From: Colm O hEigeartaigh
Date: Mon, 8 May 2017 10:42:20 +0100
Subject: Re: MIT Kerberos compatibility
To: "Zheng, Kai"
Cc: "kerby@directory.apache.org"

Hi Kai,

Your changes fixed the error message I was seeing. However, I now see
another problem when I run a few GSS client tests in a row:

>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=localhost UDP:42665, timeout=30000, number of retries =3, #bytes=245
>>> KDCCommunication: kdc=localhost UDP:42665, timeout=30000,Attempt =1, #bytes=245
SocketTimeOutException with attempt: 1
>>> KDCCommunication: kdc=localhost UDP:42665, timeout=30000,Attempt =2, #bytes=245
>>> KrbKdcReq send: error trying localhost:42665
java.net.PortUnreachableException: ICMP Port Unreachable

Do you want me to create a JIRA + attach a test-case?

Colm.

On Sat, May 6, 2017 at 2:01 AM, Zheng, Kai wrote:

> I haven't repeated the issue but revisited the codes again and made
> improvements. Would you check it out? Thanks!
>
> Sent from iPhone
>
> > On May 6, 2017, at 6:28 AM, Zheng, Kai wrote:
> >
> > Thanks Colm for the clarification and it sounds an issue we need to
> > address. I will investigate it soon.
> >
> > Sent from iPhone
> >
> >> On May 6, 2017, at 2:14 AM, Colm O hEigeartaigh wrote:
> >>
> >> Hi Kai,
> >>
> >> If I enable UDP with the default Transport, I can get a ticket fine using
> >> kinit. However then the following error pops up in the window I'm running
> >> Kerby in (as a test):
> >>
> >> Exception in thread "Thread-1" java.lang.RuntimeException: Error occured while checking udp connections
> >>     at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(KdcNetwork.java:105)
> >>     at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.access$000(KdcNetwork.java:39)
> >>     at org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.run(KdcNetwork.java:75)
> >>     at java.lang.Thread.run(Thread.java:748)
> >> Caused by: java.nio.channels.ClosedChannelException
> >>     at sun.nio.ch.DatagramChannelImpl.ensureOpen(DatagramChannelImpl.java:320)
> >>     at sun.nio.ch.DatagramChannelImpl.receive(DatagramChannelImpl.java:331)
> >>     at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.checkUdpMessage(KdcNetwork.java:132)
> >>     at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(KdcNetwork.java:101)
> >>
> >> Colm.
> >>
> >>
> >>> On Fri, May 5, 2017 at 5:56 PM, Zheng, Kai wrote:
> >>>
> >>> Colm, did you see udp problem now instead? I'm a little confused. Udp is
> >>> sure supported but may not be enabled by default, which should be okay,
> >>> imo. Thanks.
> >>>
> >>> Sent from iPhone
> >>>
> >>>> On May 6, 2017, at 12:02 AM, Colm O hEigeartaigh wrote:
> >>>>
> >>>> That's probably it. Why does the default transport not support UDP in
> >>>> Kerby?
> >>>>
> >>>> Colm.
> >>>>
> >>>>> On Fri, May 5, 2017 at 4:54 PM, Li, Jiajia wrote:
> >>>>>
> >>>>> Are you sure add kdc_allow_udp = false in kdc.conf?
> >>>>>
> >>>>> Thanks
> >>>>> Jiajia
> >>>>>
> >>>>> -----Original Message-----
> >>>>> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> >>>>> Sent: Friday, May 5, 2017 11:41 PM
> >>>>> To: Li, Jiajia
> >>>>> Cc: kerby@directory.apache.org; Zheng, Kai; mailto:m.c.delignie@xs4all.nl
> >>>>> Subject: Re: MIT Kerberos compatibility
> >>>>>
> >>>>> Sorry, it was my error, UDP was actually enabled there. But why am I
> >>>>> still seeing that error message?
> >>>>>
> >>>>> Colm.
> >>>>>
> >>>>>> On Fri, May 5, 2017 at 4:39 PM, Li, Jiajia wrote:
> >>>>>>
> >>>>>> Hi Colm,
> >>>>>> I also test the Kerby KDC with kerby kinit and MIT kinit, and only
> >>>>>> listen the tcp port(disable udp), both got ticket successfully. But I
> >>>>>> don't get the error message. Both krb.conf and kdc.conf should set udp
> >>>>>> to be false, udp is enabled in default.
> >>>>>>
> >>>>>> Thanks
> >>>>>> Jiajia
> >>>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> >>>>>> Sent: Friday, May 5, 2017 11:34 PM
> >>>>>> To: kerby@directory.apache.org
> >>>>>> Cc: Zheng, Kai; mailto:m.c.delignie@xs4all.nl <m.c.delignie@xs4all.nl>
> >>>>>> Subject: Re: MIT Kerberos compatibility
> >>>>>>
> >>>>>> Hi Jiajia,
> >>>>>>
> >>>>>> If UDP is disabled and we don't use Netty, I can get a token
> >>>>>> successfully via kinit.
> >>>>>> However I then see an error message in the Kerby console:
> >>>>>>
> >>>>>> Exception in thread "Thread-1" java.lang.RuntimeException: Error occured while checking udp connections
> >>>>>>     at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(KdcNetwork.java:105)
> >>>>>>     at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.access$000(KdcNetwork.java:39)
> >>>>>>     at org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.run(KdcNetwork.java:75)
> >>>>>>     at java.lang.Thread.run(Thread.java:748)
> >>>>>> Caused by: java.nio.channels.ClosedChannelException
> >>>>>>     at sun.nio.ch.DatagramChannelImpl.ensureOpen(DatagramChannelImpl.java:320)
> >>>>>>     at sun.nio.ch.DatagramChannelImpl.receive(DatagramChannelImpl.java:331)
> >>>>>>     at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.checkUdpMessage(KdcNetwork.java:132)
> >>>>>>     at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(KdcNetwork.java:101)
> >>>>>>
> >>>>>> I'm not sure why we are seeing UDP errors when it's disabled?
> >>>>>>
> >>>>>> Colm.
> >>>>>>
> >>>>>>> On Fri, May 5, 2017 at 3:57 PM, Li, Jiajia wrote:
> >>>>>>>
> >>>>>>> Hi Colm,
> >>>>>>> The shell client can't connect to kdc if the UDP is disabled.
