Hi Colm,
1. Would you please update the codes to include some fixes we did today. But they may not relate to this issue, so see next; 2. Please disable preauth in KDC side or require preauth in client side. Looks like client didn’t send preauth data but KDC required it. If you don’t want to trouble with the config stuff, please just change the default value of PREAUTH_REQUIRED in krb/kdc config key enumeration. Regards, Kai From: Colm O hEigeartaigh [mailto:cohei...@apache.org] Sent: Tuesday, April 21, 2015 6:34 PM To: Apache Directory Developers List Subject: Re: Kerby GSS tests? Actually I spoke too soon, I do know how to reproduce the "pre-authentication" error. Simply uncomment the line "kerbyServer.setInnerKdcImpl(new NettyKdcServerImpl());" in the test. If I put a printStackTrace in the NettyKdcServerImpl, I see: Error occured while processing request:Generic error (description in e-text) SocketTimeOutException with attempt: 2 >>> KDCCommunication: kdc=127.0.0.1 TCP:9002, timeout=30000,Attempt =3, >>> #bytes=169 Apr 21, 2015 11:33:05 AM io.netty.util.internal.logging.Slf4JLogger info INFO: [id: 0xea7673e9, /0:0:0:0:0:0:0:0:9002] RECEIVED: [id: 0xbfe95a70, /127.0.0.1:43973<http://127.0.0.1:43973> => /127.0.0.1:9002<http://127.0.0.1:9002>] org.apache.kerby.kerberos.kerb.KrbErrorException: Generic error (description in e-text) at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.preauth(KdcRequest.java:255) at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.process(KdcRequest.java:94) at org.apache.kerby.kerberos.kerb.server.KdcHandler.handleMessage(KdcHandler.java:77) Colm. On Tue, Apr 21, 2015 at 11:29 AM, Colm O hEigeartaigh <cohei...@apache.org<mailto:cohei...@apache.org>> wrote: Hi Kai, Thanks for your response. I have a test-case of sorts that shows the interop failure (although I can't reproduce the issue I reported yesterday about the preauthentication data). https://github.com/coheigea/testcases/tree/master/apache/cxf/cxf-kerberos-kerby Run it with "mvn clean install". You may need the install the parent module as well before running this, which is one level up. The test sets up a Kerby server, and I have a @Ignore'd test using Kerby client API to successfully communicate with it. Then I have a Apache CXF-based test which uses the Kerberos functionality here (based on GSS) to get a service ticket. If I put printStackTrace in the DefaultKdcHandler the output looks like: Loaded from Java config >>> KdcAccessibility: reset >>> KdcAccessibility: reset Using builtin default etypes for default_tkt_enctypes default etypes for default_tkt_enctypes: 18 17 16 23 1 3. >>> KrbAsReq creating message >>> KrbKdcReq send: kdc=127.0.0.1 TCP:9002, timeout=30000, number of retries >>> =3, #bytes=169 >>> KDCCommunication: kdc=127.0.0.1 TCP:9002, timeout=30000,Attempt =1, >>> #bytes=169 java.net.SocketTimeoutException: Read timed out at java.net.SocketInputStream.socketRead0(Native Method) at java.net.SocketInputStream.read(SocketInputStream.java:152) at java.net.SocketInputStream.read(SocketInputStream.java:122) at java.net.SocketInputStream.read(SocketInputStream.java:210) at java.io.DataInputStream.readInt(DataInputStream.java:387) at org.apache.kerby.kerberos.kerb.transport.KrbTcpTransport.receiveMessage(KrbTcpTransport.java:54) at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:46) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:745) >>>DEBUG: TCPClient could not read length field >>> KrbKdcReq send: #bytes read=0 Any ideas? Colm. On Tue, Apr 21, 2015 at 12:09 AM, Zheng, Kai <kai.zh...@intel.com<mailto:kai.zh...@intel.com>> wrote: Hi Colm, We haven’t any test for GSS client against Kerby yet, though we do have tests in protocol level for ApReq (in kerb-core-test module). We might look at existing ApacheDS Kerberos codes to see if any such end to end tests to port. You’re right, current UDP support for KdcNetwork and NettyKdcNetwork are to be done yet. I originally got them done some days ago, but recently I was extremely busy with other projects, so kinds of delayed. Sure JIRAs would be good to record them. For the issue you ran into, do you have test codes to repeat it, so we may have the chance to look at it? Thanks. Regards, Kai From: Colm O hEigeartaigh [mailto:cohei...@apache.org<mailto:cohei...@apache.org>] Sent: Monday, April 20, 2015 10:40 PM To: Apache Directory Developers List Subject: Kerby GSS tests? Hi all, Are there any tests in the source (or has anyone successfully tested) a Java GSS client -> Apache Kerby? The first issue I ran into was that neither the KdcNetwork nor the NettyKdcNetwork work with UDP. Is there a JIRA for this (or any plans to fix it)? I could work around the above by setting "udp_preference_limit = 1". However, I then run into an issue where it fails due to no pre-authentication data in the request. Are we sure that this parsing is working correctly? Colm. -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
