directory-kerby mailing list archives

From "Zheng, Kai" <kai.zh...@intel.com>
Subject RE: MIT Kerberos compatibility
Date Mon, 08 May 2017 10:39:02 GMT
Thanks Colm for the confirm!

Regards,
Kai

From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
Sent: Monday, May 08, 2017 6:36 PM
To: Zheng, Kai <kai.zheng@intel.com>
Cc: kerby@directory.apache.org
Subject: Re: MIT Kerberos compatibility

Hi Kai,
No I think it wasn't caused by recent changes. It's fine to target it for the next release. I will call another vote for 1.0.0 as soon as we get the go ahead from Emmanuel.
Colm.

On Mon, May 8, 2017 at 11:32 AM, Zheng, Kai <kai.zheng@intel.com> wrote:
Hi Colm,

Are you aware of it being caused by any recent changes? It looks to me not. How severe is it? It appears in some cases in the WSS4J tests. We have a workaround, using the Netty one. I'd suggest we target it for the next minor release, like 1.1.0 or 1.0.1, so we have enough bandwidth to investigate and improve the default transport. We probably shouldn't introduce more changes to get the release out. Note: please prefer to use the TCP transport over the UDP one, in today's world.

Regards,
Kai

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
Sent: Monday, May 08, 2017 6:19 PM
To: kerby@directory.apache.org
Subject: Re: MIT Kerberos compatibility
OK I have created a JIRA and attached a patch that you have to apply to the
Apache WSS4J project to reproduce the error. If you uncomment the line that
uses Netty then the tests all work perfectly. The tests appear to work fine
when run in isolation, it's only when you run a few of them after one
another that you can see the failures.

Please let me know if you have any difficulty in reproducing, thanks!

Colm.

On Mon, May 8, 2017 at 11:08 AM, Zheng, Kai <kai.zheng@intel.com> wrote:

> Hi Colm,
>
> Sure, please do it. Could you review my change and see how it would cause
> the new failures? Any difference between the failed GSS tests and the Kerby
> GSS tests?
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Monday, May 08, 2017 5:42 PM
> To: Zheng, Kai <kai.zheng@intel.com>
> Cc: kerby@directory.apache.org
> Subject: Re: MIT Kerberos compatibility
>
> Hi Kai,
>
> Your changes fixed the error message I was seeing. However, I now see
> another problem when I run a few GSS client tests in a row:
>
> >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
> >>> KrbAsReq creating message
> >>> KrbKdcReq send: kdc=localhost UDP:42665, timeout=30000, number of
> retries =3, #bytes=245
> >>> KDCCommunication: kdc=localhost UDP:42665, timeout=30000,Attempt =1,
> #bytes=245
> SocketTimeOutException with attempt: 1
> >>> KDCCommunication: kdc=localhost UDP:42665, timeout=30000,Attempt =2,
> #bytes=245
> >>> KrbKdcReq send: error trying localhost:42665
> java.net.PortUnreachableException: ICMP Port Unreachable
>
> Do you want me to create a JIRA + attach a test-case?
>
> Colm.
>
> On Sat, May 6, 2017 at 2:01 AM, Zheng, Kai <kai.zheng@intel.com> wrote:
>
> > I haven't repeated the issue but revisited the codes again and made
> > improvements. Would you check it out? Thanks!
> >
> > Sent from iPhone
> >
> > > On May 6, 2017, at 6:28 AM, Zheng, Kai <kai.zheng@intel.com> wrote:
> > >
> > > Thanks colm for the clarification and it sounds an issue we need to
> > address. I will investigate it soon.
> > >
> > > Sent from iPhone
> > >
> > >> On May 6, 2017, at 2:14 AM, Colm O hEigeartaigh <coheigea@apache.org> wrote:
> > >>
> > >> Hi Kai,
> > >>
> > >> If I enable UDP with the default Transport, I can get a ticket fine
> > using
> > >> kinit. However then the following error pops up in the window I'm
> > running
> > >> Kerby in (as a test):
> > >>
> > >> Exception in thread "Thread-1" java.lang.RuntimeException: Error
> > >> occured while checking udp connections
> > >>   at
> > >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
> > KdcNetwork.java:105)
> > >>   at
> > >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
> > access$000(KdcNetwork.java:39)
> > >>   at
> > >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.
> > run(KdcNetwork.java:75)
> > >>   at java.lang.Thread.run(Thread.java:748)
> > >> Caused by: java.nio.channels.ClosedChannelException
> > >>   at
> > >> sun.nio.ch.DatagramChannelImpl.ensureOpen(
> DatagramChannelImpl.java:320)
> > >>   at sun.nio.ch.DatagramChannelImpl.receive(
> > DatagramChannelImpl.java:331)
> > >>   at
> > >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
> > checkUdpMessage(KdcNetwork.java:132)
> > >>   at
> > >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
> > KdcNetwork.java:101)
> > >>
> > >> Colm.
> > >>
> > >>
> > >>> On Fri, May 5, 2017 at 5:56 PM, Zheng, Kai <kai.zheng@intel.com>
> > wrote:
> > >>>
> > >>> Colm, did you see udp problem now instead? I'm a little confused.
> > >>> Udp
> > is
> > >>> sure supported but may not be enabled by default, which should be
> > >>> okay, imo. Thanks.
> > >>>
> > >>> Sent from iPhone
> > >>>
> > >>>> On May 6, 2017, at 12:02 AM, Colm O hEigeartaigh <coheigea@apache.org> wrote:
> > >>>>
> > >>>> That's probably it. Why does the default transport not support
> > >>>> UDP in
> > >>> Kerby?
> > >>>>
> > >>>> Colm.
> > >>>>
> > >>>>> On Fri, May 5, 2017 at 4:54 PM, Li, Jiajia <jiajia.li@intel.com>
> > wrote:
> > >>>>>
> > >>>>> Are you sure add kdc_allow_udp = false in kdc.conf?
> > >>>>>
> > >>>>> Thanks
> > >>>>> Jiajia
> > >>>>>
> > >>>>> -----Original Message-----
> > >>>>> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > >>>>> Sent: Friday, May 5, 2017 11:41 PM
> > >>>>> To: Li, Jiajia <jiajia.li@intel.com>
> > >>>>> Cc: kerby@directory.apache.org; Zheng, Kai
> > >>>>> <kai.zheng@intel.com>; mailto:m.c.delignie@xs4all.nl
> > >>>>> <m.c.delignie@xs4all.nl>
> > >>>>> Subject: Re: MIT Kerberos compatibility
> > >>>>>
> > >>>>> Sorry, it was my error, UDP was actually enabled there. But why
> > >>>>> am I
> > >>> still
> > >>>>> seeing that error message?
> > >>>>>
> > >>>>> Colm.
> > >>>>>
> > >>>>>> On Fri, May 5, 2017 at 4:39 PM, Li, Jiajia
> > >>>>>> <jiajia.li@intel.com>
> > >>> wrote:
> > >>>>>>
> > >>>>>> Hi Colm,
> > >>>>>> I also test the Kerby KDC with kerby kinit and MIT kinit, and
> > >>>>>> only listen the tcp port(disable udp), both got ticket
> > >>>>>> successfully. But I don't get the error message. Both krb.conf
> > >>>>>> and kdc.conf should set udp to be false, udp is enabled in
> > >>>>>> default.