> >>>>>>> We don't use Netty in default.
> >>>>>>> What's your test-cases? The same as the Marc's?
> >>>>>>>
> >>>>>>> Thanks
> >>>>>>> Jiajia
> >>>>>>>
> >>>>>>> -----Original Message-----
> >>>>>>> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> >>>>>>> Sent: Friday, May 5, 2017 10:09 PM
> >>>>>>> To: kerby@directory.apache.org
> >>>>>>> Cc: Zheng, Kai; mailto:m.c.delignie@xs4all.nl <m.c.delignie@xs4all.nl>
> >>>>>>> Subject: Re: MIT Kerberos compatibility
> >>>>>>>
> >>>>>>> Hi Jiajia,
> >>>>>>>
> >>>>>>> What are the issues if UDP is disabled and we don't use Netty?
> >>>>>>> I tried doing this with my own test-cases and it didn't work, so it
> >>>>>>> would be good to get this fixed soon.
> >>>>>>>
> >>>>>>> Colm.
> >>>>>>>
> >>>>>>> On Fri, May 5, 2017 at 2:46 PM, Li, Jiajia wrote:
> >>>>>>>
> >>>>>>>> Hi Marc,
> >>>>>>>>>>> - your KRB5 tracing looks quite different. What OS and
> >>>>>>>>>>> mit-kerberos version did you use?
> >>>>>>>> I use mac os and the python version is 2.7.10
> >>>>>>>>
> >>>>>>>>>>> - your KRB5 tracing shows UDP comms between kerberos client and
> >>>>>>>>>>> KDC, despite the allowUDP = false setting in my test. I did this
> >>>>>>>>>>> setting because I get different problems without it, see the
> >>>>>>>>>>> additional logs below. So, we must also be aware of networking
> >>>>>>>>>>> problems at my side.
> >>>>>>>> I enable the UDP and use netty network, there are some issues if
> >>>>>>>> UDP disabled, you can create a JIRA for this and we can fix this
> >>>>>>>> issue in the next release version.
> >>>>>>>>
> >>>>>>>> The changes in my side as following:
> >>>>>>>>
> >>>>>>>> protected boolean allowUdp() {
> >>>>>>>>     return true;
> >>>>>>>> }
> >>>>>>>> @Override
> >>>>>>>> protected void prepareKdc() throws KrbException {
> >>>>>>>>     getKdcServer().setInnerKdcImpl(
> >>>>>>>>         new NettyKdcServerImpl(getKdcServer().getKdcSetting()));
> >>>>>>>>     super.prepareKdc();
> >>>>>>>> }
> >>>>>>>>
> >>>>>>>> Here is log of MitIssueTest:
> >>>>>>>> [INFO] Running org.apache.kerby.kerberos.kerb.server.MitIssueTest
> >>>>>>>> [nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler - [id: 0x2634fe6b] REGISTERED
> >>>>>>>> [nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler - [id: 0x2634fe6b] BIND(0.0.0.0/0.0.0.0:53957)
> >>>>>>>> [nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler - [id: 0x2634fe6b, /0:0:0:0:0:0:0:0:53957] ACTIVE
> >>>>>>>> [main] INFO org.apache.kerby.kerberos.kdc.impl.NettyKdcServerImpl - Netty kdc server started.
> >>>>>>>> [nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler - [id: 0x2634fe6b, /0:0:0:0:0:0:0:0:53957] RECEIVED: [id: 0xdac7228b, /127.0.0.1:53961 => /127.0.0.1:53957]
> >>>>>>>> [defaultEventExecutorGroup-4-1] INFO org.apache.kerby.kerberos.kerb.server.request.AsRequest - AS_REQ ISSUE: authtime 1493991123792,drankye@TEST.COM for krbtgt/TEST.COM@TEST.COM
> >>>>>>>> [main] INFO org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClient - Send to kdc success.
> >>>>>>>> [main] INFO org.apache.kerby.kerberos.kerb.client.KrbClientBase - Storing the tgt to the credential cache file.
> >>>>>>>> [nioEventLoopGroup-5-1] INFO org.apache.kerby.kerberos.kerb.server.request.KdcRequest - The preauth data is empty.
> >>>>>>>> [nioEventLoopGroup-5-1] INFO org.apache.kerby.kerberos.kerb.server.KdcHandler - KRB error occurred while processing request:Additional pre-authentication required
> >>>>>>>> [nioEventLoopGroup-5-1] INFO org.apache.kerby.kerberos.kerb.server.request.AsRequest - AS_REQ ISSUE: authtime 1493991123859,test-service/localhost@TEST.COM for krbtgt/TEST.COM@TEST.COM
> >>>>>>>> [nioEventLoopGroup-5-1] INFO org.apache.kerby.kerberos.kerb.server.request.TgsRequest - TGS_REQ ISSUE: authtime 1493991142850,drankye for test-service/localhost@TEST.COM
> >>>>>>>>
> >>>>>>>> Thanks
> >>>>>>>> Jiajia
> >>>>>>>>
> >>>>>>>> -----Original Message-----
> >>>>>>>> From: Zheng, Kai
> >>>>>>>> Sent: Friday, May 5, 2017 7:46 PM
> >>>>>>>> To: kerby@directory.apache.org; Li, Jiajia
> >>>>>>>> Subject: RE: MIT Kerberos compatibility
> >>>>>>>>
> >>>>>>>> Hi Marc,
> >>>>>>>>
> >>>>>>>> Looks like this is quite environment related, could you fire an
> >>>>>>>> issue for this? I would suggest we target it to 1.1.0, which can
> >>>>>>>> be done in June.
> >>>>>>>>
> >>>>>>>> Regards,
> >>>>>>>> Kai
> >>>>>>>>
> >>>>>>>> -----Original Message-----
> >>>>>>>> From: Marc de Lignie [mailto:m.c.delignie@xs4all.nl]
> >>>>>>>> Sent: Friday, May 05, 2017 4:44 PM
> >>>>>>>> To: Li, Jiajia
> >>>>>>>> Cc: kerby@directory.apache.org
> >>>>>>>> Subject: Re: MIT Kerberos compatibility
> >>>>>>>>
> >>>>>>>> Hi Jiajia,
> >>>>>>>>
> >>>>>>>> Great to read that you made progress on this issue and to see a
> >>>>>>>> working config at your side. Below, I list my progress below (with
> >>>>>>>> trunk merged into my MitIssue branch), but I am afraid we are not
> >>>>>>>> done yet.
> >>>>>>>>
> >>>>>>>> Things that stand out:
> >>>>>>>>
> >>>>>>>> - the kdc decoding error is solved, relative to the logs without
> >>>>>>>> your patch
> >>>>>>>>
> >>>>>>>> - your KRB5 tracing looks quite different. What OS and
> >>>>>>>> mit-kerberos version did you use?
> >>>>>>>>
> >>>>>>>> - your KRB5 tracing shows UDP comms between kerberos client and
> >>>>>>>> KDC, despite the allowUDP = false setting in my test. I did this
> >>>>>>>> setting because I get different problems without it, see the
> >>>>>>>> additional logs below. So, we must also be aware of networking
> >>>>>>>> problems at my side.
> >>>>>>>>
> >>>>>>>> - the "Response was not from master KDC" msg is not relevant; it
> >>>>>>>> disappears if you manually add master_kdc to the realms section of
> >>>>>>>> the krb5.conf
> >>>>>>>>
> >>>>>>>> I have no idea how to proceed from here, so that is why I just
> >>>>>>>> document the status at my side and ask about your - apparently
> >>>>>>>> working - config.
> >>>>>>>>
> >>>>>>>> Cheers, Marc
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> KDC logging with allowUDP = false:
> >>>>>>>>
> >>>>>>>> [INFO] Running org.apache.kerby.kerberos.kerb.server.MitIssueTest
> >>>>>>>> [pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.request.AsRequest - AS_REQ ISSUE: authtime 1493970789075,drankye@TEST.COM for krbtgt/TEST.COM@TEST.COM
> >>>>>>>> [main] INFO org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClient - Send to kdc success.
> >>>>>>>> [main] INFO org.apache.kerby.kerberos.kerb.client.KrbClientBase - Storing the tgt to the credential cache file.
> >>>>>>>> [pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.request.KdcRequest - The preauth data is empty.
> >>>>>>>> [pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.KdcHandler - KRB error occurred while processing request:Additional pre-authentication required
> >>>>>>>> [pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.request.AsRequest - AS_REQ ISSUE: authtime 1493970789108,test-service/localhost@TEST.COM for krbtgt/TEST.COM@TEST.COM
> >>>>>>>> [pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.request.KdcRequest - Found fast padata and starting to process it.
> >>>>>>>> [pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.request.KdcRequest - Found fast padata and starting to process it.
> >>>>>>>>
> >>>>>>>> Python script KRB5 tracing (MIT Kerberos 1.13.2 of Ubuntu Xenial)
> >>>>>>>> with allowUDP = false:
> >>>>>>>>
> >>>>>>>> $ . kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/MitIssueTest.sh
> >>>>>>>> [25281] 1493970797.298753: Retrieving drankye@TEST.COM from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
> >>>>>>>> [25281] 1493970797.298952: Retrieving drankye@TEST.COM from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
> >>>>>>>> [25281] 1493970797.299106: Retrieving drankye@TEST.COM from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
> >>>>>>>> [25281] 1493970797.299213: Retrieving drankye@TEST.COM from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
> >>>>>>>> [25281] 1493970797.299323: Retrieving drankye@TEST.COM from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
> >>>>>>>> [25281] 1493970797.299436: Retrieving drankye@TEST.COM from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
> >>>>>>>> [25281] 1493970797.299545: Retrieving drankye@TEST.COM from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
> >>>>>>>> [25281] 1493970797.299654: Retrieving drankye@TEST.COM from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
> >>>>>>>> kerberos.authGSSClientInit successful
> >>>>>>>> [25281] 1493970797.299922: Getting credentials drankye@TEST.COM -> test-service/localhost@ using ccache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> >>>>>>>> [25281] 1493970797.299945: Retrieving drankye@TEST.COM -> test-service/localhost@ from FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc with result: -1765328243/Matching credential not found
> >>>>>>>> [25281] 1493970797.299959: Retrying drankye@TEST.COM -> test-service/localhost@TEST.COM with result: -1765328243/Matching credential not found
> >>>>>>>> [25281] 1493970797.299962: Server has referral realm; starting with test-service/localhost@TEST.COM
> >>>>>>>> [25281] 1493970797.299975: Retrieving drankye@TEST.COM -> krbtgt/TEST.COM@TEST.COM from FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc with result: 0/Success
> >>>>>>>> [25281] 1493970797.299979: Starting with TGT for client realm: drankye@TEST.COM -> krbtgt/TEST.COM@TEST.COM
> >>>>>>>> [25281] 1493970797.299981: Requesting tickets for test-service/localhost@TEST.COM, referrals on
> >>>>>>>> [25281] 1493970797.299994: Generated subkey for TGS request: aes128-cts/1B9B
> >>>>>>>> [25281] 1493970797.300009: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
> >>>>>>>> [25281] 1493970797.300054: Encoding request body and padata into FAST request
> >>>>>>>> [25281] 1493970797.300080: Sending request (823 bytes) to TEST.COM
> >>>>>>>> [25281] 1493970797.300091: Resolving hostname localhost
> >>>>>>>> [25281] 1493970797.300136: Initiating TCP connection to stream 127.0.0.1:34319
> >>>>>>>> [25281] 1493970797.300191: Sending TCP request to stream 127.0.0.1:34319
> >>>>>>>> [25281] 1493970797.303610: Received answer (125 bytes) from stream 127.0.0.1:34319
> >>>>>>>> [25281] 1493970797.303618: Terminating TCP connection to stream 127.0.0.1:34319
> >>>>>>>> [25281] 1493970797.553126: Response was not from master KDC
> >>>>>>>> [25281] 1493970797.553198: TGS request result: -1765323383/Unknown code krcM 137
> >>>>>>>> [25281] 1493970797.553234: Requesting tickets for test-service/localhost@TEST.COM, referrals off
> >>>>>>>> [25281] 1493970797.553273: Generated subkey for TGS request: aes128-cts/94C6
> >>>>>>>> [25281] 1493970797.553323: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
> >>>>>>>> [25281] 1493970797.553436: Encoding request body and padata into FAST request
> >>>>>>>> [25281] 1493970797.553532: Sending request (823 bytes) to TEST.COM
> >>>>>>>> [25281] 1493970797.553567: Resolving hostname localhost
> >>>>>>>> [25281] 1493970797.553745: Initiating TCP connection to stream 127.0.0.1:34319
> >>>>>>>> [25281] 1493970797.553889: Sending TCP request to stream 127.0.0.1:34319
> >>>>>>>> [25281] 1493970797.558297: Received answer (125 bytes) from stream 127.0.0.1:34319
> >>>>>>>> [25281] 1493970797.558318: Terminating TCP connection to stream 127.0.0.1:34319
> >>>>>>>> [25281] 1493970797.561189: Response was not from master KDC
> >>>>>>>> [25281] 1493970797.561258: TGS request result: -1765323383/Unknown code krcM 137
> >>>>>>>> ('First kerberos.authGSSClientStep not successful', GSSError(('Unspecified GSS failure. Minor code may provide more information', 851968), ('Unknown code krcM 137', -1765323383)))
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> KDC logging with allowUDP = true:
> >>>>>>>>
> >>>>>>>> [INFO] Running org.apache.kerby.kerberos.kerb.server.MitIssueTest
> >>>>>>>> [pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.request.AsRequest - AS_REQ ISSUE: authtime 1493972505784,drankye@TEST.COM for krbtgt/TEST.COM@TEST.COM
> >>>>>>>> [main] INFO org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClient - Send to kdc success.
