I'd fix it in one commit. https://bugs.openjdk.org/browse/JDK-8316771 filed.

Thanks,
Max

> On Sep 22, 2023, at 10:35 AM, Osipov, Michael (IN IT IN)
> <michael.osi...@siemens.com> wrote:
>
> Nothing at hand, at the moment. I was first waiting for you to confirm the
> issue. I think two distinct PRs are necessary here with two JBS issues?
>
> M
>
> On 2023-09-20 20:06, Wei-Jun Wang wrote:
>> I'll look into it. Thanks!
>> Do you have a patch? :-)
>> --Max
>>> On Aug 9, 2023, at 3:30 AM, Osipov, Michael (SMD IT IN)
>>> <michael.osi...@siemens.com> wrote:
>>>
>>> Folks, Max,
>>>
>>> consider the following code snippet configured with the Krb5LoginModule:
>>>> LoginContext lc = new LoginContext(loginEntryName);
>>>> lc.login();
>>>
>>> then a LoginException is thrown with the following stacktrace:
>>>> 2023-08-01T00:09:31.601 SCHWERWIEGEND [https-openssl-apr-8444-exec-5417] net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.getPrincipal Exception acquiring directory server connection
>>>> javax.naming.NamingException: null (29) [Root exception is javax.security.auth.login.LoginException: null (29)]
>>>>     at net.sf.michaelo.dirctxsrc.DirContextSource.getGssApiDirContext(DirContextSource.java:625)
>>>>     at net.sf.michaelo.dirctxsrc.DirContextSource.getDirContext(DirContextSource.java:685)
>>>>     at net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.open(ActiveDirectoryRealm.java:572)
>>>>     at net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.acquire(ActiveDirectoryRealm.java:506)
>>>>     at net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.getPrincipal(ActiveDirectoryRealm.java:432)
>>>>     at net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.getPrincipal(ActiveDirectoryRealm.java:461)
>>>>     at net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.getPrincipal(ActiveDirectoryRealm.java:426)
>>>>     at org.apache.catalina.realm.RealmBase.authenticate(RealmBase.java:497)
>>>>     at net.sf.michaelo.tomcat.authenticator.SpnegoAuthenticator.doAuthenticate(SpnegoAuthenticator.java:163)
>>>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:564)
>>>>     ...
>>>>     at java.lang.Thread.run(Thread.java:750)
>>>> Caused by: javax.security.auth.login.LoginException: null (29)
>>>>     at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:810)
>>>>     at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
>>>>     at sun.reflect.GeneratedMethodAccessor10719.invoke(Unknown Source)
>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>     at java.lang.reflect.Method.invoke(Method.java:498)
>>>>     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
>>>>     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
>>>>     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
>>>>     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
>>>>     at java.security.AccessController.doPrivileged(Native Method)
>>>>     at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
>>>>     at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
>>>>     at net.sf.michaelo.dirctxsrc.DirContextSource.getGssApiDirContext(DirContextSource.java:574)
>>>>     ... 23 more
>>>> Caused by: KrbException: null (29)
>>>>     at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
>>>>     at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:335)
>>>>     at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:488)
>>>>     at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:782)
>>>>     ... 35 more
>>>> Caused by: KrbException: Identifier doesn't match expected value (906)
>>>>     at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
>>>>     at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
>>>>     at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
>>>>     at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
>>>>     ... 38 more
>>>
>>> I am trying to obtain a TGT to authenticate through SASL GSSAPI to Active
>>> Directory via LDAP. This happened to me now repeatedly in the last couple
>>> of days around midnight. Looking up error code 29 says
>>> KDC_ERR_SVC_UNAVAILABLE, obviously the AD DC server is in maintenance mode.
>>> What bugs me is that KDC_ERR_SVC_UNAVAILABLE(29) is documented in
>>> Krb5.java, has an error message and KrbException.java does use it, but no
>>> error message is mapped to the code.
>>>
>>> Request: Maybe someone (Max?) could log an improvement request with JBS to
>>> add missing error codes 26--28, 51 from [1] and
>>>> public static final int KRB_AP_ERR_NOREALM = 62;
>>>> public static final int KRB_AP_ERR_GEN_CRED = 63;
>>>
>>> look incorrect. Plus the mapping in errMsgList for those.
>>>
>>> Note: Tried with OpenJDK 8.
>>>
>>> Best regards,
>>>
>>> Michael
>>>
>>> [1]
>>> https://urldefense.com/v3/__https://www.rfc-editor.org/rfc/rfc4120*section-7.5.9__;Iw!!ACWV5N9M2RV99hQ!NAnnEyD5OZ3aXFClFAbzuSz344ZIBcwaUSH0iXe_005rJuCa-xP9-BARuknsTOZNP-MFJSjAiIMQm8mI7AyLsisF4Mg$
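
Added example, not part of the thread and not JDK code: a Java 8 compatible helper that walks a `LoginException` cause chain, pulls the numeric code out of a message such as `null (29)`, and names it per RFC 4120 section 7.5.9 for the codes the thread discusses, so logs can tell an unavailable KDC apart from a credential failure. The class and method names are hypothetical, and parsing the trailing `(NN)` is an assumption based on the message format in the trace above.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.security.auth.login.LoginException;

public class KrbErrorNames {
    // RFC 4120 section 7.5.9 names for the codes discussed in the thread.
    private static final Map<Integer, String> NAMES = new HashMap<>();
    static {
        NAMES.put(26, "KDC_ERR_SERVER_NOMATCH");
        NAMES.put(27, "KDC_ERR_MUST_USE_USER2USER");
        NAMES.put(28, "KDC_ERR_PATH_NOT_ACCEPTED");
        NAMES.put(29, "KDC_ERR_SVC_UNAVAILABLE");
        NAMES.put(51, "KRB_AP_PATH_NOT_ACCEPTED");
    }

    // Assumption: the code is the trailing "(NN)" of the exception message.
    private static final Pattern CODE = Pattern.compile("\\((\\d{1,4})\\)\\s*$");

    /** First code found walking from the outermost exception inward, or -1. */
    static int firstCode(Throwable t) {
        int depth = 0; // bound the walk in case of a cyclic cause chain
        for (Throwable c = t; c != null && depth++ < 32; c = c.getCause()) {
            String msg = c.getMessage();
            if (msg == null) continue;
            Matcher m = CODE.matcher(msg);
            if (m.find()) return Integer.parseInt(m.group(1));
        }
        return -1;
    }

    /** Log-friendly description that replaces a bare "null (29)". */
    static String describe(Throwable t) {
        int code = firstCode(t);
        if (code < 0) return "no Kerberos error code in cause chain";
        return NAMES.getOrDefault(code, "unmapped code") + " (" + code + ")";
    }

    public static void main(String[] args) {
        // Constructed cause chain modeled on the trace in the thread.
        Exception inner = new Exception("Identifier doesn't match expected value (906)");
        Exception krb = new Exception("null (29)", inner);
        LoginException le = new LoginException("null (29)");
        le.initCause(krb);
        System.out.println(describe(le));
    }
}
```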