> > >>>>>>
> > >>>>>> Thanks
> > >>>>>> Jiajia
> > >>>>>>
> > >>>>>> -----Original Message-----
> > >>>>>> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > >>>>>> Sent: Friday, May 5, 2017 11:34 PM
> > >>>>>> To: kerby@directory.apache.org
> > >>>>>> Cc: Zheng, Kai <kai.zheng@intel.com>;
> > >>>>>> mailto:m.c.delignie@xs4all.nl <m.c.delignie@xs4all.nl>
> > >>>>>> Subject: Re: MIT Kerberos compatibility
> > >>>>>>
> > >>>>>> Hi Jiajia,
> > >>>>>>
> > >>>>>> If UDP is disabled and we don't use Netty, I can get a token
> > >>>>>> successfully via kinit. However I then see an error message in
> > >>>>>> the
> > >>> Kerby
> > >>>>> console:
> > >>>>>>
> > >>>>>> Exception in thread "Thread-1" java.lang.RuntimeException:
> > >>>>>> Error occured while checking udp connections  at
> > >>>>>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
> > >>>>>> KdcNetwork.java:105)
> > >>>>>>  at
> > >>>>>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
> > >>>>>> access$000(KdcNetwork.java:39)
> > >>>>>>  at
> > >>>>>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.
> > >>>>>> run(KdcNetwork.java:75)
> > >>>>>>  at java.lang.Thread.run(Thread.java:748)
> > >>>>>> Caused by: java.nio.channels.ClosedChannelException
> > >>>>>>  at
> > >>>>>> sun.nio.ch.DatagramChannelImpl.ensureOpen(
> > >>> DatagramChannelImpl.java:320)
> > >>>>>>  at sun.nio.ch.DatagramChannelImpl.receive(
> > >>>>>> DatagramChannelImpl.java:331)
> > >>>>>>  at
> > >>>>>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
> > >>>>>> checkUdpMessage(KdcNetwork.java:132)
> > >>>>>>  at
> > >>>>>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
> > >>>>>> KdcNetwork.java:101)
> > >>>>>>
> > >>>>>> I'm not sure why we are seeing UDP errors when it's disabled?
> > >>>>>>
> > >>>>>> Colm.
> > >>>>>>
> > >>>>>>> On Fri, May 5, 2017 at 3:57 PM, Li, Jiajia
> > >>>>>>> <jiajia.li@intel.com>
> > >>> wrote:
> > >>>>>>>
> > >>>>>>> Hi Colm,
> > >>>>>>> The shell client can't connect to kdc if the UDP is disabled.
> > >>>>>>> We don't use Netty in default.
> > >>>>>>> What's your test-cases? The same as the Marc's?
> > >>>>>>>
> > >>>>>>> Thanks
> > >>>>>>> Jiajia
> > >>>>>>>
> > >>>>>>> -----Original Message-----
> > >>>>>>> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > >>>>>>> Sent: Friday, May 5, 2017 10:09 PM
> > >>>>>>> To: kerby@directory.apache.org
> > >>>>>>> Cc: Zheng, Kai <kai.zheng@intel.com>;
> > >>>>>>> mailto:m.c.delignie@xs4all.nl <m.c.delignie@xs4all.nl>
> > >>>>>>> Subject: Re: MIT Kerberos compatibility
> > >>>>>>>
> > >>>>>>> Hi Jiajia,
> > >>>>>>>
> > >>>>>>> What are the issues if UDP is disabled and we don't use Netty?
> > >>>>>>> I tried doing this with my own test-cases and it didn't work,
> > >>>>>>> so it would be good to get this fixed soon.
> > >>>>>>>
> > >>>>>>> Colm.
> > >>>>>>>
> > >>>>>>> On Fri, May 5, 2017 at 2:46 PM, Li, Jiajia
> > >>>>>>> <jiajia.li@intel.com>
> > >>>>> wrote:
> > >>>>>>>
> > >>>>>>>> Hi Marc,
> > >>>>>>>>>>> - your KRB5 tracing looks quite different. What OS and
> > >>>>>>>>>>> mit-kerberos
> > >>>>>>>> version did you use?
> > >>>>>>>> I use mac os and the python version is 2.7.10
> > >>>>>>>>
> > >>>>>>>>>>> - your KRB5 tracing shows UDP comms between kerberos
> > >>>>>>>>>>> client and KDC,
> > >>>>>>>> despite the allowUDP = false setting
> > >>>>>>>>>>> in my test. I did this setting because I get different
> > >>>>>>>>>>> problems
> > >>>>>>>> without it, see the additional logs below. So,
> > >>>>>>>>>>> we must also be aware of networking problems at my side.
> > >>>>>>>> I enable the UDP and use netty network, there are some issues
> > >>>>>>>> if UDP disabled, you can create a JIRA for this and we can
> > >>>>>>>> fix this issue in the next release version.
> > >>>>>>>>
> > >>>>>>>> The changes in my side as following:
> > >>>>>>>>
> > >>>>>>>> protected boolean allowUdp() {
> > >>>>>>>>     return true;
> > >>>>>>>> }
> > >>>>>>>>
> > >>>>>>>> @Override
> > >>>>>>>> protected void prepareKdc() throws KrbException {
> > >>>>>>>>     getKdcServer().setInnerKdcImpl(
> > >>>>>>>>             new NettyKdcServerImpl(getKdcServer().getKdcSetting()));
> > >>>>>>>>     super.prepareKdc();
> > >>>>>>>> }
> > >>>>>>>>
> > >>>>>>>> Here is log of MitIssueTest:
> > >>>>>>>> [INFO] Running
> > >>>>>>>> org.apache.kerby.kerberos.kerb.server.MitIssueTest
> > >>>>>>>> [nioEventLoopGroup-2-1] INFO
> > >>>>>>>> io.netty.handler.logging.LoggingHandler
> > >>>>>>>> -
> > >>>>>>>> [id: 0x2634fe6b] REGISTERED
> > >>>>>>>> [nioEventLoopGroup-2-1] INFO
> > >>>>>>>> io.netty.handler.logging.LoggingHandler
> > >>>>>>>> -
> > >>>>>>>> [id: 0x2634fe6b] BIND(0.0.0.0/0.0.0.0:53957)
> > >>>>>>>> [nioEventLoopGroup-2-1] INFO
> > >>>>>>>> io.netty.handler.logging.LoggingHandler -
> > >>>>>>>> [id: 0x2634fe6b, /0:0:0:0:0:0:0:0:53957] ACTIVE [main] INFO
> > >>>>>>>> org.apache.kerby.kerberos.kdc.impl.NettyKdcServerImpl - Netty
> > >>>>>>>> kdc server started.
> > >>>>>>>> [nioEventLoopGroup-2-1] INFO
> > >>>>>>>> io.netty.handler.logging.LoggingHandler
> > >>>>>>>> -
> > >>>>>>>> [id: 0x2634fe6b, /0:0:0:0:0:0:0:0:53957] RECEIVED: [id:
> > >>>>>>>> 0xdac7228b, /
> > >>>>>>>> 127.0.0.1:53961 => /127.0.0.1:53957]
> > >>>>>>>> [defaultEventExecutorGroup-4-1] INFO
> > >>>>>>>> org.apache.kerby.kerberos.kerb.server.request.AsRequest
> > >>>>>>>> - AS_REQ ISSUE: authtime 1493991123792,drankye@TEST.COM for
> > >>>>>>>> krbtgt/ TEST.COM@TEST.COM [main] INFO
> > >>>>>>>> org.apache.kerby.kerberos.kerb.client.impl.
> > DefaultInternalKrbClien
> > >>>>>>>> t
> > >>>>>>>> - Send to kdc success.
> > >>>>>>>> [main] INFO
> > >>>>>>>> org.apache.kerby.kerberos.kerb.client.KrbClientBase - Storing
> the tgt to the credential cache file.
> > >>>>>>>> [nioEventLoopGroup-5-1] INFO
> > >>>>>>>> org.apache.kerby.kerberos.kerb.server.request.KdcRequest
> > >>>>>>>> - The preauth data is empty.
> > >>>>>>>> [nioEventLoopGroup-5-1] INFO
> > >>>>>>>> org.apache.kerby.kerberos.kerb.server.KdcHandler
> > >>>>>>>> - KRB error occurred while processing request:Additional
> > >>>>>>>> pre-authentication required [nioEventLoopGroup-5-1] INFO
> > >>>>>>>> org.apache.kerby.kerberos.kerb.server.request.AsRequest
> > >>>>>>>> - AS_REQ ISSUE: authtime
> > >>>>>>>> 1493991123859,test-service/localhost@TEST.COM
> > >>>>>>>> for krbtgt/TEST.COM@TEST.COM
> > >>>>>>>> [nioEventLoopGroup-5-1] INFO
> > >>>>>>>> org.apache.kerby.kerberos.kerb.server.request.TgsRequest
> > >>>>>>>> - TGS_REQ ISSUE: authtime 1493991142850,drankye for
> > >>>>>>>> test-service/ localhost@TEST.COM
> > >>>>>>>>
> > >>>>>>>> Thanks
> > >>>>>>>> Jiajia
> > >>>>>>>>
> > >>>>>>>> -----Original Message-----
> > >>>>>>>> From: Zheng, Kai
> > >>>>>>>> Sent: Friday, May 5, 2017 7:46 PM
> > >>>>>>>> To: kerby@directory.apache.org; Li, Jiajia
> > >>>>>>>> <jiajia.li@intel.com>
> > >>>>>>>> Subject: RE: MIT Kerberos compatibility
> > >>>>>>>>
> > >>>>>>>> Hi Marc,
> > >>>>>>>>
> > >>>>>>>> Looks like this is quite environment related, could you fire
> > >>>>>>>> an issue for this? I would suggest we target it to 1.1.0,
> > >>>>>>>> which can be done in
> > >>>>>>> June.
> > >>>>>>>>
> > >>>>>>>> Regards,
> > >>>>>>>> Kai
> > >>>>>>>>
> > >>>>>>>> -----Original Message-----
> > >>>>>>>> From: Marc de Lignie [mailto:m.c.delignie@xs4all.nl]
> > >>>>>>>> Sent: Friday, May 05, 2017 4:44 PM
> > >>>>>>>> To: Li, Jiajia <jiajia.li@intel.com>
> > >>>>>>>> Cc: kerby@directory.apache.org
> > >>>>>>>> Subject: Re: MIT Kerberos compatibility
> > >>>>>>>>
> > >>>>>>>> Hi Jiajia,
> > >>>>>>>>
> > >>>>>>>> Great to read that you made progress on this issue and to see
> > >>>>>>>> a working config at your side. Below, I list my progress
> > >>>>>>>> below (with trunk merged into my MitIssue branch), but I am
> > >>>>>>>> afraid we are not done
> > >>>>>>> yet.
> > >>>>>>>>
> > >>>>>>>> Things that stand out:
> > >>>>>>>>
> > >>>>>>>> - the kdc decoding error is solved, relative to the logs
> > >>>>>>>> without your patch
> > >>>>>>>>
> > >>>>>>>> - your KRB5 tracing looks quite different. What OS and
> > >>>>>>>> mit-kerberos version did you use?
> > >>>>>>>>
> > >>>>>>>> - your KRB5 tracing shows UDP comms between kerberos client
> > >>>>>>>> and KDC, despite the allowUDP = false setting in my test. I
> > >>>>>>>> did this setting because I get different problems without it,
> > >>>>>>>> see the additional logs below. So, we must also be aware of
> > >>>>>>>> networking
> > >>>>> problems at my side.
> > >>>>>>>>
> > >>>>>>>> - the "Response was not from master KDC" msg is not relevant;
> > >>>>>>>> it disappears if you manually add master_kdc to the realms
> > >>>>>>>> section of the krb5.conf
> > >>>>>>>>
> > >>>>>>>> I have no idea how to proceed from here, so that is why I
> > >>>>>>>> just document the status at my side and ask about your -
> > >>>>>>>> apparently working -
> > >>>>>>> config.
> > >>>>>>>>
> > >>>>>>>> Cheers,   Marc
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>> KDC logging with allowUDP = false:
> > >>>>>>>>
> > >>>>>>>> [INFO] Running
> > >>>>>>>> org.apache.kerby.kerberos.kerb.server.MitIssueTest
> > >>>>>>>> [pool-1-thread-1] INFO
> > >>>>>>>> org.apache.kerby.kerberos.kerb.server.request.AsRequest -
> > >>>>>>>> AS_REQ
> > >>>>>> ISSUE:
> > >>>>>>>> authtime 1493970789075,drankye@TEST.COM for
> > >>>>>>>> krbtgt/TEST.COM@TEST.COM [main] INFO
> > >>>>>>>> org.apache.kerby.kerberos.kerb.client.impl.
> > DefaultInternalKrbClien
> > >>>>>>>> t
> > >>>>>>>> - Send to kdc success.
> > >>>>>>>> [main] INFO
> > >>>>>>>> org.apache.kerby.kerberos.kerb.client.KrbClientBase - Storing
> the tgt to the credential cache file.
> > >>>>>>>> [pool-1-thread-1] INFO
> > >>>>>>>> org.apache.kerby.kerberos.kerb.server.request.KdcRequest -
> > >>>>>>>> The preauth data is empty.
> > >>>>>>>> [pool-1-thread-1] INFO
> > >>>>>>>> org.apache.kerby.kerberos.kerb.server.KdcHandler
> > >>>>>>>> - KRB error occurred while processing request:Additional
> > >>>>>>>> pre-authentication required [pool-1-thread-1] INFO
> > >>>>>>>> org.apache.kerby.kerberos.kerb.server.request.AsRequest -
> > >>>>>>>> AS_REQ
> > >>>>>> ISSUE:
> > >>>>>>>> authtime 1493970789108,test-service/localhost@TEST.COM for
> > krbtgt/
> > >>>>>>>> TEST.COM@TEST.COM [pool-1-thread-1] INFO
> > >>>>>>>> org.apache.kerby.kerberos.kerb.server.request.KdcRequest
> > >>>>>>>> - Found fast padata and starting to process it.
> > >>>>>>>> [pool-1-thread-1] INFO
> > >>>>>>>> org.apache.kerby.kerberos.kerb.server.request.KdcRequest -
> > >>>>>>>> Found fast padata and starting to process it.
> > >>>>>>>>
> > >>>>>>>> Python script KRB5 tracing (MIT Kerberos 1.13.2 of Ubuntu
> > >>>>>>>> Xenial) with allowUDP = false:
> > >>>>>>>>
> > >>>>>>>> $ .
> > >>>>>>>> kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/
> > >>>>>>>> kerberos/kerb/server/MitIssueTest.sh
> > >>>>>>>> [25281] 1493970797.298753: Retrieving drankye@TEST.COM from
> > >>>>>>>> FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0)
> > >>>>>>>> with
> > >>>>> result:
> > >>>>>>>> 2/Key table file '/etc/krb5/user/1000/client.keytab' not
> > >>>>>>>> found [25281]
> > >>>>>>>> 1493970797.298952: Retrieving drankye@TEST.COM from
> > >>>>>>>> FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0)
> > >>>>>>>> with
> > >>>>> result:
> > >>>>>>>> 2/Key table file '/etc/krb5/user/1000/client.keytab' not
> > >>>>>>>> found [25281]
> > >>>>>>>> 1493970797.299106: Retrieving drankye@TEST.COM from
> > >>>>>>>> FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0)
> > >>>>>>>> with
> > >>>>> result:
> > >>>>>>>> 2/Key table file '/etc/krb5/user/1000/client.keytab' not
> > >>>>>>>> found [25281]
> > >>>>>>>> 1493970797.299213: Retrieving drankye@TEST.COM from
> > >>>>>>>> FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0)
> > >>>>>>>> with
> > >>>>> result:
> > >>>>>>>> 2/Key table file '/etc/krb5/user/1000/client.keytab' not
> > >>>>>>>> found [25281]
> > >>>>>>>> 1493970797.299323: Retrieving drankye@TEST.COM from
> > >>>>>>>> FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0)
> > >>>>>>>> with
> > >>>>> result:
> > >>>>>>>> 2/Key table file '/etc/krb5/user/1000/client.keytab' not
> > >>>>>>>> found [25281]
> > >>>>>>>> 1493970797.299436: Retrieving drankye@TEST.COM from
> > >>>>>>>> FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0)
> > >>>>>>>> with
> > >>>>> result:
> > >>>>>>>> 2/Key table file '/etc/krb5/user/1000/client.keytab' not
> > >>>>>>>> found [25281]
> > >>>>>>>> 1493970797.299545: Retrieving drankye@TEST.COM from
> > >>>>>>>> FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0)
> > >>>>>>>> with
> > >>>>> result:
> > >>>>>>>> 2/Key table file '/etc/krb5/user/1000/client.keytab' not
> > >>>>>>>> found [25281]
> > >>>>>>>> 1493970797.299654: Retrieving drankye@TEST.COM from
> > >>>>>>>> FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0)
> > >>>>>>>> with
> > >>>>> result:
> > >>>>>>>> 2/Key table file '/etc/krb5/user/1000/client.keytab' not
> > >>>>>>>> found kerberos.authGSSClientInit successful [25281]
> 1493970797.299922:
> > >>>>>>>> Getting credentials drankye@TEST.COM ->
> > >>>>>>>> test-service/localhost@ using ccache
> > >>>>>>>> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> > >>>>>>>> [25281] 1493970797.299945: Retrieving drankye@TEST.COM ->
> > >>>>>>>> test-service/localhost@ from
> > >>>>>>>> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> > >>>>>>>> with result:
> > >>>>>>>> -1765328243/Matching credential not found [25281]
> > 1493970797.299959:
> > >>>>>>>> Retrying drankye@TEST.COM -> test-service/localhost@TEST.COM
> > >>>>>>>> with
> > >>>>>>> result:
> > >>>>>>>> -1765328243/Matching credential not found [25281]
> > 1493970797.299962:
> > >>>>>>>> Server has referral realm; starting with
> > >>>>>>>> test-service/localhost@TEST.COM [25281]
> > >>>>>>>> 1493970797.299975: Retrieving drankye@TEST.COM ->
> > >>>>>>>> krbtgt/TEST.COM@TEST.COM from
> > >>>>>>>> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> > >>>>>>> with result:
> > >>>>>>>> 0/Success [25281] 1493970797.299979: Starting with TGT for
> > >>>>>>>> client
> > >>>>>> realm:
> > >>>>>>>> drankye@TEST.COM -> krbtgt/TEST.COM@TEST.COM [25281]
> > >>>>>> 1493970797.299981:
> > >>>>>>>> Requesting tickets for test-service/localhost@TEST.COM,
> > >>>>>>>> referrals on [25281] 1493970797.299994: Generated subkey for
> TGS request:
> > >>>>>>>> aes128-cts/1B9B [25281] 1493970797.300009: etypes requested
> > >>>>>>>> in TGS
> > >>>>>>> request:
> > >>>>>>>> aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac,
> > >>>>>>>> camellia128-cts, camellia256-cts [25281] 1493970797.300054:
> > >>>>>>>> Encoding request body and padata into FAST request [25281]
> > >>>>>>>> 1493970797.300080: Sending request
> > >>>>>>>> (823 bytes) to TEST.COM [25281] 1493970797.300091: Resolving
> > >>>>>>>> hostname localhost [25281]
> > >>>>>>>> 1493970797.300136: Initiating TCP connection to stream
> > >>>>>>>> 127.0.0.1:34319
> > >>>>>>>> [25281] 1493970797.300191: Sending TCP request to stream
> > >>>>>>>> 127.0.0.1:34319 [25281] 1493970797.303610: Received answer
> > >>>>>>>> (125
> > >>>>>>>> bytes) from stream
> > >>>>>>>> 127.0.0.1:34319
> > >>>>>>>> [25281] 1493970797.303618: Terminating TCP connection to
> > >>>>>>>> stream
> > >>>>>>>> 127.0.0.1:34319
> > >>>>>>>> [25281] 1493970797.553126: Response was not from master KDC
> > >>>>>>>> [25281]
> > >>>>>>>> 1493970797.553198: TGS request result: -1765323383/Unknown
> > >>>>>>>> code krcM
> > >>>>>>>> 137 [25281] 1493970797.553234: Requesting tickets for
> > >>>>>>>> test-service/ localhost@TEST.COM, referrals off [25281]
> > >>>>> 1493970797.553273:
> > >>>>>>>> Generated subkey for TGS request: aes128-cts/94C6 [25281]
> > >>>>>> 1493970797.553323:
> > >>>>>>>> etypes requested in TGS request: aes256-cts, aes128-cts,
> > >>>>>>>> des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
> > >>>>>>>> [25281]
> > >>>>>>>> 1493970797.553436: Encoding request body and padata into FAST
> > >>>>>>>> request
> > >>>>>>> [25281] 1493970797.553532:
> > >>>>>>>> Sending request (823 bytes) to TEST.COM [25281]
> > 1493970797.553567:
> > >>>>>>>> Resolving hostname localhost [25281] 1493970797.553745:
> > >>>>>>>> Initiating TCP connection to stream
> > >>>>>>>> 127.0.0.1:34319
> > >>>>>>>> [25281] 1493970797.553889: Sending TCP request to stream
> > >>>>>>>> 127.0.0.1:34319 [25281] 1493970797.558297: Received answer
> > >>>>>>>> (125
> > >>>>>>>> bytes) from stream
> > >>>>>>>> 127.0.0.1:34319
> > >>>>>>>> [25281] 1493970797.558318: Terminating TCP connection to
> > >>>>>>>> stream
> > >>>>>>>> 127.0.0.1:34319
> > >>>>>>>> [25281] 1493970797.561189: Response was not from master KDC
> > >>>>>>>> [25281]
> > >>>>>>>> 1493970797.561258: TGS request result: -1765323383/Unknown
> > >>>>>>>> code krcM
> > >>>>>>>> 137 ('First kerberos.authGSSClientStep not successful',
> > >>>>>>>> GSSError(('Unspecified GSS failure.  Minor code may provide
> > >>>>>>>> more information', 851968), ('Unknown code krcM 137',
> > >>>>>>>> -1765323383)))
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>> KDC logging with allowUDP = true:
> > >>>>>>>>
> > >>>>>>>> [INFO] Running
> > >>>>>>>> org.apache.kerby.kerberos.kerb.server.MitIssueTest
> > >>>>>>>> [pool-1-thread-1] INFO
> > >>>>>>>> org.apache.kerby.kerberos.kerb.server.request.AsRequest -
> > >>>>>>>> AS_REQ
> > >>>>>> ISSUE:
> > >>>>>>>> authtime 1493972505784,drankye@TEST.COM for
> > >>>>>>>> krbtgt/TEST.COM@TEST.COM [main] INFO
> > >>>>>>>> org.apache.kerby.kerberos.kerb.client.impl.
