[ https://issues.apache.org/jira/browse/DIRKRB-762?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jichao Wang updated DIRKRB-762: ------------------------------- Description: If the value of preauth_required in the kdc.conf file is changed to false, then using the following code to access the KDC causes an NPE error. * Test.java {code:java} // Test.java Run on JDK8 or JDK11 public class Test { public static void main(String[] args) throws Exception { LoginContext lc = new LoginContext("SampleClient", new Subject(), null, new CustomConfiguration("had...@hadoop.com", "/root/wjc/hadoop.keytab")); lc.login(); System.out.println(lc.getSubject().toString()); } } {code} * CustomConfiguration.java {code:java} import javax.security.auth.login.AppConfigurationEntry; import java.util.HashMap; import java.util.Map; class CustomConfiguration extends javax.security.auth.login.Configuration { private static final Map<String, String> BASIC_JAAS_OPTIONS = new HashMap<String, String>(); private static final Map<String, String> KEYTAB_KERBEROS_OPTIONS = new HashMap<String, String>(); private static final AppConfigurationEntry KEYTAB_KERBEROS_LOGIN = new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule", AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, KEYTAB_KERBEROS_OPTIONS); private static final AppConfigurationEntry[] KEYTAB_KERBEROS_CONF = new AppConfigurationEntry[]{KEYTAB_KERBEROS_LOGIN}; static { KEYTAB_KERBEROS_OPTIONS.put("doNotPrompt", "true"); KEYTAB_KERBEROS_OPTIONS.put("useKeyTab", "true"); KEYTAB_KERBEROS_OPTIONS.put("storeKey", "true"); KEYTAB_KERBEROS_OPTIONS.put("refreshKrb5Config", "true"); KEYTAB_KERBEROS_OPTIONS.putAll(BASIC_JAAS_OPTIONS); } private String keytabPrincipal; private String keytabFile; public CustomConfiguration(String keytabPrincipal, String keytabFile) { this.keytabPrincipal = keytabPrincipal; this.keytabFile = keytabFile; } private CustomConfiguration() { } public String getKeytabFile() { return keytabFile; } public String getKeytabPrincipal() { return keytabPrincipal; } @Override public AppConfigurationEntry[] 
getAppConfigurationEntry(String appName) { KEYTAB_KERBEROS_OPTIONS.put("keyTab", keytabFile); KEYTAB_KERBEROS_OPTIONS.put("principal", keytabPrincipal); return KEYTAB_KERBEROS_CONF; } } {code} Kerberos client error information is as follows: {code:java} Exception in thread "main" javax.security.auth.login.LoginException: null (5001) at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:781) at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592) at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726) at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665) at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663) at java.base/java.security.AccessController.doPrivileged(Native Method) at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663) at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574) at org.example.Main.main(Main.java:14) Caused by: KrbException: null (5001) at java.security.jgss/sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76) at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:326) at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:371) at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:753) ... 8 more Caused by: KrbException: Identifier doesn't match expected value (906) at java.security.jgss/sun.security.krb5.internal.KDCRep.init(KDCRep.java:140) at java.security.jgss/sun.security.krb5.internal.ASRep.init(ASRep.java:64) at java.security.jgss/sun.security.krb5.internal.ASRep.<init>(ASRep.java:59) at java.security.jgss/sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60) ... 11 more {code} The position where NPE occurs on kerby-kdc is as follows: !kdc-npe.png! 
was: If change the value of preauth_required in the kdc.conf file to false, then using the following code to access the KDC causes an NPE error. {code:java} // Run on JDK8 or JDK11 public class Test { public static void main(String[] args) throws Exception { LoginContext lc = new LoginContext("SampleClient", new Subject(), null, new CustomConfiguration("had...@hadoop.com", "/root/wjc/hadoop.keytab")); lc.login(); System.out.println(lc.getSubject().toString()); } } {code} Here is a fix to the problem: {code:java} Index: kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java --- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java (revision 03784fcde8e94fedbe789606d2f328104c20b33f) +++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java (date 1670208307220) 
@@ -678,11 +678,13 @@ } PaData preAuthData = request.getPaData(); - if (isPreauthRequired() && (preAuthData == null || preAuthData.isEmpty())) { - LOG.info("The preauth data is empty."); - KrbError krbError = makePreAuthenticationError(kdcContext, request, - KrbErrorCode.KDC_ERR_PREAUTH_REQUIRED, false); - throw new KdcRecoverableException(krbError); + if (isPreauthRequired()) { + if (preAuthData == null || preAuthData.isEmpty()) { + LOG.info("The preauth data is empty."); + KrbError krbError = makePreAuthenticationError(kdcContext, request, + KrbErrorCode.KDC_ERR_PREAUTH_REQUIRED, false); + throw new KdcRecoverableException(krbError); + } } else { getPreauthHandler().verify(this, preAuthData); } {code} > The AS request appears with an NPE when preauth_required is set to false > ------------------------------------------------------------------------ > > Key: DIRKRB-762 > URL: https://issues.apache.org/jira/browse/DIRKRB-762 > Project: Directory Kerberos > Issue Type: Bug > Affects Versions: 2.0.0, 2.0.1, 2.0.2 > Reporter: Jichao Wang > Priority: Major > Fix For: 2.0.3 > > Attachments: kdc-npe.png > > > If change the value of preauth_required in the kdc.conf file to false, then > using the following code to access the KDC causes an NPE error. 
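Review bot: In the KdcRequest.java hunk, the rewritten `if (isPreauthRequired()) { ... } else { getPreauthHandler().verify(this, preAuthData); }` leaves the `verify` call reachable only when pre-authentication is not required, so on a KDC with preauth_required=true a request that does carry PA-DATA is no longer verified at all. The case named in the report is also unchanged: with preauth_required=false and no PA-DATA, `verify` is still called with a null or empty `preAuthData`. Keeping the original condition and guarding only the missing-data case would avoid dropping the check, for example by turning the existing `} else {` into `} else if (preAuthData != null && !preAuthData.isEmpty()) {`. The enclosing method starts and ends outside the hunk and the NPE site is shown only in the attached kdc-npe.png, so whether later code depends on state set by `verify` should be confirmed before adopting either form.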
> * Test.java > {code:java} > // Test.java Run on JDK8 or JDK11 > public class Test { > public static void main(String[] args) throws Exception { > LoginContext lc = new LoginContext("SampleClient", > new Subject(), > null, > new CustomConfiguration("had...@hadoop.com", > "/root/wjc/hadoop.keytab")); > lc.login(); > System.out.println(lc.getSubject().toString()); > } > } {code} > * > CustomConfiguration.java > {code:java} > import javax.security.auth.login.AppConfigurationEntry; > import java.util.HashMap; > import java.util.Map; > class CustomConfiguration > extends javax.security.auth.login.Configuration { > private static final Map<String, String> BASIC_JAAS_OPTIONS = > new HashMap<String, String>(); > private static final Map<String, String> KEYTAB_KERBEROS_OPTIONS = > new HashMap<String, String>(); > private static final AppConfigurationEntry KEYTAB_KERBEROS_LOGIN = > new > AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule", > AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, > KEYTAB_KERBEROS_OPTIONS); > private static final AppConfigurationEntry[] KEYTAB_KERBEROS_CONF = > new AppConfigurationEntry[]{KEYTAB_KERBEROS_LOGIN}; > static { > KEYTAB_KERBEROS_OPTIONS.put("doNotPrompt", "true"); > KEYTAB_KERBEROS_OPTIONS.put("useKeyTab", "true"); > KEYTAB_KERBEROS_OPTIONS.put("storeKey", "true"); > KEYTAB_KERBEROS_OPTIONS.put("refreshKrb5Config", "true"); > KEYTAB_KERBEROS_OPTIONS.putAll(BASIC_JAAS_OPTIONS); > } > private String keytabPrincipal; > private String keytabFile; > public CustomConfiguration(String keytabPrincipal, String keytabFile) { > this.keytabPrincipal = keytabPrincipal; > this.keytabFile = keytabFile; > } > private CustomConfiguration() { > } > public String getKeytabFile() { > return keytabFile; > } > public String getKeytabPrincipal() { > return keytabPrincipal; > } > @Override > public AppConfigurationEntry[] getAppConfigurationEntry(String appName) { > KEYTAB_KERBEROS_OPTIONS.put("keyTab", keytabFile); > 
KEYTAB_KERBEROS_OPTIONS.put("principal", keytabPrincipal); > return KEYTAB_KERBEROS_CONF; > } > } {code} > Kerberos client error information is as follows: > {code:java} > Exception in thread "main" javax.security.auth.login.LoginException: null > (5001) > at > jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:781) > at > jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592) > at > java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726) > at > java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665) > at > java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663) > at java.base/java.security.AccessController.doPrivileged(Native Method) > at > java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663) > at > java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574) > at org.example.Main.main(Main.java:14) > Caused by: KrbException: null (5001) > at java.security.jgss/sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76) > at > java.security.jgss/sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:326) > at > java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:371) > at > jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:753) > ... 8 more > Caused by: KrbException: Identifier doesn't match expected value (906) > at > java.security.jgss/sun.security.krb5.internal.KDCRep.init(KDCRep.java:140) > at java.security.jgss/sun.security.krb5.internal.ASRep.init(ASRep.java:64) > at > java.security.jgss/sun.security.krb5.internal.ASRep.<init>(ASRep.java:59) > at java.security.jgss/sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60) > ... 11 more {code} > The position where NPE occurs on kerby-kdc is as follows: > !kdc-npe.png! 