> >>>>>>>> [main] INFO org.apache.kerby.kerberos.kerb.client.KrbClientBase - Storing the tgt to the credential cache file.
> >>>>>>>> [pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.request.KdcRequest - The preauth data is empty.
> >>>>>>>> [pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.KdcHandler - KRB error occurred while processing request:Additional pre-authentication required
> >>>>>>>> [pool-1-thread-2] INFO org.apache.kerby.kerberos.kerb.server.request.AsRequest - AS_REQ ISSUE: authtime 1493972505948,test-service/localhost@TEST.COM for krbtgt/TEST.COM@TEST.COM
> >>>>>>>> Exception in thread "Thread-0" java.lang.RuntimeException: Error occured while checking udp connections
> >>>>>>>>     at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(KdcNetwork.java:105)
> >>>>>>>>     at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.access$000(KdcNetwork.java:39)
> >>>>>>>>     at org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.run(KdcNetwork.java:75)
> >>>>>>>>     at java.lang.Thread.run(Thread.java:748)
> >>>>>>>> Caused by: java.nio.channels.ClosedChannelException
> >>>>>>>>     at sun.nio.ch.DatagramChannelImpl.ensureOpen(DatagramChannelImpl.java:320)
> >>>>>>>>     at sun.nio.ch.DatagramChannelImpl.receive(DatagramChannelImpl.java:331)
> >>>>>>>>     at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.checkUdpMessage(KdcNetwork.java:132)
> >>>>>>>>     at org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(KdcNetwork.java:101)
> >>>>>>>>     ... 3 more
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> krb5.conf:
> >>>>>>>>
> >>>>>>>> [libdefaults]
> >>>>>>>> kdc_realm = TEST.COM
> >>>>>>>> default_realm = TEST.COM
> >>>>>>>> udp_preference_limit = 4096
> >>>>>>>> kdc_tcp_port = 37080
> >>>>>>>> kdc_udp_port = 36525
> >>>>>>>>
> >>>>>>>> [realms]
> >>>>>>>> TEST.COM = {
> >>>>>>>>     kdc = localhost:36525
> >>>>>>>> }
> >>>>>>>>
> >>>>>>>> And port 36525 does not show up in `netstat -l` (while 37080 does)
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On 04-05-17 at 14:55, Li, Jiajia wrote:
> >>>>>>>>> Hi Marc,
> >>>>>>>>> I try to run your test(through applying your patch in the trunk),
> >>>>>>>>> I think it's success now. Could you take some time to check about it?
> >>>>>>>>> Here is the log:
> >>>>>>>>>
> >>>>>>>>> directory-kerby git:(trunk) ? . kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/MitIssueTest.sh
> >>>>>>>>> kerberos.authGSSClientInit successful
> >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328234: entypes not supported
> >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for krb5_ccache_conf_data/realm-config@X-CACHECONF: in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for test-service/localhost@TEST.COM in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for krb5_ccache_conf_data/negative-cache/test-service\134/localhost\134@TEST.COM@X-CACHECONF: in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for krb5_ccache_conf_data/lkdc-hostname@X-CACHECONF: in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for krb5_ccache_conf_data/sitename@X-CACHECONF: in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for test-service/localhost@TEST.COM in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328234: Encryption type des-cbc-md5-deprecated not supported
> >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328234: Encryption type des-cbc-md4-deprecated not supported
> >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328234: Encryption type des-cbc-crc-deprecated not supported
> >>>>>>>>> 2017-05-04T20:44:06 Trying to find service kdc for realm TEST.COM flags 0
> >>>>>>>>> 2017-05-04T20:44:06 configuration file for realm TEST.COM found
> >>>>>>>>> 2017-05-04T20:44:06 submissing new requests to new host
> >>>>>>>>> 2017-05-04T20:44:06 host_create: setting hostname localhost
> >>>>>>>>> 2017-05-04T20:44:06 connecting to host: udp ::1:52534 (localhost) tid: 00000001
> >>>>>>>>> 2017-05-04T20:44:06 host_create: setting hostname localhost
> >>>>>>>>> 2017-05-04T20:44:06 Queuing host in future (in 3s), its the 2 address on the same name: udp 127.0.0.1:52534 (localhost) tid: 00000002
> >>>>>>>>> 2017-05-04T20:44:06 writing packet: udp ::1:52534 (localhost) tid: 00000001
> >>>>>>>>> 2017-05-04T20:44:06 reading packet: udp ::1:52534 (localhost) tid: 00000001
> >>>>>>>>> 2017-05-04T20:44:06 host completed: udp ::1:52534 (localhost) tid: 00000001
> >>>>>>>>> 2017-05-04T20:44:06 krb5_sendto_context TEST.COM done: 0 hosts 1 packets 1 wc: 0.048927 nr: 0.000932 kh: 0.000814 tid: 00000002
> >>>>>>>>> 2017-05-04T20:44:06 tkt: extract key 17/763641F3
> >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328353: Decrypt integrity check failed for checksum type hmac-sha1-96-aes128, key type aes128-cts-hmac-sha1-96
> >>>>>>>>> 2017-05-04T20:44:06 tkt: extract key 17/3084A95C
> >>>>>>>>> 2017-05-04T20:44:06 krb5_get_credentials_with_flags: TEST.COM wc: 0.050317
> >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for krb5_ccache_conf_data/realm-config@X-CACHECONF: in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for krb5_ccache_conf_data/time-offset/test-service\134/localhost\134@TEST.COM@X-CACHECONF: in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> >>>>>>>>> 2017-05-04T20:44:06 Setting up PFS for auth context
> >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328234: Encryption type des-cbc-md5-deprecated not supported
> >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328234: Encryption type des-cbc-md4-deprecated not supported
> >>>>>>>>> 2017-05-04T20:44:06 set-error: -1765328234: Encryption type des-cbc-crc-deprecated not supported
> >>>>>>>>> First kerberos.authGSSClientStep successful
> >>>>>>>>>
> >>>>>>>>> Thanks
> >>>>>>>>> Jiajia
> >>>>>>>>>
> >>>>>>>>> -----Original Message-----
> >>>>>>>>> From: Zheng, Kai [mailto:kai.zheng@intel.com]
> >>>>>>>>> Sent: Wednesday, May 3, 2017 7:29 PM
> >>>>>>>>> To: kerby@directory.apache.org
> >>>>>>>>> Subject: RE: MIT Kerberos compatibility
> >>>>>>>>>
> >>>>>>>>> Hi Marc,
> >>>>>>>>>
> >>>>>>>>> In case you're not aware of this, please check out the latest
> >>>>>>>>> fix made by Jiajia.
