For any questions on Sun's implementation of Java GSS/Kerberos,
please communicate to us via [EMAIL PROTECTED] alias.

For latest Java GSS/Kerberos features in J2SE 1.5.0, please refer to:
http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/jgss-tiger.html

For Java GSS/Kerberos features available since J2SE1.4.2, please refer to:
http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/jgss-features.html

I have already responded to you. Sending out the same to MIT alias for other folks.

You need to set up the "udp_preference_limit" configuration parameter in the
Kerberos configuration file krb5.conf under the [libdefaults] section if you want
your application to use TCP. If it is not specified, the Java Kerberos library will fall back
to TCP only if the Kerberos ticket request using UDP fails and the KDC returns
the error code KRB_ERR_RESPONSE_TOO_BIG.

*udp_preference_limit*
When sending a message to the KDC, the library will try using TCP before UDP
if the size of the message is above udp_preference_limit. If the message is
smaller than udp_preference_limit, then UDP will be tried before TCP.

For example, you can set udp_preference_limit = 1 to always use TCP.

Hope this helps.
Seema
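The transport choice and error-52 fallback described above, modelled in Python as an added example (not code from the thread or from Sun's library). The krb5.conf text reuses the realm and KDC host from the thread but its layout is constructed, the UDP reply ceiling is an assumed value for the simulation, and the fake KDC stands in for a real one.

```python
KRB_ERR_RESPONSE_TOO_BIG = 52  # error code 52 in the Kinit trace on this thread

# Constructed krb5.conf using the realm and KDC host from the thread (assumed layout).
KRB5_CONF = """
[libdefaults]
    udp_preference_limit = 1
[realms]
    SSOTEST.RTC.CH = {
        kdc = rtcnt978.ssotest.rtc.ch:88
    }
"""

def udp_preference_limit(conf_text, default=None):
    """Read udp_preference_limit from [libdefaults]; return default if it is not set."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "udp_preference_limit":
                return int(value.strip())
    return default

def transport_order(msg_size, limit):
    """TCP first when a limit is set and the request is above it, otherwise UDP first."""
    if limit is not None and msg_size > limit:
        return ["tcp", "udp"]
    return ["udp", "tcp"]

def fake_kdc(transport, reply_size, udp_max=1465):
    """Simulated KDC (udp_max is an assumed ceiling): a UDP reply that does not fit gets error 52."""
    if transport == "udp" and reply_size > udp_max:
        return {"error": KRB_ERR_RESPONSE_TOO_BIG, "msg": "Response too big for UDP, retry with TCP"}
    return {"error": 0, "transport": transport}

def send_as_req(msg_size, reply_size, limit, kdc=fake_kdc):
    """Try transports in order; on error 52 over UDP retry over TCP (the 1.4.2 fallback)."""
    tried = []
    for transport in transport_order(msg_size, limit):
        tried.append(transport)
        reply = kdc(transport, reply_size)
        if reply["error"] == 0:
            return reply["transport"], tried
        if transport == "udp" and reply["error"] == KRB_ERR_RESPONSE_TOO_BIG:
            continue  # response too big for UDP: retry the same request over TCP
        raise RuntimeError("KDC error %d over %s" % (reply["error"], transport))
    raise RuntimeError("no transport succeeded")
```

With no limit configured a large reply (the Windows AD case in this thread) costs a failed UDP round trip before TCP is tried; with udp_preference_limit = 1 the 251-byte AS-REQ goes straight to TCP.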

Rouiller Claude wrote:

It seems now that Krb5LoginModule from java works (with TCP as fallback, as
Ram says), but kinit only works with UDP. kinit from Java 1.4.2 seems to
suffer from a bug when it has to use TCP.

Can anyone confirm (or deny)?
Claude

-----Original Message-----
From: ram marti [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 01, 2004 9:24 PM
To: [EMAIL PROTECTED]
Subject: Re: Problem with Java (j2sdk1.4.2_03 on a Windows XP client) and

Not quite correct. In 1.4.2, TCP should be used as a fallback when the message size is large and the error code KRB_ERR_RESPONSE_TOO_BIG is returned.

See:

http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/jgss-features.html

"Support TCP for Kerberos Key Distribution Center Transport

Sun's implementation of Kerberos implements Kerberos version 5 according to RFC 1510 and uses UDP transport for ticket requests. A new Internet draft updates this RFC. One of the added features is required support for TCP as a transport in addition to UDP. As a result, in cases where Kerberos tickets exceed the UDP packet size limit, the KDC would return an error code indicating that the request should be resent over TCP.

In the current 1.4.2 release, Sun's implementation of Kerberos now supports automatic fallback to TCP. Therefore, if the Kerberos ticket request using UDP fails and the KDC returns the error code KRB_ERR_RESPONSE_TOO_BIG, TCP is automatically the default transport.

..."

If the error KRB_ERR_RESPONSE_TOO_BIG is returned, TCP will be used.

Thanks
               = Ram Marti


Jeffrey Altman wrote:

Apparently Java's Kerberos implementation does not
support using TCP connections to obtain Kerberos tickets.
This is required when using Windows 2003 Active Directory
as the KDC because the Kerberos tickets must include all
of the Windows ACL data. The Kerberos tickets are therefore
larger than the maximum size of a UDP packet.

Jeffrey Altman


Rouiller Claude wrote:

When I start (java-) kinit I get the following output:

C:\DEV\OioTutorial>java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit sso_testuser
Config name: c:\winnt\krb5.ini
KinitOptions cache name is C:\Documents and Settings\sso_testadmin\krb5cc_sso_testadmin
Principal is [EMAIL PROTECTED]
Password for [EMAIL PROTECTED]:123
Kinit console input 123
Kinit realm name is SSOTEST.RTC.CH
Creating KrbAsReq
KrbKdcReq local addresses for pcc2079 are:
pcc2079/159.29.193.35
KrbAsReq salt is SSOTEST.RTC.CHsso_testuser
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbAsReq etypes are: 3 1
Kinit: sending as_req to realm SSOTEST.RTC.CH
KrbKdcReq send: kdc=rtcnt978.ssotest.rtc.ch UDP:88, timeout=30000, number of retries =3, #bytes=251
KDCCommunication: kdc=rtcnt978.ssotest.rtc.ch UDP:88, timeout=30000,Attempt =1, #bytes=251
KrbKdcReq send: #bytes read=100
KrbKdcReq send: #bytes read=100
reading response from kdc
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
        sTime is Tue Jun 01 11:17:27 CEST 2004 1086081447000
        suSec is 511665
        error code is 52
        error Message is Response too big for UDP, retry with TCP
        realm is SSOTEST.RTC.CH
        sname is krbtgt/SSOTEST.RTC.CH
Exception in thread "main" java.lang.IllegalAccessError: tried to access
class sun.security.krb5.KrbKdcReq from class
sun.security.krb5.internal.tools.Kinit
       at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
       at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)

Do you have any idea why I get this exception?

Thanks in advance
Claude

________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos



