Nothing at hand, at the moment. I was first waiting for you to confirm the issue. I think two distinct PRs are necessary here with two JBS issues?

M

On 2023-09-20 20:06, Wei-Jun Wang wrote:
I'll look into it. Thanks!

Do you have a patch? :-)

--Max

On Aug 9, 2023, at 3:30 AM, Osipov, Michael (SMD IT IN) 
<michael.osi...@siemens.com> wrote:

Folks, Max,

consider the following code snippet configured with the Krb5LoginModule:
LoginContext lc = new LoginContext(loginEntryName);
lc.login();

then a LoginException is thrown with the following stacktrace:
2023-08-01T00:09:31.601 SCHWERWIEGEND [https-openssl-apr-8444-exec-5417] net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.getPrincipal Exception acquiring directory server connection
    javax.naming.NamingException: null (29) [Root exception is javax.security.auth.login.LoginException: null (29)]
        at net.sf.michaelo.dirctxsrc.DirContextSource.getGssApiDirContext(DirContextSource.java:625)
        at net.sf.michaelo.dirctxsrc.DirContextSource.getDirContext(DirContextSource.java:685)
        at net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.open(ActiveDirectoryRealm.java:572)
        at net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.acquire(ActiveDirectoryRealm.java:506)
        at net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.getPrincipal(ActiveDirectoryRealm.java:432)
        at net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.getPrincipal(ActiveDirectoryRealm.java:461)
        at net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.getPrincipal(ActiveDirectoryRealm.java:426)
        at org.apache.catalina.realm.RealmBase.authenticate(RealmBase.java:497)
        at net.sf.michaelo.tomcat.authenticator.SpnegoAuthenticator.doAuthenticate(SpnegoAuthenticator.java:163)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:564)
        ...
        at java.lang.Thread.run(Thread.java:750)
    Caused by: javax.security.auth.login.LoginException: null (29)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:810)
        at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
        at sun.reflect.GeneratedMethodAccessor10719.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
        at net.sf.michaelo.dirctxsrc.DirContextSource.getGssApiDirContext(DirContextSource.java:574)
        ... 23 more
    Caused by: KrbException: null (29)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:335)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:488)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:782)
        ... 35 more
    Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
        at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
        at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
        ... 38 more

I am trying to obtain a TGT to authenticate through SASL GSSAPI to Active 
Directory via LDAP. This happened to me now repeatedly in the last couple of 
days around midnight. Looking up error code 29 gives KDC_ERR_SVC_UNAVAILABLE; 
obviously the AD DC server is in maintenance mode. What bugs me is that 
KDC_ERR_SVC_UNAVAILABLE (29) is documented in Krb5.java, has an error message, 
and KrbException.java does use it, but no error message is mapped to the code.

Request: Maybe someone (Max?) could log an improvement request with JBS to
add the missing error codes 26--28 and 51 from [1]. Also, these two
    public static final int KRB_AP_ERR_NOREALM          = 62;
    public static final int KRB_AP_ERR_GEN_CRED         = 63;

look incorrect. Plus the mapping in errMsgList for those.

Note: Tried with OpenJDK 8.

Best regards,

Michael

[1] https://www.rfc-editor.org/rfc/rfc4120#section-7.5.9
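As an added example (not code from this thread, the JDK or the poster's projects), the helper below does what the original post had to do by hand when it saw "null (29)": it walks the LoginException cause chain to the KrbException that carries the KDC's KRB-ERROR code (in the trace above that is the outer KrbException from KrbAsRep, not the inner ASN.1 error 906), names the code from RFC 4120 section 7.5.9 using a local table that includes the codes the post says are missing from Krb5.java (26 to 28, 51) and the RFC's own assignments for 62 and 63, and retries the login only on KDC_ERR_SVC_UNAVAILABLE. The class name, the table subset, the retry policy and the log line are the editor's assumptions; sun.security.krb5.KrbException and its returnCode()/getError() methods are internal JDK API that compiles directly on OpenJDK 8 and needs --add-exports java.base/sun.security.krb5=ALL-UNNAMED on later JDKs.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
// Internal JDK API (editor's assumption that it stays reachable): on JDK 9+ build and run with
//   --add-exports java.base/sun.security.krb5=ALL-UNNAMED
import sun.security.krb5.KrbException;

/** Editor's example helper; hypothetical class name, not part of the JDK or the thread. */
public final class KrbLoginDiagnostics {

    /** Subset of RFC 4120 section 7.5.9, including 26-28, 51 and the RFC values for 62/63. */
    private static final Map<Integer, String> RFC4120_NAMES;
    static {
        Map<Integer, String> m = new HashMap<>();
        m.put(6,  "KDC_ERR_C_PRINCIPAL_UNKNOWN");
        m.put(7,  "KDC_ERR_S_PRINCIPAL_UNKNOWN");
        m.put(18, "KDC_ERR_CLIENT_REVOKED");
        m.put(23, "KDC_ERR_KEY_EXPIRED");
        m.put(24, "KDC_ERR_PREAUTH_FAILED");
        m.put(25, "KDC_ERR_PREAUTH_REQUIRED");
        m.put(26, "KDC_ERR_SERVER_NOMATCH");
        m.put(27, "KDC_ERR_MUST_USE_USER2USER");
        m.put(28, "KDC_ERR_PATH_NOT_ACCEPTED");
        m.put(29, "KDC_ERR_SVC_UNAVAILABLE");
        m.put(37, "KRB_AP_ERR_SKEW");
        m.put(51, "KRB_AP_PATH_NOT_ACCEPTED");
        m.put(52, "KRB_ERR_RESPONSE_TOO_BIG");
        m.put(60, "KRB_ERR_GENERIC");
        m.put(62, "KDC_ERROR_CLIENT_NOT_TRUSTED");
        m.put(63, "KDC_ERROR_KDC_NOT_TRUSTED");
        m.put(68, "KDC_ERR_WRONG_REALM");
        RFC4120_NAMES = Collections.unmodifiableMap(m);
    }

    /**
     * Finds the KrbException that carries the KDC's KRB-ERROR. Prefer one that wraps a
     * KRBError (getError() != null); otherwise fall back to the first KrbException seen,
     * which in the trace above is the "null (29)" one rather than the inner ASN.1 error 906.
     */
    static KrbException findKdcError(Throwable t) {
        KrbException first = null;
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof KrbException) {
                KrbException ke = (KrbException) c;
                if (ke.getError() != null) {
                    return ke;
                }
                if (first == null) {
                    first = ke;
                }
            }
        }
        return first;
    }

    /** Human-readable name for a KRB-ERROR code, independent of the JDK's errMsgList. */
    static String describe(int code) {
        String name = RFC4120_NAMES.get(code);
        return name == null ? "unknown KRB-ERROR code " + code : name + " (" + code + ")";
    }

    /** Policy assumed here: only KDC_ERR_SVC_UNAVAILABLE (DC in maintenance) is worth a retry. */
    static boolean isRetryable(int code) {
        return code == 29;
    }

    /** login() with bounded linear back-off on transient KDC errors; rethrows the last failure. */
    public static LoginContext login(String loginEntryName, int maxAttempts, long backoffMillis)
            throws LoginException, InterruptedException {
        if (maxAttempts < 1) {
            throw new IllegalArgumentException("maxAttempts must be >= 1");
        }
        LoginException last = null;
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            LoginContext lc = new LoginContext(loginEntryName);
            try {
                lc.login();
                return lc;
            } catch (LoginException e) {
                last = e;
                KrbException ke = findKdcError(e);
                int code = (ke == null) ? -1 : ke.returnCode();   // 29 even though getMessage() is "null (29)"
                System.err.println("Kerberos login attempt " + attempt + "/" + maxAttempts
                        + " failed: " + describe(code));
                if (ke == null || !isRetryable(code)) {
                    break;
                }
                Thread.sleep(backoffMillis * attempt);
            }
        }
        throw last;
    }
}
```

Replacing the two-line snippet from the post with `KrbLoginDiagnostics.login(loginEntryName, 3, 2000L)` turns the midnight failures into a logged "KDC_ERR_SVC_UNAVAILABLE (29)" plus two retries; any other code still fails fast. The table is deliberately kept separate from the JDK's errMsgList so that a missing JDK mapping, as in the post, never degrades the diagnosis to "null".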