We thought your case may be different, but would be > >>>>>>>> good to have a check before we can repeat/fix your case. Thanks. > >>>>>>>>> https://issues.apache.org/jira/browse/DIRKRB-625 > >>>>>>>>> > >>>>>>>>> Regards, > >>>>>>>>> Kai > >>>>>>>>> > >>>>>>>>> -----Original Message----- > >>>>>>>>> From: Marc de Lignie [mailto:m.c.delignie@xs4all.nl] > >>>>>>>>> Sent: Sunday, April 30, 2017 7:45 PM > >>>>>>>>> To: kerby@directory.apache.org > >>>>>>>>> Subject: Re: MIT Kerberos compatibility > >>>>>>>>> > >>>>>>>>> Hi Kai, > >>>>>>>>> > >>>>>>>>> The terminal output below is for the latest MIT Kerberos 1.15.1 > >>>>>>>>> (locally > >>>>>>>> built on Ubuntu Xenial). Before that, I also tested with the > >>>>>>>> default Xenial MIT Kerberos packages (1.13.2), with the same > >>>>>>>> result. I did not try earlier MIT Kerberos versions. > >>>>>>>>> > >>>>>>>>> Marc > >>>>>>>>> > >>>>>>>>> Op 29-04-17 om 21:42 schreef Marc de Lignie: > >>>>>>>>>> Hi Kai, > >>>>>>>>>> > >>>>>>>>>> Thanks for the response. I prepared a minimal config that > >>>>>>>>>> reproduces my problem. > >>>>>>>>>> > >>>>>>>>>> You can fetch the branch/commit from: > >>>>>>>>>> https://github.com/vtslab/directory-kerby/commits/MitIssue > >>>>>>>>>> > >>>>>>>>>> This is relative to RC2, but I also tried this on trunk for my > >>>>>>>>>> actual project. > >>>>>>>>>> > >>>>>>>>>> This config produces the debug and error messages below. > >>>>>>>>>> > >>>>>>>>>> 1. For the terminal with the bash + python script $ klist > >>>>>>>>>> Ticket > >>>>>>>>>> cache: FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc > >>>>>>>>>> Default principal: drankye@TEST.COM > >>>>>>>>>> > >>>>>>>>>> Valid starting Expires Service principal > >>>>>>>>>> 29-04-17 21:07:39 30-04-17 05:07:39 krbtgt/TEST.COM@TEST.COM > >>>>>>>>>> renew until 29-04-17 21:07:39 > >>>>>>>>>> > >>>>>>>>>> $ . 
> >>>>>>>>>> kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/MitIssueTest.sh [15538] 1493491231.917606: > >>>>>>>>>> Retrieving drankye@TEST.COM from > >>>>>>>>>> FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with > >>>>>>>>>> result: > >>>>>>>>>> 2/Key table file '/etc/krb5/user/1000/client.keytab' not found > >>>>>>>>>> [15538] > >>>>>>>>>> 1493491231.917827: Retrieving drankye@TEST.COM from > >>>>>>>>>> FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with > >>>>>>> result: > >>>>>>>>>> 2/Key table file '/etc/krb5/user/1000/client.keytab' not found > >>>>>>>>>> kerberos.authGSSClientInit successful [15538] 1493491231.918185: > >>>>>>>>>> Getting credentials drankye@TEST.COM -> test-service/localhost@ > >>>>>>>>>> using ccache > >>>>>>>>>> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc > >>>>>>>>>> [15538] 1493491231.918210: Retrieving drankye@TEST.COM -> > >>>>>>>>>> test-service/localhost@ from > >>>>>>>>>> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc with > result: > >>>>>>>>>> -1765328243/Matching credential not found (filename: > >>>>>>>>>> kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc) > >>>>>>>>>> [15538] 1493491231.918226: Retrying drankye@TEST.COM -> > >>>>>>>>>> test-service/localhost@TEST.COM with result: > >>>>>>>>>> -1765328243/Matching credential not found (filename: > >>>>>>>>>> kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc) > >>>>>>>>>> [15538] 1493491231.918229: Server has referral realm; starting > >>>>>>>>>> with test-service/localhost@TEST.COM [15538] 1493491231.918278: > >>>>>>>>>> Retrieving drankye@TEST.COM -> krbtgt/TEST.COM@TEST.COM from > >>>>>>>>>> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc with > result: > >>>>>>>>>> 0/Success > >>>>>>>>>> [15538] 1493491231.918281: Starting with TGT for client realm: > >>>>>>>>>> drankye@TEST.COM -> krbtgt/TEST.COM@TEST.COM [15538] > >>>>>>>>>> 1493491231.918301: Requesting tickets for > >>>>>>>>>> 
test-service/localhost@TEST.COM, referrals on [15538] > >>>>>>>>>> 1493491231.918326: Generated subkey for TGS request: > >>>>>>>>>> aes128-cts/FA30 > >>>>>>>>>> [15538] 1493491231.918359: etypes requested in TGS request: > >>>>>>>>>> aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, > >>>>>>>>>> des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts > >>>>>>>>>> [15538] > >>>>>> 1493491231.918484: > >>>>>>>>>> Encoding request body and padata into FAST request [15538] > >>>>>>>>>> 1493491231.918541: Sending request (836 bytes) to TEST.COM > >>>>>>>>>> [15538] > >>>>>>>>>> 1493491231.918597: Resolving hostname localhost [15538] > >>>>>>>>>> 1493491231.918703: Initiating TCP connection to stream > >>>>>>>>>> 127.0.0.1:44292 > >>>>>>>>>> [15538] 1493491231.918777: Sending TCP request to stream > >>>>>>>>>> 127.0.0.1:44292 [15538] 1493491231.922803: TCP error receiving > >>>>>>>>>> from stream > >>>>>>>>>> 127.0.0.1:44292: 