directory-kerby mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From pratyush parimal <pratyush.pari...@gmail.com>
Subject [Kerby] TGS req failing with "Unexpected item context"
Date Sat, 03 Jun 2017 19:09:18 GMT
Hi everyone,

I'm writing a simple Java program that stands up a KDC using
the SimpleKdcServer class, and I'm trying to use it for AS & TGS
operations. Relevant code is below:

        kdc = new SimpleKdcServer();
kdc.setKdcHost("kdc.example.com");
kdc.setKdcPort(60088);
kdc.setKdcRealm("EXAMPLE.COM");

kdc.setAllowUdp(false);
kdc.setWorkDir(keytabFile.getParentFile());

kdc.init();

kdc.createPrincipal("u1@EXAMPLE.COM", "u1pwd");
kdc.createPrincipal("myservice/kdc.example.com@EXAMPLE.COM",
"myservicepwd");

kdc.start();

I use kinit to fetch the TGT for my principal "u1" and that's successful.
However, the subsequent TGS req from my client program fails with the error:

GSSAPI continuation error: Unknown code krcM 137

. I debugged through the source code for Kerby and saw that the full
exception was not getting thrown because of a (e instanceof
KdcRecoverableException) check. When I print the stacktrace via a debugger,
I see the following (apologies for the huge stack trace):

[pool-1-thread-1] INFO
org.apache.kerby.kerberos.kerb.server.request.KdcRequest - Found fast
padata and starting to process it.
org.apache.kerby.kerberos.kerb.KrbException: Decoding failed
at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)
at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
at
org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast(KdcRequest.java:213)
at
org.apache.kerby.kerberos.kerb.server.request.KdcRequest.process(KdcRequest.java:170)
at
org.apache.kerby.kerberos.kerb.server.KdcHandler.handleMessage(KdcHandler.java:116)
at
org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.handleMessage(DefaultKdcHandler.java:67)
at
org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:52)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: Unexpected item context [0] [tag=0xA0,
off=0, len=3+198], expecting 0x30
at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:219)
at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:207)
at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:83)
... 9 more
org.apache.kerby.kerberos.kerb.KrbException: Decoding failed
at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)
at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
at
org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast(KdcRequest.java:213)
at
org.apache.kerby.kerberos.kerb.server.request.KdcRequest.process(KdcRequest.java:170)
at
org.apache.kerby.kerberos.kerb.server.KdcHandler.handleMessage(KdcHandler.java:116)
at
org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.handleMessage(DefaultKdcHandler.java:67)
at
org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:52)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: Unexpected item context [0] [tag=0xA0,
off=0, len=3+198], expecting 0x30
at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:219)
at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:207)
at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:83)
... 9 more

The client program (and also kinit) were using the krb5.conf that was
auto-generated by the SimpleKdcServer in the workdir, and looked like the
following (I just replaced localhost with the FQDN of my machine):

[libdefaults]
    kdc_realm = EXAMPLE.COM
    default_realm = EXAMPLE.COM
    udp_preference_limit = 1
    kdc_tcp_port = 60088
    #_KDC_UDP_PORT_

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com:60088
    }

I had also enabled KRB5_TRACE on my client program that was making the TGS
req, and it shows the following:


[1588796] 1496515969.488037: ccselect can't find appropriate cache for
server principal myservice/kdc.example.com@
[1588796] 1496515969.488112: Getting credentials u1@EXAMPLE.COM ->
myservice/kdc.example.com@ using ccache FILE:/tmp/krb5cc_20474
[1588796] 1496515969.488170: Retrieving u1@EXAMPLE.COM ->
myservice/kdc.example.com@ from FILE:/tmp/krb5cc_20474 with result:
-1765328243/Matching credential not found (filename: /tmp/krb5cc_20474)
[1588796] 1496515969.488206: Retrying u1@EXAMPLE.COM -> myservice/
kdc.example.com@EXAMPLE.COM with result: -1765328243/Matching credential
not found (filename: /tmp/krb5cc_20474)
[1588796] 1496515969.488214: Server has referral realm; starting with
myservice/kdc.example.com@EXAMPLE.COM
[1588796] 1496515969.488250: Retrieving u1@EXAMPLE.COM -> krbtgt/
EXAMPLE.COM@EXAMPLE.COM from FILE:/tmp/krb5cc_20474 with result: 0/Success
[1588796] 1496515969.488259: Starting with TGT for client realm:
u1@EXAMPLE.COM -> krbtgt/EXAMPLE.COM@EXAMPLE.COM
[1588796] 1496515969.488266: Requesting tickets for myservice/
kdc.example.com@EXAMPLE.COM, referrals on
[1588796] 1496515969.488298: Generated subkey for TGS request:
aes128-cts/476E
[1588796] 1496515969.488345: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[1588796] 1496515969.488460: Encoding request body and padata into FAST
request
[1588796] 1496515969.488522: Sending request (835 bytes) to EXAMPLE.COM
[1588796] 1496515969.488553: Resolving hostname kdc.example.com
[1588796] 1496515969.488621: Initiating TCP connection to stream
172.17.0.53:60088
[1588796] 1496515969.488682: Sending TCP request to stream 172.17.0.53:60088
[1588796] 1496515969.492213: Received answer (134 bytes) from stream
172.17.0.53:60088
[1588796] 1496515969.492222: Terminating TCP connection to stream
172.17.0.53:60088
[1588796] 1496515969.492292: Response was not from master KDC
[1588796] 1496515969.492309: TGS request result: -1765323383/Unknown code
krcM 137
[1588796] 1496515969.492332: Requesting tickets for myservice/
kdc.example.com@EXAMPLE.COM, referrals off
[1588796] 1496515969.492351: Generated subkey for TGS request:
aes128-cts/AECC
[1588796] 1496515969.492377: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[1588796] 1496515969.492430: Encoding request body and padata into FAST
request
[1588796] 1496515969.492483: Sending request (835 bytes) to EXAMPLE.COM
[1588796] 1496515969.492493: Resolving hostname kdc.example.com
[1588796] 1496515969.492543: Initiating TCP connection to stream
172.17.0.53:60088
[1588796] 1496515969.492586: Sending TCP request to stream 172.17.0.53:60088
[1588796] 1496515969.496886: Received answer (134 bytes) from stream
172.17.0.53:60088
[1588796] 1496515969.496894: Terminating TCP connection to stream
172.17.0.53:60088
[1588796] 1496515969.496948: Response was not from master KDC
[1588796] 1496515969.496963: TGS request result: -1765323383/Unknown code
krcM 137