> > DefaultInternalKrbClien
> > >>>>>>>> t
> > >>>>>>>> - Send to kdc success.
> > >>>>>>>> [main] INFO
> > >>>>>>>> org.apache.kerby.kerberos.kerb.client.KrbClientBase - Storing
> the tgt to the credential cache file.
> > >>>>>>>> [pool-1-thread-1] INFO
> > >>>>>>>> org.apache.kerby.kerberos.kerb.server.request.KdcRequest -
> > >>>>>>>> The preauth data is empty.
> > >>>>>>>> [pool-1-thread-1] INFO
> > >>>>>>>> org.apache.kerby.kerberos.kerb.server.KdcHandler
> > >>>>>>>> - KRB error occurred while processing request:Additional
> > >>>>>>>> pre-authentication required [pool-1-thread-2] INFO
> > >>>>>>>> org.apache.kerby.kerberos.kerb.server.request.AsRequest -
> > >>>>>>>> AS_REQ
> > >>>>>> ISSUE:
> > >>>>>>>> authtime 1493972505948,test-service/localhost@TEST.COM for
> > krbtgt/
> > >>>>>>>> TEST.COM@TEST.COM Exception in thread "Thread-0"
> > >>>>>>>> java.lang.RuntimeException: Error occured while checking udp
> > >>>>>> connections
> > >>>>>>>>   at
> > >>>>>>>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
> > >>>>>>>> KdcNetwork.java:105)
> > >>>>>>>>   at
> > >>>>>>>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
> > >>>>>>>> access$000(KdcNetwork.java:39)
> > >>>>>>>>   at
> > >>>>>>>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.
> > >>>>>>>> run(KdcNetwork.java:75)
> > >>>>>>>>   at java.lang.Thread.run(Thread.java:748)
> > >>>>>>>> Caused by: java.nio.channels.ClosedChannelException
> > >>>>>>>>   at
> > >>>>>>>> sun.nio.ch.DatagramChannelImpl.ensureOpen(
> > >>>>>> DatagramChannelImpl.java:320)
> > >>>>>>>>   at sun.nio.ch.DatagramChannelImpl.receive(
> > >>>>>>>> DatagramChannelImpl.java:331)
> > >>>>>>>>   at
> > >>>>>>>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
> > >>>>>>>> checkUdpMessage(KdcNetwork.java:132)
> > >>>>>>>>   at
> > >>>>>>>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
> > >>>>>>>> KdcNetwork.java:101)
> > >>>>>>>>   ... 3 more
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>> krb5.conf:
> > >>>>>>>>
> > >>>>>>>> [libdefaults]
> > >>>>>>>>   kdc_realm = TEST.COM
> > >>>>>>>>   default_realm = TEST.COM
> > >>>>>>>>   udp_preference_limit = 4096
> > >>>>>>>>   kdc_tcp_port = 37080
> > >>>>>>>>   kdc_udp_port = 36525
> > >>>>>>>>
> > >>>>>>>> [realms]
> > >>>>>>>>   TEST.COM = {
> > >>>>>>>>       kdc = localhost:36525
> > >>>>>>>>   }
> > >>>>>>>>
> > >>>>>>>> And port 36525 does not show up in `netstat -l` (while 37080
> > >>>>>>>> does)
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>> Op 04-05-17 om 14:55 schreef Li, Jiajia:
> > >>>>>>>>> Hi Marc,
> > >>>>>>>>> I try to run your test(through applying your patch in the
> > >>>>>>>>> trunk) , I
> > >>>>>>>> think it's success now.  Could you take some time to check
> > >>>>>>>> about
> > it?
> > >>>>>>>>> Here is the log:
> > >>>>>>>>>
> > >>>>>>>>> directory-kerby git:(trunk) ? .