104/Connection reset by peer [15538] > >>>>>>>>>> 1493491231.922812: Terminating TCP connection to stream > >>>>>>>>>> 127.0.0.1:44292 > >>>>>>>>>> [15538] 1493491231.922858: Sending initial UDP request to dgram > >>>>>>>>>> 127.0.0.1:44292 > >>>>>>>>>> ('First kerberos.authGSSClientStep not successful', > >>>>>>>>>> GSSError(('Unspecified GSS failure. Minor code may provide > >>>>>>>>>> more information', 851968), ("Cannot contact any KDC for realm > >>>>>>>>>> 'TEST.COM'", > >>>>>>>>>> -1765328228))) > >>>>>>>>>> > >>>>>>>>>> 2. For the terminal that runs mvn clean test > >>>>>>>>>> -Dtest=MitIssueTest Running > >>>>>>>>>> org.apache.kerby.kerberos.kerb.server.MitIssueTest > >>>>>>>>>> 2017-04-29 21:07:39,182 DEBUG [main] backend. > >>>>>> AbstractIdentityBackend: > >>>>>>>>>> initialize called > >>>>>>>>>> 2017-04-29 21:07:39,195 DEBUG [main] backend. > >>>>>> AbstractIdentityBackend: > >>>>>>>>>> getIdentity called, principalName = krbtgt/TEST.COM@TEST.COM > >>>>>>>>>> 2017-04-29 21:07:39,195 DEBUG [main] backend. 
> >>>>>> AbstractIdentityBackend: > >>>>>>>>>> getIdentity failed, principalName = krbtgt/TEST.COM@TEST.COM > >>>>>>>>>> 2017-04-29 21:07:39,212 DEBUG [main] backend. > >>>>>> AbstractIdentityBackend: > >>>>>>>>>> addIdentity successful, principalName = > >>>>>>>>>> krbtgt/TEST.COM@TEST.COM > >>>>>>>>>> 2017-04-29 21:07:39,212 DEBUG [main] backend. > >>>>>> AbstractIdentityBackend: > >>>>>>>>>> getIdentity called, principalName = kadmin/TEST.COM@TEST.COM > >>>>>>>>>> 2017-04-29 21:07:39,212 DEBUG [main] backend. > >>>>>> AbstractIdentityBackend: > >>>>>>>>>> getIdentity failed, principalName = kadmin/TEST.COM@TEST.COM > >>>>>>>>>> 2017-04-29 21:07:39,213 DEBUG [main] backend. > >>>>>> AbstractIdentityBackend: > >>>>>>>>>> addIdentity successful, principalName = > >>>>>>>>>> kadmin/TEST.COM@TEST.COM > >>>>>>>>>> 2017-04-29 21:07:39,216 DEBUG [main] backend. > >>>>>> AbstractIdentityBackend: > >>>>>>>>>> start called > >>>>>>>>>> 2017-04-29 21:07:39,232 DEBUG [main] backend. > >>>>>> AbstractIdentityBackend: > >>>>>>>>>> addIdentity successful, principalName = > >>>>>>>>>> test-service/localhost@TEST.COM > >>>>>>>>>> 2017-04-29 21:07:39,425 DEBUG [main] backend. > >>>>>> AbstractIdentityBackend: > >>>>>>>>>> addIdentity successful, principalName = drankye@TEST.COM > >>>>>>>>>> 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1] > >>>>>>>>>> backend.AbstractIdentityBackend: getIdentity called, > >>>>>>>>>> principalName = krbtgt/TEST.COM@TEST.COM > >>>>>>>>>> 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1] > >>>>>>>>>> backend.AbstractIdentityBackend: getIdentity successful, > >>>>>>>>>> principalName = krbtgt/TEST.COM@TEST.COM > >>>>>>>>>> 2017-04-29 21:07:39,465 INFO [pool-1-thread-1] > >>>>> request.KdcRequest: > >>>>>>>>>> Client entry is empty. 
> >>>>>>>>>> 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1] > >>>>>>>>>> backend.AbstractIdentityBackend: getIdentity called, > >>>>>>>>>> principalName = drankye@TEST.COM > >>>>>>>>>> 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1] > >>>>>>>>>> backend.AbstractIdentityBackend: getIdentity successful, > >>>>>>>>>> principalName = drankye@TEST.COM > >>>>>>>>>> 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1] > >>>>>>>>>> backend.AbstractIdentityBackend: getIdentity called, > >>>>>>>>>> principalName = krbtgt/TEST.COM@TEST.COM > >>>>>>>>>> 2017-04-29 21:07:39,465 DEBUG [pool-1-thread-1] > >>>>>>>>>> backend.AbstractIdentityBackend: getIdentity successful, > >>>>>>>>>> principalName = krbtgt/TEST.COM@TEST.COM > >>>>>>>>>> 2017-04-29 21:07:39,476 DEBUG [pool-1-thread-1] > >>>>>>>>>> impl.DefaultKdcHandler: Transport or decoding error occurred, > >>>>>>>>>> disconnecting abnormally java.io.EOFException > >>>>>>>>>> at java.io.DataInputStream.readInt(DataInputStream.java:392) > >>>>>>>>>> at > >>>>>>>>>> org.apache.kerby.kerberos.kerb.transport.KrbTcpTransport. > >>>>>>>> receiveMessage(KrbTcpTransport.java:54) > >>>>>>>>>> at > >>>>>>>>>> org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run( > >>>>>>>> DefaultKdcHandler.java:46) > >>>>>>>>>> at > >>>>>>>>>> java.util.concurrent.ThreadPoolExecutor.runWorker( > >>>>>>>> ThreadPoolExecutor.java:1142) > >>>>>>>>>> at > >>>>>>>>>> java.util.concurrent.ThreadPoolExecutor$Worker.run( > >>>>>>>> ThreadPoolExecutor.java:617) > >>>>>>>>>> at java.lang.Thread.run(Thread.java:748) > >>>>>>>>>> 2017-04-29 21:07:39,477 INFO [main] client.KrbClientBase: > >>>>>>>>>> Storing the tgt to the credential cache file. > >>>>>>>>>> 2017-04-29 21:07:39,491 DEBUG [main] backend. > >>>>>> AbstractIdentityBackend: > >>>>>>>>>> getIdentity called, principalName = > >>>>>>>>>> test-service/localhost@TEST.COM > >>>>>>>>>> 2017-04-29 21:07:39,491 DEBUG [main] backend. 
