > > >>> in my test. I did this setting because I get different 
> > > >>> problems
> > > without it, see the additional logs below. So,
> > > >>>we must also be aware of networking problems at my side.
> > > I enable the UDP and use netty network, there are some issues if 
> > > UDP disabled, you can create a JIRA for this and we can fix this 
> > > issue in the next release version.
> > >
> > > The changes in my side as following:
> > >
> > > protected boolean allowUdp() {
> > > return true;
> > > }
> > > @Override
> > > protected void prepareKdc() throws KrbException {
> > > getKdcServer().setInnerKdcImpl(
> > > new NettyKdcServerImpl(getKdcServer().getKdcSetting()));
> > > super.prepareKdc();
> > > }
> > >
> > > Here is log of MitIssueTest:
> > > [INFO] Running org.a

Re: MIT Kerberos compatibility

2017-05-05 Thread Colm O hEigeartaigh
Sorry, it was my error, UDP was actually enabled there. But why am I still
seeing that error message?

Colm.

On Fri, May 5, 2017 at 4:39 PM, Li, Jiajia <jiajia...@intel.com> wrote:

> Hi Colm,
> I also test the Kerby KDC with kerby kinit and MIT kinit, and only listen
> the tcp port(disable udp),
> both got ticket successfully. But I don't get the error message. Both
> krb.conf and kdc.conf should set udp to be false, udp is enabled in default.
>
> Thanks
> Jiajia
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Friday, May 5, 2017 11:34 PM
> To: kerby@directory.apache.org
> Cc: Zheng, Kai <kai.zh...@intel.com>; mailto:m.c.delig...@xs4all.nl <
> m.c.delig...@xs4all.nl>
> Subject: Re: MIT Kerberos compatibility
>
> Hi Jiajia,
>
> If UDP is disabled and we don't use Netty, I can get a token successfully
> via kinit. However I then see an error message in the Kerby console:
>
> Exception in thread "Thread-1" java.lang.RuntimeException: Error occured
> while checking udp connections
> at
> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
> KdcNetwork.java:105)
> at
> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
> access$000(KdcNetwork.java:39)
> at
> org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.
> run(KdcNetwork.java:75)
> at java.lang.Thread.run(Thread.java:748)
> Caused by: java.nio.channels.ClosedChannelException
> at
> sun.nio.ch.DatagramChannelImpl.ensureOpen(DatagramChannelImpl.java:320)
> at sun.nio.ch.DatagramChannelImpl.receive(
> DatagramChannelImpl.java:331)
> at
> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
> checkUdpMessage(KdcNetwork.java:132)
> at
> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
> KdcNetwork.java:101)
>
> I'm not sure why we are seeing UDP errors when it's disabled?
>
> Colm.
>
> On Fri, May 5, 2017 at 3:57 PM, Li, Jiajia <jiajia...@intel.com> wrote:
>
> > Hi Colm,
> > The shell client can't connect to kdc if the UDP is disabled.
> > We don't use Netty in default.
> > What's your test-cases? The same as the Marc's?
> >
> > Thanks
> > Jiajia
> >
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> > Sent: Friday, May 5, 2017 10:09 PM
> > To: kerby@directory.apache.org
> > Cc: Zheng, Kai <kai.zh...@intel.com>; mailto:m.c.delig...@xs4all.nl <
> > m.c.delig...@xs4all.nl>
> > Subject: Re: MIT Kerberos compatibility
> >
> > Hi Jiajia,
> >
> > What are the issues if UDP is disabled and we don't use Netty? I tried
> > doing this with my own test-cases and it didn't work, so it would be
> > good to get this fixed soon.
> >
> > Colm.
> >
> > On Fri, May 5, 2017 at 2:46 PM, Li, Jiajia <jiajia...@intel.com> wrote:
> >
> > > Hi Marc,
> > > >>> - your KRB5 tracing looks quite different. What OS and
> > > >>> mit-kerberos
> > > version did you use?
> > > I use mac os and the python version is 2.7.10
> > >
> > > >>>- your KRB5 tracing shows UDP comms between kerberos client and
> > > >>>KDC,
> > > despite the allowUDP = false setting
> > > >>> in my test. I did this setting because I get different problems
> > > without it, see the additional logs below. So,
> > > >>>we must also be aware of networking problems at my side.
> > > I enable the UDP and use netty network, there are some issues if UDP
> > > disabled, you can create a JIRA for this and we can fix this issue
> > > in the next release version.
> > >
> > > The changes in my side as following:
> > >
> > > protected boolean allowUdp() {
> > > return true;
> > > }
> > > @Override
> > > protected void prepareKdc() throws KrbException {
> > > getKdcServer().setInnerKdcImpl(
> > > new NettyKdcServerImpl(getKdcServer().getKdcSetting()));
> > > super.prepareKdc();
> > > }
> > >
> > > Here is log of MitIssueTest:
> > > [INFO] Running org.apache.kerby.kerberos.kerb.server.MitIssueTest
> > > [nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler
> > > -
> > > [id: 0x2634fe6b] REGISTERED
> > > [nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler
> > > -
> > > [id: 0x2634fe6b] BIND(0.0.0.0/0.0.0.0:53957) [nioEventLoopGroup-2-1]
> > > INFO io.netty.handler.logging.LoggingHandler -
> > >

RE: MIT Kerberos compatibility

2017-05-05 Thread Li, Jiajia
Hi Colm,
I also test the Kerby KDC with kerby kinit and MIT kinit, and only listen the 
tcp port(disable udp),
both got ticket successfully. But I don't get the error message. Both krb.conf 
and kdc.conf should set udp to be false, udp is enabled in default.

Thanks
Jiajia

-----Original Message-----
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Friday, May 5, 2017 11:34 PM
To: kerby@directory.apache.org
Cc: Zheng, Kai <kai.zh...@intel.com>; mailto:m.c.delig...@xs4all.nl 
<m.c.delig...@xs4all.nl>
Subject: Re: MIT Kerberos compatibility

Hi Jiajia,

If UDP is disabled and we don't use Netty, I can get a token successfully via 
kinit. However I then see an error message in the Kerby console:

Exception in thread "Thread-1" java.lang.RuntimeException: Error occured while 
checking udp connections
at
org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(KdcNetwork.java:105)
at
org.apache.kerby.kerberos.kerb.transport.KdcNetwork.access$000(KdcNetwork.java:39)
at
org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.run(KdcNetwork.java:75)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.nio.channels.ClosedChannelException
at
sun.nio.ch.DatagramChannelImpl.ensureOpen(DatagramChannelImpl.java:320)
at sun.nio.ch.DatagramChannelImpl.receive(DatagramChannelImpl.java:331)
at
org.apache.kerby.kerberos.kerb.transport.KdcNetwork.checkUdpMessage(KdcNetwork.java:132)
at
org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(KdcNetwork.java:101)

I'm not sure why we are seeing UDP errors when it's disabled?

Colm.

On Fri, May 5, 2017 at 3:57 PM, Li, Jiajia <jiajia...@intel.com> wrote:

> Hi Colm,
> The shell client can't connect to kdc if the UDP is disabled.
> We don't use Netty in default.
> What's your test-cases? The same as the Marc's?
>
> Thanks
> Jiajia
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Friday, May 5, 2017 10:09 PM
> To: kerby@directory.apache.org
> Cc: Zheng, Kai <kai.zh...@intel.com>; mailto:m.c.delig...@xs4all.nl < 
> m.c.delig...@xs4all.nl>
> Subject: Re: MIT Kerberos compatibility
>
> Hi Jiajia,
>
> What are the issues if UDP is disabled and we don't use Netty? I tried 
> doing this with my own test-cases and it didn't work, so it would be 
> good to get this fixed soon.
>
> Colm.
>
> On Fri, May 5, 2017 at 2:46 PM, Li, Jiajia <jiajia...@intel.com> wrote:
>
> > Hi Marc,
> > >>> - your KRB5 tracing looks quite different. What OS and 
> > >>> mit-kerberos
> > version did you use?
> > I use mac os and the python version is 2.7.10
> >
> > >>>- your KRB5 tracing shows UDP comms between kerberos client and 
> > >>>KDC,
> > despite the allowUDP = false setting
> > >>> in my test. I did this setting because I get different problems
> > without it, see the additional logs below. So,
> > >>>we must also be aware of networking problems at my side.
> > I enable the UDP and use netty network, there are some issues if UDP 
> > disabled, you can create a JIRA for this and we can fix this issue 
> > in the next release version.
> >
> > The changes in my side as following:
> >
> > protected boolean allowUdp() {
> > return true;
> > }
> > @Override
> > protected void prepareKdc() throws KrbException {
> > getKdcServer().setInnerKdcImpl(
> > new NettyKdcServerImpl(getKdcServer().getKdcSetting()));
> > super.prepareKdc();
> > }
> >
> > Here is log of MitIssueTest:
> > [INFO] Running org.apache.kerby.kerberos.kerb.server.MitIssueTest
> > [nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler 
> > -
> > [id: 0x2634fe6b] REGISTERED
> > [nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler 
> > -
> > [id: 0x2634fe6b] BIND(0.0.0.0/0.0.0.0:53957) [nioEventLoopGroup-2-1] 
> > INFO io.netty.handler.logging.LoggingHandler -
> > [id: 0x2634fe6b, /0:0:0:0:0:0:0:0:53957] ACTIVE [main] INFO 
> > org.apache.kerby.kerberos.kdc.impl.NettyKdcServerImpl - Netty kdc 
> > server started.
> > [nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler 
> > -
> > [id: 0x2634fe6b, /0:0:0:0:0:0:0:0:53957] RECEIVED: [id: 0xdac7228b, 
> > /
> > 127.0.0.1:53961 => /127.0.0.1:53957] [defaultEventExecutorGroup-4-1] 
> > INFO org.apache.kerby.kerberos.kerb.server.request.AsRequest
> > - AS_REQ ISSUE: authtime 1493991123792,dran...@test.com for krbtgt/ 
> > test@test.com [main] INFO 
> > org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClient
> >

Re: MIT Kerberos compatibility

2017-05-05 Thread Zheng, Kai
I think we can check the TCP problem with our Java client and the MIT client. If 
both work we could still proceed; otherwise we need to fix it soon. Note the Python 
client does not look easy to debug. Anyone familiar?

Sent from iPhone

> On May 5, 2017, at 10:09 PM, Colm O hEigeartaigh <cohei...@apache.org> wrote:
> 
> Hi Jiajia,
> 
> What are the issues if UDP is disabled and we don't use Netty? I tried
> doing this with my own test-cases and it didn't work, so it would be good
> to get this fixed soon.
> 
> Colm.
> 
>> On Fri, May 5, 2017 at 2:46 PM, Li, Jiajia <jiajia...@intel.com> wrote:
>> 
>> Hi Marc,
>>>>> - your KRB5 tracing looks quite different. What OS and mit-kerberos
>> version did you use?
>> I use mac os and the python version is 2.7.10
>> 
>>>>> - your KRB5 tracing shows UDP comms between kerberos client and KDC,
>> despite the allowUDP = false setting
>>>>> in my test. I did this setting because I get different problems
>> without it, see the additional logs below. So,
>>>>> we must also be aware of networking problems at my side.
>> I enable the UDP and use netty network, there are some issues if UDP
>> disabled, you can create a JIRA for this and we can fix this issue in the
>> next release version.
>> 
>> The changes in my side as following:
>> 
>> protected boolean allowUdp() {
>>     return true;
>> }
>> @Override
>> protected void prepareKdc() throws KrbException {
>>     getKdcServer().setInnerKdcImpl(
>>         new NettyKdcServerImpl(getKdcServer().getKdcSetting()));
>>     super.prepareKdc();
>> }
>> 
>> Here is log of MitIssueTest:
>> [INFO] Running org.apache.kerby.kerberos.kerb.server.MitIssueTest
>> [nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler -
>> [id: 0x2634fe6b] REGISTERED
>> [nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler -
>> [id: 0x2634fe6b] BIND(0.0.0.0/0.0.0.0:53957)
>> [nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler -
>> [id: 0x2634fe6b, /0:0:0:0:0:0:0:0:53957] ACTIVE
>> [main] INFO org.apache.kerby.kerberos.kdc.impl.NettyKdcServerImpl - Netty
>> kdc server started.
>> [nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler -
>> [id: 0x2634fe6b, /0:0:0:0:0:0:0:0:53957] RECEIVED: [id: 0xdac7228b, /
>> 127.0.0.1:53961 => /127.0.0.1:53957]
>> [defaultEventExecutorGroup-4-1] INFO 
>> org.apache.kerby.kerberos.kerb.server.request.AsRequest
>> - AS_REQ ISSUE: authtime 1493991123792,dran...@test.com for krbtgt/
>> test@test.com
>> [main] INFO 
>> org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClient
>> - Send to kdc success.
>> [main] INFO org.apache.kerby.kerberos.kerb.client.KrbClientBase - Storing
>> the tgt to the credential cache file.
>> [nioEventLoopGroup-5-1] INFO 
>> org.apache.kerby.kerberos.kerb.server.request.KdcRequest
>> - The preauth data is empty.
>> [nioEventLoopGroup-5-1] INFO org.apache.kerby.kerberos.kerb.server.KdcHandler
>> - KRB error occurred while processing request:Additional pre-authentication
>> required
>> [nioEventLoopGroup-5-1] INFO 
>> org.apache.kerby.kerberos.kerb.server.request.AsRequest
>> - AS_REQ ISSUE: authtime 1493991123859,test-service/localh...@test.com
>> for krbtgt/test@test.com
>> [nioEventLoopGroup-5-1] INFO 
>> org.apache.kerby.kerberos.kerb.server.request.TgsRequest
>> - TGS_REQ ISSUE: authtime 1493991142850,drankye for test-service/
>> localh...@test.com
>> 
>> Thanks
>> Jiajia
>> 
>> -----Original Message-----
>> From: Zheng, Kai
>> Sent: Friday, May 5, 2017 7:46 PM
>> To: kerby@directory.apache.org; Li, Jiajia <jiajia...@intel.com>
>> Subject: RE: MIT Kerberos compatibility
>> 
>> Hi Marc,
>> 
>> Looks like this is quite environment related, could you fire an issue for
>> this? I would suggest we target it to 1.1.0, which can be done in June.
>> 
>> Regards,
>> Kai
>> 
>> -----Original Message-----
>> From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl]
>> Sent: Friday, May 05, 2017 4:44 PM
>> To: Li, Jiajia <jiajia...@intel.com>
>> Cc: kerby@directory.apache.org
>> Subject: Re: MIT Kerberos compatibility
>> 
>> Hi Jiajia,
>> 
>> Great to read that you made progress on this issue and to see a working
>> config at your side. Below, I list my progress below (with trunk merged
>> into my MitIssue branch), but I am afraid we are not done yet.
>> 
>> Things that stand out:
>> 

Re: MIT Kerberos compatibility

2017-05-05 Thread Colm O hEigeartaigh
Hi Jiajia,

If UDP is disabled and we don't use Netty, I can get a token successfully
via kinit. However I then see an error message in the Kerby console:

Exception in thread "Thread-1" java.lang.RuntimeException: Error occured
while checking udp connections
at
org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(KdcNetwork.java:105)
at
org.apache.kerby.kerberos.kerb.transport.KdcNetwork.access$000(KdcNetwork.java:39)
at
org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.run(KdcNetwork.java:75)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.nio.channels.ClosedChannelException
at
sun.nio.ch.DatagramChannelImpl.ensureOpen(DatagramChannelImpl.java:320)
at sun.nio.ch.DatagramChannelImpl.receive(DatagramChannelImpl.java:331)
at
org.apache.kerby.kerberos.kerb.transport.KdcNetwork.checkUdpMessage(KdcNetwork.java:132)
at
org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(KdcNetwork.java:101)

I'm not sure why we are seeing UDP errors when it's disabled?

Colm.

On Fri, May 5, 2017 at 3:57 PM, Li, Jiajia <jiajia...@intel.com> wrote:

> Hi Colm,
> The shell client can't connect to kdc if the UDP is disabled.
> We don't use Netty in default.
> What's your test-cases? The same as the Marc's?
>
> Thanks
> Jiajia
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Friday, May 5, 2017 10:09 PM
> To: kerby@directory.apache.org
> Cc: Zheng, Kai <kai.zh...@intel.com>; mailto:m.c.delig...@xs4all.nl <
> m.c.delig...@xs4all.nl>
> Subject: Re: MIT Kerberos compatibility
>
> Hi Jiajia,
>
> What are the issues if UDP is disabled and we don't use Netty? I tried
> doing this with my own test-cases and it didn't work, so it would be good
> to get this fixed soon.
>
> Colm.
>
> On Fri, May 5, 2017 at 2:46 PM, Li, Jiajia <jiajia...@intel.com> wrote:
>
> > Hi Marc,
> > >>> - your KRB5 tracing looks quite different. What OS and
> > >>> mit-kerberos
> > version did you use?
> > I use mac os and the python version is 2.7.10
> >
> > >>>- your KRB5 tracing shows UDP comms between kerberos client and
> > >>>KDC,
> > despite the allowUDP = false setting
> > >>> in my test. I did this setting because I get different problems
> > without it, see the additional logs below. So,
> > >>>we must also be aware of networking problems at my side.
> > I enable the UDP and use netty network, there are some issues if UDP
> > disabled, you can create a JIRA for this and we can fix this issue in
> > the next release version.
> >
> > The changes in my side as following:
> >
> > protected boolean allowUdp() {
> > return true;
> > }
> > @Override
> > protected void prepareKdc() throws KrbException {
> > getKdcServer().setInnerKdcImpl(
> > new NettyKdcServerImpl(getKdcServer().getKdcSetting()));
> > super.prepareKdc();
> > }
> >
> > Here is log of MitIssueTest:
> > [INFO] Running org.apache.kerby.kerberos.kerb.server.MitIssueTest
> > [nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler -
> > [id: 0x2634fe6b] REGISTERED
> > [nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler -
> > [id: 0x2634fe6b] BIND(0.0.0.0/0.0.0.0:53957) [nioEventLoopGroup-2-1]
> > INFO io.netty.handler.logging.LoggingHandler -
> > [id: 0x2634fe6b, /0:0:0:0:0:0:0:0:53957] ACTIVE [main] INFO
> > org.apache.kerby.kerberos.kdc.impl.NettyKdcServerImpl - Netty kdc
> > server started.
> > [nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler -
> > [id: 0x2634fe6b, /0:0:0:0:0:0:0:0:53957] RECEIVED: [id: 0xdac7228b, /
> > 127.0.0.1:53961 => /127.0.0.1:53957]
> > [defaultEventExecutorGroup-4-1] INFO
> > org.apache.kerby.kerberos.kerb.server.request.AsRequest
> > - AS_REQ ISSUE: authtime 1493991123792,dran...@test.com for krbtgt/
> > test@test.com [main] INFO
> > org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClient
> > - Send to kdc success.
> > [main] INFO org.apache.kerby.kerberos.kerb.client.KrbClientBase -
> > Storing the tgt to the credential cache file.
> > [nioEventLoopGroup-5-1] INFO
> > org.apache.kerby.kerberos.kerb.server.request.KdcRequest
> > - The preauth data is empty.
> > [nioEventLoopGroup-5-1] INFO
> > org.apache.kerby.kerberos.kerb.server.KdcHandler
> > - KRB error occurred while processing request:Additional
> > pre-authentication required [nioEventLoopGroup-5-1] INFO
> > org.apache.kerby.kerberos.kerb.server.request.AsRequest
> > - AS_REQ ISSUE: authtime 1493991123859,test-service/loca
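
The JDK behaviour behind the stack trace in the message above, as an added example that is not part of the thread and is not Apache Kerby's code: `DatagramChannel.receive` on a closed channel throws `ClosedChannelException`, and a polling method that rethrows it as `RuntimeException` ends its thread. The class and method names are hypothetical, and the guard is one possible way to handle a disabled or closed UDP channel, not the fix applied in Kerby.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.nio.ByteBuffer;
import java.nio.channels.ClosedChannelException;
import java.nio.channels.DatagramChannel;

/** Hypothetical demo class; it does not reproduce Kerby's KdcNetwork. */
public class UdpPollDemo {

    /**
     * Unguarded check: receive() is called whatever the channel state is,
     * and any IOException is rethrown unchecked. On a closed channel this
     * produces the same exception chain as the trace in the message.
     */
    static void checkUdpUnguarded(DatagramChannel udp) {
        try {
            ByteBuffer buf = ByteBuffer.allocate(65507);
            udp.receive(buf); // ClosedChannelException if udp is closed
        } catch (IOException e) {
            throw new RuntimeException("Error while checking udp connections", e);
        }
    }

    /**
     * Guarded check: a null channel (UDP disabled) or a closed channel is
     * skipped, and a close that races with receive() is treated as a normal
     * shutdown. Returns true only when a datagram was actually read.
     */
    static boolean checkUdpGuarded(DatagramChannel udp) throws IOException {
        if (udp == null || !udp.isOpen()) {
            return false;
        }
        try {
            ByteBuffer buf = ByteBuffer.allocate(65507);
            // Non-blocking receive returns null when nothing is queued.
            return udp.receive(buf) != null;
        } catch (ClosedChannelException e) {
            // Also covers AsynchronousCloseException, a subclass.
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed setup: a non-blocking UDP channel on an ephemeral
        // loopback port, then closed to simulate UDP being shut down.
        DatagramChannel udp = DatagramChannel.open();
        udp.configureBlocking(false);
        udp.bind(new InetSocketAddress("127.0.0.1", 0));

        System.out.println("open channel, guarded:   " + checkUdpGuarded(udp));

        udp.close();
        try {
            checkUdpUnguarded(udp);
        } catch (RuntimeException e) {
            System.out.println("closed channel, unguarded: caused by "
                    + e.getCause().getClass().getName());
        }

        System.out.println("closed channel, guarded: " + checkUdpGuarded(udp));
        System.out.println("UDP disabled (null):     " + checkUdpGuarded(null));
    }
}
```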

RE: MIT Kerberos compatibility

2017-05-05 Thread Li, Jiajia
Hi Colm,
The shell client can't connect to kdc if the UDP is disabled. 
We don't use Netty in default.
What's your test-cases? The same as the Marc's?

Thanks
Jiajia

-----Original Message-----
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Friday, May 5, 2017 10:09 PM
To: kerby@directory.apache.org
Cc: Zheng, Kai <kai.zh...@intel.com>; mailto:m.c.delig...@xs4all.nl 
<m.c.delig...@xs4all.nl>
Subject: Re: MIT Kerberos compatibility

Hi Jiajia,

What are the issues if UDP is disabled and we don't use Netty? I tried doing 
this with my own test-cases and it didn't work, so it would be good to get this 
fixed soon.

Colm.

On Fri, May 5, 2017 at 2:46 PM, Li, Jiajia <jiajia...@intel.com> wrote:

> Hi Marc,
> >>> - your KRB5 tracing looks quite different. What OS and 
> >>> mit-kerberos
> version did you use?
> I use mac os and the python version is 2.7.10
>
> >>>- your KRB5 tracing shows UDP comms between kerberos client and 
> >>>KDC,
> despite the allowUDP = false setting
> >>> in my test. I did this setting because I get different problems
> without it, see the additional logs below. So,
> >>>we must also be aware of networking problems at my side.
> I enable the UDP and use netty network, there are some issues if UDP 
> disabled, you can create a JIRA for this and we can fix this issue in 
> the next release version.
>
> The changes in my side as following:
>
> protected boolean allowUdp() {
> return true;
> }
> @Override
> protected void prepareKdc() throws KrbException {
> getKdcServer().setInnerKdcImpl(
> new NettyKdcServerImpl(getKdcServer().getKdcSetting()));
> super.prepareKdc();
> }
>
> Here is log of MitIssueTest:
> [INFO] Running org.apache.kerby.kerberos.kerb.server.MitIssueTest
> [nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler -
> [id: 0x2634fe6b] REGISTERED
> [nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler -
> [id: 0x2634fe6b] BIND(0.0.0.0/0.0.0.0:53957) [nioEventLoopGroup-2-1] 
> INFO io.netty.handler.logging.LoggingHandler -
> [id: 0x2634fe6b, /0:0:0:0:0:0:0:0:53957] ACTIVE [main] INFO 
> org.apache.kerby.kerberos.kdc.impl.NettyKdcServerImpl - Netty kdc 
> server started.
> [nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler -
> [id: 0x2634fe6b, /0:0:0:0:0:0:0:0:53957] RECEIVED: [id: 0xdac7228b, /
> 127.0.0.1:53961 => /127.0.0.1:53957]
> [defaultEventExecutorGroup-4-1] INFO 
> org.apache.kerby.kerberos.kerb.server.request.AsRequest
> - AS_REQ ISSUE: authtime 1493991123792,dran...@test.com for krbtgt/ 
> test@test.com [main] INFO 
> org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClient
> - Send to kdc success.
> [main] INFO org.apache.kerby.kerberos.kerb.client.KrbClientBase - 
> Storing the tgt to the credential cache file.
> [nioEventLoopGroup-5-1] INFO 
> org.apache.kerby.kerberos.kerb.server.request.KdcRequest
> - The preauth data is empty.
> [nioEventLoopGroup-5-1] INFO 
> org.apache.kerby.kerberos.kerb.server.KdcHandler
> - KRB error occurred while processing request:Additional 
> pre-authentication required [nioEventLoopGroup-5-1] INFO 
> org.apache.kerby.kerberos.kerb.server.request.AsRequest
> - AS_REQ ISSUE: authtime 1493991123859,test-service/localh...@test.com
> for krbtgt/test@test.com
> [nioEventLoopGroup-5-1] INFO 
> org.apache.kerby.kerberos.kerb.server.request.TgsRequest
> - TGS_REQ ISSUE: authtime 1493991142850,drankye for test-service/ 
> localh...@test.com
>
> Thanks
> Jiajia
>
> -----Original Message-----
> From: Zheng, Kai
> Sent: Friday, May 5, 2017 7:46 PM
> To: kerby@directory.apache.org; Li, Jiajia <jiajia...@intel.com>
> Subject: RE: MIT Kerberos compatibility
>
> Hi Marc,
>
> Looks like this is quite environment related, could you fire an issue 
> for this? I would suggest we target it to 1.1.0, which can be done in June.
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl]
> Sent: Friday, May 05, 2017 4:44 PM
> To: Li, Jiajia <jiajia...@intel.com>
> Cc: kerby@directory.apache.org
> Subject: Re: MIT Kerberos compatibility
>
> Hi Jiajia,
>
> Great to read that you made progress on this issue and to see a 
> working config at your side. Below, I list my progress below (with 
> trunk merged into my MitIssue branch), but I am afraid we are not done yet.
>
> Things that stand out:
>
> - the kdc decoding error is solved, relative to the logs without your 
> patch
>
> - your KRB5 tracing looks quite different. What OS and mit-kerberos 
> version did you use?
>
> - your KRB5 tracing shows UDP comms between kerberos 

Re: MIT Kerberos compatibility

2017-05-05 Thread Colm O hEigeartaigh
Hi Jiajia,

What are the issues if UDP is disabled and we don't use Netty? I tried
doing this with my own test-cases and it didn't work, so it would be good
to get this fixed soon.

Colm.

On Fri, May 5, 2017 at 2:46 PM, Li, Jiajia <jiajia...@intel.com> wrote:

> Hi Marc,
> >>> - your KRB5 tracing looks quite different. What OS and mit-kerberos
> version did you use?
> I use mac os and the python version is 2.7.10
>
> >>>- your KRB5 tracing shows UDP comms between kerberos client and KDC,
> despite the allowUDP = false setting
> >>> in my test. I did this setting because I get different problems
> without it, see the additional logs below. So,
> >>>we must also be aware of networking problems at my side.
> I enable the UDP and use netty network, there are some issues if UDP
> disabled, you can create a JIRA for this and we can fix this issue in the
> next release version.
>
> The changes in my side as following:
>
> protected boolean allowUdp() {
> return true;
> }
> @Override
> protected void prepareKdc() throws KrbException {
> getKdcServer().setInnerKdcImpl(
> new NettyKdcServerImpl(getKdcServer().getKdcSetting()));
> super.prepareKdc();
> }
>
> Here is log of MitIssueTest:
> [INFO] Running org.apache.kerby.kerberos.kerb.server.MitIssueTest
> [nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler -
> [id: 0x2634fe6b] REGISTERED
> [nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler -
> [id: 0x2634fe6b] BIND(0.0.0.0/0.0.0.0:53957)
> [nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler -
> [id: 0x2634fe6b, /0:0:0:0:0:0:0:0:53957] ACTIVE
> [main] INFO org.apache.kerby.kerberos.kdc.impl.NettyKdcServerImpl - Netty
> kdc server started.
> [nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler -
> [id: 0x2634fe6b, /0:0:0:0:0:0:0:0:53957] RECEIVED: [id: 0xdac7228b, /
> 127.0.0.1:53961 => /127.0.0.1:53957]
> [defaultEventExecutorGroup-4-1] INFO 
> org.apache.kerby.kerberos.kerb.server.request.AsRequest
> - AS_REQ ISSUE: authtime 1493991123792,dran...@test.com for krbtgt/
> test@test.com
> [main] INFO 
> org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClient
> - Send to kdc success.
> [main] INFO org.apache.kerby.kerberos.kerb.client.KrbClientBase - Storing
> the tgt to the credential cache file.
> [nioEventLoopGroup-5-1] INFO 
> org.apache.kerby.kerberos.kerb.server.request.KdcRequest
> - The preauth data is empty.
> [nioEventLoopGroup-5-1] INFO org.apache.kerby.kerberos.kerb.server.KdcHandler
> - KRB error occurred while processing request:Additional pre-authentication
> required
> [nioEventLoopGroup-5-1] INFO 
> org.apache.kerby.kerberos.kerb.server.request.AsRequest
> - AS_REQ ISSUE: authtime 1493991123859,test-service/localh...@test.com
> for krbtgt/test@test.com
> [nioEventLoopGroup-5-1] INFO 
> org.apache.kerby.kerberos.kerb.server.request.TgsRequest
> - TGS_REQ ISSUE: authtime 1493991142850,drankye for test-service/
> localh...@test.com
>
> Thanks
> Jiajia
>
> -----Original Message-----
> From: Zheng, Kai
> Sent: Friday, May 5, 2017 7:46 PM
> To: kerby@directory.apache.org; Li, Jiajia <jiajia...@intel.com>
> Subject: RE: MIT Kerberos compatibility
>
> Hi Marc,
>
> Looks like this is quite environment related, could you fire an issue for
> this? I would suggest we target it to 1.1.0, which can be done in June.
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl]
> Sent: Friday, May 05, 2017 4:44 PM
> To: Li, Jiajia <jiajia...@intel.com>
> Cc: kerby@directory.apache.org
> Subject: Re: MIT Kerberos compatibility
>
> Hi Jiajia,
>
> Great to read that you made progress on this issue and to see a working
> config at your side. Below, I list my progress below (with trunk merged
> into my MitIssue branch), but I am afraid we are not done yet.
>
> Things that stand out:
>
> - the kdc decoding error is solved, relative to the logs without your patch
>
> - your KRB5 tracing looks quite different. What OS and mit-kerberos
> version did you use?
>
> - your KRB5 tracing shows UDP comms between kerberos client and KDC,
> despite the allowUDP = false setting in my test. I did this setting because
> I get different problems without it, see the additional logs below. So, we
> must also be aware of networking problems at my side.
>
> - the "Response was not from master KDC" msg is not relevant; it
> disappears if you manually add master_kdc to the realms section of the
> krb5.conf
>
> I have no idea how to proceed from here, so that is why I just

RE: MIT Kerberos compatibility

2017-05-05 Thread Li, Jiajia
Hi Marc,
>>> - your KRB5 tracing looks quite different. What OS and mit-kerberos version 
>>> did you use?
I use mac os and the python version is 2.7.10

>>>- your KRB5 tracing shows UDP comms between kerberos client and KDC, despite 
>>>the allowUDP = false setting
>>> in my test. I did this setting because I get different problems without it, 
>>> see the additional logs below. So, 
>>>we must also be aware of networking problems at my side.
I enable the UDP and use netty network, there are some issues if UDP disabled, 
you can create a JIRA for this and we can fix this issue in the next release 
version.

The changes in my side as following:

protected boolean allowUdp() {
    return true;
}
@Override
protected void prepareKdc() throws KrbException {
    getKdcServer().setInnerKdcImpl(
        new NettyKdcServerImpl(getKdcServer().getKdcSetting()));
    super.prepareKdc();
}

Here is log of MitIssueTest:
[INFO] Running org.apache.kerby.kerberos.kerb.server.MitIssueTest
[nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler - [id: 
0x2634fe6b] REGISTERED
[nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler - [id: 
0x2634fe6b] BIND(0.0.0.0/0.0.0.0:53957)
[nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler - [id: 
0x2634fe6b, /0:0:0:0:0:0:0:0:53957] ACTIVE
[main] INFO org.apache.kerby.kerberos.kdc.impl.NettyKdcServerImpl - Netty kdc 
server started.
[nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler - [id: 
0x2634fe6b, /0:0:0:0:0:0:0:0:53957] RECEIVED: [id: 0xdac7228b, /127.0.0.1:53961 
=> /127.0.0.1:53957]
[defaultEventExecutorGroup-4-1] INFO 
org.apache.kerby.kerberos.kerb.server.request.AsRequest - AS_REQ ISSUE: 
authtime 1493991123792,dran...@test.com for krbtgt/test@test.com
[main] INFO org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClient 
- Send to kdc success.
[main] INFO org.apache.kerby.kerberos.kerb.client.KrbClientBase - Storing the 
tgt to the credential cache file.
[nioEventLoopGroup-5-1] INFO 
org.apache.kerby.kerberos.kerb.server.request.KdcRequest - The preauth data is 
empty.
[nioEventLoopGroup-5-1] INFO org.apache.kerby.kerberos.kerb.server.KdcHandler - 
KRB error occurred while processing request:Additional pre-authentication 
required
[nioEventLoopGroup-5-1] INFO 
org.apache.kerby.kerberos.kerb.server.request.AsRequest - AS_REQ ISSUE: 
authtime 1493991123859,test-service/localh...@test.com for 
krbtgt/test@test.com
[nioEventLoopGroup-5-1] INFO 
org.apache.kerby.kerberos.kerb.server.request.TgsRequest - TGS_REQ ISSUE: 
authtime 1493991142850,drankye for test-service/localh...@test.com

Thanks
Jiajia

-----Original Message-----
From: Zheng, Kai 
Sent: Friday, May 5, 2017 7:46 PM
To: kerby@directory.apache.org; Li, Jiajia <jiajia...@intel.com>
Subject: RE: MIT Kerberos compatibility

Hi Marc,

Looks like this is quite environment related, could you fire an issue for this? 
I would suggest we target it to 1.1.0, which can be done in June.

Regards,
Kai

-----Original Message-----
From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl]
Sent: Friday, May 05, 2017 4:44 PM
To: Li, Jiajia <jiajia...@intel.com>
Cc: kerby@directory.apache.org
Subject: Re: MIT Kerberos compatibility

Hi Jiajia,

Great to read that you made progress on this issue and to see a working config 
at your side. Below, I list my progress below (with trunk merged into my 
MitIssue branch), but I am afraid we are not done yet.

Things that stand out:

- the kdc decoding error is solved, relative to the logs without your patch

- your KRB5 tracing looks quite different. What OS and mit-kerberos version did 
you use?

- your KRB5 tracing shows UDP comms between kerberos client and KDC, despite 
the allowUDP = false setting in my test. I did this setting because I get 
different problems without it, see the additional logs below. So, we must also 
be aware of networking problems at my side.

- the "Response was not from master KDC" msg is not relevant; it disappears if 
you manually add master_kdc to the realms section of the krb5.conf

I have no idea how to proceed from here, so that is why I just document the 
status at my side and ask about your - apparently working - config.

Cheers,   Marc


KDC logging with allowUDP = false:

[INFO] Running org.apache.kerby.kerberos.kerb.server.MitIssueTest
[pool-1-thread-1] INFO
org.apache.kerby.kerberos.kerb.server.request.AsRequest - AS_REQ ISSUE: 
authtime 1493970789075,dran...@test.com for krbtgt/test@test.com [main] 
INFO org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClient - Send 
to kdc success.
[main] INFO org.apache.kerby.kerberos.kerb.client.KrbClientBase - Storing the 
tgt to the credential cache file.
[pool-1-thread-1] INFO
org.apache.kerby.kerberos.kerb.server.request.KdcRequest - The preauth data is 
empty.
[pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.KdcHandl

RE: MIT Kerberos compatibility

2017-05-05 Thread Zheng, Kai
Hi Marc,

Looks like this is quite environment related, could you fire an issue for this? 
I would suggest we target it to 1.1.0, which can be done in June.

Regards,
Kai

-----Original Message-----
From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl] 
Sent: Friday, May 05, 2017 4:44 PM
To: Li, Jiajia <jiajia...@intel.com>
Cc: kerby@directory.apache.org
Subject: Re: MIT Kerberos compatibility

Hi Jiajia,

Great to read that you made progress on this issue and to see a working config 
at your side. Below, I list my progress below (with trunk merged into my 
MitIssue branch), but I am afraid we are not done yet.

Things that stand out:

- the kdc decoding error is solved, relative to the logs without your patch

- your KRB5 tracing looks quite different. What OS and mit-kerberos version did 
you use?

- your KRB5 tracing shows UDP comms between kerberos client and KDC, despite 
the allowUDP = false setting in my test. I did this setting because I get 
different problems without it, see the additional logs below. So, we must also 
be aware of networking problems at my side.

- the "Response was not from master KDC" msg is not relevant; it disappears if 
you manually add master_kdc to the realms section of the krb5.conf

I have no idea how to proceed from here, so that is why I just document the 
status at my side and ask about your - apparently working - config.

Cheers,   Marc


KDC logging with allowUDP = false:

[INFO] Running org.apache.kerby.kerberos.kerb.server.MitIssueTest
[pool-1-thread-1] INFO
org.apache.kerby.kerberos.kerb.server.request.AsRequest - AS_REQ ISSUE: 
authtime 1493970789075,dran...@test.com for krbtgt/test@test.com [main] 
INFO org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClient - Send 
to kdc success.
[main] INFO org.apache.kerby.kerberos.kerb.client.KrbClientBase - Storing the 
tgt to the credential cache file.
[pool-1-thread-1] INFO
org.apache.kerby.kerberos.kerb.server.request.KdcRequest - The preauth data is 
empty.
[pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.KdcHandler
- KRB error occurred while processing request:Additional pre-authentication 
required [pool-1-thread-1] INFO 
org.apache.kerby.kerberos.kerb.server.request.AsRequest - AS_REQ ISSUE: 
authtime 1493970789108,test-service/localh...@test.com for 
krbtgt/test@test.com [pool-1-thread-1] INFO 
org.apache.kerby.kerberos.kerb.server.request.KdcRequest - Found fast padata 
and starting to process it.
[pool-1-thread-1] INFO
org.apache.kerby.kerberos.kerb.server.request.KdcRequest - Found fast padata 
and starting to process it.

Python script KRB5 tracing (MIT Kerberos 1.13.2 of Ubuntu Xenial) with allowUDP 
= false:

$ . 
kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/MitIssueTest.sh
[25281] 1493970797.298753: Retrieving dran...@test.com from 
FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 
2/Key table file '/etc/krb5/user/1000/client.keytab' not found [25281] 
1493970797.298952: Retrieving dran...@test.com from 
FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 
2/Key table file '/etc/krb5/user/1000/client.keytab' not found [25281] 
1493970797.299106: Retrieving dran...@test.com from 
FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 
2/Key table file '/etc/krb5/user/1000/client.keytab' not found [25281] 
1493970797.299213: Retrieving dran...@test.com from 
FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 
2/Key table file '/etc/krb5/user/1000/client.keytab' not found [25281] 
1493970797.299323: Retrieving dran...@test.com from 
FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 
2/Key table file '/etc/krb5/user/1000/client.keytab' not found [25281] 
1493970797.299436: Retrieving dran...@test.com from 
FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 
2/Key table file '/etc/krb5/user/1000/client.keytab' not found [25281] 
1493970797.299545: Retrieving dran...@test.com from 
FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 
2/Key table file '/etc/krb5/user/1000/client.keytab' not found [25281] 
1493970797.299654: Retrieving dran...@test.com from 
FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 
2/Key table file '/etc/krb5/user/1000/client.keytab' not found 
kerberos.authGSSClientInit successful [25281] 1493970797.299922: Getting 
credentials dran...@test.com -> test-service/localhost@ using ccache 
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
[25281] 1493970797.299945: Retrieving dran...@test.com -> 
test-service/localhost@ from 
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc with result: 
-1765328243/Matching credential not found [25281] 1493970797.299959: Retrying 
dran...@test.com -> test-service/localh...@test.com with result: 
-1765328243/Matching credential not found [25281] 1493970797.299962: Server has 
referral realm; starting
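
An added example (not part of the thread and not Kerby or MIT code): a small Python parser that reads a KRB5_TRACE log even after a mail client has re-wrapped and quoted it, and lists which transports the client tried against the KDC. The function names and verdict labels are assumptions of this example; the sample is an excerpt of the TCP/UDP portion of the client trace Marc posted on 29-04-17, quoted elsewhere in this thread.

```python
import re

# A trace record starts with "[pid] seconds.micros: ". Mail clients re-wrap the
# text, so records are located by this marker, not by line breaks.
RECORD = re.compile(r"\[(\d+)\]\s+(\d+\.\d+):\s+")

# Transport messages, worded as in the trace quoted in this thread.
EVENTS = [
    ("connect", re.compile(r"Initiating (TCP) connection to stream (\S+)")),
    ("send", re.compile(r"Sending (TCP) request to stream (\S+)")),
    ("error", re.compile(r"(TCP) error receiving from stream (\S+): (.+)")),
    ("close", re.compile(r"Terminating (TCP) connection to stream (\S+)")),
    ("send", re.compile(r"Sending initial (UDP) request to dgram (\S+)")),
]

# Excerpt of the client trace from the thread, still mail-quoted and re-wrapped.
SAMPLE = """\
> [15538] 1493491231.918541: Sending request (836 bytes) to TEST.COM [15538]
> 1493491231.918597: Resolving hostname localhost [15538]
> 1493491231.918703: Initiating TCP connection to stream
> 127.0.0.1:44292
> [15538] 1493491231.918777: Sending TCP request to stream
> 127.0.0.1:44292 [15538] 1493491231.922803: TCP error receiving from
> stream
> 127.0.0.1:44292: 104/Connection reset by peer [15538]
> 1493491231.922812: Terminating TCP connection to stream
> 127.0.0.1:44292
> [15538] 1493491231.922858: Sending initial UDP request to dgram
> 127.0.0.1:44292
"""

def split_records(text):
    """Return (pid, timestamp, message) for each record in re-wrapped trace text."""
    lines = (line.lstrip("> ") for line in text.splitlines())  # drop mail quoting
    flat = " ".join(" ".join(lines).split())                   # undo the wrapping
    marks = list(RECORD.finditer(flat))
    records = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(flat)
        records.append((m.group(1), m.group(2), flat[m.end():end].strip()))
    return records

def transport_events(text):
    """Keep only the records that describe traffic between client and KDC."""
    events = []
    for _pid, ts, msg in split_records(text):
        for kind, pattern in EVENTS:
            m = pattern.match(msg)
            if m:
                detail = m.group(3) if pattern.groups == 3 else ""
                events.append({"ts": ts, "proto": m.group(1), "peer": m.group(2),
                               "kind": kind, "detail": detail})
                break
    return events

def diagnose(events):
    """Label the transport pattern; labels are this example's own."""
    reset = set()
    for e in events:
        if e["kind"] == "error" and "reset by peer" in e["detail"]:
            reset.add(e["peer"])
        elif e["proto"] == "UDP" and e["peer"] in reset:
            return "tcp-reset-then-udp"
    if reset:
        return "tcp-reset"
    if not events:
        return "no-kdc-traffic"
    return "udp" if all(e["proto"] == "UDP" for e in events) else "tcp"
```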

Re: MIT Kerberos compatibility

2017-05-05 Thread Marc de Lignie
cache_conf_data/negative-cache/test-service\134/localhost\1...@test.com@X-CACHECONF:
 in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for 
krb5_ccache_conf_data/lkdc-hostname@X-CACHECONF: in cache 
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for 
krb5_ccache_conf_data/sitename@X-CACHECONF: in cache 
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for 
test-service/localh...@test.com in cache 
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-md5-deprecated not supported
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-md4-deprecated not supported
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-crc-deprecated not supported
2017-05-04T20:44:06 Trying to find service kdc for realm TEST.COM flags 0
2017-05-04T20:44:06 configuration file for realm TEST.COM found
2017-05-04T20:44:06 submissing new requests to new host
2017-05-04T20:44:06 host_create: setting hostname localhost
2017-05-04T20:44:06 connecting to host: udp ::1:52534 (localhost) tid: 0001
2017-05-04T20:44:06 host_create: setting hostname localhost
2017-05-04T20:44:06 Queuing host in future (in 3s), its the 2 address on the 
same name: udp 127.0.0.1:52534 (localhost) tid: 0002
2017-05-04T20:44:06 writing packet: udp ::1:52534 (localhost) tid: 0001
2017-05-04T20:44:06 reading packet: udp ::1:52534 (localhost) tid: 0001
2017-05-04T20:44:06 host completed: udp ::1:52534 (localhost) tid: 0001
2017-05-04T20:44:06 krb5_sendto_context TEST.COM done: 0 hosts 1 packets 1 wc: 
0.048927 nr: 0.000932 kh: 0.000814 tid: 0002
2017-05-04T20:44:06 tkt: extract key 17/763641F3
2017-05-04T20:44:06 set-error: -1765328353: Decrypt integrity check failed for 
checksum type hmac-sha1-96-aes128, key type aes128-cts-hmac-sha1-96
2017-05-04T20:44:06 tkt: extract key 17/3084A95C
2017-05-04T20:44:06 krb5_get_credentials_with_flags: TEST.COM wc: 0.050317
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for 
krb5_ccache_conf_data/realm-config@X-CACHECONF: in cache 
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for 
krb5_ccache_conf_data/time-offset/test-service\134/localhost\1...@test.com@X-CACHECONF:
 in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 Setting up PFS for auth context
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-md5-deprecated not supported
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-md4-deprecated not supported
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-crc-deprecated not supported
First kerberos.authGSSClientStep successful

Thanks
Jiajia

-----Original Message-----
From: Zheng, Kai [mailto:kai.zh...@intel.com]
Sent: Wednesday, May 3, 2017 7:29 PM
To: kerby@directory.apache.org
Subject: RE: MIT Kerberos compatibility

Hi Marc,

In case you're not aware of this, please check out the latest fix made by 
Jiajia. We thought your case may be different, but would be good to have a 
check before we can repeat/fix your case. Thanks.
https://issues.apache.org/jira/browse/DIRKRB-625

Regards,
Kai

-----Original Message-----
From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl]
Sent: Sunday, April 30, 2017 7:45 PM
To: kerby@directory.apache.org
Subject: Re: MIT Kerberos compatibility

Hi Kai,

The terminal output below is for the latest MIT Kerberos 1.15.1 (locally built 
on Ubuntu Xenial). Before that, I also tested with the default Xenial MIT 
Kerberos packages (1.13.2), with the same result. I did not try earlier MIT 
Kerberos versions.

Marc

On 29-04-17 at 21:42, Marc de Lignie wrote:

Hi Kai,

Thanks for the response. I prepared a minimal config that reproduces
my problem.

You can fetch the branch/commit from:
https://github.com/vtslab/directory-kerby/commits/MitIssue

This is relative to RC2, but I also tried this on trunk for my actual
project.

This config produces the debug and error messages below.

1. For the terminal with the bash + python script

$ klist
Ticket cache: FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
Default principal: dran...@test.com

Valid starting     Expires            Service principal
29-04-17 21:07:39  30-04-17 05:07:39  krbtgt/test@test.com
        renew until 29-04-17 21:07:39

$ .
kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/
server/MitIssueTest.sh [15538] 1493491231.917606: Retrieving
dran...@test.com from FILE:/etc/krb5/user/1000/client.keytab (vno 0,
enctype 0) with result:
2/Key table file '/etc/krb5/user/1000/client.keytab' not found [15538]
1493491231.917827: Retrieving dran...@test.com from
FILE:/etc/krb5/user/1000/client.keytab (vno 0, 

RE: MIT Kerberos compatibility

2017-05-04 Thread Li, Jiajia
Hi Marc,
I tried to run your test (by applying your patch in the trunk), and I think it 
succeeds now. Could you take some time to check it?
Here is the log:

directory-kerby git:(trunk) ✗ . 
kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/MitIssueTest.sh
kerberos.authGSSClientInit successful
2017-05-04T20:44:06 set-error: -1765328234: entypes not supported
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for 
krb5_ccache_conf_data/realm-config@X-CACHECONF: in cache 
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for 
test-service/localh...@test.com in cache 
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for 
krb5_ccache_conf_data/negative-cache/test-service\134/localhost\1...@test.com@X-CACHECONF:
 in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for 
krb5_ccache_conf_data/lkdc-hostname@X-CACHECONF: in cache 
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for 
krb5_ccache_conf_data/sitename@X-CACHECONF: in cache 
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for 
test-service/localh...@test.com in cache 
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-md5-deprecated not supported
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-md4-deprecated not supported
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-crc-deprecated not supported
2017-05-04T20:44:06 Trying to find service kdc for realm TEST.COM flags 0
2017-05-04T20:44:06 configuration file for realm TEST.COM found
2017-05-04T20:44:06 submissing new requests to new host
2017-05-04T20:44:06 host_create: setting hostname localhost
2017-05-04T20:44:06 connecting to host: udp ::1:52534 (localhost) tid: 0001
2017-05-04T20:44:06 host_create: setting hostname localhost
2017-05-04T20:44:06 Queuing host in future (in 3s), its the 2 address on the 
same name: udp 127.0.0.1:52534 (localhost) tid: 0002
2017-05-04T20:44:06 writing packet: udp ::1:52534 (localhost) tid: 0001
2017-05-04T20:44:06 reading packet: udp ::1:52534 (localhost) tid: 0001
2017-05-04T20:44:06 host completed: udp ::1:52534 (localhost) tid: 0001
2017-05-04T20:44:06 krb5_sendto_context TEST.COM done: 0 hosts 1 packets 1 wc: 
0.048927 nr: 0.000932 kh: 0.000814 tid: 0002
2017-05-04T20:44:06 tkt: extract key 17/763641F3
2017-05-04T20:44:06 set-error: -1765328353: Decrypt integrity check failed for 
checksum type hmac-sha1-96-aes128, key type aes128-cts-hmac-sha1-96
2017-05-04T20:44:06 tkt: extract key 17/3084A95C
2017-05-04T20:44:06 krb5_get_credentials_with_flags: TEST.COM wc: 0.050317
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for 
krb5_ccache_conf_data/realm-config@X-CACHECONF: in cache 
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for 
krb5_ccache_conf_data/time-offset/test-service\134/localhost\1...@test.com@X-CACHECONF:
 in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 Setting up PFS for auth context
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-md5-deprecated not supported
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-md4-deprecated not supported
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-crc-deprecated not supported
First kerberos.authGSSClientStep successful

Thanks
Jiajia

-----Original Message-----
From: Zheng, Kai [mailto:kai.zh...@intel.com] 
Sent: Wednesday, May 3, 2017 7:29 PM
To: kerby@directory.apache.org
Subject: RE: MIT Kerberos compatibility

Hi Marc,

In case you're not aware of this, please check out the latest fix made by 
Jiajia. We thought your case may be different, but would be good to have a 
check before we can repeat/fix your case. Thanks.
https://issues.apache.org/jira/browse/DIRKRB-625

Regards,
Kai

-----Original Message-----
From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl]
Sent: Sunday, April 30, 2017 7:45 PM
To: kerby@directory.apache.org
Subject: Re: MIT Kerberos compatibility

Hi Kai,

The terminal output below is for the latest MIT Kerberos 1.15.1 (locally built 
on Ubuntu Xenial). Before that, I also tested with the default Xenial MIT 
Kerberos packages (1.13.2), with the same result. I did not try earlier MIT 
Kerberos versions.

Marc

On 29-04-17 at 21:42, Marc de Lignie wrote:
>
> Hi Kai,
>
> Thanks for the response. I prepared a minimal config that reproduces 
> my problem.
>
> You can fetch the branch/commit from:
> https://github.com/vtslab/director

RE: MIT Kerberos compatibility

2017-05-03 Thread Zheng, Kai
Hi Marc,

In case you're not aware of this, please check out the latest fix made by 
Jiajia. We thought your case may be different, but would be good to have a 
check before we can repeat/fix your case. Thanks.
https://issues.apache.org/jira/browse/DIRKRB-625

Regards,
Kai

-----Original Message-----
From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl] 
Sent: Sunday, April 30, 2017 7:45 PM
To: kerby@directory.apache.org
Subject: Re: MIT Kerberos compatibility

Hi Kai,

The terminal output below is for the latest MIT Kerberos 1.15.1 (locally built 
on Ubuntu Xenial). Before that, I also tested with the default Xenial MIT 
Kerberos packages (1.13.2), with the same result. I did not try earlier MIT 
Kerberos versions.

Marc

On 29-04-17 at 21:42, Marc de Lignie wrote:
>
> Hi Kai,
>
> Thanks for the response. I prepared a minimal config that reproduces 
> my problem.
>
> You can fetch the branch/commit from:
> https://github.com/vtslab/directory-kerby/commits/MitIssue
>
> This is relative to RC2, but I also tried this on trunk for my actual 
> project.
>
> This config produces the debug and error messages below.
>
> 1. For the terminal with the bash + python script
>
> $ klist
> Ticket cache: FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> Default principal: dran...@test.com
>
> Valid starting     Expires            Service principal
> 29-04-17 21:07:39  30-04-17 05:07:39  krbtgt/test@test.com
>         renew until 29-04-17 21:07:39
>
> $ . 
> kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/
> server/MitIssueTest.sh [15538] 1493491231.917606: Retrieving 
> dran...@test.com from FILE:/etc/krb5/user/1000/client.keytab (vno 0, 
> enctype 0) with result:
> 2/Key table file '/etc/krb5/user/1000/client.keytab' not found [15538] 
> 1493491231.917827: Retrieving dran...@test.com from 
> FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result:
> 2/Key table file '/etc/krb5/user/1000/client.keytab' not found 
> kerberos.authGSSClientInit successful [15538] 1493491231.918185: 
> Getting credentials dran...@test.com -> test-service/localhost@ using 
> ccache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> [15538] 1493491231.918210: Retrieving dran...@test.com -> 
> test-service/localhost@ from 
> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc with result:
> -1765328243/Matching credential not found (filename: 
> kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc)
> [15538] 1493491231.918226: Retrying dran...@test.com -> 
> test-service/localh...@test.com with result: -1765328243/Matching 
> credential not found (filename:
> kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc)
> [15538] 1493491231.918229: Server has referral realm; starting with 
> test-service/localh...@test.com [15538] 1493491231.918278: Retrieving 
> dran...@test.com -> krbtgt/test@test.com from 
> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc with result:
> 0/Success
> [15538] 1493491231.918281: Starting with TGT for client realm: 
> dran...@test.com -> krbtgt/test@test.com [15538] 
> 1493491231.918301: Requesting tickets for 
> test-service/localh...@test.com, referrals on [15538] 
> 1493491231.918326: Generated subkey for TGS request:
> aes128-cts/FA30
> [15538] 1493491231.918359: etypes requested in TGS request: 
> aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, 
> rc4-hmac, camellia128-cts, camellia256-cts [15538] 1493491231.918484: 
> Encoding request body and padata into FAST request [15538] 
> 1493491231.918541: Sending request (836 bytes) to TEST.COM [15538] 
> 1493491231.918597: Resolving hostname localhost [15538] 
> 1493491231.918703: Initiating TCP connection to stream
> 127.0.0.1:44292
> [15538] 1493491231.918777: Sending TCP request to stream 
> 127.0.0.1:44292 [15538] 1493491231.922803: TCP error receiving from 
> stream
> 127.0.0.1:44292: 104/Connection reset by peer [15538] 
> 1493491231.922812: Terminating TCP connection to stream
> 127.0.0.1:44292
> [15538] 1493491231.922858: Sending initial UDP request to dgram
> 127.0.0.1:44292
> ('First kerberos.authGSSClientStep not successful', 
> GSSError(('Unspecified GSS failure.  Minor code may provide more 
> information', 851968), ("Cannot contact any KDC for realm 'TEST.COM'",
> -1765328228)))
>
> 2. For the terminal that runs mvn clean test -Dtest=MitIssueTest 
> Running org.apache.kerby.kerberos.kerb.server.MitIssueTest
> 2017-04-29 21:07:39,182 DEBUG [main] backend.AbstractIdentityBackend: 
> initialize called
> 2017-04-29 21:07:39,195 DEBUG [main] backend.AbstractIdentityBackend: 
> getIdentity called, principalName = krbtgt/test@test.com
> 2017-04-29 21:07:39,195 DEBUG [main] backend.AbstractIdentityBackend: 
> getIdentity failed,