> > >>>>>>>>> kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerb
> > >>>>>>>>> eros
> > >>>>>>>>> /k
> > >>>>>>>>> er
> > >>>>>>>>> b/
> > >>>>>>>>> server/MitIssueTest.sh
> > >>>>>>>>> kerberos.authGSSClientInit successful
> > >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328234: entypes not
> > >>>>>>>>> supported
> > >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328243: Did not find
> > >>>>>>>>> credential for krb5_ccache_conf_data/realm-config@X-CACHECONF:
> > >>>>>>>>> in cache
> > >>>>>>>>> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> > >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328243: Did not find
> > >>>>>>>>> credential for test-service/localhost@TEST.COM in cache
> > >>>>>>>>> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> > >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328243: Did not find
> > >>>>>>>>> credential for
> > >>>>>>>>> krb5_ccache_conf_data/negative-cache/test-service\134/localh
> > >>>>>>>>> ost\
> > >>>>>>>>> 13
> > >>>>>>>>> 4@
> > >>>>>>>>> TE
> > >>>>>>>>> ST.COM@X-CACHECONF: in cache
> > >>>>>>>>> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> > >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328243: Did not find
> > >>>>>>>>> credential for krb5_ccache_conf_data/lkdc-hostname@X-CACHECONF
> :
> > >>>>>>>>> in cache
> > >>>>>>>>> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> > >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328243: Did not find
> > >>>>>>>>> credential for krb5_ccache_conf_data/sitename@X-CACHECONF:
> > >>>>>>>>> in cache
> > >>>>>>>>> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> > >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328243: Did not find
> > >>>>>>>>> credential for test-service/localhost@TEST.COM in cache
> > >>>>>>>>> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> > >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328234: Encryption type
> > >>>>>>>>> des-cbc-md5-deprecated not supported
> > >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328234: Encryption type
> > >>>>>>>>> des-cbc-md4-deprecated not supported
> > >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328234: Encryption type
> > >>>>>>>>> des-cbc-crc-deprecated not supported
> > >>>>>>>>> 2017-05-04T20:44:06 Trying to find service kdc for realm
> > >>>>>>>>> TEST.COM flags 0
> > >>>>>>>>> 2017-05-04T20:44:06 configuration file for realm TEST.COM
> > >>>>>>>>> found
> > >>>>>>>>> 2017-05-04T20:44:06 submissing new requests to new host
> > >>>>>>>>> 2017-05-04T20:44:06 host_create: setting hostname localhost
> > >>>>>>>>> 2017-05-04T20:44:06 connecting to host: udp ::1:52534
> > >>>>>>>>> (localhost)
> > >>>>>> tid:
> > >>>>>>>>> 00000001
> > >>>>>>>>> 2017-05-04T20:44:06 host_create: setting hostname localhost
> > >>>>>>>>> 2017-05-04T20:44:06 Queuing host in future (in 3s), its the
> > >>>>>>>>> 2 address on the same name: udp 127.0.0.1:52534<http://127.0.0.1:52534> (localhost)
> tid:
> > >>>>>>>>> 00000002
> > >>>>>>>>> 2017-05-04T20:44:06 writing packet: udp ::1:52534
> > >>>>>>>>> (localhost)
> > tid:
> > >>>>>>>>> 00000001
> > >>>>>>>>> 2017-05-04T20:44:06 reading packet: udp ::1:52534
> > >>>>>>>>> (localhost)
> > tid:
> > >>>>>>>>> 00000001
> > >>>>>>>>> 2017-05-04T20:44:06 host completed: udp ::1:52534
> > >>>>>>>>> (localhost)
> > tid:
> > >>>>>>>>> 00000001
> > >>>>>>>>> 2017-05-04T20:44:06 krb5_sendto_context TEST.COM<http://TEST.COM> done: 0
> > >>>>>>>>> hosts 1 packets 1 wc: 0.048927 nr: 0.000932 kh: 0.000814
> > >>>>>>>>> tid: 00000002
> > >>>>>>>>> 2017-05-04T20:44:06 tkt: extract key 17/763641F3
> > >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328353: Decrypt
> > >>>>>>>>> integrity check failed for checksum type
> > >>>>>>>>> hmac-sha1-96-aes128, key type
> > >>>>>>>>> aes128-cts-hmac-sha1-96
> > >>>>>>>>> 2017-05-04T20:44:06 tkt: extract key 17/3084A95C
> > >>>>>>>>> 2017-05-04T20:44:06 krb5_get_credentials_with_flags:
> > >>>>>>>>> TEST.COM<http://TEST.COM>
> > wc:
> > >>>>>>>>> 0.050317
> > >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328243: Did not find
> > >>>>>>>>> credential for krb5_ccache_conf_data/realm-config@X-CACHECONF:
> > >>>>>>>>> in cache
> > >>>>>>>>> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> > >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328243: Did not find
> > >>>>>>>>> credential for
> > >>>>>>>>> krb5_ccache_conf_data/time-offset/test-service\134/
> > >>>>>> localhost\134@TEST.
> > >>>>>>>>> COM@X-CACHECONF: in cache
> > >>>>>>>>> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> > >>>>>>>>> 2017-05-04T20:44:06 Setting up PFS for auth context
> > >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328234: Encryption type
> > >>>>>>>>> des-cbc-md5-deprecated not supported
> > >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328234: Encryption type
> > >>>>>>>>> des-cbc-md4-deprecated not supported
> > >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328234: Encryption type
> > >>>>>>>>> des-cbc-crc-deprecated not supported First
> > >>>>>>>>> kerberos.authGSSClientStep successful
> > >>>>>>>>>
> > >>>>>>>>> Thanks
> > >>>>>>>>> Jiajia
> > >>>>>>>>>
> > >>>>>>>>> -----Original Message-----
> > >>>>>>>>> From: Zheng, Kai [mailto:kai.zheng@intel.com]
> > >>>>>>>>> Sent: Wednesday, May 3, 2017 7:29 PM
> > >>>>>>>>> To: kerby@directory.apache.org
> > >>>>>>>>> Subject: RE: MIT Kerberos compatibility
> > >>>>>>>>>
> > >>>>>>>>> Hi Marc,
> > >>>>>>>>>
> > >>>>>>>>> In case you're not aware of this, please check out the
> > >>>>>>>>> latest fix made by Jiajia. We thought your case may be
> > >>>>>>>>> different, but would be good to have a check before we can
> > >>>>>>>>> repeat/fix your case. Thanks.
> > >>>>>>>>> https://issues.apache.org/jira/browse/DIRKRB-625
> > >>>>>>>>>
> > >>>>>>>>> Regards,
> > >>>>>>>>> Kai
> > >>>>>>>>>
> > >>>>>>>>> -----Original Message-----
> > >>>>>>>>> From: Marc de Lignie [mailto:m.c.delignie@xs4all.nl]
> > >>>>>>>>> Sent: Sunday, April 30, 2017 7:45 PM
> > >>>>>>>>> To: kerby@directory.apache.org
> > >>>>>>>>> Subject: Re: MIT Kerberos compatibility
> > >>>>>>>>>
> > >>>>>>>>> Hi Kai,
> > >>>>>>>>>
> > >>>>>>>>> The terminal output below is for the latest MIT Kerberos
> > >>>>>>>>> 1.15.1 (locally built on Ubuntu Xenial). Before that, I also
> > >>>>>>>>> tested with the default Xenial MIT Kerberos packages (1.13.2),
> > >>>>>>>>> with the same result. I did not try earlier MIT Kerberos versions.
> > >>>>>>>>>
> > >>>>>>>>> Marc
> > >>>>>>>>>
> > >>>>>>>>> On 29-04-17 at 21:42, Marc de Lignie wrote:
> > >>>>>>>>>> Hi Kai,
> > >>>>>>>>>>
> > >>>>>>>>>> Thanks for the response. I prepared a minimal config that
> > >>>>>>>>>> reproduces my problem.
> > >>>>>>>>>>
> > >>>>>>>>>> You can fetch the branch/commit from:
> > >>>>>>>>>> https://github.com/vtslab/directory-kerby/commits/MitIssue
> > >>>>>>>>>>
> > >>>>>>>>>> This is relative to RC2, but I also tried this on trunk for
> > >>>>>>>>>> my actual project.
> > >>>>>>>>>>
> > >>>>>>>>>> This config produces the debug and error messages below.