> >>>>>> AbstractIdentityBackend: > >>>>>>>>>> getIdentity successful, principalName = > >>>>>>>>>> test-service/localhost@TEST.COM > >>>>>>>>>> 2017-04-29 21:07:39,498 DEBUG [pool-1-thread-1] > >>>>>>>>>> backend.AbstractIdentityBackend: getIdentity called, > >>>>>>>>>> principalName = krbtgt/TEST.COM@TEST.COM > >>>>>>>>>> 2017-04-29 21:07:39,498 DEBUG [pool-1-thread-1] > >>>>>>>>>> backend.AbstractIdentityBackend: getIdentity successful, > >>>>>>>>>> principalName = krbtgt/TEST.COM@TEST.COM > >>>>>>>>>> 2017-04-29 21:07:39,498 INFO [pool-1-thread-1] > >>>>> request.KdcRequest: > >>>>>>>>>> Client entry is empty. > >>>>>>>>>> 2017-04-29 21:07:39,499 DEBUG [pool-1-thread-1] > >>>>>>>>>> backend.AbstractIdentityBackend: getIdentity called, > >>>>>>>>>> principalName = test-service/localhost@TEST.COM > >>>>>>>>>> 2017-04-29 21:07:39,499 DEBUG [pool-1-thread-1] > >>>>>>>>>> backend.AbstractIdentityBackend: getIdentity successful, > >>>>>>>>>> principalName = test-service/localhost@TEST.COM > >>>>>>>>>> 2017-04-29 21:07:39,499 DEBUG [pool-1-thread-1] > >>>>>>>>>> backend.AbstractIdentityBackend: getIdentity called, > >>>>>>>>>> principalName = krbtgt/TEST.COM@TEST.COM > >>>>>>>>>> 2017-04-29 21:07:39,499 DEBUG [pool-1-thread-1] > >>>>>>>>>> backend.AbstractIdentityBackend: getIdentity successful, > >>>>>>>>>> principalName = krbtgt/TEST.COM@TEST.COM > >>>>>>>>>> 2017-04-29 21:07:39,499 INFO [pool-1-thread-1] > >>>>> request.KdcRequest: > >>>>>>>>>> The preauth data is empty. 
> >>>>>>>>>> 2017-04-29 21:07:39,501 INFO [pool-1-thread-1] > server.KdcHandler: > >>>>>>>>>> KRB error occurred while processing request:Additional > >>>>>>>>>> pre-authentication required > >>>>>>>>>> 2017-04-29 21:07:39,502 DEBUG [pool-1-thread-1] > >>>>>>>>>> impl.DefaultKdcHandler: Transport or decoding error occurred, > >>>>>>>>>> disconnecting abnormally java.io.EOFException > >>>>>>>>>> at java.io.DataInputStream.readInt(DataInputStream.java:392) > >>>>>>>>>> at > >>>>>>>>>> org.apache.kerby.kerberos.kerb.transport.KrbTcpTransport. > >>>>>>>> receiveMessage(KrbTcpTransport.java:54) > >>>>>>>>>> at > >>>>>>>>>> org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run( > >>>>>>>> DefaultKdcHandler.java:46) > >>>>>>>>>> at > >>>>>>>>>> java.util.concurrent.ThreadPoolExecutor.runWorker( > >>>>>>>> ThreadPoolExecutor.java:1142) > >>>>>>>>>> at > >>>>>>>>>> java.util.concurrent.ThreadPoolExecutor$Worker.run( > >>>>>>>> ThreadPoolExecutor.java:617) > >>>>>>>>>> at java.lang.Thread.run(Thread.java:748) > >>>>>>>>>> 2017-04-29 21:07:39,505 DEBUG [pool-1-thread-1] > >>>>>>>>>> backend.AbstractIdentityBackend: getIdentity called, > >>>>>>>>>> principalName = krbtgt/TEST.COM@TEST.COM > >>>>>>>>>> 2017-04-29 21:07:39,505 DEBUG [pool-1-thread-1] > >>>>>>>>>> backend.AbstractIdentityBackend: getIdentity successful, > >>>>>>>>>> principalName = krbtgt/TEST.COM@TEST.COM > >>>>>>>>>> 2017-04-29 21:07:39,505 INFO [pool-1-thread-1] > >>>>> request.KdcRequest: > >>>>>>>>>> Client entry is empty. 
> >>>>>>>>>> 2017-04-29 21:07:39,506 DEBUG [pool-1-thread-1] > >>>>>>>>>> backend.AbstractIdentityBackend: getIdentity called, > >>>>>>>>>> principalName = test-service/localhost@TEST.COM > >>>>>>>>>> 2017-04-29 21:07:39,506 DEBUG [pool-1-thread-1] > >>>>>>>>>> backend.AbstractIdentityBackend: getIdentity successful, > >>>>>>>>>> principalName = test-service/localhost@TEST.COM > >>>>>>>>>> 2017-04-29 21:07:39,506 DEBUG [pool-1-thread-1] > >>>>>>>>>> backend.AbstractIdentityBackend: getIdentity called, > >>>>>>>>>> principalName = krbtgt/TEST.COM@TEST.COM > >>>>>>>>>> 2017-04-29 21:07:39,506 DEBUG [pool-1-thread-1] > >>>>>>>>>> backend.AbstractIdentityBackend: getIdentity successful, > >>>>>>>>>> principalName = krbtgt/TEST.COM@TEST.COM > >>>>>>>>>> 2017-04-29 21:07:39,510 DEBUG [pool-1-thread-1] > >>>>>>>>>> impl.DefaultKdcHandler: Transport or decoding error occurred, > >>>>>>>>>> disconnecting abnormally java.io.EOFException > >>>>>>>>>> at java.io.DataInputStream.readInt(DataInputStream.java:392) > >>>>>>>>>> at > >>>>>>>>>> org.apache.kerby.kerberos.kerb.transport.KrbTcpTransport. 