I've tried the same scenario with the MIT krb5kdc service with the same
principals, and the TGS req is successful, with the trace log:

[1590761] 1496516355.23070: ccselect module realm chose cache
FILE:/tmp/krb5cc_20474 with client principal u1@EXAMPLE.COM for server
principal myservice/kdc.example.com@EXAMPLE.COM
[1590761] 1496516355.23150: Getting credentials u1@EXAMPLE.COM -> myservice/
kdc.example.com@EXAMPLE.COM using ccache FILE:/tmp/krb5cc_20474
[1590761] 1496516355.23212: Retrieving u1@EXAMPLE.COM -> myservice/
kdc.example.com@EXAMPLE.COM from FILE:/tmp/krb5cc_20474 with result:
-1765328243/Matching credential not found (filename: /tmp/krb5cc_20474)
[1590761] 1496516355.23260: Retrieving u1@EXAMPLE.COM -> krbtgt/
EXAMPLE.COM@EXAMPLE.COM from FILE:/tmp/krb5cc_20474 with result: 0/Success
[1590761] 1496516355.23269: Starting with TGT for client realm:
u1@EXAMPLE.COM -> krbtgt/EXAMPLE.COM@EXAMPLE.COM
[1590761] 1496516355.23277: Requesting tickets for myservice/
kdc.example.com@EXAMPLE.COM, referrals on
[1590761] 1496516355.23312: Generated subkey for TGS request:
aes256-cts/3F0A
[1590761] 1496516355.23368: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[1590761] 1496516355.23485: Encoding request body and padata into FAST
request
[1590761] 1496516355.23552: Sending request (933 bytes) to EXAMPLE.COM
[1590761] 1496516355.23581: Resolving hostname kdc.example.com
[1590761] 1496516355.23651: Sending initial UDP request to dgram
172.17.0.53:88
[1590761] 1496516355.24205: Received answer (912 bytes) from dgram
172.17.0.53:88
[1590761] 1496516355.24223: Response was not from master KDC
[1590761] 1496516355.24240: Decoding FAST response
[1590761] 1496516355.24334: FAST reply key: aes256-cts/8818
[1590761] 1496516355.24376: TGS reply is for u1@EXAMPLE.COM -> myservice/
kdc.example.com@EXAMPLE.COM with session key aes256-cts/126E
[1590761] 1496516355.24390: TGS request result: 0/Success
[1590761] 1496516355.24395: Received creds for desired service myservice/
kdc.example.com@EXAMPLE.COM
[1590761] 1496516355.24401: Storing u1@EXAMPLE.COM -> myservice/
kdc.example.com@EXAMPLE.COM in FILE:/tmp/krb5cc_20474
[1590761] 1496516355.24517: Retrieving u1@EXAMPLE.COM -> krbtgt/
EXAMPLE.COM@EXAMPLE.COM from FILE:/tmp/krb5cc_20474 with result: 0/Success
[1590761] 1496516355.24528: Get cred via TGT krbtgt/EXAMPLE.COM@EXAMPLE.COM
after requesting krbtgt/EXAMPLE.COM@EXAMPLE.COM (canonicalize off)
[1590761] 1496516355.24546: Generated subkey for TGS request:
aes256-cts/0D91
[1590761] 1496516355.24574: etypes requested in TGS request: aes256-cts
[1590761] 1496516355.24633: Encoding request body and padata into FAST
request
[1590761] 1496516355.24689: Sending request (931 bytes) to EXAMPLE.COM
[1590761] 1496516355.24699: Resolving hostname kdc.example.com
[1590761] 1496516355.24750: Sending initial UDP request to dgram
172.17.0.53:88
[1590761] 1496516355.25098: Received answer (900 bytes) from dgram
172.17.0.53:88
[1590761] 1496516355.25115: Response was not from master KDC
[1590761] 1496516355.25127: Decoding FAST response
[1590761] 1496516355.25198: FAST reply key: aes256-cts/03AB
[1590761] 1496516355.25234: TGS reply is for u1@EXAMPLE.COM -> krbtgt/
EXAMPLE.COM@EXAMPLE.COM with session key aes256-cts/A423
[1590761] 1496516355.25246: Got cred; 0/Success
[1590761] 1496516355.25315: Creating authenticator for u1@EXAMPLE.COM ->
myservice/kdc.example.com@EXAMPLE.COM, seqnum 751690771, subkey
aes256-cts/91D0, session key aes256-cts/126E



My best guess is that maybe I'm missing some configuration steps in my Java
code and that's causing the FAST request to fail. I couldn't find any code
examples for kerby anywhere which can help me with my use case. Does anyone
have any ideas about the above?

Apologies again for the long email, just wanted to share my trials so far.
Have a nice weekend.

Cheers,
Pratyush

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message