> > >>>>>>>>>>
> > >>>>>>>>>> 1. For the terminal with the bash + python script
> > >>>>>>>>>> $ klist
> > >>>>>>>>>> Ticket cache: FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> > >>>>>>>>>> Default principal: drankye@TEST.COM
> > >>>>>>>>>>
> > >>>>>>>>>> Valid starting     Expires            Service principal
> > >>>>>>>>>> 29-04-17 21:07:39  30-04-17 05:07:39  krbtgt/TEST.COM@TEST.COM
> > >>>>>>>>>>   renew until 29-04-17 21:07:39
> > >>>>>>>>>>
> > >>>>>>>>>> $ . kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/MitIssueTest.sh
> > >>>>>>>>>> [15538] 1493491231.917606: Retrieving drankye@TEST.COM from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
> > >>>>>>>>>> [15538] 1493491231.917827: Retrieving drankye@TEST.COM from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
> > >>>>>>>>>> kerberos.authGSSClientInit successful
> > >>>>>>>>>> [15538] 1493491231.918185: Getting credentials drankye@TEST.COM -> test-service/localhost@ using ccache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> > >>>>>>>>>> [15538] 1493491231.918210: Retrieving drankye@TEST.COM -> test-service/localhost@ from FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc with result: -1765328243/Matching credential not found (filename: kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc)
> > >>>>>>>>>> [15538] 1493491231.918226: Retrying drankye@TEST.COM -> test-service/localhost@TEST.COM with result: -1765328243/Matching credential not found (filename: kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc)
> > >>>>>>>>>> [15538] 1493491231.918229: Server has referral realm; starting with test-service/localhost@TEST.COM
> > >>>>>>>>>> [15538] 1493491231.918278: Retrieving drankye@TEST.COM -> krbtgt/TEST.COM@TEST.COM from FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc with result: 0/Success
> > >>>>>>>>>> [15538] 1493491231.918281: Starting with TGT for client realm: drankye@TEST.COM -> krbtgt/TEST.COM@TEST.COM
> > >>>>>>>>>> [15538] 1493491231.918301: Requesting tickets for test-service/localhost@TEST.COM, referrals on
> > >>>>>>>>>> [15538] 1493491231.918326: Generated subkey for TGS request: aes128-cts/FA30
> > >>>>>>>>>> [15538] 1493491231.918359: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
> > >>>>>>>>>> [15538] 1493491231.918484: Encoding request body and padata into FAST request
> > >>>>>>>>>> [15538] 1493491231.918541: Sending request (836 bytes) to TEST.COM
> > >>>>>>>>>> [15538] 1493491231.918597: Resolving hostname localhost
> > >>>>>>>>>> [15538] 1493491231.918703: Initiating TCP connection to stream 127.0.0.1:44292
> > >>>>>>>>>> [15538] 1493491231.918777: Sending TCP request to stream 127.0.0.1:44292
> > >>>>>>>>>> [15538] 1493491231.922803: TCP error receiving from stream 127.0.0.1:44292: 104/Connection reset by peer
> > >>>>>>>>>> [15538] 1493491231.922812: Terminating TCP connection to stream 127.0.0.1:44292
> > >>>>>>>>>> [15538] 1493491231.922858: Sending initial UDP request to dgram 127.0.0.1:44292
> > >>>>>>>>>> ('First kerberos.authGSSClientStep not successful', GSSError(('Unspecified GSS failure.  Minor code may provide more information', 851968), ("Cannot contact any KDC for realm 'TEST.COM'", -1765328228)))
> > >>>>>>>>>>
> > >>>>>>>>>> 2. For the terminal that runs mvn clean test -Dtest=MitIssueTest
> > >>>>>>>>>> Running org.apache.kerby.kerberos.kerb.server.MitIssueTest
> > >>>>>>>>>> 2017-04-29 21:07:39,182 DEBUG [main] backend.AbstractIdentityBackend: initialize called
> > >>>>>>>>>> 2017-04-29 21:07:39,195 DEBUG [main] backend.AbstractIdentityBackend: getIdentity called, principalName = krbtgt/TEST.COM@TEST.COM
> > >>>>>>>>>> 2017-04-29 21:07:39,195 DEBUG [main] backend.AbstractIdentityBackend: getIdentity failed, principalName = krbtgt/TEST.COM@TEST.COM
> > >>>>>>>>>> 2017-04-29 21:07:39,212 DEBUG [main] backend.AbstractIdentityBackend: addIdentity successful, principalName = krbtgt/TEST.COM@TEST.COM
> > >>>>>>>>>> 2017-04-29 21:07:39,212 DEBUG [main] backend.AbstractIdentityBackend: getIdentity called, principalName = kadmin/TEST.COM@TEST.COM
> > >>>>>>>>>> 2017-04-29 21:07:39,212 DEBUG [main] backend.AbstractIdentityBackend: getIdentity failed, principalName = kadmin/TEST.COM@TEST.COM
> > >>>>>>>>>> 2017-04-29 21:07:39,213 DEBUG [main] backend.AbstractIdentityBackend: addIdentity successful, principalName = kadmin/TEST.COM@TEST.COM
> > >>>>>>>>>> 2017-04-29 21:07:39,216 DEBUG [main] backend.AbstractIdentityBackend: start called
> > >>>>>>>>>> 2017-04-29 21:07:39,232 DEBUG [main] backend.AbstractIdentityBackend: addIdentity successful, principalName = test-service/localhost@TEST.COM
> > >>>>>>>>>> 2017-04-29 21:07:39,425 DEBUG [main] backend.AbstractIdentityBackend: addIdentity successful, principalName = drankye@TEST.COM
> > >>>>>>>>>> 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = krbtgt/TEST.COM@TEST.COM
> > >>>>>>>>>> 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = krbtgt/TEST.COM@TEST.COM
> > >>>>>>>>>> 2017-04-29 21:07:39,465 INFO  [pool-1-thread-1] request.KdcRequest: Client entry is empty.
> > >>>>>>>>>> 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = drankye@TEST.COM
> > >>>>>>>>>> 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = drankye@TEST.COM
> > >>>>>>>>>> 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = krbtgt/TEST.COM@TEST.COM
> > >>>>>>>>>> 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = krbtgt/TEST.COM@TEST.COM
> > >>>>>>>>>> 2017-04-29 21:07:39,476 DEBUG [pool-1-thread-1] impl.DefaultKdcHandler: Transport or decoding error occurred, disconnecting abnormally
> > >>>>>>>>>> java.io.EOFException
> > >>>>>>>>>>   at java.io.DataInputStream.readInt(DataInputStream.java:392)
> > >>>>>>>>>>   at org.apache.kerby.kerberos.kerb.transport.KrbTcpTransport.receiveMessage(KrbTcpTransport.java:54)
> > >>>>>>>>>>   at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:46)
> > >>>>>>>>>>   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> > >>>>>>>>>>   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> > >>>>>>>>>>   at java.lang.Thread.run(Thread.java:748)
> > >>>>>>>>>> 2017-04-29 21:07:39,477 INFO  [main] client.KrbClientBase: Storing the tgt to the credential cache file.
> > >>>>>>>>>> 2017-04-29 21:07:39,491 DEBUG [main] backend.AbstractIdentityBackend: getIdentity called, principalName = test-service/localhost@TEST.COM
> > >>>>>>>>>> 2017-04-29 21:07:39,491 DEBUG [main] backend.AbstractIdentityBackend: getIdentity successful, principalName = test-service/localhost@TEST.COM
> > >>>>>>>>>> 2017-04-29 21:07:39,498 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = krbtgt/TEST.COM@TEST.COM
> > >>>>>>>>>> 2017-04-29 21:07:39,498 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = krbtgt/TEST.COM@TEST.COM
> > >>>>>>>>>> 2017-04-29 21:07:39,498 INFO  [pool-1-thread-1] request.KdcRequest: Client entry is empty.
> > >>>>>>>>>> 2017-04-29 21:07:39,499 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = test-service/localhost@TEST.COM
> > >>>>>>>>>> 2017-04-29 21:07:39,499 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = test-service/localhost@TEST.COM
> > >>>>>>>>>> 2017-04-29 21:07:39,499 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = krbtgt/TEST.COM@TEST.COM
> > >>>>>>>>>> 2017-04-29 21:07:39,499 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = krbtgt/TEST.COM@TEST.COM
> > >>>>>>>>>> 2017-04-29 21:07:39,499 INFO  [pool-1-thread-1] request.KdcRequest: The preauth data is empty.