> >>>>>>>> receiveMessage(KrbTcpTransport.java:54) > >>>>>>>>>> at > >>>>>>>>>> org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run( > >>>>>>>> DefaultKdcHandler.java:46) > >>>>>>>>>> at > >>>>>>>>>> java.util.concurrent.ThreadPoolExecutor.runWorker( > >>>>>>>> ThreadPoolExecutor.java:1142) > >>>>>>>>>> at > >>>>>>>>>> java.util.concurrent.ThreadPoolExecutor$Worker.run( > >>>>>>>> ThreadPoolExecutor.java:617) > >>>>>>>>>> at java.lang.Thread.run(Thread.java:748) > >>>>>>>>>> 2017-04-29 21:07:55,602 DEBUG [pool-1-thread-1] > >>>>>>>>>> backend.AbstractIdentityBackend: getIdentity called, > >>>>>>>>>> principalName = krbtgt/TEST.COM@TEST.COM > >>>>>>>>>> 2017-04-29 21:07:55,602 DEBUG [pool-1-thread-1] > >>>>>>>>>> backend.AbstractIdentityBackend: getIdentity successful, > >>>>>>>>>> principalName = krbtgt/TEST.COM@TEST.COM > >>>>>>>>>> 2017-04-29 21:07:55,602 INFO [pool-1-thread-1] > >>>>> request.KdcRequest: > >>>>>>>>>> Found fast padata and start to process it. > >>>>>>>>>> 2017-04-29 21:07:55,603 ERROR [pool-1-thread-1] > >>>>>>>>>> impl.DefaultKdcHandler: Error occured while processing request: > >>>>>>>>>> org.apache.kerby.kerberos.kerb.KrbException: Decoding failed > >>>>>>>>>> at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec. > >>>>>>>> java:85) > >>>>>>>>>> at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec. > >>>>>>>> java:70) > >>>>>>>>>> at > >>>>>>>>>> org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast( > >>>>>>>> KdcRequest.java:208) > >>>>>>>>>> at > >>>>>>>>>> org.apache.kerby.kerberos.kerb.server.request. > >>>>>>>> KdcRequest.process(KdcRequest.java:168) > >>>>>>>>>> at > >>>>>>>>>> org.apache.kerby.kerberos.kerb.server.KdcHandler. > >>>>>>>> handleMessage(KdcHandler.java:115) > >>>>>>>>>> at > >>>>>>>>>> org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler. 
> >>>>>>>> handleMessage(DefaultKdcHandler.java:67) > >>>>>>>>>> at > >>>>>>>>>> org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run( > >>>>>>>> DefaultKdcHandler.java:52) > >>>>>>>>>> at > >>>>>>>>>> java.util.concurrent.ThreadPoolExecutor.runWorker( > >>>>>>>> ThreadPoolExecutor.java:1142) > >>>>>>>>>> at > >>>>>>>>>> java.util.concurrent.ThreadPoolExecutor$Worker.run( > >>>>>>>> ThreadPoolExecutor.java:617) > >>>>>>>>>> at java.lang.Thread.run(Thread.java:748) > >>>>>>>>>> Caused by: java.io.IOException: Unexpected item context [0] > >>>>>>>>>> [tag=0xA0, off=0, len=3+207], expecting 0x30 > >>>>>>>>>> at > >>>>>>>>>> org.apache.kerby.asn1.type.Asn1Encodeable.decode( > >>>>>>>> Asn1Encodeable.java:210) > >>>>>>>>>> at > >>>>>>>>>> org.apache.kerby.asn1.type.Asn1Encodeable.decode( > >>>>>>>> Asn1Encodeable.java:197) > >>>>>>>>>> at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec. > >>>>>>>> java:83) > >>>>>>>>>> ... 9 more > >>>>>>>>>> 2017-04-29 21:07:55,604 DEBUG [pool-1-thread-1] > >>>>>>>>>> impl.DefaultKdcHandler: Transport or decoding error occurred, > >>>>>>>>>> disconnecting abnormally > >>>>>>>>>> java.net.SocketException: Socket closed > >>>>>>>>>> at java.net.SocketInputStream.socketRead0(Native Method) > >>>>>>>>>> at java.net.SocketInputStream.socketRead(SocketInputStream. > >>>>>>>> java:116) > >>>>>>>>>> at java.net.SocketInputStream.read(SocketInputStream.java: > >>>>> 171) > >>>>>>>>>> at java.net.SocketInputStream.read(SocketInputStream.java: > >>>>> 141) > >>>>>>>>>> at java.net.SocketInputStream.read(SocketInputStream.java: > >>>>> 224) > >>>>>>>>>> at java.io.DataInputStream.readInt(DataInputStream.java:387) > >>>>>>>>>> at > >>>>>>>>>> org.apache.kerby.kerberos.kerb.transport.KrbTcpTransport. 
> >>>>>>>> receiveMessage(KrbTcpTransport.java:54) > >>>>>>>>>> at > >>>>>>>>>> org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run( > >>>>>>>> DefaultKdcHandler.java:46) > >>>>>>>>>> at > >>>>>>>>>> java.util.concurrent.ThreadPoolExecutor.runWorker( > >>>>>>>> ThreadPoolExecutor.java:1142) > >>>>>>>>>> at > >>>>>>>>>> java.util.concurrent.ThreadPoolExecutor$Worker.run( > >>>>>>>> ThreadPoolExecutor.java:617) > >>>>>>>>>> at java.lang.Thread.run(Thread.java:748) > >>>>>>>>>> > >>>>>>>>>> In a FreeIPA environment these python lines "just" work. > >>>>>>>>>> > >>>>>>>>>> Any suggestions are welcome! > >>>>>>>>>> > >>>>>>>>>> Marc > >>>>>>>>>> > >>>>>>>>> -- > >>>>>>>>> Marc de Lignie > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com