I'll look into it. Thanks! Do you have a patch? :-)
--Max

> On Aug 9, 2023, at 3:30 AM, Osipov, Michael (SMD IT IN) <michael.osi...@siemens.com> wrote:
>
> Folks, Max,
>
> consider the following code snippet configured with the Krb5LoginModule:
>
>> LoginContext lc = new LoginContext(loginEntryName);
>> lc.login();
>
> then a LoginException is thrown with the following stacktrace:
>
>> 2023-08-01T00:09:31.601 SCHWERWIEGEND [https-openssl-apr-8444-exec-5417] net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.getPrincipal Exception acquiring directory server connection
>> javax.naming.NamingException: null (29) [Root exception is javax.security.auth.login.LoginException: null (29)]
>>   at net.sf.michaelo.dirctxsrc.DirContextSource.getGssApiDirContext(DirContextSource.java:625)
>>   at net.sf.michaelo.dirctxsrc.DirContextSource.getDirContext(DirContextSource.java:685)
>>   at net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.open(ActiveDirectoryRealm.java:572)
>>   at net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.acquire(ActiveDirectoryRealm.java:506)
>>   at net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.getPrincipal(ActiveDirectoryRealm.java:432)
>>   at net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.getPrincipal(ActiveDirectoryRealm.java:461)
>>   at net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.getPrincipal(ActiveDirectoryRealm.java:426)
>>   at org.apache.catalina.realm.RealmBase.authenticate(RealmBase.java:497)
>>   at net.sf.michaelo.tomcat.authenticator.SpnegoAuthenticator.doAuthenticate(SpnegoAuthenticator.java:163)
>>   at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:564)
>>   ...
>>   at java.lang.Thread.run(Thread.java:750)
>> Caused by: javax.security.auth.login.LoginException: null (29)
>>   at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:810)
>>   at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
>>   at sun.reflect.GeneratedMethodAccessor10719.invoke(Unknown Source)
>>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>   at java.lang.reflect.Method.invoke(Method.java:498)
>>   at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
>>   at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
>>   at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
>>   at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
>>   at java.security.AccessController.doPrivileged(Native Method)
>>   at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
>>   at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
>>   at net.sf.michaelo.dirctxsrc.DirContextSource.getGssApiDirContext(DirContextSource.java:574)
>>   ... 23 more
>> Caused by: KrbException: null (29)
>>   at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
>>   at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:335)
>>   at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:488)
>>   at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:782)
>>   ... 35 more
>> Caused by: KrbException: Identifier doesn't match expected value (906)
>>   at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
>>   at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
>>   at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
>>   at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
>>   ... 38 more
>
> I am trying to obtain a TGT to authenticate through SASL GSSAPI to Active Directory via LDAP.
> This has happened to me repeatedly in the last couple of days around midnight. Looking up error code 29 gives KDC_ERR_SVC_UNAVAILABLE; obviously the AD DC server is in maintenance mode. What bugs me is that KDC_ERR_SVC_UNAVAILABLE (29) is documented in Krb5.java, has an error message, and KrbException.java does use it, but no error message is mapped to the code.
>
> Request: Maybe someone (Max?) could log an improvement request with JBS to add the missing error codes 26--28 and 51 from [1]. Also,
>
>> public static final int KRB_AP_ERR_NOREALM = 62;
>> public static final int KRB_AP_ERR_GEN_CRED = 63;
>
> look incorrect. Plus the mapping in errMsgList for those.
>
> Note: Tried with OpenJDK 8.
>
> Best regards,
>
> Michael
>
> [1] https://www.rfc-editor.org/rfc/rfc4120#section-7.5.9
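Until the JDK maps the code, a caller can still recover a readable name from the "null (29)" message. The following is an added example written for this page; it is not JDK code and not code from the thread. It relies only on what the trace above shows: KrbException's message ends in " (<code>)", and the protocol code (29) sits on the outer LoginException and KrbException while the innermost cause carries the JDK-internal code 906. The class and method names (KrbErrorDecoder, errorCode, describe, isTransient) are mine, and the error table is a hand-transcribed subset of RFC 4120 section 7.5.9 [1], not the JDK's errMsgList; which codes count as transient is this example's policy choice.

```java
import javax.security.auth.login.LoginException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not JDK code): recover the Kerberos error code that
 * Krb5LoginModule leaves in a message such as "null (29)" and translate it
 * with the RFC 4120 section 7.5.9 names, independently of the JDK's errMsgList.
 */
public final class KrbErrorDecoder {

    /** Subset of the RFC 4120 7.5.9 table, transcribed by hand (assumption: not the JDK's list). */
    private static final Map<Integer, String> RFC4120_ERRORS;
    static {
        Map<Integer, String> m = new HashMap<>();
        m.put(6,  "KDC_ERR_C_PRINCIPAL_UNKNOWN");
        m.put(7,  "KDC_ERR_S_PRINCIPAL_UNKNOWN");
        m.put(18, "KDC_ERR_CLIENT_REVOKED");
        m.put(23, "KDC_ERR_KEY_EXPIRED");
        m.put(24, "KDC_ERR_PREAUTH_FAILED");
        m.put(25, "KDC_ERR_PREAUTH_REQUIRED");
        m.put(26, "KDC_ERR_SERVER_NOMATCH");
        m.put(27, "KDC_ERR_MUST_USE_USER2USER");
        m.put(28, "KDC_ERR_PATH_NOT_ACCEPTED");
        m.put(29, "KDC_ERR_SVC_UNAVAILABLE");
        m.put(31, "KRB_AP_ERR_BAD_INTEGRITY");
        m.put(32, "KRB_AP_ERR_TKT_EXPIRED");
        m.put(37, "KRB_AP_ERR_SKEW");
        m.put(41, "KRB_AP_ERR_MODIFIED");
        m.put(51, "KRB_AP_PATH_NOT_ACCEPTED");
        m.put(52, "KRB_ERR_RESPONSE_TOO_BIG");
        m.put(60, "KRB_ERR_GENERIC");
        m.put(61, "KRB_ERR_FIELD_TOOLONG");
        m.put(62, "KDC_ERROR_CLIENT_NOT_TRUSTED");
        m.put(63, "KDC_ERROR_KDC_NOT_TRUSTED");
        m.put(67, "KRB_AP_ERR_NO_TGT");
        m.put(68, "KDC_ERR_WRONG_REALM");
        RFC4120_ERRORS = Collections.unmodifiableMap(m);
    }

    /** KrbException.getMessage() ends with " (<code>)"; with no mapped text the prefix is literally "null". */
    private static final Pattern CODE_SUFFIX = Pattern.compile("\\((\\d+)\\)\\s*$");

    /**
     * Walks the cause chain outermost-first and returns the first numeric code found.
     * In the thread's trace the chain is LoginException "null (29)" -> KrbException
     * "null (29)" -> KrbException "... (906)". The outermost match is the protocol
     * code; 906 is a JDK-internal ASN.1 code, so stopping at the first match is
     * deliberate. Returns -1 when no "(<code>)" suffix is present anywhere.
     */
    public static int errorCode(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            String msg = c.getMessage();
            if (msg == null) {
                continue;
            }
            Matcher m = CODE_SUFFIX.matcher(msg);
            if (m.find()) {
                return Integer.parseInt(m.group(1));
            }
        }
        return -1;
    }

    /** RFC 4120 name plus the number, or a generic label for codes not in the subset above. */
    public static String describe(int code) {
        String name = RFC4120_ERRORS.get(code);
        return name != null ? name + " (" + code + ")" : "unknown Kerberos error (" + code + ")";
    }

    /**
     * KDC_ERR_SVC_UNAVAILABLE means the KDC itself refused service (e.g. a DC in
     * maintenance), so trying the next KDC is reasonable. Everything else, notably
     * KDC_ERR_PREAUTH_FAILED (bad password) and KDC_ERR_CLIENT_REVOKED, is treated
     * as permanent so a retry loop never hammers the KDC with bad credentials.
     * This classification is the example's own policy, not something the JDK defines.
     */
    public static boolean isTransient(int code) {
        return code == 29;
    }

    public static void main(String[] args) {
        // Constructed exception chain mirroring the thread's stack trace; no KDC is contacted.
        Throwable asn1 = new Exception("Identifier doesn't match expected value (906)");
        Throwable krb = new Exception("null (29)", asn1);
        LoginException le = new LoginException("null (29)");
        le.initCause(krb);

        int code = errorCode(le);
        System.out.println(describe(code) + ", transient=" + isTransient(code));
    }
}
```

Because it parses the message text rather than calling sun.security.krb5.KrbException.returnCode(), the decoder needs no --add-exports on JDK 9 and later; the trade-off is that any exception whose message happens to end in "(<digits>)" would also match, so apply it only to the LoginException thrown by LoginContext.login().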