> > >>>>>>>>>> 2017-04-29 21:07:39,501 INFO  [pool-1-thread-1] server.KdcHandler: KRB error occurred while processing request:Additional pre-authentication required
> > >>>>>>>>>> 2017-04-29 21:07:39,502 DEBUG [pool-1-thread-1] impl.DefaultKdcHandler: Transport or decoding error occurred, disconnecting abnormally
> > >>>>>>>>>> java.io.EOFException
> > >>>>>>>>>>   at java.io.DataInputStream.readInt(DataInputStream.java:392)
> > >>>>>>>>>>   at org.apache.kerby.kerberos.kerb.transport.KrbTcpTransport.receiveMessage(KrbTcpTransport.java:54)
> > >>>>>>>>>>   at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:46)
> > >>>>>>>>>>   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> > >>>>>>>>>>   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> > >>>>>>>>>>   at java.lang.Thread.run(Thread.java:748)
> > >>>>>>>>>> 2017-04-29 21:07:39,505 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = krbtgt/TEST.COM@TEST.COM
> > >>>>>>>>>> 2017-04-29 21:07:39,505 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = krbtgt/TEST.COM@TEST.COM
> > >>>>>>>>>> 2017-04-29 21:07:39,505 INFO  [pool-1-thread-1] request.KdcRequest: Client entry is empty.
> > >>>>>>>>>> 2017-04-29 21:07:39,506 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = test-service/localhost@TEST.COM
> > >>>>>>>>>> 2017-04-29 21:07:39,506 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = test-service/localhost@TEST.COM
> > >>>>>>>>>> 2017-04-29 21:07:39,506 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = krbtgt/TEST.COM@TEST.COM
> > >>>>>>>>>> 2017-04-29 21:07:39,506 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = krbtgt/TEST.COM@TEST.COM
> > >>>>>>>>>> 2017-04-29 21:07:39,510 DEBUG [pool-1-thread-1] impl.DefaultKdcHandler: Transport or decoding error occurred, disconnecting abnormally
> > >>>>>>>>>> java.io.EOFException
> > >>>>>>>>>>   at java.io.DataInputStream.readInt(DataInputStream.java:392)
> > >>>>>>>>>>   at org.apache.kerby.kerberos.kerb.transport.KrbTcpTransport.receiveMessage(KrbTcpTransport.java:54)
> > >>>>>>>>>>   at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:46)
> > >>>>>>>>>>   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> > >>>>>>>>>>   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> > >>>>>>>>>>   at java.lang.Thread.run(Thread.java:748)
> > >>>>>>>>>> 2017-04-29 21:07:55,602 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity called, principalName = krbtgt/TEST.COM@TEST.COM
> > >>>>>>>>>> 2017-04-29 21:07:55,602 DEBUG [pool-1-thread-1] backend.AbstractIdentityBackend: getIdentity successful, principalName = krbtgt/TEST.COM@TEST.COM
> > >>>>>>>>>> 2017-04-29 21:07:55,602 INFO  [pool-1-thread-1] request.KdcRequest: Found fast padata and start to process it.
> > >>>>>>>>>> 2017-04-29 21:07:55,603 ERROR [pool-1-thread-1] impl.DefaultKdcHandler: Error occured while processing request:
> > >>>>>>>>>> org.apache.kerby.kerberos.kerb.KrbException: Decoding failed
> > >>>>>>>>>>   at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)
> > >>>>>>>>>>   at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
> > >>>>>>>>>>   at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast(KdcRequest.java:208)
> > >>>>>>>>>>   at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.process(KdcRequest.java:168)
> > >>>>>>>>>>   at org.apache.kerby.kerberos.kerb.server.KdcHandler.handleMessage(KdcHandler.java:115)
> > >>>>>>>>>>   at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.handleMessage(DefaultKdcHandler.java:67)
> > >>>>>>>>>>   at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:52)
> > >>>>>>>>>>   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> > >>>>>>>>>>   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> > >>>>>>>>>>   at java.lang.Thread.run(Thread.java:748)
> > >>>>>>>>>> Caused by: java.io.IOException: Unexpected item context [0] [tag=0xA0, off=0, len=3+207], expecting 0x30
> > >>>>>>>>>>   at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:210)
> > >>>>>>>>>>   at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:197)
> > >>>>>>>>>>   at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:83)
> > >>>>>>>>>>   ... 9 more
> > >>>>>>>>>> 2017-04-29 21:07:55,604 DEBUG [pool-1-thread-1] impl.DefaultKdcHandler: Transport or decoding error occurred, disconnecting abnormally
> > >>>>>>>>>> java.net.SocketException: Socket closed
> > >>>>>>>>>>   at java.net.SocketInputStream.socketRead0(Native Method)
> > >>>>>>>>>>   at java.net.SocketInputStream.socketRead(SocketInputStream.java:116)
> > >>>>>>>>>>   at java.net.SocketInputStream.read(SocketInputStream.java:171)
> > >>>>>>>>>>   at java.net.SocketInputStream.read(SocketInputStream.java:141)
> > >>>>>>>>>>   at java.net.SocketInputStream.read(SocketInputStream.java:224)
> > >>>>>>>>>>   at java.io.DataInputStream.readInt(DataInputStream.java:387)
> > >>>>>>>>>>   at org.apache.kerby.kerberos.kerb.transport.KrbTcpTransport.receiveMessage(KrbTcpTransport.java:54)
> > >>>>>>>>>>   at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:46)
> > >>>>>>>>>>   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> > >>>>>>>>>>   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> > >>>>>>>>>>   at java.lang.Thread.run(Thread.java:748)
> > >>>>>>>>>>
> > >>>>>>>>>> In a FreeIPA environment these python lines "just" work.
> > >>>>>>>>>>
> > >>>>>>>>>> Any suggestions are welcome!
> > >>>>>>>>>>
> > >>>>>>>>>> Marc
> > >>>>>>>>>>
> > >>>>>>>>>>
> > >>>>>>>>> --
> > >>>>>>>>> Marc de Lignie
> > >>>>>>>>>
> > >>>>>>>>
> > >>>>>>>> --
> > >>>>>>>> Marc de Lignie
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>> --
> > >>>>>>> Colm O hEigeartaigh
> > >>>>>>>
> > >>>>>>> Talend Community Coder
> > >>>>>>> http://coders.talend.com
> > >>>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>> --
> > >>>>>> Colm O hEigeartaigh
> > >>>>>>
> > >>>>>> Talend Community Coder
> > >>>>>> http://coders.talend.com
> > >>>>>>
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>> --
> > >>>>> Colm O hEigeartaigh
> > >>>>>
> > >>>>> Talend Community Coder
> > >>>>> http://coders.talend.com
> > >>>>>
> > >>>>
> > >>>>
> > >>>>
> > >>>> --
> > >>>> Colm O hEigeartaigh
> > >>>>
> > >>>> Talend Community Coder
> > >>>> http://coders.talend.com
> > >>>
> > >>>
> > >>
> > >>
> > >> --
> > >> Colm O hEigeartaigh
> > >>
> > >> Talend Community Coder
> > >> http://coders.talend.com
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


