Date: Mon, 28 Nov 2016 09:53:58 +0000 (UTC)
From: "Kai Zheng (JIRA)"
To: dev@directory.apache.org
Subject: [jira] [Commented] (DIRKRB-614) Kerby (simplekdc) fails to handle unknown PADATA

    [ https://issues.apache.org/jira/browse/DIRKRB-614?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15701485#comment-15701485 ]

Kai Zheng commented on DIRKRB-614:
----------------------------------

If the PADATA is unexpectedly there then the sad thing is it's hard for Kerby to ignore it, as Kerby strictly follows the ASN.1 definition in its common underlying ASN.1 framework. Before we have a fix, maybe you could work around this by disabling the preauth check?

> Kerby (simplekdc) fails to handle unknown PADATA
> -------------------------------------------------
>
>                 Key: DIRKRB-614
>                 URL: https://issues.apache.org/jira/browse/DIRKRB-614
>             Project: Directory Kerberos
>          Issue Type: Bug
>   Affects Versions: 1.0.0-RC2
>         Environment: SimpleKDC
>            Reporter: Bolke de Bruin
>         Attachments: kerb.pcap, kerb_heimdal.pcapng
>
>
> I am using simplekdc wrapped in an application to allow CI for Apache Airflow.
> While testing I found out that on my development system (OS X - Heimdal with MIT Shim) everything worked fine, but when moving over to the CI (MIT) system it stopped working with the following error.
> {code}
> 2016-11-26 17:08:51,974 ERROR [pool-1-thread-3] impl.DefaultKdcHandler: Error occured while processing request:
> org.apache.kerby.kerberos.kerb.KrbException: Decoding failed
> 	at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)
> 	at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
> 	at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast(KdcRequest.java:208)
> 	at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.process(KdcRequest.java:168)
> 	at org.apache.kerby.kerberos.kerb.server.KdcHandler.handleMessage(KdcHandler.java:115)
> 	at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.handleMessage(DefaultKdcHandler.java:67)
> 	at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:52)
> 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> 	at java.lang.Thread.run(Thread.java:745)
> Caused by: java.io.IOException: Unexpected item context [0] [tag=0xA0, off=0, len=3+198], expecting 0x30
> 	at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:210)
> 	at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:197)
> 	at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:83)
> 	... 9 more
> {code}
> Digging in with Wireshark showed that the MIT libraries are sending extra PAData which makes Kerby not respond (Wireshark records this as "Unknown 136"). This behavior can be replicated by using "kvno".
> Heimdal on OSX does not send this and gets a response.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
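
Added example, not part of the message above and not Kerby's code: a small Python DER reader that shows how to read the `tag=0xA0, off=0, len=3+198 ... expecting 0x30` fields in the logged error, and how a decoder can walk a PA-DATA list and skip a padata-type it does not handle without decoding its value. The function names, the `known` set and all sample bytes are assumptions constructed for illustration; only the numbers 136, 0xA0, 0x30 and 3+198 come from the report.

```python
def read_header(buf, off=0):
    """Return (tag, header_len, body_len) of the DER item starting at buf[off]."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                         # short form: one length byte
        return tag, 2, first
    n = first & 0x7F                         # long form: next n bytes hold the length
    return tag, 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")

def expect(buf, off, want):
    """Strict check; returns (body_offset, body_len) or raises like the logged error."""
    tag, hlen, blen = read_header(buf, off)
    if tag != want:
        raise ValueError("Unexpected item [tag=0x%02X, off=%d, len=%d+%d], expecting 0x%02X"
                         % (tag, off, hlen, blen, want))
    return off + hlen, blen

def der(tag, body):
    """Encode one DER item (body shorter than 256 bytes, enough for the sample)."""
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])
    return bytes([tag]) + head + body

def pa_data(type_bytes, value):
    """PA-DATA ::= SEQUENCE { padata-type [1] Int32, padata-value [2] OCTET STRING }"""
    return der(0x30, der(0xA1, der(0x02, type_bytes)) + der(0xA2, der(0x04, value)))

def walk_padata(seq_of, known):
    """Walk a SEQUENCE OF PA-DATA; return (handled, skipped) lists of padata-type."""
    handled, skipped = [], []
    pos, blen = expect(seq_of, 0, 0x30)
    end = pos + blen
    while pos < end:
        p, l = expect(seq_of, pos, 0x30)     # one PA-DATA element
        nxt = p + l                          # where the next element starts
        p, l = expect(seq_of, p, 0xA1)       # padata-type [1]
        p, l = expect(seq_of, p, 0x02)       # INTEGER
        ptype = int.from_bytes(seq_of[p:p + l], "big", signed=True)
        (handled if ptype in known else skipped).append(ptype)  # value left undecoded
        pos = nxt
    return handled, skipped

# Constructed bytes: a value with the logged header (0xA0, 3+198), sent as type 136 after type 2.
VALUE_136 = der(0xA0, bytes(198))
SAMPLE = der(0x30, pa_data(b"\x02", b"constructed") + pa_data(b"\x00\x88", VALUE_136))

if __name__ == "__main__":
    print(walk_padata(SAMPLE, known={2}))    # type 136 is skipped, not decoded
    try:
        expect(VALUE_136, 0, 0x30)           # strict decode as SEQUENCE fails
    except ValueError as e:
        print(e)
```

In the error format, `len=3+198` is the header length (tag byte plus two length bytes in long form) followed by the body length.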