RE: [VOTE] - Release Apache Kerby 2.0.1

2020-05-26 Thread Li, Jiajia
+1
Built and passed all tests.
Verified the kdc, kadmin, kinit tools.

Regards,
Jiajia

-Original Message-
From: Colm O hEigeartaigh  
Sent: Monday, May 25, 2020 5:50 PM
To: kerby@directory.apache.org; Apache Directory Developers List 

Subject: [VOTE] - Release Apache Kerby 2.0.1

This is a vote to release Apache Kerby 2.0.1. It's been over a year since the 
last release, this release fixes a few bugs and updates some dependencies.

Issues fixed:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310910&version=12344836
Artifacts:
https://repository.apache.org/content/repositories/orgapachedirectory-1192/
Source Artifacts:
https://repository.apache.org/content/repositories/orgapachedirectory-1192/org/apache/kerby/kerby-all/2.0.1/
Git tag: https://github.com/apache/directory-kerby/tree/kerby-all-2.0.1

+1 from me.

Colm.


RE: New release

2019-12-29 Thread Li, Jiajia
Hi Colm,

I fixed these failing UTs by changing the keys to 2048 bits, and I have built 
and verified the HAS dist from the current trunk code.

Thanks,
Jiajia

-Original Message-
From: Li, Jiajia  
Sent: Thursday, December 26, 2019 10:19 AM
To: cohei...@apache.org
Cc: kerby@directory.apache.org
Subject: RE: New release

Hi Colm,
Thanks for your confirmation. I am using JDK 1.8; I will try to use another 
version and then check the HAS feature, but I should do this work at the end of 
this week. Sorry for the delay.

Thanks,
Jiajia

-Original Message-
From: Colm O hEigeartaigh 
Sent: Sunday, December 22, 2019 2:29 AM
To: Li, Jiajia 
Cc: kerby@directory.apache.org
Subject: Re: New release

Hi Jiajia,

TokenTest works for me and also on Jenkins:
https://builds.apache.org/view/A-D/view/Directory/job/dir-kerby/

What JDK are you using?

Colm.

On Sat, Dec 21, 2019 at 12:23 PM Li, Jiajia  wrote:

> Hi Colm,
>
> Some of the UTs in TokenTest fail with the exception
> "java.lang.IllegalArgumentException: The RSA key size must be at least
> 2048 bits"
>
> I think the following commit is for fixing it:
> "
> commit c865ab74a9eb8a14b2506f3b86dbe4984c140545
> Author: Colm O hEigeartaigh 
> Date:   Mon Nov 11 12:58:58 2019 +
>
> Updating test keys to be 2048 bits "
>
> Could you help to check it? Thanks.
>
> Regards,
> Jiajia
>
> -Original Message-
> From: Li, Jiajia 
> Sent: Thursday, December 19, 2019 9:43 AM
> To: cohei...@apache.org; kerby@directory.apache.org
> Subject: RE: New release
>
> Hi Colm,
>
> Glad to hear that Kerby will have the new release version, I will 
> check the HAS feature in this week.
>
> Thanks,
> Jiajia
>
> From: Colm O hEigeartaigh 
> Sent: Wednesday, December 18, 2019 9:35 PM
> To: Li, Jiajia ; kerby@directory.apache.org
> Subject: New release
>
> Hi Jiajia,
>
> I want to release a new version of Kerby. Can you build the HAS dist 
> from the current trunk code and verify that it's working OK?
>
> Colm.
>

-
To unsubscribe, e-mail: kerby-unsubscr...@directory.apache.org
For additional commands, e-mail: kerby-h...@directory.apache.org





RE: New release

2019-12-25 Thread Li, Jiajia
Hi Colm,
Thanks for your confirmation. I am using JDK 1.8; I will try to use another 
version and then check the HAS feature, but I should do this work at the end of 
this week. Sorry for the delay.

Thanks,
Jiajia

-Original Message-
From: Colm O hEigeartaigh  
Sent: Sunday, December 22, 2019 2:29 AM
To: Li, Jiajia 
Cc: kerby@directory.apache.org
Subject: Re: New release

Hi Jiajia,

TokenTest works for me and also on Jenkins:
https://builds.apache.org/view/A-D/view/Directory/job/dir-kerby/

What JDK are you using?

Colm.

On Sat, Dec 21, 2019 at 12:23 PM Li, Jiajia  wrote:

> Hi Colm,
>
> Some of the UTs in TokenTest fail with the exception
> "java.lang.IllegalArgumentException: The RSA key size must be at least 
> 2048 bits"
>
> I think the following commit is for fixing it:
> "
> commit c865ab74a9eb8a14b2506f3b86dbe4984c140545
> Author: Colm O hEigeartaigh 
> Date:   Mon Nov 11 12:58:58 2019 +
>
> Updating test keys to be 2048 bits "
>
> Could you help to check it? Thanks.
>
> Regards,
> Jiajia
>
> -Original Message-
> From: Li, Jiajia 
> Sent: Thursday, December 19, 2019 9:43 AM
> To: cohei...@apache.org; kerby@directory.apache.org
> Subject: RE: New release
>
> Hi Colm,
>
> Glad to hear that Kerby will have the new release version, I will 
> check the HAS feature in this week.
>
> Thanks,
> Jiajia
>
> From: Colm O hEigeartaigh 
> Sent: Wednesday, December 18, 2019 9:35 PM
> To: Li, Jiajia ; kerby@directory.apache.org
> Subject: New release
>
> Hi Jiajia,
>
> I want to release a new version of Kerby. Can you build the HAS dist 
> from the current trunk code and verify that it's working OK?
>
> Colm.
>




RE: New release

2019-12-21 Thread Li, Jiajia
Hi Colm,

Some of the UTs in TokenTest fail with the exception 
"java.lang.IllegalArgumentException: The RSA key size must be at least 2048 
bits"

I think the following commit is for fixing it:
"
commit c865ab74a9eb8a14b2506f3b86dbe4984c140545
Author: Colm O hEigeartaigh 
Date:   Mon Nov 11 12:58:58 2019 +

Updating test keys to be 2048 bits
"

Could you help to check it? Thanks.

Regards,
Jiajia

-Original Message-----
From: Li, Jiajia  
Sent: Thursday, December 19, 2019 9:43 AM
To: cohei...@apache.org; kerby@directory.apache.org
Subject: RE: New release

Hi Colm,

Glad to hear that Kerby will have the new release version, I will check the HAS 
feature in this week.

Thanks,
Jiajia

From: Colm O hEigeartaigh 
Sent: Wednesday, December 18, 2019 9:35 PM
To: Li, Jiajia ; kerby@directory.apache.org
Subject: New release

Hi Jiajia,

I want to release a new version of Kerby. Can you build the HAS dist from the 
current trunk code and verify that it's working OK?

Colm.


RE: New release

2019-12-18 Thread Li, Jiajia
Hi Colm,

Glad to hear that Kerby will have the new release version, I will check the HAS 
feature in this week.

Thanks,
Jiajia

From: Colm O hEigeartaigh 
Sent: Wednesday, December 18, 2019 9:35 PM
To: Li, Jiajia ; kerby@directory.apache.org
Subject: New release

Hi Jiajia,

I want to release a new version of Kerby. Can you build the HAS dist from the 
current trunk code and verify that it's working OK?

Colm.


RE: [VOTE] - Release Apache Kerby 2.0.0 - take II

2019-01-23 Thread Li, Jiajia
Hi Colm,

Thanks for driving the release and making it happen. Can we use the 2.0.0 now? 
Will there be the announcement email for this release?

Thanks,
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Monday, January 14, 2019 7:23 PM
To: kerby@directory.apache.org
Cc: Apache Directory Developers List 
Subject: Re: [VOTE] - Release Apache Kerby 2.0.0 - take II

With 4 +1 votes, and no other votes, this vote passes - I'll do the release!

Colm.

On Fri, Jan 11, 2019 at 3:59 PM Shawn McKinney  wrote:

> +1
>
> [INFO] BUILD SUCCESS
> [INFO]
> --
> --
> [INFO] Total time: 5:25.228s
> [INFO] Finished at: Fri Jan 11 15:52:47 UTC 2019 [INFO] Final Memory: 
> 93M/419M [INFO]
> --
> --
> [student@li669-157 kerby]$ mvn -version Apache Maven 3.0.5 (Red Hat 
> 3.0.5-17) Maven home: /usr/share/maven Java version: 1.8.0_191, 
> vendor: Oracle Corporation Java home: 
> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64/jre
> Default locale: en_US, platform encoding: UTF-8 OS name: "linux", 
> version: "3.10.0-862.11.6.el7.x86_64", arch: "amd64",
> family: "unix"
>
> > On Jan 10, 2019, at 12:17 AM, Li, Jiajia  wrote:
> >
> > +1
> > Built successfully with java 8, all tests passed.
> >
> > Regards,
> > Jiajia
> >
> > -Original Message-
> > From: Stefan Seelmann [mailto:m...@stefan-seelmann.de]
> > Sent: Thursday, January 10, 2019 6:07 AM
> > To: Apache Directory Developers List ;
> kerby@directory.apache.org
> > Subject: Re: [VOTE] - Release Apache Kerby 2.0.0 - take II
> >
> > +1
> >
> > Built with Java 8 and 11
> > Checked legal files
> >
> > Kind Regards,
> > Stefan
> >
> >
> > On 1/8/19 1:27 PM, Colm O hEigeartaigh wrote:
> >> This is a vote to release Apache Kerby 2.0.0. This is the second 
> >> vote
> >> - the first vote was cancelled due to licensing concerns raised by 
> >> Stefan which have been addressed.
> >>
> >> Git tag:
> >>
> >> https://github.com/apache/directory-kerby/tree/kerby-all-2.0.0
> >>
> >> Artifacts:
> >>
> >> https://repository.apache.org/content/repositories/orgapachedirecto
> >> ry-
> >> 1180/
> >>
> >> Issues fixed:
> >>
> >> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12
> >> 310
> >> 910&version=12342433
> >>
> >> +1 from me.
> >>
> >> Colm.
> >>
> >>
> >
>
>

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


RE: [VOTE] - Release Apache Kerby 2.0.0 - take II

2019-01-09 Thread Li, Jiajia
+1
Built successfully with java 8, all tests passed.

Regards,
Jiajia

-Original Message-
From: Stefan Seelmann [mailto:m...@stefan-seelmann.de] 
Sent: Thursday, January 10, 2019 6:07 AM
To: Apache Directory Developers List ; 
kerby@directory.apache.org
Subject: Re: [VOTE] - Release Apache Kerby 2.0.0 - take II

+1

Built with Java 8 and 11
Checked legal files

Kind Regards,
Stefan


On 1/8/19 1:27 PM, Colm O hEigeartaigh wrote:
> This is a vote to release Apache Kerby 2.0.0. This is the second vote 
> - the first vote was cancelled due to licensing concerns raised by 
> Stefan which have been addressed.
> 
> Git tag:
> 
> https://github.com/apache/directory-kerby/tree/kerby-all-2.0.0
> 
> Artifacts:
> 
> https://repository.apache.org/content/repositories/orgapachedirectory-
> 1180/
> 
> Issues fixed:
> 
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310
> 910&version=12342433
> 
> +1 from me.
> 
> Colm.
> 
> 



RE: HadminApi REST API

2019-01-07 Thread Li, Jiajia
The implementation of HadminApi REST API is based on SPNEGO, the admin should 
have the admin.keytab to call this API.

Thanks,
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Thursday, January 3, 2019 8:57 PM
To: kerby@directory.apache.org
Subject: HadminApi REST API

Hi,

I'm wondering how the HadminApi REST API is secured to prevent non-admin users 
from calling it?

Colm.


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


RE: [VOTE] - Release Apache Kerby 2.0.0

2018-12-17 Thread Li, Jiajia
Hi Stefan,

Thanks for the serious review. 

>The release includes binary artifacts of has-dist [1] which includes many 
>third-party libraries, but the required license/notice files are missing in 
>those dist packages.

It's because the N&L are not included in assembly.xml; I've fixed this in the pull 
request [1].

>The dist archives also include the jdk.tools-1.8.jar which I assume we are not 
>allowed to distribute. It's a system dependency from 
>hadoop-common/hadoop-annotations lib, not sure if Hadoop includes it?

I've checked that Hadoop does not include jdk.tools in its distribution; I've 
excluded it in [1].

>PS: Dist packages of kdc-dist and tool-dist were not generated because their 
>pom.xml use a Maven profile "-Pdist" which probably was not enabled during 
>release build, but has-dist pom.xml does not include such a profile so 
>artifacts were built and deployed.

I've added the "dist" Maven profile in has-dist pom.xml in [1]

Could you have a look at the pull request?

[1] https://github.com/apache/directory-kerby/pull/43

Thanks,
Jiajia

-Original Message-
From: Stefan Seelmann [mailto:m...@stefan-seelmann.de] 
Sent: Sunday, December 16, 2018 5:08 AM
To: Apache Directory Developers List ; 
kerby@directory.apache.org
Subject: Re: [VOTE] - Release Apache Kerby 2.0.0

I'm afraid I have to give a -1.

The release includes binary artifacts of has-dist [1] which includes many 
third-party libraries, but the required license/notice files are missing in 
those dist packages.

The dist archives also include the jdk.tools-1.8.jar which I assume we are not 
allowed to distribute. It's a system dependency from 
hadoop-common/hadoop-annotations lib, not sure if Hadoop includes it?

PS: Dist packages of kdc-dist and tool-dist were not generated because their 
pom.xml use a Maven profile "-Pdist" which probably was not enabled during 
release build, but has-dist pom.xml does not include such a profile so artifacts 
were built and deployed.

[1]
https://repository.apache.org/content/repositories/orgapachedirectory-1179/org/apache/kerby/has-dist/2.0.0/



On 12/11/18 12:49 PM, Colm O hEigeartaigh wrote:
> This is a vote to release Apache Kerby 2.0.0.
> 
> Artifacts:
> 
> https://repository.apache.org/content/repositories/orgapachedirectory-
> 1179/
> 
> Issues fixed:
> 
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310
> 910&version=12342433
> 
> Git tag:
> 
> https://github.com/apache/directory-kerby/tree/kerby-all-2.0.0
> 
> +1 from me.
> 
> Colm.
> 
> 



RE: [VOTE] - Release Apache Kerby 2.0.0

2018-12-12 Thread Li, Jiajia
+1
Built successfully with java version "1.8.0_112", all tests passed.

Regards,
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Tuesday, December 11, 2018 7:50 PM
To: Apache Directory Developers List 
Cc: kerby@directory.apache.org
Subject: [VOTE] - Release Apache Kerby 2.0.0

This is a vote to release Apache Kerby 2.0.0.

Artifacts:

https://repository.apache.org/content/repositories/orgapachedirectory-1179/

Issues fixed:

https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310910&version=12342433

Git tag:

https://github.com/apache/directory-kerby/tree/kerby-all-2.0.0

+1 from me.

Colm.


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


RE: Kerby 2.0.0

2018-11-05 Thread Li, Jiajia
Hi Emmanuel,

Could you have a look at the N&L, here are the links:

https://github.com/apache/directory-kerby/blob/trunk/kerby-dist/has-dist/LICENSE
https://github.com/apache/directory-kerby/blob/trunk/kerby-dist/has-dist/NOTICE
https://github.com/apache/directory-kerby/tree/trunk/kerby-dist/has-dist/licenses

Thanks,
Jiajia


-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Friday, October 26, 2018 6:38 PM
To: kerby@directory.apache.org
Subject: Re: Kerby 2.0.0

Hi Jiajia,

Looks fine to me, if Emmanuel is also happy then we can proceed to release.

Colm.

On Tue, Oct 23, 2018 at 9:11 AM Li, Jiajia  wrote:

> Thanks Emmanuel and Colm, I've added the N&L for the transitive 
> dependencies under the "has-dist".
>
> Regards,
> Jiajia
>
> -Original Message-
> From: Emmanuel Lécharny [mailto:elecha...@gmail.com]
> Sent: Tuesday, October 16, 2018 12:18 AM
> To: kerby@directory.apache.org
> Subject: Re: Kerby 2.0.0
>
>
>
> Le 15/10/2018 à 15:20, Colm O hEigeartaigh a écrit :
> > Hi Jiajia,
> >
> > My understanding is that the N&L are still needed as a user can 
> > create a
> > (binary) distribution from our (source) distribution.
>
> Absolutely, but they are different N&L files :-)
>
> Usually, there need to be a 'distribution' sub-project that manage to 
> cut a binary release, and this 'distribution' sub-project will contain 
> those specific N&L files.
>
> You can have a look at
>
> https://gitbox.apache.org/repos/asf?p=directory-ldap-api.git;a=tree;f=
> distribution;h=9fb6cf913a73f1295ef70ec67fcb3a503bd64875;hb=293d6590662
> bf4f03b3c7321a658bb31d7f303c9
>
>
> --
> Emmanuel Lecharny
>
> Symas.com
> directory.apache.org
>
>

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


RE: Kerby 2.0.0

2018-10-23 Thread Li, Jiajia
Thanks Emmanuel and Colm, I've added the N&L for the transitive dependencies 
under the "has-dist".

Regards,
Jiajia

-Original Message-
From: Emmanuel Lécharny [mailto:elecha...@gmail.com] 
Sent: Tuesday, October 16, 2018 12:18 AM
To: kerby@directory.apache.org
Subject: Re: Kerby 2.0.0



Le 15/10/2018 à 15:20, Colm O hEigeartaigh a écrit :
> Hi Jiajia,
> 
> My understanding is that the N&L are still needed as a user can create 
> a
> (binary) distribution from our (source) distribution.

Absolutely, but they are different N&L files :-)

Usually, there need to be a 'distribution' sub-project that manage to cut a 
binary release, and this 'distribution' sub-project will contain those specific 
N&L files.

You can have a look at
https://gitbox.apache.org/repos/asf?p=directory-ldap-api.git;a=tree;f=distribution;h=9fb6cf913a73f1295ef70ec67fcb3a503bd64875;hb=293d6590662bf4f03b3c7321a658bb31d7f303c9


--
Emmanuel Lecharny

Symas.com
directory.apache.org



RE: Kerby 2.0.0

2018-10-11 Thread Li, Jiajia
Thanks Emmanuel. 
Do you mean that if we don't bundle the dependency jars in the released package, the 
N&L are not needed? If so, I think we can just release the source code for 
has-dist; users can download the source code and compile it before using it. Because 
the dependencies will change after upgrading the version, that will increase 
our maintenance cost. Please correct me if I am wrong.

Thanks,
Jiajia


-Original Message-
From: Emmanuel Lécharny [mailto:elecha...@gmail.com]
Sent: Thursday, October 11, 2018 4:20 PM
To: kerby@directory.apache.org
Subject: Re: Kerby 2.0.0



Le 11/10/2018 à 08:12, Li, Jiajia a écrit :
> Hi Colm,
> 
> I have added the NOTICE, LICENSE and README, but I have one question: 
> has-server has the hadoop-common (Apache license) dependency, so all the 
> hadoop-common dependency jars will be under the target/lib folder. Should we 
> add N&L for these jars?

You should include all the N&L of all the dependencies you are bundling in the 
released package, including transitive dependencies (ie dependencies used by 
the dependencies...)

This is painful, but required.

You can use mvn dependency:tree for that purpose.

Note that the N&L will change between a binary package and a source package. 
Typically, in a source package, if you have dependencies that are only added 
while building a binary package, then there is no need to add them (I'm 
thinking of installer libraries, for instance).


--
Emmanuel Lecharny

Symas.com
directory.apache.org



RE: Kerby 2.0.0

2018-10-10 Thread Li, Jiajia
Hi Colm,

I have added the NOTICE, LICENSE and README, but I have one question: 
has-server has the hadoop-common (Apache license) dependency, so all the 
hadoop-common dependency jars will be under the target/lib folder. Should we 
add N&L for these jars?

Thanks,
Jiajia

From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Tuesday, October 2, 2018 12:22 AM
To: Li, Jiajia 
Cc: kerby@directory.apache.org
Subject: Re: Kerby 2.0.0

Hi Jiajia,

The "has-dist" directory is missing the following 3 files:

README.txt (describing the project + pointers as to how to use it)
LICENSE
NOTICE

In addition, it's not enough simply to put the third party licenses in the 
"licenses" directory. For each project, you need to go through the source and 
see if there are copyright notices that have to be preserved in the HAS NOTICE 
(see here: http://www.apache.org/dev/licensing-howto.html#mod-notice). Also, at 
the end of LICENSE, the non-Apache "permissively licensed" licenses (e.g. BSD, 
MIT) need to be referenced in the licenses directory (see 
http://www.apache.org/dev/licensing-howto.html#permissive-deps). Take a look at 
the "kdc-dist" NOTICE + LICENSE to see how it works.

Colm.

On Fri, Sep 21, 2018 at 4:10 AM Li, Jiajia wrote:
Hi Colm,

I've added the required jars in the HAS distribution, could you help check? And I've 
fixed some errors reported by Coverity (a static analysis code tool). Are there 
other review comments on your side? If not, do you think it is possible to 
start the Kerby 2.0.0 release process?

Thanks,
Jiajia

-Original Message-
From: Li, Jiajia [mailto:jiajia...@intel.com]
Sent: Friday, September 14, 2018 11:27 AM
To: kerby@directory.apache.org; cohei...@apache.org
Subject: RE: Kerby 2.0.0

>
> >>> For both kdc-dist + tool-dist I can build a distribution
> >>> containing
> the required jars. How does it work for HAS?
> HAS can be the same as the kdc-dist + tool-dist.
>

> Do you mean here that you plan to change the HAS distribution to also include 
> the required jars?

Yes, I think it's better to add the required jars.

Thanks,
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Thursday, September 13, 2018 7:13 PM
To: kerby@directory.apache.org
Subject: Re: Kerby 2.0.0

Hi Jiajia,

On Thu, Sep 13, 2018 at 3:33 AM Li, Jiajia wrote:

>
> >>> For both kdc-dist + tool-dist I can build a distribution
> >>> containing
> the required jars. How does it work for HAS?
> HAS can be the same as the kdc-dist + tool-dist.
>

Do you mean here that you plan to change the HAS distribution to also include 
the required jars?

Colm.


>
> Thanks,
> Jiajia
>
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Saturday, September 8, 2018 12:41 AM
> To: Li, Jiajia
> Cc: kerby@directory.apache.org
> Subject: Re: Kerby 2.0.0
>
> Hi Jiajia,
>
> On Fri, Sep 7, 2018 at 6:26 AM Li, Jiajia wrote:
> Hi Colm,
>
> >>>How many different types of client login are supported by the
> >>>client
> plugin "out of the box"?
>
> HAS supports two plugin types: MySQL[1] and LDAP[2]
>
> These are the backends for retrieving the user credentials right? I
> meant what are the different credentials we support - obviously
> user/password, but do we support logging in using various tokens?
>
> Thanks for your reminder, we use "assembly.xml" the same as the file
> under kdc-dist and tool-dist, I'm not sure should we add the
> dependency jars in zip/tar/tar.gz for kdc-dist and tool-dist?
>
> For both kdc-dist + tool-dist I can build a distribution containing
> the required jars. How does it work for HAS?
>
> Yes, the Hadoop should have the patch(
> https://github.com/apache/directory-kerby/blob/trunk/has-project/suppo
> rts/hadoop/hadoop-2.7.2.patch), this patch let Hadoop Client using
> HasLoginModule to replace the Krb5LoginModule. In addition to using
> Credential cache and Keytab for JAAS login, we have added the new
> login method in HasLoginModule. This new login method will call the
> HasClient, then HasClient will select the configured plugin to login,
> after successful login, Kerby KDC will issue a Kerberos ticket, as you
> said "swapping a non-kerberos credential for a kerberos ticket".

RE: Kerby 2.0.0

2018-09-20 Thread Li, Jiajia
Hi Colm,

I've added the required jars in the HAS distribution, could you help check? And I've 
fixed some errors reported by Coverity (a static analysis code tool). Are there 
other review comments on your side? If not, do you think it is possible to 
start the Kerby 2.0.0 release process?

Thanks,
Jiajia

-Original Message-----
From: Li, Jiajia [mailto:jiajia...@intel.com] 
Sent: Friday, September 14, 2018 11:27 AM
To: kerby@directory.apache.org; cohei...@apache.org
Subject: RE: Kerby 2.0.0

>
> >>> For both kdc-dist + tool-dist I can build a distribution 
> >>> containing
> the required jars. How does it work for HAS?
> HAS can be the same as the kdc-dist + tool-dist.
>

> Do you mean here that you plan to change the HAS distribution to also include 
> the required jars?

Yes, I think it's better to add the required jars.

Thanks,
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Thursday, September 13, 2018 7:13 PM
To: kerby@directory.apache.org
Subject: Re: Kerby 2.0.0

Hi Jiajia,

On Thu, Sep 13, 2018 at 3:33 AM Li, Jiajia  wrote:

>
> >>> For both kdc-dist + tool-dist I can build a distribution 
> >>> containing
> the required jars. How does it work for HAS?
> HAS can be the same as the kdc-dist + tool-dist.
>

Do you mean here that you plan to change the HAS distribution to also include 
the required jars?

Colm.


>
> Thanks,
> Jiajia
>
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Saturday, September 8, 2018 12:41 AM
> To: Li, Jiajia 
> Cc: kerby@directory.apache.org
> Subject: Re: Kerby 2.0.0
>
> Hi Jiajia,
>
> On Fri, Sep 7, 2018 at 6:26 AM Li, Jiajia wrote:
> Hi Colm,
>
> >>>How many different types of client login are supported by the 
> >>>client
> plugin "out of the box"?
>
> HAS supports two plugin types: MySQL[1] and LDAP[2]
>
> These are the backends for retrieving the user credentials right? I 
> meant what are the different credentials we support - obviously 
> user/password, but do we support logging in using various tokens?
>
> Thanks for your reminder, we use "assembly.xml" the same as the file 
> under kdc-dist and tool-dist, I'm not sure should we add the 
> dependency jars in zip/tar/tar.gz for kdc-dist and tool-dist?
>
> For both kdc-dist + tool-dist I can build a distribution containing 
> the required jars. How does it work for HAS?
>
> Yes, the Hadoop should have the patch( 
> https://github.com/apache/directory-kerby/blob/trunk/has-project/suppo
> rts/hadoop/hadoop-2.7.2.patch), this patch let Hadoop Client using 
> HasLoginModule to replace the Krb5LoginModule. In addition to using 
> Credential cache and Keytab for JAAS login, we have added the new 
> login method in HasLoginModule. This new login method will call the 
> HasClient, then HasClient will select the configured plugin to login, 
> after successful login, Kerby KDC will issue a Kerberos ticket, as you 
> said "swapping a non-kerberos credential for a kerberos ticket". In 
> conclusion, the changes in the Hadoop is for Hadoop Client using the 
> new authentication method.
>
> OK now I understand thanks.
>
> Colm.
>
>
> Thanks,
> Jiajia
>
>
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Friday, September 7, 2018 12:24 AM
> To: Li, Jiajia
> Cc: kerby@directory.apache.org
> Subject: Re: Kerby 2.0.0
>
> Hi Jiajia,
>
> How many different types of client login are supported by the client 
> plugin "out of the box"?
>
> How do I build the distribution? Running "mvn clean install" in 
> "directory-kerby/kerby-dist/has-dist" results in 
> target/has-dist-2.0.0-SNAPSHOT.zip with no jars.
>
> Is it still necessary to patch Hadoop as per ( 
> https://github.com/apache/directory-kerby/blob/trunk/has-project/supports/hadoop/README.md)?
> I'm wondering why it's necessary to configure Hadoop for "HAS" at all, 
> given that in the diagram we are just sending a kerberos ticket to 
> Hadoop as we normally would? I thought the idea was that HAS enables 
> you to log on to Hadoop by swapping a non-kerberos credential for a 
> kerberos ticket, maybe I misunderstood?
>
> Colm.
>
> Colm.
>
> On Mon, Aug 27, 2018 at 8:34 AM Li, Jiajia wrote:
> Hi Colm,
> Thanks for taking time to review.
>
> >a) [WARNING] 'dependencies.dependency.version' for org.json:json:jar 
> >is
> either LATEST or RELEASE (both of them are being deprecated) @ 
> 

RE: Kerby 2.0.0

2018-09-13 Thread Li, Jiajia
>
> >>> For both kdc-dist + tool-dist I can build a distribution 
> >>> containing
> the required jars. How does it work for HAS?
> HAS can be the same as the kdc-dist + tool-dist.
>

> Do you mean here that you plan to change the HAS distribution to also include 
> the required jars?

Yes, I think it's better to add the required jars.

Thanks,
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Thursday, September 13, 2018 7:13 PM
To: kerby@directory.apache.org
Subject: Re: Kerby 2.0.0

Hi Jiajia,

On Thu, Sep 13, 2018 at 3:33 AM Li, Jiajia  wrote:

>
> >>> For both kdc-dist + tool-dist I can build a distribution 
> >>> containing
> the required jars. How does it work for HAS?
> HAS can be the same as the kdc-dist + tool-dist.
>

Do you mean here that you plan to change the HAS distribution to also include 
the required jars?

Colm.


>
> Thanks,
> Jiajia
>
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Saturday, September 8, 2018 12:41 AM
> To: Li, Jiajia 
> Cc: kerby@directory.apache.org
> Subject: Re: Kerby 2.0.0
>
> Hi Jiajia,
>
> On Fri, Sep 7, 2018 at 6:26 AM Li, Jiajia wrote:
> Hi Colm,
>
> >>>How many different types of client login are supported by the 
> >>>client
> plugin "out of the box"?
>
> HAS supports two plugin types: MySQL[1] and LDAP[2]
>
> These are the backends for retrieving the user credentials right? I 
> meant what are the different credentials we support - obviously 
> user/password, but do we support logging in using various tokens?
>
> Thanks for your reminder, we use "assembly.xml" the same as the file 
> under kdc-dist and tool-dist, I'm not sure should we add the 
> dependency jars in zip/tar/tar.gz for kdc-dist and tool-dist?
>
> For both kdc-dist + tool-dist I can build a distribution containing 
> the required jars. How does it work for HAS?
>
> Yes, the Hadoop should have the patch( 
> https://github.com/apache/directory-kerby/blob/trunk/has-project/suppo
> rts/hadoop/hadoop-2.7.2.patch), this patch let Hadoop Client using 
> HasLoginModule to replace the Krb5LoginModule. In addition to using 
> Credential cache and Keytab for JAAS login, we have added the new 
> login method in HasLoginModule. This new login method will call the 
> HasClient, then HasClient will select the configured plugin to login, 
> after successful login, Kerby KDC will issue a Kerberos ticket, as you 
> said "swapping a non-kerberos credential for a kerberos ticket". In 
> conclusion, the changes in the Hadoop is for Hadoop Client using the 
> new authentication method.
>
> OK now I understand thanks.
>
> Colm.
>
>
> Thanks,
> Jiajia
>
>
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Friday, September 7, 2018 12:24 AM
> To: Li, Jiajia
> Cc: kerby@directory.apache.org
> Subject: Re: Kerby 2.0.0
>
> Hi Jiajia,
>
> How many different types of client login are supported by the client 
> plugin "out of the box"?
>
> How do I build the distribution? Running "mvn clean install" in 
> "directory-kerby/kerby-dist/has-dist" results in 
> target/has-dist-2.0.0-SNAPSHOT.zip with no jars.
>
> Is it still necessary to patch Hadoop as per ( 
> https://github.com/apache/directory-kerby/blob/trunk/has-project/supports/hadoop/README.md)?
> I'm wondering why it's necessary to configure Hadoop for "HAS" at all, 
> given that in the diagram we are just sending a kerberos ticket to 
> Hadoop as we normally would? I thought the idea was that HAS enables 
> you to log on to Hadoop by swapping a non-kerberos credential for a 
> kerberos ticket, maybe I misunderstood?
>
> Colm.
>
> Colm.
>
> On Mon, Aug 27, 2018 at 8:34 AM Li, Jiajia wrote:
> Hi Colm,
> Thanks for taking time to review.
>
> >a) [WARNING] 'dependencies.dependency.version' for org.json:json:jar 
> >is
> either LATEST or RELEASE (both of them are being deprecated) @ 
> org.apache.kerby:has-tool:[unknown-version],
> >/home/colm/src/apache/directory-kerby/kerby-tool/has-tool/pom.xml, 
> >line
> 48, column 22
>
> I've removed the org.json dependency.
>
> >b) Should Hadoop 3.0.0 be updated to 3.0.3?
> >Does the "HAS project" build a distribution? If so have you followed 
> >the
> steps to include the license/copyright issues as per the existing 
> Kerby distributions?
>
> The Hadoop version has been u

RE: Kerby 2.0.0

2018-09-12 Thread Li, Jiajia
Hi Colm,

>>>These are the backends for retrieving the user credentials right? I meant 
>>>what are the different credentials we support - obviously user/password, but 
>>>do we support logging in using various tokens?

Which user credentials to use depends on the implementation of the plugin; the 
MySQL plugin and the LDAP plugin use user/password for user credentials. Now we 
don't support creating a token as the user credential, we only change the user 
credential to an AuthToken. If a company has their own identity management 
system (using tokens for authentication, and this system can issue the token to 
the user), they should implement the following client/server plugin interfaces 
to connect to the existing authentication system.

HAS client plugin HasClientPlugin:

    public interface HasClientPlugin {
        // Get the login module type ID, used to distinguish this module from others.
        // Should correspond to the server side module.
        String getLoginType();

        // Perform all the client side login logic; the result, wrapped in an AuthToken,
        // will be validated by the HAS server.
        AuthToken login(Conf loginConf) throws HasLoginException;
    }

HAS server plugin HasServerPlugin:

    public interface HasServerPlugin {
        // Get the login module type ID, used to distinguish this module from others.
        // Should correspond to the client side module.
        String getLoginType();

        // Perform all the server side authentication logic; the result, wrapped in an AuthToken,
        // will be used to exchange a Kerberos ticket.
        AuthToken authenticate(AuthToken userToken) throws HasAuthenException;
    }

>>> For both kdc-dist + tool-dist I can build a distribution containing the 
>>> required jars. How does it work for HAS?
HAS can be the same as the kdc-dist + tool-dist.


Thanks,
Jiajia

From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Saturday, September 8, 2018 12:41 AM
To: Li, Jiajia 
Cc: kerby@directory.apache.org
Subject: Re: Kerby 2.0.0

Hi Jiajia,

On Fri, Sep 7, 2018 at 6:26 AM Li, Jiajia wrote:
Hi Colm,

>>>How many different types of client login are supported by the client plugin 
>>>"out of the box"?

HAS supports two plugin types: MySQL[1] and LDAP[2]

These are the backends for retrieving the user credentials right? I meant what 
are the different credentials we support - obviously user/password, but do we 
support logging in using various tokens?

Thanks for your reminder, we use "assembly.xml" the same as the file under 
kdc-dist and tool-dist, I'm not sure whether we should add the dependency jars 
in zip/tar/tar.gz for kdc-dist and tool-dist?

For both kdc-dist + tool-dist I can build a distribution containing the 
required jars. How does it work for HAS?

Yes, Hadoop should have the 
patch (https://github.com/apache/directory-kerby/blob/trunk/has-project/supports/hadoop/hadoop-2.7.2.patch); 
this patch lets the Hadoop client use HasLoginModule in place of 
Krb5LoginModule. In addition to using the credential cache and keytab for JAAS 
login, we have added a new login method in HasLoginModule. This new login 
method will call the HasClient, then HasClient will select the configured 
plugin to log in; after a successful login, the Kerby KDC will issue a Kerberos 
ticket, as you said, "swapping a non-kerberos credential for a kerberos ticket". 
In conclusion, the changes in Hadoop are for the Hadoop client to use the new 
authentication method.

OK now I understand thanks.

Colm.


Thanks,
Jiajia


From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Friday, September 7, 2018 12:24 AM
To: Li, Jiajia
Cc: kerby@directory.apache.org
Subject: Re: Kerby 2.0.0

Hi Jiajia,

How many different types of client login are supported by the client plugin 
"out of the box"?

How do I build the distribution? Running "mvn clean install" in 
"directory-kerby/kerby-dist/has-dist" results in 
target/has-dist-2.0.0-SNAPSHOT.zip with no jars.

Is it still necessary to patch Hadoop as per 
(https://github.com/apache/directory-kerby/blob/trunk/has-project/supports/hadoop/README.md)?
 I'm wondering why it's necessary to configure Hadoop for "HAS" at all, given 
that in the diagram we are just sending a kerberos ticket to Hadoop as we 
normally would? I thought the idea was that HAS enables you to log on to Hadoop 
by swapping a non-kerberos credential for a kerberos ticket, maybe I 
misunderstood?

Colm.

Colm.

On Mon, Aug 27, 2018 at 8:34 AM Li, Jiajia wrote:
Hi Colm,
Thanks for taking time to review.

>a) [WARNING] 'dependencies.dependency.version' for org.json:json:jar is either 
>LATEST or RELEASE (both of them are being deprecated) @ 
>org.apache.kerby:has-tool:[unknown-version],
>/home/colm/src/apache/directory-kerby/kerby-tool/has-tool/pom.xml, line 48, 
>column 22

I've removed the org.json dependen
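
The client/server plugin contract described in this thread, as an added model that is not Kerby's code: a stand-alone Java sketch that mirrors the two interfaces quoted above and runs one login through a constructed identity system that issues HMAC-signed tokens. The AuthToken class, the Map-based stand-in for Kerby's Conf, DemoIdentitySystem, the shared key and the "alice" account are all assumptions made for this example; Kerby's real AuthToken, Conf and plugin loading are not used. What it shows is that the server plugin must validate the token it receives (login type, MAC, expiry) before the KDC exchanges it for a ticket, because the token arrives from the client.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Stand-in for Kerby's AuthToken with only the fields this model needs (assumption, not Kerby's class). */
final class AuthToken {
    final String loginType;  // which client/server plugin pair produced the token
    final String subject;    // the authenticated user
    final long expiresAt;    // epoch milliseconds
    final String mac;        // base64 HMAC-SHA256 over payload(), set by the issuing identity system
    AuthToken(String loginType, String subject, long expiresAt, String mac) {
        this.loginType = loginType; this.subject = subject; this.expiresAt = expiresAt; this.mac = mac;
    }
    String payload() { return loginType + "|" + subject + "|" + expiresAt; }
}

class HasLoginException extends Exception  { HasLoginException(String m)  { super(m); } }
class HasAuthenException extends Exception { HasAuthenException(String m) { super(m); } }

/** The two interfaces quoted in the thread; Kerby's Conf is modelled as a Map (assumption). */
interface HasClientPlugin { String getLoginType(); AuthToken login(Map<String, String> loginConf) throws HasLoginException; }
interface HasServerPlugin { String getLoginType(); AuthToken authenticate(AuthToken userToken) throws HasAuthenException; }

/** Constructed stand-in for a company identity system: checks a password, issues an HMAC-signed token. */
final class DemoIdentitySystem {
    private final byte[] key;
    private final Map<String, String> passwords = new HashMap<>();  // demo store only; never keep clear passwords
    DemoIdentitySystem(byte[] key) { this.key = key.clone(); passwords.put("alice", "correct horse"); }

    private byte[] utf8(String s) { return s.getBytes(StandardCharsets.UTF_8); }

    String hmac(String payload) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return Base64.getEncoder().encodeToString(mac.doFinal(utf8(payload)));
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
    /** Returns a five-minute token when the password matches, otherwise null. */
    AuthToken issue(String loginType, String user, String password) {
        String expected = passwords.get(user);
        if (expected == null || !MessageDigest.isEqual(utf8(expected), utf8(password))) return null;
        AuthToken unsigned = new AuthToken(loginType, user, System.currentTimeMillis() + 5 * 60_000L, null);
        return new AuthToken(loginType, user, unsigned.expiresAt, hmac(unsigned.payload()));
    }
    boolean verify(AuthToken t) {
        return t.mac != null && MessageDigest.isEqual(utf8(hmac(t.payload())), utf8(t.mac));
    }
}

/** Client side: swaps the user/password from loginConf for a token from the identity system. */
final class DemoClientPlugin implements HasClientPlugin {
    private final DemoIdentitySystem idp;
    DemoClientPlugin(DemoIdentitySystem idp) { this.idp = idp; }
    public String getLoginType() { return "demo-token"; }
    public AuthToken login(Map<String, String> loginConf) throws HasLoginException {
        AuthToken t = idp.issue(getLoginType(), loginConf.get("user"), loginConf.getOrDefault("password", ""));
        if (t == null) throw new HasLoginException("identity system rejected the credentials");
        return t;
    }
}

/** Server side: the token arrived from the client, so check it before the KDC turns it into a ticket. */
final class DemoServerPlugin implements HasServerPlugin {
    private final DemoIdentitySystem idp;
    DemoServerPlugin(DemoIdentitySystem idp) { this.idp = idp; }
    public String getLoginType() { return "demo-token"; }
    public AuthToken authenticate(AuthToken userToken) throws HasAuthenException {
        if (!getLoginType().equals(userToken.loginType)) throw new HasAuthenException("wrong login type: " + userToken.loginType);
        if (!idp.verify(userToken)) throw new HasAuthenException("token MAC does not verify");
        if (userToken.expiresAt < System.currentTimeMillis()) throw new HasAuthenException("token expired");
        return userToken;  // Kerby would now map userToken.subject to a principal and issue the TGT
    }
}

public class HasPluginModel {
    public static void main(String[] args) throws Exception {
        DemoIdentitySystem idp = new DemoIdentitySystem("demo-key-not-for-production".getBytes(StandardCharsets.UTF_8));
        HasClientPlugin client = new DemoClientPlugin(idp);
        HasServerPlugin server = new DemoServerPlugin(idp);

        Map<String, String> conf = new HashMap<>();
        conf.put("user", "alice");
        conf.put("password", "correct horse");
        AuthToken token = client.login(conf);
        System.out.println("server accepted subject: " + server.authenticate(token).subject);

        // A token whose subject was changed in transit keeps the old MAC and is rejected.
        AuthToken forged = new AuthToken(token.loginType, "admin", token.expiresAt, token.mac);
        try {
            server.authenticate(forged);
        } catch (HasAuthenException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run it as HasPluginModel.java; the first line printed is the accepted subject, the second the rejection of the forged token. In a real deployment the verification key lives only with the identity system and the HAS server, never in the client, and the client plugin would obtain its token over a network call rather than from an in-process object.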

RE: Kerby 2.0.0

2018-09-06 Thread Li, Jiajia
Hi Colm,

>>>How many different types of client login are supported by the client plugin 
>>>"out of the box"?

HAS supports two plugin types: MySQL[1] and LDAP[2]

[1]https://github.com/apache/directory-kerby/blob/trunk/has-project/docs/mysql-plugin.md
[2]https://github.com/apache/directory-kerby/blob/trunk/has-project/docs/ldap-plugin.md

>>>How do I build the distribution? Running "mvn clean install" in 
>>>"directory-kerby/kerby-dist/has-dist" results in 
>>>target/has-dist-2.0.0-SNAPSHOT.zip with no jars.

Thanks for your reminder, we use "assembly.xml" the same as the file under 
kdc-dist and tool-dist, I'm not sure whether we should add the dependency jars 
in zip/tar/tar.gz for kdc-dist and tool-dist?

>>>Is it still necessary to patch Hadoop as per 
>>>(https://github.com/apache/directory-kerby/blob/trunk/has-project/supports/hadoop/README.md)?
>>> I'm wondering why it's necessary to configure Hadoop for "HAS" at all, 
>>>given that in the diagram we are just sending a kerberos ticket to Hadoop as 
>>>we normally would? I thought the idea was that HAS enables you to log on to 
>>>Hadoop by swapping a non-kerberos credential for a kerberos ticket, maybe I 
>>>misunderstood?

Yes, Hadoop should have the 
patch (https://github.com/apache/directory-kerby/blob/trunk/has-project/supports/hadoop/hadoop-2.7.2.patch); 
this patch lets the Hadoop client use HasLoginModule in place of 
Krb5LoginModule. In addition to using the credential cache and keytab for JAAS 
login, we have added a new login method in HasLoginModule. This new login 
method will call the HasClient, then HasClient will select the configured 
plugin to log in; after a successful login, the Kerby KDC will issue a Kerberos 
ticket, as you said, "swapping a non-kerberos credential for a kerberos ticket". 
In conclusion, the changes in Hadoop are for the Hadoop client to use the new 
authentication method.

Thanks,
Jiajia


From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Friday, September 7, 2018 12:24 AM
To: Li, Jiajia 
Cc: kerby@directory.apache.org
Subject: Re: Kerby 2.0.0

Hi Jiajia,

How many different types of client login are supported by the client plugin 
"out of the box"?

How do I build the distribution? Running "mvn clean install" in 
"directory-kerby/kerby-dist/has-dist" results in 
target/has-dist-2.0.0-SNAPSHOT.zip with no jars.

Is it still necessary to patch Hadoop as per 
(https://github.com/apache/directory-kerby/blob/trunk/has-project/supports/hadoop/README.md)?
 I'm wondering why it's necessary to configure Hadoop for "HAS" at all, given 
that in the diagram we are just sending a kerberos ticket to Hadoop as we 
normally would? I thought the idea was that HAS enables you to log on to Hadoop 
by swapping a non-kerberos credential for a kerberos ticket, maybe I 
misunderstood?

Colm.

Colm.

On Mon, Aug 27, 2018 at 8:34 AM Li, Jiajia wrote:
Hi Colm,
Thanks for taking time to review.

>a) [WARNING] 'dependencies.dependency.version' for org.json:json:jar is either 
>LATEST or RELEASE (both of them are being deprecated) @ 
>org.apache.kerby:has-tool:[unknown-version],
>/home/colm/src/apache/directory-kerby/kerby-tool/has-tool/pom.xml, line 48, 
>column 22

I've removed the org.json dependency.

>b) Should Hadoop 3.0.0 be updated to 3.0.3?
>Does the "HAS project" build a distribution? If so have you followed the steps 
>to include the license/copyright issues as per the existing Kerby 
>distributions?

The Hadoop version has been upgraded to 3.0.3.
"HAS project" will build a distribution, here is the license folder: 
https://github.com/apache/directory-kerby/tree/trunk/kerby-dist/has-dist/licenses

Thanks,
Jiajia


-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Monday, August 13, 2018 8:49 PM
To: kerby@directory.apache.org
Subject: Re: Kerby 2.0.0

OK thanks, give me a few days to review it. Two issues I noticed:

a) [WARNING] 'dependencies.dependency.version' for org.json:json:jar is either 
LATEST or RELEASE (both of them are being deprecated) @ 
org.apache.kerby:has-tool:[unknown-version],
/home/colm/src/apache/directory-kerby/kerby-tool/has-tool/pom.xml, line 48, 
column 22

b) Should Hadoop 3.0.0 be updated to 3.0.3?

Does the "HAS project" build a distribution? If so have you followed the steps 
to include the license/copyright issues as per the existing Kerby distributions?

Colm.

On Fri, Aug 10, 2018 at 8:02 AM, Li, Jiajia wrote:

> Hi all,
>
> We have finished all the tasks for Kerby major release(2.0.0),  

RE: Kerby 2.0.0

2018-08-27 Thread Li, Jiajia
Hi Colm,
Thanks for taking time to review.

>a) [WARNING] 'dependencies.dependency.version' for org.json:json:jar is either 
>LATEST or RELEASE (both of them are being deprecated) @ 
>org.apache.kerby:has-tool:[unknown-version],
>/home/colm/src/apache/directory-kerby/kerby-tool/has-tool/pom.xml, line 48, 
>column 22

I've removed the org.json dependency.

>b) Should Hadoop 3.0.0 be updated to 3.0.3?
>Does the "HAS project" build a distribution? If so have you followed the steps 
>to include the license/copyright issues as per the existing Kerby 
>distributions?

The Hadoop version has been upgraded to 3.0.3.
"HAS project" will build a distribution, here is the license folder: 
https://github.com/apache/directory-kerby/tree/trunk/kerby-dist/has-dist/licenses

Thanks,
Jiajia


-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Monday, August 13, 2018 8:49 PM
To: kerby@directory.apache.org
Subject: Re: Kerby 2.0.0

OK thanks, give me a few days to review it. Two issues I noticed:

a) [WARNING] 'dependencies.dependency.version' for org.json:json:jar is either 
LATEST or RELEASE (both of them are being deprecated) @ 
org.apache.kerby:has-tool:[unknown-version],
/home/colm/src/apache/directory-kerby/kerby-tool/has-tool/pom.xml, line 48, 
column 22

b) Should Hadoop 3.0.0 be updated to 3.0.3?

Does the "HAS project" build a distribution? If so have you followed the steps 
to include the license/copyright issues as per the existing Kerby distributions?

Colm.

On Fri, Aug 10, 2018 at 8:02 AM, Li, Jiajia  wrote:

> Hi all,
>
> We have finished all the tasks for Kerby major release(2.0.0),  and 
> here is the "getting started" for HAS:
> https://github.com/apache/directory-kerby/blob/trunk/
> has-project/docs/has-start.md
>
>
> Thanks,
> Jiajia
>
> -Original Message-
> From: Li, Jiajia [mailto:jiajia...@intel.com]
> Sent: Thursday, June 21, 2018 9:11 AM
> To: kerby@directory.apache.org; cohei...@apache.org
> Subject: RE: Kerby 2.0.0
>
> >> Yes that seems reasonable to me. I think the documentation part is 
> >> critical
> >> - we need some "getting started" type tutorials to explain how to 
> >> use
> the product.
>
> Agree with you, it's also in our plan.
>
> Regards,
> Jiajia
>
> -Original Message-
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Wednesday, June 20, 2018 7:02 PM
> To: kerby@directory.apache.org
> Subject: Re: Kerby 2.0.0
>
> Yes that seems reasonable to me. I think the documentation part is 
> critical
> - we need some "getting started" type tutorials to explain how to use 
> the product.
>
> Colm.
>
> On Wed, Jun 20, 2018 at 9:08 AM, Li, Jiajia  wrote:
>
> >
> > Hi all,
> >
> > We discussed "Merge HAS to Apache Kerby" in November last year. We 
> > started the merging process in DIRKRB-671(https://issues.
> > apache.org/jira/browse/DIRKRB-671) and we also added some new 
> > features(such as MySQL plugin) during this process. Now the merging 
> > process is coming to an end, we're thinking about a new Kerby major
> > release(2.0.0) with HAS after completing the following tasks:
> >
> > 1.  We added MySQL plugin as the default plugin, it's better to add 
> > more plugins(such as LDAP plugin).
> > 2.  The remote admin through REST API should support more commands.
> > 3.  Add more documents
> > 4.  Testing
> >
> > What do you think about this?
> >
> >
> > Regards,
> > Jiajia
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


RE: Kerby 2.0.0

2018-08-10 Thread Li, Jiajia
Hi all,

We have finished all the tasks for Kerby major release(2.0.0),  and here is 
the "getting started" for HAS:
https://github.com/apache/directory-kerby/blob/trunk/has-project/docs/has-start.md


Thanks,
Jiajia

-Original Message-----
From: Li, Jiajia [mailto:jiajia...@intel.com] 
Sent: Thursday, June 21, 2018 9:11 AM
To: kerby@directory.apache.org; cohei...@apache.org
Subject: RE: Kerby 2.0.0

>> Yes that seems reasonable to me. I think the documentation part is 
>> critical
>> - we need some "getting started" type tutorials to explain how to use the 
>> product. 

Agree with you, it's also in our plan. 

Regards,
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Wednesday, June 20, 2018 7:02 PM
To: kerby@directory.apache.org
Subject: Re: Kerby 2.0.0

Yes that seems reasonable to me. I think the documentation part is critical
- we need some "getting started" type tutorials to explain how to use the 
product.

Colm.

On Wed, Jun 20, 2018 at 9:08 AM, Li, Jiajia  wrote:

>
> Hi all,
>
> We discussed "Merge HAS to Apache Kerby" in November last year. We 
> started the merging process in DIRKRB-671(https://issues.
> apache.org/jira/browse/DIRKRB-671) and we also added some new 
> features(such as MySQL plugin) during this process. Now the merging 
> process is coming to an end, we're thinking about a new Kerby major
> release(2.0.0) with HAS after completing the following tasks:
>
> 1.  We added MySQL plugin as the default plugin, it's better to add 
> more plugins(such as LDAP plugin).
> 2.  The remote admin through REST API should support more commands.
> 3.  Add more documents
> 4.  Testing
>
> What do you think about this?
>
>
> Regards,
> Jiajia
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


RE: directory-kerby git commit: DIRKRB-677 Add LDAP plugin for new authentication mechanism. Contributed by Songjun.

2018-07-19 Thread Li, Jiajia
Thanks Stefan, I have another question: can the LDAP API access all types of 
LDAP servers now?

Regards,
Jiajia

-Original Message-
From: Stefan Seelmann [mailto:m...@stefan-seelmann.de] 
Sent: Friday, July 20, 2018 1:54 AM
To: kerby@directory.apache.org
Subject: Re: directory-kerby git commit: DIRKRB-677 Add LDAP plugin for new 
authentication mechanism. Contributed by Songjun.

On 07/19/2018 10:28 AM, Li, Jiajia wrote:
> Hi Stefan,
> 
> Thanks for your reminder, I've replaced JNDI with LDAP API in the following 
> commit:
> 
> commit d1055af7e8508e0ad81fadaaf3dd860ab1131ee7
> Author: plusplusjiajia 
> Date:   Thu Jul 19 15:46:16 2018 +0800
> 
> DIRKRB-724 Replace JNDI with LDAP API in LDAP plugin.

Cool :)

> Because I am not familiar with the LDAP API, I have one question: it throws an 
> exception when I start the server:
> 
> After adding the following dependency, it works.
>
> <dependency>
>     <groupId>org.apache.directory.api</groupId>
>     <artifactId>api-ldap-codec-standalone</artifactId>
>     <version>1.0.0</version>
> </dependency>
> 
> 
> Is the method correct?

Yes, that's the minimal solution. The other option would be to use "api-all" 
but that contains more dependencies.

Kind Regards,
Stefan


RE: directory-kerby git commit: DIRKRB-677 Add LDAP plugin for new authentication mechanism. Contributed by Songjun.

2018-07-19 Thread Li, Jiajia
Hi Stefan,

Thanks for your reminder, I've replaced JNDI with LDAP API in the following 
commit:

commit d1055af7e8508e0ad81fadaaf3dd860ab1131ee7
Author: plusplusjiajia 
Date:   Thu Jul 19 15:46:16 2018 +0800

DIRKRB-724 Replace JNDI with LDAP API in LDAP plugin.

Because I am not familiar with the LDAP API, I have one question: it throws an 
exception when I start the server:

ERROR{LdapApiServiceFactory.java:139}-Failed to instantiate a viable instance, 
instantiating new instance of 
java.lang.ClassNotFoundException: 
org.apache.directory.api.ldap.codec.standalone.StandaloneLdapApiService
    at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:331)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:264)
    at org.apache.directory.api.ldap.codec.api.LdapApiServiceFactory.initialize(LdapApiServiceFactory.java:133)
    at org.apache.directory.api.ldap.codec.api.LdapApiServiceFactory.getSingleton(LdapApiServiceFactory.java:96)
    at org.apache.directory.ldap.client.api.LdapNetworkConnection.<init>(LdapNetworkConnection.java:268)
    at org.apache.directory.ldap.client.api.LdapNetworkConnection.<init>(LdapNetworkConnection.java:410)
    at org.apache.directory.ldap.client.api.LdapNetworkConnection.<init>(LdapNetworkConnection.java:379)
    at org.apache.kerby.has.plugins.server.ldap.LDAPUtils.ldapAPI(LDAPUtils.java:55)
    at org.apache.kerby.has.plugins.server.ldap.LDAPServerPlugin.doAuthenticate(LDAPServerPlugin.java:52)
    at org.apache.kerby.has.server.AbstractHasServerPlugin.authenticate(AbstractHasServerPlugin.java:40)
    at org.apache.kerby.has.server.web.rest.AsRequestApi.asRequest(AsRequestApi.java:110)
    at org.apache.kerby.has.server.web.rest.AsRequestApi.asRequest(AsRequestApi.java:77)

After adding the following dependency, it works.

<dependency>
    <groupId>org.apache.directory.api</groupId>
    <artifactId>api-ldap-codec-standalone</artifactId>
    <version>1.0.0</version>
</dependency>

Is the method correct?

Thanks,
Jiajia

-Original Message-
From: Stefan Seelmann [mailto:m...@stefan-seelmann.de] 
Sent: Saturday, July 14, 2018 6:46 PM
To: kerby@directory.apache.org
Subject: Re: directory-kerby git commit: DIRKRB-677 Add LDAP plugin for new 
authentication mechanism. Contributed by Songjun.

Hi Jiajia,

I noticed build failure for Kerby on Jenkins and looked into it. Then I saw 
that you use JNDI in the new LDAPUtils class, see below. Any reason not to use 
the LDAP API? It is already used in the ldap-backend module.

Kind Regards,
Stefan

On 07/12/2018 04:15 AM, plusplusjia...@apache.org wrote:
> 
> DIRKRB-677 Add LDAP plugin for new authentication mechanism. Contributed by 
> Songjun.
> 
> Commit: 5747dd130fa31a09291c95385d8e8b046f665817
>
> +++ b/has-project/has-plugins/src/main/java/org/apache/kerby/has/plugi
> +++ ns/server/ldap/LDAPUtils.java
> +public static boolean doUserAuth(String user, String pwd) throws 
> NamingException {
> +Map env = new HashMap<>();
> +env.put(Context.INITIAL_CONTEXT_FACTORY, 
> "com.sun.jndi.ldap.LdapCtxFactory");
> +env.put(Context.PROVIDER_URL, ldapServerConf.getLdapUrl());
> +env.put(Context.SECURITY_AUTHENTICATION, "simple");
> +env.put(Context.SECURITY_PRINCIPAL, ldapServerConf.getBindDN());
> +env.put(Context.SECURITY_CREDENTIALS, ldapServerConf.getBindPwd());
> +DirContext ctx = null;
> +
> +boolean ret = false;
> +try {
> +ctx = new InitialDirContext(new Hashtable<>(env));
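Review bot: doUserAuth(String user, String pwd) binds with ldapServerConf.getBindDN() and ldapServerConf.getBindPwd(), i.e. the configured service account, and none of the visible lines use the user or pwd parameters; make sure the user's password is checked by a second bind as the user's own DN, and that an empty pwd is rejected before that bind, because a simple bind with a DN and an empty password is an unauthenticated bind that servers commonly accept, so ret would otherwise be true for any username. Separately, SECURITY_AUTHENTICATION "simple" sends the bind password in the clear unless ldapServerConf.getLdapUrl() is an ldaps:// URL or StartTLS is negotiated first.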
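
A defensive version of the doUserAuth(user, pwd) shape shown in the quoted hunk, added here as an example; it is not Kerby's LDAPUtils and uses only the JDK's javax.naming API. The class name LdapPasswordCheck, its constructor parameters, the (uid={0}) filter and the userBase search base are assumptions. It binds as the service account only to find the user's DN, then binds as that DN with the supplied password, refuses empty passwords (an unauthenticated bind would otherwise succeed) and insists on ldaps:// so the simple bind is not sent in the clear.

```java
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import java.util.Hashtable;

/**
 * Verifies a user's password against an LDAP server with JNDI (example code, not Kerby's).
 * Step 1: bind as the service account and look up the user's DN with a filtered search.
 * Step 2: bind again as that DN with the supplied password; only that bind proves the password.
 */
public final class LdapPasswordCheck {
    private final String ldapUrl, bindDn, bindPwd, userBase;

    public LdapPasswordCheck(String ldapUrl, String bindDn, String bindPwd, String userBase) {
        // A simple bind carries the password in the clear, so refuse anything but ldaps://.
        if (!ldapUrl.startsWith("ldaps://")) throw new IllegalArgumentException("simple bind requires ldaps://");
        this.ldapUrl = ldapUrl; this.bindDn = bindDn; this.bindPwd = bindPwd; this.userBase = userBase;
    }

    public boolean doUserAuth(String user, String pwd) throws NamingException {
        // RFC 4513 5.1.2: a DN with an empty password is an unauthenticated (anonymous) bind,
        // which most servers accept, so it must never count as a successful password check.
        if (user == null || user.isEmpty() || pwd == null || pwd.isEmpty()) return false;
        String userDn = lookupUserDn(user);
        if (userDn == null) return false;
        DirContext asUser = null;
        try {
            asUser = new InitialDirContext(env(userDn, pwd));  // the bind itself is the check
            return true;
        } catch (AuthenticationException e) {
            return false;  // wrong password: report failure without leaking server details
        } finally {
            if (asUser != null) asUser.close();
        }
    }

    private String lookupUserDn(String user) throws NamingException {
        DirContext ctx = new InitialDirContext(env(bindDn, bindPwd));
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[0]);  // only the DN is needed
            sc.setCountLimit(2);                        // enough to notice an ambiguous match
            // {0} is escaped by JNDI, so a username containing '*' or ')' cannot alter the filter.
            NamingEnumeration<SearchResult> results = ctx.search(userBase, "(uid={0})", new Object[] {user}, sc);
            try {
                if (!results.hasMore()) return null;
                String dn = results.next().getNameInNamespace();
                return results.hasMore() ? null : dn;   // two matches: refuse rather than pick one
            } finally {
                results.close();
            }
        } finally {
            ctx.close();
        }
    }

    private Hashtable<String, String> env(String principal, String credentials) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");  // fail fast instead of hanging a KDC thread
        env.put("com.sun.jndi.ldap.read.timeout", "5000");
        return env;
    }
}
```

Usage is `new LdapPasswordCheck("ldaps://ldap.example.test:636", "cn=has-svc,ou=services,dc=example,dc=test", svcPwd, "ou=people,dc=example,dc=test").doUserAuth(user, pwd)` with placeholder values; the ldaps:// endpoint must present a certificate the JVM trust store accepts. The same two-step shape carries over to the Apache Directory LDAP API that the thread moves to, where the second step is an explicit bind on an LdapNetworkConnection with the user's DN.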


RE: Kerby 2.0.0

2018-07-05 Thread Li, Jiajia
Hi all,

For the Kerby 2.0 release, I propose to start the code freeze of Kerby on 
July 15 (PDT time). I will create a new branch kerby-2.0; no new features can 
be added anymore after that time, only blockers/criticals can be committed to 
the branch. After July 15, we will focus on stability and documents.

Regards,
Jiajia


-Original Message-
From: Li, Jiajia [mailto:jiajia...@intel.com] 
Sent: Thursday, June 21, 2018 9:11 AM
To: kerby@directory.apache.org; cohei...@apache.org
Subject: RE: Kerby 2.0.0

>> Yes that seems reasonable to me. I think the documentation part is 
>> critical
>> - we need some "getting started" type tutorials to explain how to use the 
>> product. 

Agree with you, it's also in our plan. 

Regards,
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Wednesday, June 20, 2018 7:02 PM
To: kerby@directory.apache.org
Subject: Re: Kerby 2.0.0

Yes that seems reasonable to me. I think the documentation part is critical
- we need some "getting started" type tutorials to explain how to use the 
product.

Colm.

On Wed, Jun 20, 2018 at 9:08 AM, Li, Jiajia  wrote:

>
> Hi all,
>
> We discussed "Merge HAS to Apache Kerby" in November last year. We 
> started the merging process in DIRKRB-671(https://issues.
> apache.org/jira/browse/DIRKRB-671) and we also added some new 
> features(such as MySQL plugin) during this process. Now the merging 
> process is coming to an end, we're thinking about a new Kerby major
> release(2.0.0) with HAS after completing the following tasks:
>
> 1.  We added MySQL plugin as the default plugin, it's better to add 
> more plugins(such as LDAP plugin).
> 2.  The remote admin through REST API should support more commands.
> 3.  Add more documents
> 4.  Testing
>
> What do you think about this?
>
>
> Regards,
> Jiajia
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


RE: Kerby 2.0.0

2018-06-20 Thread Li, Jiajia
>> Yes that seems reasonable to me. I think the documentation part is critical 
>> - we need some "getting started" type tutorials to explain how to use the 
>> product. 

Agree with you, it's also in our plan. 

Regards,
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Wednesday, June 20, 2018 7:02 PM
To: kerby@directory.apache.org
Subject: Re: Kerby 2.0.0

Yes that seems reasonable to me. I think the documentation part is critical
- we need some "getting started" type tutorials to explain how to use the 
product.

Colm.

On Wed, Jun 20, 2018 at 9:08 AM, Li, Jiajia  wrote:

>
> Hi all,
>
> We discussed "Merge HAS to Apache Kerby" in November last year. We 
> started the merging process in DIRKRB-671(https://issues.
> apache.org/jira/browse/DIRKRB-671) and we also added some new 
> features(such as MySQL plugin) during this process. Now the merging 
> process is coming to an end, we're thinking about a new Kerby major 
> release(2.0.0) with HAS after completing the following tasks:
>
> 1.  We added MySQL plugin as the default plugin, it's better to add 
> more plugins(such as LDAP plugin).
> 2.  The remote admin through REST API should support more commands.
> 3.  Add more documents
> 4.  Testing
>
> What do you think about this?
>
>
> Regards,
> Jiajia
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


Kerby 2.0.0

2018-06-20 Thread Li, Jiajia

Hi all,

We discussed "Merge HAS to Apache Kerby" in November last year. We started the 
merging process in DIRKRB-671(https://issues.apache.org/jira/browse/DIRKRB-671) 
and we also added some new features(such as MySQL plugin) during this process. 
Now the merging process is coming to an end, we're thinking about a new Kerby 
major release(2.0.0) with HAS after completing the following tasks:

1.  We added MySQL plugin as the default plugin, it's better to add more 
plugins(such as LDAP plugin).
2.  The remote admin through REST API should support more commands.
3.  Add more documents
4.  Testing

What do you think about this?


Regards,
Jiajia


RE: Create keytab through Java

2018-06-12 Thread Li, Jiajia
An example of creating a keytab with a principal and password:  


List<EncryptionKey> keys = EncryptionUtil.generateKeys(principal, password, 
    encryptionTypes);

List<KeytabEntry> lstEntries = new ArrayList<>();
for (EncryptionKey key : keys) {
    KeytabEntry keytabEntry = new KeytabEntry(
        principal, 1, new KerberosTime(), (byte) 1, key);
    lstEntries.add(keytabEntry);
}

Keytab keytab = new Keytab();
keytab.addKeytabEntries(lstEntries);
keytab.store(new File(keytabFileName));


Regards,
Jiajia


-Original Message-
From: Marc Boorshtein [mailto:mboorsht...@gmail.com] 
Sent: Saturday, June 9, 2018 2:41 AM
To: kerby@directory.apache.org
Subject: Create keytab through Java

Hello, I'm trying to build a keytab using a user's principal and password.
I've got the following sample code:
https://stackoverflow.com/questions/23269894/can-i-generate-my-own-keytab-programmatically-in-java
which
is pretty old.  I'm integrating it with kerby 1.1.1 and it doesn't look like 
KerberosKeyFactory exists anymore.  Is there an example of how to do this with 
kerby 1.1.1?

Thanks
Marc


RE: Semicolon as a comment character in krb5.conf

2018-05-30 Thread Li, Jiajia
Hi Kamil,

I think it's a bug, could you create the 
JIRA (https://issues.apache.org/jira/browse/DIRKRB-102) for this issue?

Thanks,
Jiajia

-Original Message-
From: Kamil Krzysztof Krynicki [mailto:kamil.krzysztof.kryni...@cern.ch] 
Sent: Tuesday, May 29, 2018 9:23 PM
To: kerby@directory.apache.org
Subject: Semicolon as a comment character in krb5.conf

Hello everybody, Colm, Li

I've recently been trying to work with krb5.conf files using kerby and it kept 
on crashing when ";" was used as a comment character in the krb5.conf file.

According to the MIT code:
https://github.com/krb5/krb5/blob/0744026f06e8cbf477aa49cfe16b5fd28a9ddc9e/src/util/profile/prof_parse.c#L86
it should be allowed.

While Kerby does this:
https://github.com/apache/directory-kerby/blob/trunk/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/Krb5Parser.java#L195

Is it a bug or an aware decision?

Can you think of a way to bypass this issue?

Cheers,
Kamil Krynicki
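
To make the comment rule concrete, an added Java reader (neither Kerby's Krb5Parser nor MIT's code) that applies the MIT profile behaviour the message links to: a line is a comment only when its first non-blank character is '#' or ';', and either character anywhere else is ordinary data. The class name, the flat "section.key" output format and the sample configuration are constructed for this example.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * krb5.conf reader with MIT-style comment handling (example code, not Kerby's parser).
 * Output is a flat map "section.key[.subkey]" -> value; "key = {" opens a nested group.
 */
public final class Krb5ConfReader {

    /** MIT prof_parse.c: skip blanks, then '#' or ';' as the first character marks a comment line. */
    public static boolean isComment(String line) {
        String s = line.trim();
        return s.isEmpty() || s.charAt(0) == '#' || s.charAt(0) == ';';
    }

    public static Map<String, String> parse(String text) {
        Map<String, String> out = new LinkedHashMap<>();
        Deque<String> path = new ArrayDeque<>();   // current section followed by any open groups
        for (String raw : text.split("\\r?\\n")) {
            if (isComment(raw)) continue;           // ';' and '#' are never inline comments here
            String line = raw.trim();
            if (line.startsWith("[") && line.endsWith("]")) {
                path.clear();
                path.push(line.substring(1, line.length() - 1).trim());
                continue;
            }
            if (line.equals("}")) {
                if (path.size() > 1) path.pop();    // close the innermost group, keep the section
                continue;
            }
            int eq = line.indexOf('=');
            if (eq < 0 || path.isEmpty()) throw new IllegalArgumentException("unexpected line: " + raw);
            String key = line.substring(0, eq).trim();
            String value = line.substring(eq + 1).trim();
            if (value.equals("{")) { path.push(key); continue; }
            out.put(join(path) + "." + key, value);
        }
        return out;
    }

    /** Joins the deque from section (bottom) to innermost group (top). */
    private static String join(Deque<String> path) {
        StringBuilder sb = new StringBuilder();
        for (Iterator<String> it = path.descendingIterator(); it.hasNext(); ) {
            if (sb.length() > 0) sb.append('.');
            sb.append(it.next());
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: both comment characters appear, one of them indented.
        String conf = String.join("\n",
            "; site defaults (this whole line is a comment)",
            "[libdefaults]",
            "  default_realm = EXAMPLE.COM",
            "  # rc4 left out on purpose",
            "  permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96",
            "[realms]",
            "  EXAMPLE.COM = {",
            "    kdc = kdc1.example.com:88",
            "    admin_server = kdc1.example.com",
            "  }");
        parse(conf).forEach((k, v) -> System.out.println(k + " = " + v));
    }
}
```

Running it prints four entries, including realms.EXAMPLE.COM.kdc, and the two comment lines are skipped. A parser that treats only '#' as a comment marker would try to interpret the first line as a key/value pair and fail, which is the crash described above.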



RE: [VOTE] - Release Apache Kerby 1.1.1

2018-05-22 Thread Li, Jiajia
+1
Built successfully with java version "1.8.0_40", all tests passed, and tested 
the tools (kinit,kadmin,klist).

Thanks,
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Monday, May 21, 2018 8:13 PM
To: Apache Directory Developers List ; 
kerby@directory.apache.org
Subject: [VOTE] - Release Apache Kerby 1.1.1

This is a vote to release Apache Kerby 1.1.1.

Artifacts:

https://repository.apache.org/content/repositories/orgapachedirectory-1156/

Git tag:

https://github.com/apache/directory-kerby/tree/kerby-all-1.1.1

Issues fixed:

https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310910&version=12342211

+1 from me.

Colm.


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


RE: Re: Kerby support for keytab in arcfour-hmac-md5?

2018-05-03 Thread Li, Jiajia
Hi Colm,

Are there any other blocking issues for 1.1.1?

Thanks,
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Wednesday, April 25, 2018 4:55 PM
To: kerby@directory.apache.org
Subject: Re: Re: Kerby support for keytab in arcfour-hmac-md5?

That's great! Yes the fix is already in the 1.1.x branch. It should be released 
pretty soon - I'm just waiting on confirmation for one more issue.

Colm.

On Wed, Apr 25, 2018 at 9:52 AM, Kamil Krzysztof Krynicki < 
kamil.krzysztof.kryni...@cern.ch> wrote:

> Hi Colm,
>
> Yup. Works like a charm.
>
> Please be sure to include this fix in 1.1.1!
>
> Btw. When is the planned release?
>
> Cheers,
> Kamil
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


RE: 1.1.1 release soon?

2018-04-16 Thread Li, Jiajia
Thanks Colm. No other issues from me.
+1 for the 1.1.1 release.

Regards,
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Tuesday, April 10, 2018 10:57 PM
To: kerby@directory.apache.org
Subject: 1.1.1 release soon?

Hi all,

We released 1.1.0 last November, and there have been 8 issues fixed so far for 
1.1.1, so I think we should release 1.1.1 soon:

https://issues.apache.org/jira/projects/DIRKRB/versions/12342211

There are currently 2 issues outstanding for this release (DIRKRB-694 + 
DIRKRB-695). The latter has a patch but no test.

Are there any other issues that should make it in for 1.1.1?

Colm.


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


RE: Caching

2018-03-06 Thread Li, Jiajia
Hi Shane,

>> Incidentally, is there docs about configuring the client as I always get 
>> (against a real KDC)

There are two ways to configure the client. The first way is what you use; the 
other way is the same as MIT Kerberos, using krb5.conf: put the krb5.conf under 
"confDir", then create the client as follows:

KrbClient krbClient = new KrbClient(confDir);


>> org.apache.kerby.kerberos.kerb.KrbException: null with error code:
>> KDC_ERR_ETYPE_NOSUPP

Please try to reset "permitted_enctypes"; the default encryption type is 
"aes128-cts-hmac-sha1-96".


>>Does Kerby cache SGTs?

Call the API "void storeTicket(SgtTicket sgtTicket, File ccacheFile)" to cache 
SGTs.

krbClient.storeTicket(sgt, ccFile);

Thanks,
Jiajia

-Original Message-
From: Shane Clements [mailto:shane.cleme...@gmail.com] 
Sent: Wednesday, March 7, 2018 5:35 AM
To: kerby@directory.apache.org
Subject: Caching

Hi,

I'm wondering if Kerby might be a solution to a problem that I am having. As I 
understand it, Java 1.7 libraries for working with KDC/Kerberos do not cache 
service tickets.

I was trying a toy program to see if I could cache a service ticket with Kerby 
library:

try {

  KrbConfig config = new KrbConfig();
  config.enableDebug();
  KrbClient client = new KrbClient(config);
  client.setKdcHost("ADHOST");
  client.setKdcTcpPort(88);
  //client.setAllowUdp(false);
  client.setKdcRealm("Realm");

  client.init();

  TgtTicket tgt;
  SgtTicket sgt;

  tgt = client.requestTgt("user", new File("krb5.keytab"));
  sgt = client.requestSgt(tgt, "HTTP/test.example.com");

} catch (KrbException e1) {

  e1.printStackTrace();

}

Incidentally, is there docs about configuring the client as I always get 
(against a real KDC)

org.apache.kerby.kerberos.kerb.KrbException: null with error code:
KDC_ERR_ETYPE_NOSUPP

Which I'm guessing means I need to configure some settings for supported 
encryption types.

Does Kerby cache SGTs?

Thanks,

Shane


RE: Switch to use JLine for Kadmin

2018-02-11 Thread Li, Jiajia
Switching to use JLine looks great, I think it could also support console 
history.

Thanks,
Jiajia

-Original Message-
From: Zeng, Frank [mailto:frank.z...@intel.com] 
Sent: Sunday, February 11, 2018 11:04 PM
To: kerby@directory.apache.org; cohei...@apache.org
Subject: RE: Switch to use JLine for Kadmin

Hi Colm,

I tried to use arrow keys in Kadmin tool, it worked, the wrong characters were 
gone.
Just a very simple question: do we need to support autocomplete in Kadmin tool 
later? JLine supports command line completion.

Thanks,
Frank

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Friday, February 9, 2018 6:28 PM
To: kerby@directory.apache.org
Subject: Switch to use JLine for Kadmin

Hi all,

In response to two JIRAs that were filed about the Kadmin tool not supporting 
using arrow keys, I submitted a simple patch here to switch to use JLine 
instead of java.util.Scanner:

https://issues.apache.org/jira/browse/DIRKRB-693

Please take a look and let me know what you think.

Colm.


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


RE: directory-kerby git commit: Update hadoop patch for plugin dependencies.

2018-02-01 Thread Li, Jiajia
Hi Colm,

Some users are using the "has-project" branch because we haven't finished the 
merging process in the "master" branch, so we need to maintain the "has-project" 
branch, and we will also commit these patches to "master" a little later. Users 
will use the Kerby release version after Kerby finishes the merging process; we 
will speed up the progress and make Kerby 2.0 available as soon as possible.

Thanks,
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Thursday, February 1, 2018 5:40 PM
To: kerby@directory.apache.org
Subject: Re: directory-kerby git commit: Update hadoop patch for plugin 
dependencies.

Hi,

I'm concerned at the way that we are committing both to the "has-project"
and "master" branches. It's inevitable that commits will get lost by doing 
this. What are the reasons that we can't just merge to master, given that the 
"has-project" is already there?

Colm.

On Thu, Feb 1, 2018 at 2:20 AM,  wrote:

> Repository: directory-kerby
> Updated Branches:
>   refs/heads/has-project 9e370a760 -> 88df20bc8
>
>
> Update hadoop patch for plugin dependencies.
>
>
> Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
> Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/
> commit/88df20bc
> Tree: 
> http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/88df20bc
> Diff: 
> http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/88df20bc
>
> Branch: refs/heads/has-project
> Commit: 88df20bc853063291d646ad258183b0e4d3861b2
> Parents: 9e370a7
> Author: zenglinx 
> Authored: Thu Feb 1 10:20:00 2018 +0800
> Committer: zenglinx 
> Committed: Thu Feb 1 10:20:00 2018 +0800
>
> --
>  has/supports/hadoop/hadoop-2.7.2.patch | 10 ++
>  1 file changed, 10 insertions(+)
> --
>
>
> http://git-wip-us.apache.org/repos/asf/directory-kerby/
> blob/88df20bc/has/supports/hadoop/hadoop-2.7.2.patch
> --
> diff --git a/has/supports/hadoop/hadoop-2.7.2.patch
> b/has/supports/hadoop/hadoop-2.7.2.patch
> index 85c7c3f..c7597be 100644
> --- a/has/supports/hadoop/hadoop-2.7.2.patch
> +++ b/has/supports/hadoop/hadoop-2.7.2.patch
> @@ -11,6 +11,16 @@ index aa3c2c7..e4f1fd2 100644
>  +  has-client
>  + 1.0.0-SNAPSHOT
>  +
> ++
> ++  org.drizzle.jdbc
> ++  drizzle-jdbc
> ++  1.4
> ++
> ++
> ++  org.apache.kerby
> ++  has-plugins
> ++  1.0.0-SNAPSHOT
> ++
> 
>
> 
>
>
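Review bot: the has-plugins dependency this hunk adds is pinned to 1.0.0-SNAPSHOT (the `++  1.0.0-SNAPSHOT` line), so anyone applying hadoop-2.7.2.patch pulls a mutable artifact that can differ from one build to the next and is not reproducible; a patch shipped to users should reference a released version, or the has/supports/hadoop documentation should state that the patched Hadoop build only works against a locally built Kerby snapshot. It is also worth a sentence explaining why drizzle-jdbc 1.4 has to be a dependency of the patched Hadoop module itself rather than only of has-plugins, since the patch makes every Hadoop build that applies it carry a JDBC driver.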


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


RE: directory-kerby git commit: DIRKRB-689 Create principals and export keytabs with host and role.

2018-01-29 Thread Li, Jiajia
Hi Colm,

Sorry for my mistake, it's ok now.

Thanks,
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Monday, January 29, 2018 5:46 PM
To: kerby@directory.apache.org
Cc: Li, Jiajia 
Subject: Re: directory-kerby git commit: DIRKRB-689 Create principals and 
export keytabs with host and role.

Hi Jiajia,

I'm getting a compilation failure:

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.6.2:compile (default-compile) on project has-server: Compilation failure
[ERROR] /home/colm/src/apache/directory-kerby/has-project/has-server/src/main/java/org/apache/kerby/has/server/admin/LocalHadmin.java:[39,8] class LocalHasAdmin is public, should be declared in a file named LocalHasAdmin.java

Colm.

On Mon, Jan 29, 2018 at 6:31 AM,  wrote:

> Repository: directory-kerby
> Updated Branches:
>   refs/heads/trunk 8806cd183 -> 2e9a86443
>
>
> DIRKRB-689 Create principals and export keytabs with host and role.
>
>
> Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
> Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/
> commit/2e9a8644
> Tree: 
> http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/2e9a8644
> Diff: 
> http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/2e9a8644
>
> Branch: refs/heads/trunk
> Commit: 2e9a86443024794be8df7e871cee956051ab9fdb
> Parents: 8806cd1
> Author: plusplusjiajia 
> Authored: Mon Jan 29 14:28:02 2018 +0800
> Committer: plusplusjiajia 
> Committed: Mon Jan 29 14:28:02 2018 +0800
>
> --
>  .../org/apache/kerby/has/common/Hadmin.java |  35 +++
>  .../kerby/has/server/admin/LocalHadmin.java | 140 
>  .../kerby/has/server/web/HostRoleType.java  |  55 +
>  .../kerby/has/server/web/rest/HadminApi.java| 215 +++
>  .../has/server/web/rest/param/HostParam.java|  45 
>  .../server/web/rest/param/HostRoleParam.java|  45 
>  6 files changed, 535 insertions(+)
> --
>
>
> http://git-wip-us.apache.org/repos/asf/directory-kerby/
> blob/2e9a8644/has-project/has-common/src/main/java/org/
> apache/kerby/has/common/Hadmin.java
> --
> diff --git 
> a/has-project/has-common/src/main/java/org/apache/kerby/has/common/Had
> min.java b/has-project/has-common/src/main/java/org/apache/kerby/
> has/common/Hadmin.java
> new file mode 100644
> index 000..882b10f
> --- /dev/null
> +++ b/has-project/has-common/src/main/java/org/apache/kerby/
> has/common/Hadmin.java
> @@ -0,0 +1,35 @@
> +/**
> + *  Licensed to the Apache Software Foundation (ASF) under one
> + *  or more contributor license agreements.  See the NOTICE file
> + *  distributed with this work for additional information
> + *  regarding copyright ownership.  The ASF licenses this file
> + *  to you under the Apache License, Version 2.0 (the
> + *  "License"); you may not use this file except in compliance
> + *  with the License.  You may obtain a copy of the License at
> + *
> + *http://www.apache.org/licenses/LICENSE-2.0
> + *
> + *  Unless required by applicable law or agreed to in writing,
> + *  software distributed under the License is distributed on an
> + *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
> + *  KIND, either express or implied.  See the License for the
> + *  specific language governing permissions and limitations
> + *  under the License.
> + *
> + */
> +package org.apache.kerby.has.common;
> +
> +import java.io.File;
> +
> +/**
> + * Server side admin facilities from remote, similar to MIT kadmin 
> +remote
> mode.
> + */
> +public interface Hadmin {
> +
> +
> +String addPrincByRole(String host, String role) throws 
> + HasException;
> +
> +File getKeytabByHostAndRole(String host, String role) throws
> HasException;
> +
> +void getHostRoles();
> +}
>
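Review bot: `void getHostRoles();` returns nothing, so a caller of this interface has no way to obtain the roles; it should return a collection (or whatever the REST layer serialises), and all three methods need Javadoc. Because the class comment describes these as admin facilities used "from remote", the Javadoc should also state what the caller must authenticate with before `getKeytabByHostAndRole` returns a keytab file, as handing out keys is the most sensitive operation in this interface. Minor: there is a double blank line after `public interface Hadmin {`.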
> http://git-wip-us.apache.org/repos/asf/directory-kerby/
> blob/2e9a8644/has-project/has-server/src/main/java/org/
> apache/kerby/has/server/admin/LocalHadmin.java
> --
> diff --git a/has-project/has-server/src/main/java/org/apache/kerby/
> has/server/admin/LocalHadmin.java b/has-project/has-server/src/ 
> main/java/org/apache/kerby/has/server/admin/LocalHadmin.java
> new file mode 100644
> index 000..4661d87
> --- /dev/null
> +++ b/has-project/has-server/src/main/java/org/apache/kerby/
> has/server/admin/LocalHadmin.java
> @@ -0,0 +1,140 @@
> +/**
> + *  
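Review bot: the file this hunk creates is has/server/admin/LocalHadmin.java, but the compile error quoted above reports that the public class inside it is LocalHasAdmin, and Java requires a public class's source file to carry the class name. Either rename the file to LocalHasAdmin.java or rename the class to LocalHadmin, which also keeps it in step with the Hadmin interface added in the previous file of this commit.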

RE: directory-kerby git commit: DIRKRB-681 Add new LoginModule

2018-01-26 Thread Li, Jiajia
The error occurred after upgrading the mvn version to 3.5.2, I've fixed it. 
Thanks Colm.

Regards,
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Thursday, January 25, 2018 5:43 PM
To: Li, Jiajia 
Cc: kerby@directory.apache.org
Subject: Re: directory-kerby git commit: DIRKRB-681 Add new LoginModule

Apache Maven 3.5.2 (138edd61fd100ec658bfa2d307c43b76940a5d7d; 2017-10-18T08:58:13+01:00)
Maven home: /opt/apache-maven-3.5.2
Java version: 1.8.0_151, vendor: Oracle Corporation
Java home: /opt/jdk1.8.0_151/jre
Default locale: en_GB, platform encoding: UTF-8
OS name: "linux", version: "4.13.0-25-generic", arch: "amd64", family: "unix"

Is the modernizer plugin running when you do "mvn clean install"?

Colm.

On Thu, Jan 25, 2018 at 8:13 AM, Li, Jiajia  wrote:

> Hi Colm,
>
>
>
> I can't reproduce this build failure; could you provide the Java and 
> OS version?
>
>
>
> Thanks,
>
> Jiajia
>
>
>
> *From:* Colm O hEigeartaigh [mailto:cohei...@apache.org]
> *Sent:* Wednesday, January 24, 2018 11:30 PM
> *To:* kerby@directory.apache.org; Li, Jiajia 
> *Subject:* Re: directory-kerby git commit: DIRKRB-681 Add new 
> LoginModule
>
>
>
> Hi Jiajia,
>
> This commit is causing a build failure:
>
> [INFO] --- modernizer-maven-plugin:1.5.0:modernizer (modernizer-check) @ has-client ---
> [ERROR] /home/colm/src/apache/directory-kerby/has-project/has-client/src/main/java/org/apache/kerby/has/client/HasLoginModule.java:160: Prefer java.lang.StringBuilder
> [ERROR] /home/colm/src/apache/directory-kerby/has-project/has-client/src/main/java/org/apache/kerby/has/client/HasLoginModule.java:163: Prefer java.lang.StringBuilder
>
> Colm.
>
>
>
> On Mon, Jan 22, 2018 at 3:28 AM,  wrote:
>
> Repository: directory-kerby
> Updated Branches:
>   refs/heads/trunk a8a284d9c -> 34ccabec6
>
>
> DIRKRB-681 Add new LoginModule
>
>
> Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
> Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/
> commit/34ccabec
> Tree: 
> http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/34ccabec
> Diff: 
> http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/34ccabec
>
> Branch: refs/heads/trunk
> Commit: 34ccabec68b2b83b683240801e3929ef43eec26e
> Parents: a8a284d
> Author: plusplusjiajia 
> Authored: Mon Jan 22 11:25:06 2018 +0800
> Committer: plusplusjiajia 
> Committed: Mon Jan 22 11:25:06 2018 +0800
>
> --
>  .../apache/kerby/has/client/HasLoginModule.java | 456 
> +++
>  1 file changed, 456 insertions(+)
> --
>
>
> http://git-wip-us.apache.org/repos/asf/directory-kerby/
> blob/34ccabec/has-project/has-client/src/main/java/org/
> apache/kerby/has/client/HasLoginModule.java
> --
> diff --git 
> a/has-project/has-client/src/main/java/org/apache/kerby/has/client/Has
> LoginModule.java 
> b/has-project/has-client/src/main/java/org/apache/kerby/
> has/client/HasLoginModule.java
> new file mode 100644
> index 000..8debda5
> --- /dev/null
> +++ b/has-project/has-client/src/main/java/org/apache/kerby/
> has/client/HasLoginModule.java
> @@ -0,0 +1,456 @@
> +/**
> + * Licensed to the Apache Software Foundation (ASF) under one
> + * or more contributor license agreements.  See the NOTICE file
> + * distributed with this work for additional information
> + * regarding copyright ownership.  The ASF licenses this file
> + * to you under the Apache License, Version 2.0 (the
> + * "License"); you may not use this file except in compliance
> + * with the License.  You may obtain a copy of the License at
> + * 
> + * http://www.apache.org/licenses/LICENSE-2.0
> + * 
> + * Unless required by applicable law or agreed to in writing,
> + * software distributed under the License is distributed on an
> + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
> + * KIND, either express or implied.  See the License for the
> + * specific language governing permissions and limitations
> + * under the License.
> + */
> +package org.apache.kerby.has.client;
> +
> +import com.sun.security.auth.module.Krb5LoginModule;
> +import org.apache.kerby.has.common.HasException;
> +import org.apache.kerby.kerberos.kerb.ccache.Credential;
> +import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
> +import org.slf4j.Logger;
> +import org.slf4j.LoggerFactory;
> +import sun.securi
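Review bot: the import block at the end of this hunk brings in com.sun.security.auth.module.Krb5LoginModule and classes from sun.security.*, which are JDK-internal packages with no compatibility guarantee; they can change between JDK updates and are not exported under the module system introduced in JDK 9, so a public LoginModule built on them needs either a documented supported-JDK range in the class Javadoc or a replacement in terms of the public javax.security.auth.kerberos types. Please state in the class comment which it is.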

RE: directory-kerby git commit: DIRKRB-681 Add new LoginModule

2018-01-25 Thread Li, Jiajia
Hi Colm,

I can't reproduce this build failure; could you provide the Java and OS 
version?

Thanks,
Jiajia

From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Wednesday, January 24, 2018 11:30 PM
To: kerby@directory.apache.org; Li, Jiajia 
Subject: Re: directory-kerby git commit: DIRKRB-681 Add new LoginModule

Hi Jiajia,
This commit is causing a build failure:

[INFO] --- modernizer-maven-plugin:1.5.0:modernizer (modernizer-check) @ 
has-client ---
[ERROR] 
/home/colm/src/apache/directory-kerby/has-project/has-client/src/main/java/org/apache/kerby/has/client/HasLoginModule.java:160:
 Prefer java.lang.StringBuilder
[ERROR] 
/home/colm/src/apache/directory-kerby/has-project/has-client/src/main/java/org/apache/kerby/has/client/HasLoginModule.java:163:
 Prefer java.lang.StringBuilder

Colm.

On Mon, Jan 22, 2018 at 3:28 AM, plusplusjia...@apache.org wrote:
Repository: directory-kerby
Updated Branches:
  refs/heads/trunk a8a284d9c -> 34ccabec6


DIRKRB-681 Add new LoginModule


Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/34ccabec
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/34ccabec
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/34ccabec

Branch: refs/heads/trunk
Commit: 34ccabec68b2b83b683240801e3929ef43eec26e
Parents: a8a284d
Author: plusplusjiajia <jiajia...@intel.com>
Authored: Mon Jan 22 11:25:06 2018 +0800
Committer: plusplusjiajia <jiajia...@intel.com>
Committed: Mon Jan 22 11:25:06 2018 +0800

--
 .../apache/kerby/has/client/HasLoginModule.java | 456 +++
 1 file changed, 456 insertions(+)
--


http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/34ccabec/has-project/has-client/src/main/java/org/apache/kerby/has/client/HasLoginModule.java
--
diff --git 
a/has-project/has-client/src/main/java/org/apache/kerby/has/client/HasLoginModule.java
 
b/has-project/has-client/src/main/java/org/apache/kerby/has/client/HasLoginModule.java
new file mode 100644
index 000..8debda5
--- /dev/null
+++ 
b/has-project/has-client/src/main/java/org/apache/kerby/has/client/HasLoginModule.java
@@ -0,0 +1,456 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.kerby.has.client;
+
+import com.sun.security.auth.module.Krb5LoginModule;
+import org.apache.kerby.has.common.HasException;
+import org.apache.kerby.kerberos.kerb.ccache.Credential;
+import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import sun.security.jgss.krb5.Krb5Util;
+import sun.security.krb5.Credentials;
+import sun.security.krb5.KrbException;
+import sun.security.krb5.PrincipalName;
+
+import javax.security.auth.DestroyFailedException;
+import javax.security.auth.Subject;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.kerberos.KerberosPrincipal;
+import javax.security.auth.kerberos.KerberosTicket;
+import javax.security.auth.login.LoginException;
+import javax.security.auth.spi.LoginModule;
+import java.io.IOException;
+import java.security.Principal;
+import java.util.Date;
+import java.util.Iterator;
+import java.util.Map;
+import java.util.Set;
+
+/**
+ * This LoginModule authenticates users using tgt ticket
+ * The client's TGT will be retrieved from the API of HasClient
+ */
+public class HasLoginModule implements LoginModule {
+
+public static final Logger LOG = 
LoggerFactory.getLogger(HasLoginModule.class);
+
+Krb5LoginModule krb5LoginModule;
+
+// initial state
+private Subject subject;
+
+// configurable option
+private boolean debug = false;
+private boolean doNotPrompt = false;
+private boolean useTgtTicket = false;
+private String hadoopSecurityHas = null;
+private String princName = null;
+
+private boolean refreshKrb5Config = false;
+
+// specify if initiator.
+/
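Review bot: `Krb5LoginModule krb5LoginModule;` is package-private and `LOG` is a public static field, while every option field next to them is private; make the delegate private and the logger private static final so nothing outside the class can swap the module it delegates to. The option fields `useTgtTicket` and `hadoopSecurityHas` carry no Javadoc saying which JAAS option names and values set them, and the class comment should say that the module delegates to com.sun.security.auth.module.Krb5LoginModule and the sun.security.krb5 classes imported above (JDK-internal API, not available under the JDK 9 module system without extra flags), so users know the JDK versions it supports.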

RE: Create new branch for 1.1.x-fixes?

2018-01-09 Thread Li, Jiajia
+1. Thanks Colm.

Regards,
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Monday, January 8, 2018 7:18 PM
To: kerby@directory.apache.org
Subject: Create new branch for 1.1.x-fixes?

Hi all,

I'd like to propose creating a new 1.1.x-fixes branch (without the recent HAS 
commits), and moving master to 2.0.0-SNAPSHOT. I think the HAS work warrants a 
new major release.

Thoughts?

Colm.


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


RE: LDAP backend

2017-12-21 Thread Li, Jiajia
Hi,
From your log, I think the KDC has already been initialized:

2017-12-18 10:10:11 DEBUG{LdapNetworkConnection.java:2026}> MessageType 
: SEARCH_RESULT_ENTRY
Message ID : 2
Search Result Entry
Entry
dn: uid=krbtgt/BIGDATA.COM,dc=bigdata,dc=com

Could you remove the "krbtgt/BIGDATA.COM" and "kadmin/BIGDATA.COM" entries from 
LDAP, then rerun kdcinit?

Thanks,
Jiajia

-Original Message-
From: Maslova Polina [mailto:paulina-masl...@yandex.ru] 
Sent: Monday, December 18, 2017 5:57 PM
To: kerby@directory.apache.org
Subject: Re: LDAP backend

I have attached the log of kdcinit with the results of search.
When I turned on debug on Apache DS I received this in the log:

WARN [org.apache.directory.server.ldap.LdapProtocolHandler] - Unexpected 
exception forcing session to close: sending disconnect notice to client.
java.io.IOException: Соединение разорвано другой стороной (= The connection was 
shut off by the other side )
at sun.nio.ch.FileDispatcherImpl.read0(Native Method)
at sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:39)
at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:223)
at sun.nio.ch.IOUtil.read(IOUtil.java:197)
at sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:380)
at 
org.apache.mina.transport.socket.nio.NioProcessor.read(NioProcessor.java:317)
at 
org.apache.mina.transport.socket.nio.NioProcessor.read(NioProcessor.java:45)
at 
org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:683)
at 
org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:659)
at 
org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:648)
at 
org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:68)
at 
org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1120)
at 
org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)


18.12.2017, 12:49, "Emmanuel Lécharny" :
> Le 18/12/2017 à 09:53, Maslova Polina a écrit :
>>  Dear Jiajia!
>>
>>  In the kdcinit log I have this
>>
>>  2017-12-18 10:10:11 DEBUG{LdapNetworkConnection.java:2288}-Search 
>> successful : MessageType : SEARCH_RESULT_DONE
>>  Message ID : 2
>>  Search Result Done
>>  Ldap Result
>>  Result code : (SUCCESS) success
>>  Matched Dn : ''
>>  Diagnostic message : ''
>>
>>  2017-12-18 10:10:11 DEBUG{LdapNetworkConnection.java:511}-Removing 
>> <2, org.apache.directory.ldap.client.api.future.SearchFuture>
>>  2017-12-18 10:10:11 DEBUG{SearchCursorImpl.java:210}-Closing 
>> SearchCursorImpl 
>> org.apache.directory.ldap.client.api.SearchCursorImpl@74650e52
>>  2017-12-18 10:10:11 DEBUG{SearchCursorImpl.java:225}-Closing 
>> SearchCursorImpl 
>> org.apache.directory.ldap.client.api.SearchCursorImpl@74650e52
>>  2017-12-18 10:10:11 INFO{LdapIdentityBackend.java:129}-closed connection 
>> with LDAP.
>>  2017-12-18 10:10:11 DEBUG{AbstractIdentityBackend.java:112}-stop 
>> called
>>  2017-12-18 10:10:11 DEBUG{LdapNetworkConnection.java:777}-received a 
>> NoD, closing everything
>>
>>  at the end of the log.
>>
>>  Is it a problems with Apache Directory?
>
> Clearly, no.
>
> The server just sent you a SearchResultDone, which is the normal 
> response when a search request has been processed. We don't have any 
> information about how many entries have been sent back, as the log has 
> been truncated just before the SearchResultDone (it would be 
> interesting to get the previous logs, especially the ones where the 
> searchRequest is done, and the result entries returned, if any). 
> However, again, this is an expected response.
>
> The LDAP API client then closes the search cursor, as expected when the 
> search has been processed fully.
>
> What would be interesting is to know why the LdapIdentityBackend class 
> closed the LDAP connection (this is a Kerby class, it's in the 
> doStop() method, and it seems that the close was properly handled).
>
> Jiajia ?
>
> --
> Emmanuel Lecharny
>
> Symas.com
> directory.apache.org
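
Added example, not code from Kerby or from anyone in this thread: the check Jiajia's advice implies, done programmatically with the Apache Directory LDAP API (the same client library the log lines above come from). If the built-in principals already exist under base_dn, kdcinit has run before, and the entries must go before it is run again. The krbtgt DN follows the `uid=krbtgt/BIGDATA.COM,dc=bigdata,dc=com` entry in the log; the kadmin DN is assumed to follow the same pattern. Host, port, admin DN and password are the constructed values from the backend.conf in this thread, and deletion only happens with an explicit `--delete` argument.

```java
import java.util.ArrayList;
import java.util.List;

import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.ldap.client.api.LdapConnection;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

/**
 * kdcinit pre-check for the LDAP identity backend: report (and, on request,
 * remove) the built-in principals that a previous kdcinit run left behind.
 */
public class KdcInitPrecheck {

    /** DNs of the principals kdcinit creates; pattern taken from the log in this thread. */
    static List<String> builtinDns(String realm, String baseDn) {
        List<String> dns = new ArrayList<>();
        dns.add("uid=krbtgt/" + realm + "," + baseDn);
        dns.add("uid=kadmin/" + realm + "," + baseDn);   // assumed to mirror the krbtgt entry
        return dns;
    }

    /** Returns the subset of the given DNs that already exist in the directory. */
    static List<String> existing(LdapConnection conn, List<String> dns) throws LdapException {
        List<String> found = new ArrayList<>();
        for (String dn : dns) {
            if (conn.exists(dn)) {
                found.add(dn);
            }
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        boolean delete = args.length > 0 && "--delete".equals(args[0]);
        // Constructed values matching the backend.conf discussed in this thread.
        String realm = "BIGDATA.COM";
        String baseDn = "dc=bigdata,dc=com";

        try (LdapNetworkConnection conn = new LdapNetworkConnection("127.0.0.1", 10389)) {
            conn.bind("uid=admin,ou=system", "secret");   // same admin_dn/admin_pw as the KDC uses
            List<String> found = existing(conn, builtinDns(realm, baseDn));
            if (found.isEmpty()) {
                System.out.println("no built-in principals under " + baseDn + ": kdcinit can run");
            }
            for (String dn : found) {
                System.out.println("already present: " + dn);
                if (delete) {
                    conn.delete(dn);   // what the thread recommends before rerunning kdcinit
                    System.out.println("deleted " + dn);
                }
            }
            conn.unBind();
        }
    }
}
```

Deleting the krbtgt entry discards the realm's ticket-granting key, so every ticket issued so far stops verifying; that is harmless while the KDC is still being set up, as here, but it is why the removal sits behind a flag rather than running by default. A real tool should read admin_pw from backend.conf or prompt for it instead of embedding it.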


RE: LDAP backend

2017-12-20 Thread Li, Jiajia
java version "1.8.0_40"
apacheds-2.0.0-M24

Thanks,
Jiajia

-Original Message-
From: Maslova Polina [mailto:paulina-masl...@yandex.ru] 
Sent: Wednesday, December 20, 2017 8:51 PM
To: kerby@directory.apache.org
Subject: Re: LDAP backend

Hello Jiajia!

I have set up another machine and have the same exception again. Could you 
please tell me which version of the JDK you use?

Sincerely, Polina

18.12.2017, 06:40, "Li, Jiajia" :
> Hi Maslova,
>
> I've tested this backend, but without exception:
> sh bin/kdcinit.sh conf conf
> The keytab for kadmin principal has been exported to the specified file /home /devel /directory-kerby/kerby-dist/kdc-dist/conf/admin.keytab, please safely keep it, in order to use kadmin tool later
> The keytab for protocol principal has been exported to the specified file /home/ devel/ directory-kerby/kerby-dist/kdc-dist/conf/protocol.keytab, please safely keep it, in order to use remote kadmin tool later
> Finished initializing the KDC backend
>
> My backend.conf:
> kdc_identity_backend = org.apache.kerby.kerberos.kdc.identitybackend.LdapIdentityBackend
> host=127.0.0.1
> port=10389
> admin_dn=uid=admin,ou=system
> admin_pw=secret
> base_dn=dc=example,dc=com
>
> Thanks,
> Jiajia
>
> -Original Message-
> From: Maslova Polina [mailto:paulina-masl...@yandex.ru]
> Sent: Friday, December 15, 2017 8:13 PM
> To: kerby@directory.apache.org
> Subject: LDAP backend
>
> Hi all!
>
> After the patch https://issues.apache.org/jira/browse/DIRKRB-679 I do 
> not receive the error Failed to load backend class: 
> org.apache.kerby.kerberos.kdc.identitybackend.LdapIdentityBackend
>
> everything goes well with the LDAP backend. Now when I make
>
> sh bin/kdcinit.sh /etc/kerby/kerby-all-1.1.0/kerby-dist/kdc-dist/conf 
> /etc/kerby/kerby-all-1.1.0/kerby-dist/kdc-dist/keytab
>
> I receive this:
>
> Exception in thread "main" java.lang.NullPointerException
> at org.apache.kerby.kerberos.kdc.identitybackend.LdapIdentityGetHelper.getKeys(LdapIdentityGetHelper.java:71)
> at org.apache.kerby.kerberos.kdc.identitybackend.LdapIdentityBackend.doGetIdentity(LdapIdentityBackend.java:245)
> at org.apache.kerby.kerberos.kerb.identity.backend.AbstractIdentityBackend.getIdentity(AbstractIdentityBackend.java:162)
> at org.apache.kerby.kerberos.kerb.admin.kadmin.local.LocalKadminImpl.createBuiltinPrincipals(LocalKadminImpl.java:136)
> at org.apache.kerby.kerberos.tool.kdcinit.KdcInitTool.initKdc(KdcInitTool.java:53)
> at org.apache.kerby.kerberos.tool.kdcinit.KdcInitTool.main(KdcInitTool.java:111)
>
> Why does it occur?
>
> Yours sincerely, Maslova Polina


RE: LDAP backend

2017-12-17 Thread Li, Jiajia
Hi Maslova,

I've tested this backend, but without exception:
sh bin/kdcinit.sh conf conf
The keytab for kadmin principal has been exported to the specified file /home 
/devel /directory-kerby/kerby-dist/kdc-dist/conf/admin.keytab, please safely 
keep it, in order to use kadmin tool later
The keytab for protocol principal  has been exported to the specified file 
/home/ devel/ directory-kerby/kerby-dist/kdc-dist/conf/protocol.keytab, please 
safely keep it, in order to use remote kadmin tool later
Finished initializing the KDC backend

My backend.conf:
kdc_identity_backend = org.apache.kerby.kerberos.kdc.identitybackend.LdapIdentityBackend
host=127.0.0.1
port=10389
admin_dn=uid=admin,ou=system
admin_pw=secret
base_dn=dc=example,dc=com


Thanks,
Jiajia

-Original Message-
From: Maslova Polina [mailto:paulina-masl...@yandex.ru] 
Sent: Friday, December 15, 2017 8:13 PM
To: kerby@directory.apache.org
Subject: LDAP backend

Hi all!

After the patch https://issues.apache.org/jira/browse/DIRKRB-679 I do not 
receive the error Failed to load backend class: 
org.apache.kerby.kerberos.kdc.identitybackend.LdapIdentityBackend

everything goes well with the LDAP backend. Now when I make

sh bin/kdcinit.sh /etc/kerby/kerby-all-1.1.0/kerby-dist/kdc-dist/conf 
/etc/kerby/kerby-all-1.1.0/kerby-dist/kdc-dist/keytab


I receive this:

Exception in thread "main" java.lang.NullPointerException
at 
org.apache.kerby.kerberos.kdc.identitybackend.LdapIdentityGetHelper.getKeys(LdapIdentityGetHelper.java:71)
at 
org.apache.kerby.kerberos.kdc.identitybackend.LdapIdentityBackend.doGetIdentity(LdapIdentityBackend.java:245)
at 
org.apache.kerby.kerberos.kerb.identity.backend.AbstractIdentityBackend.getIdentity(AbstractIdentityBackend.java:162)
at 
org.apache.kerby.kerberos.kerb.admin.kadmin.local.LocalKadminImpl.createBuiltinPrincipals(LocalKadminImpl.java:136)
at 
org.apache.kerby.kerberos.tool.kdcinit.KdcInitTool.initKdc(KdcInitTool.java:53)
at 
org.apache.kerby.kerberos.tool.kdcinit.KdcInitTool.main(KdcInitTool.java:111)

Why does it occur?

Yours sincerely, Maslova Polina


RE: [DISCUSS] Merge HAS to Apache Kerby

2017-12-14 Thread Li, Jiajia
Hi all,

Status update:

1. I've checked that both Intel and Alibaba have signed the CCLA.
2. We have fixed the dependency issues: the MySQL JDBC driver is replaced with 
Drizzle JDBC, and some dependencies for which no license could be found have been removed.
3. If there are no more questions, we will start to merge under the master 
JIRA (https://issues.apache.org/jira/browse/DIRKRB-671); please help review 
the patches.

Thanks,
Jiajia

From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Wednesday, December 6, 2017 11:23 PM
To: Li, Jiajia 
Cc: Apache Directory Developers List ; 
kerby@directory.apache.org
Subject: Re: [DISCUSS] Merge HAS to Apache Kerby

Hi Jiajia,
Perhaps you could get one of the Alibaba contributors to mail 
"secret...@apache.org" and ask if there is a CCLA on record?
Colm.

On Tue, Dec 5, 2017 at 1:49 AM, Li, Jiajia <jiajia...@intel.com> wrote:
I think Intel provided the CCLA when contributing Kerby to Apache, but I'm 
not sure whether Alibaba has already provided one; is there one place we could check it?

Thanks,
Jiajia

From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Tuesday, December 5, 2017 1:50 AM
To: kerby@directory.apache.org
Cc: Apache Directory Developers List <d...@directory.apache.org>
Subject: Re: [DISCUSS] Merge HAS to Apache Kerby

Do we have both CCLAs filed for Intel and Alibaba?
Colm.

On Mon, Dec 4, 2017 at 6:36 AM, Li, Jiajia <jiajia...@intel.com> wrote:
Hi all,

Here is some status update: now all the contributors have provided the ICLA 
to secret...@apache.org and I've created the master 
JIRA (https://issues.apache.org/jira/browse/DIRKRB-671) for this merging.
Any more suggestions on how to merge?

Thanks,
Jiajia

From: Li, Jiajia [mailto:jiajia...@intel.com]
Sent: Thursday, November 30, 2017 1:38 PM
To: cohei...@apache.org
Cc: kerby@directory.apache.org; Apache Directory Developers List <d...@directory.apache.org>
Subject: RE: [DISCUSS] Merge HAS to Apache Kerby

Hi Colm,

> What I meant with the point about the backend, is that it should be 
> configurable whether to just trust the signature of the presented auth token 
> as sufficient validation, without requiring any MySQL backend. For example, 
> the token might be issued by an IdP that HAS "trusts", where the IdP has an 
> identity backend of which HAS knows nothing about.

Now I understand what you mean. There are three reasons for using the backend:
1. If a user is using the new authentication mechanism (Kerberos-based token 
authentication), the TGT (ticket-granting ticket) can be obtained without the backend. 
But a TGT is not enough to access a service: after getting the TGT, the next step 
is to get an SGT (service ticket), and in this step the service principal is 
needed in the backend.
2. The new authentication mechanism is used by end users rather than at the service 
level; services are still strongly authenticated by Kerberos, logging in through their 
keytabs.
3. Users or admins sometimes want to use "kinit" to get a credential cache to 
manage the cluster, for compatibility.

> One final overall point, is that HAS looks a bit like a SecurityTokenService 
> (STS). Apache CXF ships with a STS that I am very familiar with. It is a web 
> application that supports a SOAP and REST interface to issue, validate tokens 
> etc, where you can "plug in" the tokens that are supported. It might be worth 
> exploring if the functionality of HAS could be integrated with the CXF STS.

I do not know much about the SecurityTokenService. From your introduction, I think 
an STS can issue and validate tokens, which is exactly the kind of existing 
authentication system HAS wants to plug in; we could write the client and server 
plugins for STS and then use STS in the HAS framework. Please correct me if I'm 
wrong.

We think it's more suitable to integrate with Kerby for the following reasons:
1. The new authentication mechanism ("Kerberos-based token authentication") is 
based on the "TokenPreauth" provided in Kerby, using an AuthToken to exchange for a 
Kerberos ticket.
2. The REST APIs are not only for the new authentication; they also provide some useful 
interfaces, such as configuring the Kerby KDC, managing the Kerby backend, and exporting keytab 
files. These could help make the Kerby KDC stronger.
3. HAS binds the web server and the Kerby KDC very closely; they are all included in 
HasServer (we can rename it after merging). We could also think of the web server as 
one part of the Kerby KDC, which uses the web server to receive requests 
from HTTPS clients.

Thanks,
Jiajia
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Se
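
A toy model of the two exchanges Jiajia's first point describes, added here and not part of HAS or Kerby. The AS exchange accepts a token signed by a trusted issuer without looking the user up in the backend; the TGS exchange still needs the service principal's key from the backend, which is why the backend can be optional for users but not for services. Tokens are constructed as "issuer|subject|hmac" strings and tickets are plain records; the issuer names, keys and service principals are all made up for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Minimal KDC model: token pre-authentication for the AS exchange, backend lookup for the TGS exchange. */
public class TokenRealmModel {

    static final class Tgt {
        final String client;
        Tgt(String client) { this.client = client; }
    }

    static final class Sgt {
        final String client;
        final String service;
        Sgt(String client, String service) { this.client = client; this.service = service; }
    }

    private final Map<String, byte[]> backend = new HashMap<>();        // service principal -> long-term key
    private final Map<String, byte[]> trustedIssuers = new HashMap<>(); // token issuer -> MAC key

    void addServicePrincipal(String name, byte[] key) { backend.put(name, key); }
    void trustIssuer(String issuer, byte[] key) { trustedIssuers.put(issuer, key); }

    static byte[] hmac(byte[] key, String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) { sb.append(String.format("%02x", b)); }
        return sb.toString();
    }

    /** What the external IdP does: vouch for a subject with its own key. */
    static String issueToken(String issuer, byte[] issuerKey, String subject) {
        return issuer + "|" + subject + "|" + hex(hmac(issuerKey, issuer + "|" + subject));
    }

    /** AS exchange: verify the token against the issuer's key; no user record is consulted. */
    Optional<Tgt> asExchange(String token) {
        String[] p = token.split("\\|");
        if (p.length != 3) { return Optional.empty(); }
        byte[] issuerKey = trustedIssuers.get(p[0]);
        if (issuerKey == null) { return Optional.empty(); }            // issuer not trusted
        byte[] expected = hex(hmac(issuerKey, p[0] + "|" + p[1])).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, p[2].getBytes(StandardCharsets.UTF_8))) {
            return Optional.empty();                                   // bad signature
        }
        return Optional.of(new Tgt(p[1]));
    }

    /** TGS exchange: the service ticket must be protected with the service's key, so the service must exist. */
    Optional<Sgt> tgsExchange(Tgt tgt, String service) {
        if (!backend.containsKey(service)) {
            return Optional.empty();   // real Kerberos answers KDC_ERR_S_PRINCIPAL_UNKNOWN here
        }
        return Optional.of(new Sgt(tgt.client, service));
    }

    public static void main(String[] args) {
        byte[] idpKey = "constructed-idp-key".getBytes(StandardCharsets.UTF_8);
        TokenRealmModel kdc = new TokenRealmModel();
        kdc.trustIssuer("corp-idp", idpKey);
        kdc.addServicePrincipal("HTTP/gateway.example.com",
                "constructed-service-key".getBytes(StandardCharsets.UTF_8));

        Tgt tgt = kdc.asExchange(issueToken("corp-idp", idpKey, "alice")).get(); // alice is not in the backend
        System.out.println("TGT for " + tgt.client);
        System.out.println("SGT for registered service: "
                + kdc.tgsExchange(tgt, "HTTP/gateway.example.com").isPresent());  // true
        System.out.println("SGT for unregistered service: "
                + kdc.tgsExchange(tgt, "HTTP/other.example.com").isPresent());    // false
        System.out.println("forged token accepted: "
                + kdc.asExchange("corp-idp|alice|00").isPresent());               // false
    }
}
```

The model also shows what a "trust the token signature only" configuration, as Colm suggests, would have to get right: the set of trusted issuer keys becomes the thing that decides who can obtain a TGT, so it deserves the same protection and change control as the backend itself.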

RE: LDAP backend config

2017-12-14 Thread Li, Jiajia
Hi Maslova,

Thank you for reporting the issue. I've created a JIRA for it: 
DIRKRB-679 (https://issues.apache.org/jira/browse/DIRKRB-679).
You could apply the patch in the JIRA; the patch comments out the LDAP dependency 
by default, so you should remove the comment.

Thanks,
Jiajia

-Original Message-
From: Maslova Polina [mailto:paulina-masl...@yandex.ru] 
Sent: Thursday, December 14, 2017 4:32 PM
To: kerby@directory.apache.org
Subject: LDAP backend config

Hello dear all!

I failed to find how to configure the LDAP backend in backend.conf (we use Apache 
DS).
I have searched all over the internet, but there is nothing about it. I tried to do 
it by myself, but also failed. Please help!

dc_identity_backend = org.apache.kerby.kerberos.kdc.identitybackend.LdapIdentityBackend
host=127.0.0.1
port=10389
admin_dn="uid=krbadmin,ou=users,dc=bigdata,dc=com"
admin_pw=pass

With this configuration I receive the error 

sh bin/start-kdc.sh /etc/kerby/kerby-all-1.1.0/kerby-dist/kdc-dist/conf 
/etc/kerby/kerby-all-1.1.0/kerby-dist/kdc-dist
Errors occurred when starting the kdc server:  Failed to load backend class: 
org.apache.kerby.kerberos.kdc.identitybackend.LdapIdentityBackend

when trying to start the KDC.

Yours sincerely, Maslova Polina.
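
Added example, not code from Kerby or from this thread: a static check of backend.conf that catches the differences between the configuration in this message and the working one Jiajia posts later in the thread (`dc_identity_backend` instead of `kdc_identity_backend`, a quoted admin_dn, and no base_dn). The list of keys the LDAP backend needs is taken from Jiajia's working file; the parser and the checks are this example's own, and "Failed to load backend class" is a separate problem (the backend jar missing from the KDC classpath, as the DIRKRB-679 reply explains) that no config check can see.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Lint for Kerby's backend.conf when the LDAP identity backend is selected. */
public class BackendConfCheck {

    static final String BACKEND_KEY = "kdc_identity_backend";
    static final String LDAP_BACKEND =
            "org.apache.kerby.kerberos.kdc.identitybackend.LdapIdentityBackend";
    // Keys present in the working backend.conf from this thread.
    static final List<String> LDAP_KEYS =
            Arrays.asList("host", "port", "admin_dn", "admin_pw", "base_dn");

    /** key=value lines; split at the first '=', since a DN value contains '=' itself. */
    static Map<String, String> parse(String text) {
        Map<String, String> conf = new LinkedHashMap<>();
        for (String raw : text.split("\n")) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#")) {
                continue;
            }
            int eq = line.indexOf('=');
            if (eq < 0) {
                continue;   // not a key=value line
            }
            conf.put(line.substring(0, eq).trim(), line.substring(eq + 1).trim());
        }
        return conf;
    }

    /** Human-readable findings; an empty list means nothing obviously wrong. */
    static List<String> check(Map<String, String> conf) {
        List<String> findings = new ArrayList<>();
        String backend = conf.get(BACKEND_KEY);
        if (backend == null) {
            findings.add("missing " + BACKEND_KEY + ": the LDAP backend will not be selected");
            for (String key : conf.keySet()) {
                if (BACKEND_KEY.endsWith(key) || key.endsWith(BACKEND_KEY)) {
                    findings.add("found '" + key + "' instead; did you mean " + BACKEND_KEY + "?");
                }
            }
            return findings;
        }
        if (!LDAP_BACKEND.equals(backend)) {
            return findings;    // some other backend; its keys are not checked here
        }
        for (String key : LDAP_KEYS) {
            if (!conf.containsKey(key)) {
                findings.add("missing " + key + " (needed by " + LDAP_BACKEND + ")");
            }
        }
        String dn = conf.get("admin_dn");
        if (dn != null && dn.startsWith("\"") && dn.endsWith("\"")) {
            findings.add("admin_dn is quoted; write the DN without quotes");
        }
        String port = conf.get("port");
        if (port != null && !port.matches("\\d+")) {
            findings.add("port is not a number: " + port);
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed from the two backend.conf files posted in this thread.
        String broken = "dc_identity_backend = " + LDAP_BACKEND + "\n"
                + "host=127.0.0.1\nport=10389\n"
                + "admin_dn=\"uid=krbadmin,ou=users,dc=bigdata,dc=com\"\nadmin_pw=pass\n";
        String working = "kdc_identity_backend = " + LDAP_BACKEND + "\n"
                + "host=127.0.0.1\nport=10389\n"
                + "admin_dn=uid=admin,ou=system\nadmin_pw=secret\nbase_dn=dc=example,dc=com\n";

        for (String text : new String[] {broken, working}) {
            List<String> findings = check(parse(text));
            System.out.println(findings.isEmpty() ? "OK" : String.join("\n", findings));
            System.out.println("--");
        }
    }
}
```

For the first file the check reports the missing kdc_identity_backend key together with the dc_identity_backend near-miss and stops there, since nothing else can be judged until the backend is selected; fixing that key and rerunning then surfaces the quoted admin_dn and the missing base_dn, which the NullPointerException later in this thread is consistent with.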


RE: Patch to define new PA data type being used by Windows 10

2017-12-14 Thread Li, Jiajia
Hi Richard,

Thanks for your patch! It looks good to me. I think it would be better if you 
could create a JIRA and upload the patch there. Thanks!

Regards,
Jiajia

-Original Message-
From: Richard Feezel [mailto:rfee...@gmail.com] 
Sent: Wednesday, December 13, 2017 1:54 PM
To: kerby@directory.apache.org
Subject: Patch to define new PA data type being used by Windows 10

I'm offering the following patch to add a definition of a new PA data type 
PA_PAC_OPTIONS which is being used by Windows 10 and may also be used by 
Windows 7 and Windows 8.1. The definition comes from the latest version of 
MS-KILE which describes Microsoft's extensions to the Kerberos protocol.



diff --git
a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/PaDataType.java
b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/PaDataType.java
index ecf5f95..17dbefc 100644
---
a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/PaDataType.java
+++
b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/pa/PaDataType.java
@@ -90,6 +90,7 @@
  *PA-EPAK-AS-REP 146  (ssh...@gmail.com) [RFC6113]
  *PA_PKINIT_KX   147  [RFC6112]
  *PA_PKU2U_NAME  148  [PKU2U]
+ *PA_PAC_OPTIONS 167  [Microsoft MS-KILE]
  * 
  *
  *
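Review bot: the new table row cites only "[Microsoft MS-KILE]" while every other row in this comment gives a specific reference (an RFC number or a draft name); point at the MS-KILE section that defines PA-PAC-OPTIONS so a reader can find the definition, and consider using the specification's own hyphenated spelling `PA-PAC-OPTIONS` in the doc row, since that is the string one would search for in MS-KILE.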
@@ -162,7 +163,8 @@
 PKINIT_KX   (147), // RFC 6112 : PKINIT Client
Contribution to the Ticket Session Key
 TOKEN_REQUEST   (148), // [PKU2U]
 ENCPADATA_REQ_ENC_PA_REP(149), // RFC 6806 : Negotiation of FAST
and Detecting Modified Requests
-TOKEN_CHALLENGE (149); // ???
+TOKEN_CHALLENGE (149), // ???
+PAC_OPTIONS (167); // Microsoft MS-KILE

 /** The inner value */
 private final int value;
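Review bot: the line being edited, `TOKEN_CHALLENGE (149), // ???`, carries the same numeric value as `ENCPADATA_REQ_ENC_PA_REP(149)` two lines above it, and the `???` comment shows nobody has settled which one 149 belongs to; since this patch touches the line anyway, resolve the duplicate (or at least note it in the JIRA), because any lookup from the integer 149 back to an enum constant cannot tell the two apart. Separately, `PAC_OPTIONS (167)` only gives the type a name: nothing in the patch decodes or handles a PA-PAC-OPTIONS padata value, so the JIRA should say whether a matching padata value type is planned or whether the goal is only to let the existing code recognise the number that Windows 10 sends.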


--
Richard M Feezel
rfee...@gmail.com


RE: [DISCUSS] Merge HAS to Apache Kerby

2017-12-04 Thread Li, Jiajia
Hi Colm,

> I still think we should make it optional (by configuration) whether the users 
> need to be in the backend or not. If it is optional we can support 
> authentication using tokens from other IdPs. A more advanced use-case is to 
> translate identities from a token issued by an IdP in another realm to the 
> identities stored in the backend.

It's a good idea to make it optional; that will make it more lightweight and 
scalable. Just one minor issue: if there is no backend, how do we store 
krbtgt/REALM@REALM? This principal is used for issuing the TGT (ticket granting 
ticket), and is currently created by the kdcinit tool.


> Yep that would be cool. I can help out with this as I'm a committer on Apache 
> CXF. Here's a blog post I wrote on the REST interface of the STS:
> http://coheigea.blogspot.ie/2016/06/a-new-rest-interface-for-apache-cxf.html
> This is something we can look at in the future anyway once the code is merged.

It would be really great if you could help with this; that will make this 
solution more powerful.


Thanks,
Jiajia


-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Tuesday, December 5, 2017 1:55 AM
To: kerby@directory.apache.org
Cc: Apache Directory Developers List 
Subject: Re: [DISCUSS] Merge HAS to Apache Kerby

Hi Jiajia,

Answers inline.

On Thu, Nov 30, 2017 at 5:38 AM, Li, Jiajia  wrote:

>
>
> Now I understand what you mean. There are three reasons for using a backend:
> 1. If a user is using the new authentication mechanism (Kerberos-based token 
> authentication), the TGT (ticket granting ticket) can be obtained without a 
> backend. But a TGT is not enough to access the service; after getting the TGT, 
> the next step is to get the SGT (ticket for service), and in this step the 
> service principal is needed in the backend.
> 2. The new authentication mechanism is used by the end users, not at the 
> service level; services are still strongly authenticated by Kerberos, logging 
> in through their keytabs.
> 3. Users or admins sometimes want to use "kinit" to get a credential cache to 
> manage the cluster, for compatibility.
>

I still think we should make it optional (by configuration) whether the users 
need to be in the backend or not. If it is optional we can support 
authentication using tokens from other IdPs. A more advanced use-case is to 
translate identities from a token issued by an IdP in another realm to the 
identities stored in the backend.


>
> I do not know much about SecurityTokenService. From your introduction, I 
> think STS can issue and validate tokens; that is exactly the kind of existing 
> authentication system HAS wants to plug in. We can write the client and 
> server plugins for STS, then use STS in the HAS framework. Please correct me 
> if I'm wrong.
>

 Yep that would be cool. I can help out with this as I'm a committer on Apache 
CXF. Here's a blog post I wrote on the REST interface of the STS:

http://coheigea.blogspot.ie/2016/06/a-new-rest-interface-for-apache-cxf.html

This is something we can look at in the future anyway once the code is merged.


> We think it's more suitable to be integrated with Kerby for the following
> reasons:
> 1. The new authentication mechanism ("Kerberos-based token
> authentication") is based on the "TokenPreauth" provided in Kerby, 
> using an AuthToken to exchange for a Kerberos ticket.
> 2. The REST APIs are not only for the new authentication; they also provide 
> some useful interfaces, such as configuring the Kerby KDC, managing the Kerby 
> backend and exporting keytab files. These could help make the Kerby KDC stronger.
> 3. HAS binds the webserver and the Kerby KDC very closely; they are all 
> included in HasServer (we can rename it after merging). We could also 
> think of the webserver as one part of the Kerby KDC, using the webserver 
> for the KDC to receive some requests from HTTPS clients.
>

Yes +1 from me on merging to Kerby, once the legal stuff is sorted out.

Colm.


>
> Thanks
> Jiajia
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Wednesday, November 29, 2017 10:58 PM
> To: Li, Jiajia 
> Cc: kerby@directory.apache.org; Apache Directory Developers List < 
> d...@directory.apache.org>
> Subject: Re: [DISCUSS] Merge HAS to Apache Kerby
>
> Hi Jiajia,
> What I meant with the point about the backend, is that it should be 
> configurable whether to just trust the signature of the presented auth 
> token as sufficient validation, without requiring any MySQL backend. 
> For example, the token might be issued by an IdP that HAS "trusts", 
> where the IdP has an identity backend of which HAS knows nothing about.
>
> One final overall point, is that HAS looks a bit like a 
> SecurityTokenService (STS). Apache CXF ships with a STS that I am very 
> f

RE: [DISCUSS] Merge HAS to Apache Kerby

2017-12-04 Thread Li, Jiajia
I think Intel provided the CCLA when contributing Kerby to Apache. But I'm not 
sure whether Alibaba has already provided one; is there a place we could check?

Thanks,
Jiajia

From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Tuesday, December 5, 2017 1:50 AM
To: kerby@directory.apache.org
Cc: Apache Directory Developers List 
Subject: Re: [DISCUSS] Merge HAS to Apache Kerby

Do we have both CCLAs filed for Intel and Alibaba?
Colm.

On Mon, Dec 4, 2017 at 6:36 AM, Li, Jiajia <jiajia...@intel.com> wrote:
Hi all,

Here is a status update: all the contributors have now provided the ICLA to 
secret...@apache.org and I've created the master 
JIRA (https://issues.apache.org/jira/browse/DIRKRB-671) for this merge.
Any more suggestions on how to merge?

Thanks,
Jiajia

From: Li, Jiajia [mailto:jiajia...@intel.com]
Sent: Thursday, November 30, 2017 1:38 PM
To: cohei...@apache.org
Cc: kerby@directory.apache.org; Apache Directory Developers List 
<d...@directory.apache.org>
Subject: RE: [DISCUSS] Merge HAS to Apache Kerby
Subject: RE: [DISCUSS] Merge HAS to Apache Kerby

Hi Colm,

> What I meant with the point about the backend, is that it should be 
> configurable whether to just trust the signature of the presented auth token 
> as sufficient validation, without requiring any MySQL backend. For example, 
> the token might be issued by an IdP that HAS "trusts", where the IdP has an 
> identity backend of which HAS knows nothing about.

Now I understand what you mean. There are three reasons for using a backend:
1. If a user is using the new authentication mechanism (Kerberos-based token 
authentication), the TGT (ticket granting ticket) can be obtained without a 
backend. But a TGT is not enough to access the service; after getting the TGT, 
the next step is to get the SGT (ticket for service), and in this step the 
service principal is needed in the backend.
2. The new authentication mechanism is used by the end users, not at the 
service level; services are still strongly authenticated by Kerberos, logging 
in through their keytabs.
3. Users or admins sometimes want to use "kinit" to get a credential cache to 
manage the cluster, for compatibility.

> One final overall point, is that HAS looks a bit like a SecurityTokenService 
> (STS). Apache CXF ships with a STS that I am very familiar with. It is a web 
> application that supports a SOAP and REST interface to issue, validate tokens 
> etc, where you can "plug in" the tokens that are supported. It might be worth 
> exploring if the functionality of HAS could be integrated with the CXF STS.

I do not know much about SecurityTokenService. From your introduction, I think 
STS can issue and validate tokens; that is exactly the kind of existing 
authentication system HAS wants to plug in. We can write the client and server 
plugins for STS, then use STS in the HAS framework. Please correct me if I'm 
wrong.

We think it's more suitable to be integrated with Kerby for the following reasons:
1. The new authentication mechanism ("Kerberos-based token authentication") is 
based on the "TokenPreauth" provided in Kerby, using an AuthToken to exchange 
for a Kerberos ticket.
2. The REST APIs are not only for the new authentication; they also provide 
some useful interfaces, such as configuring the Kerby KDC, managing the Kerby 
backend and exporting keytab files. These could help make the Kerby KDC 
stronger.
3. HAS binds the webserver and the Kerby KDC very closely; they are all 
included in HasServer (we can rename it after merging). We could also think of 
the webserver as one part of the Kerby KDC, using the webserver for the KDC to 
receive some requests from HTTPS clients.

Thanks
Jiajia
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Wednesday, November 29, 2017 10:58 PM
To: Li, Jiajia <jiajia...@intel.com>
Cc: kerby@directory.apache.org; Apache Directory Developers List 
<d...@directory.apache.org>
Subject: Re: [DISCUSS] Merge HAS to Apache Kerby

Hi Jiajia,
What I meant with the point about the backend, is that it should be 
configurable whether to just trust the signature of the presented auth token as 
sufficient validation, without requiring any MySQL backend. For example, the 
token might be issued by an IdP that HAS "trusts", where the IdP has an 
identity backend of which HAS knows nothing about.

One final overall point, is that HAS looks a bit like a SecurityTokenService 
(STS). Apache CXF ships with a STS that I am very familiar with. It is a web

RE: [DISCUSS] Merge HAS to Apache Kerby

2017-12-03 Thread Li, Jiajia
Hi all,

Here is a status update: all the contributors have now provided the ICLA to 
secret...@apache.org and I've created the master 
JIRA (https://issues.apache.org/jira/browse/DIRKRB-671) for this merge.
Any more suggestions on how to merge?

Thanks,
Jiajia

From: Li, Jiajia [mailto:jiajia...@intel.com]
Sent: Thursday, November 30, 2017 1:38 PM
To: cohei...@apache.org
Cc: kerby@directory.apache.org; Apache Directory Developers List 

Subject: RE: [DISCUSS] Merge HAS to Apache Kerby

Hi Colm,

> What I meant with the point about the backend, is that it should be 
> configurable whether to just trust the signature of the presented auth token 
> as sufficient validation, without requiring any MySQL backend. For example, 
> the token might be issued by an IdP that HAS "trusts", where the IdP has an 
> identity backend of which HAS knows nothing about.

Now I understand what you mean. There are three reasons for using a backend:
1. If a user is using the new authentication mechanism (Kerberos-based token 
authentication), the TGT (ticket granting ticket) can be obtained without a 
backend. But a TGT is not enough to access the service; after getting the TGT, 
the next step is to get the SGT (ticket for service), and in this step the 
service principal is needed in the backend.
2. The new authentication mechanism is used by the end users, not at the 
service level; services are still strongly authenticated by Kerberos, logging 
in through their keytabs.
3. Users or admins sometimes want to use "kinit" to get a credential cache to 
manage the cluster, for compatibility.

> One final overall point, is that HAS looks a bit like a SecurityTokenService 
> (STS). Apache CXF ships with a STS that I am very familiar with. It is a web 
> application that supports a SOAP and REST interface to issue, validate tokens 
> etc, where you can "plug in" the tokens that are supported. It might be worth 
> exploring if the functionality of HAS could be integrated with the CXF STS.

I do not know much about SecurityTokenService. From your introduction, I think 
STS can issue and validate tokens; that is exactly the kind of existing 
authentication system HAS wants to plug in. We can write the client and server 
plugins for STS, then use STS in the HAS framework. Please correct me if I'm 
wrong.

We think it's more suitable to be integrated with Kerby for the following reasons:
1. The new authentication mechanism ("Kerberos-based token authentication") is 
based on the "TokenPreauth" provided in Kerby, using an AuthToken to exchange 
for a Kerberos ticket.
2. The REST APIs are not only for the new authentication; they also provide 
some useful interfaces, such as configuring the Kerby KDC, managing the Kerby 
backend and exporting keytab files. These could help make the Kerby KDC 
stronger.
3. HAS binds the webserver and the Kerby KDC very closely; they are all 
included in HasServer (we can rename it after merging). We could also think of 
the webserver as one part of the Kerby KDC, using the webserver for the KDC to 
receive some requests from HTTPS clients.

Thanks
Jiajia
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Wednesday, November 29, 2017 10:58 PM
To: Li, Jiajia <jiajia...@intel.com>
Cc: kerby@directory.apache.org; Apache Directory Developers List 
<d...@directory.apache.org>
Subject: Re: [DISCUSS] Merge HAS to Apache Kerby

Hi Jiajia,
What I meant with the point about the backend, is that it should be 
configurable whether to just trust the signature of the presented auth token as 
sufficient validation, without requiring any MySQL backend. For example, the 
token might be issued by an IdP that HAS "trusts", where the IdP has an 
identity backend of which HAS knows nothing about.

One final overall point, is that HAS looks a bit like a SecurityTokenService 
(STS). Apache CXF ships with a STS that I am very familiar with. It is a web 
application that supports a SOAP and REST interface to issue, validate tokens 
etc, where you can "plug in" the tokens that are supported. It might be worth 
exploring if the functionality of HAS could be integrated with the CXF STS.

Colm.


Thanks,
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Tuesday, November 28, 2017 9:12 PM
To: Li, Jiajia <jiajia...@intel.com>
Cc: kerby@directory.apache.org; Apache Directory Developers List 
<d...@directory.apache.org>
Subject: Re: [DISCUSS] Merge HAS to Apache Kerby
Subject: Re: [DISCUSS] Merge HAS to Apache Kerby
Thanks Jiajia, that was very helpful. I have some questions:

There are no HasClientPlugin implementations in the commit (unless I missed 
them). Is the plan to provide some later on, or is the user supposed to 
implement their own?

If we want to get Kerby to issue a TGT using an AuthToken currently, we have to 
use a tok

RE: [DISCUSS] Merge HAS to Apache Kerby

2017-11-29 Thread Li, Jiajia
Hi Colm,

> What I meant with the point about the backend, is that it should be 
> configurable whether to just trust the signature of the presented auth token 
> as sufficient validation, without requiring any MySQL backend. For example, 
> the token might be issued by an IdP that HAS "trusts", where the IdP has an 
> identity backend of which HAS knows nothing about.

Now I understand what you mean. There are three reasons for using a backend:
1. If a user is using the new authentication mechanism (Kerberos-based token 
authentication), the TGT (ticket granting ticket) can be obtained without a 
backend. But a TGT is not enough to access the service; after getting the TGT, 
the next step is to get the SGT (ticket for service), and in this step the 
service principal is needed in the backend.
2. The new authentication mechanism is used by the end users, not at the 
service level; services are still strongly authenticated by Kerberos, logging 
in through their keytabs.
3. Users or admins sometimes want to use "kinit" to get a credential cache to 
manage the cluster, for compatibility.

> One final overall point, is that HAS looks a bit like a SecurityTokenService 
> (STS). Apache CXF ships with a STS that I am very familiar with. It is a web 
> application that supports a SOAP and REST interface to issue, validate tokens 
> etc, where you can "plug in" the tokens that are supported. It might be worth 
> exploring if the functionality of HAS could be integrated with the CXF STS.

I do not know much about SecurityTokenService. From your introduction, I think 
STS can issue and validate tokens; that is exactly the kind of existing 
authentication system HAS wants to plug in. We can write the client and server 
plugins for STS, then use STS in the HAS framework. Please correct me if I'm 
wrong.

We think it's more suitable to be integrated with Kerby for the following reasons:
1. The new authentication mechanism ("Kerberos-based token authentication") is 
based on the "TokenPreauth" provided in Kerby, using an AuthToken to exchange 
for a Kerberos ticket.
2. The REST APIs are not only for the new authentication; they also provide 
some useful interfaces, such as configuring the Kerby KDC, managing the Kerby 
backend and exporting keytab files. These could help make the Kerby KDC 
stronger.
3. HAS binds the webserver and the Kerby KDC very closely; they are all 
included in HasServer (we can rename it after merging). We could also think of 
the webserver as one part of the Kerby KDC, using the webserver for the KDC to 
receive some requests from HTTPS clients.

Thanks
Jiajia
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Wednesday, November 29, 2017 10:58 PM
To: Li, Jiajia 
Cc: kerby@directory.apache.org; Apache Directory Developers List 

Subject: Re: [DISCUSS] Merge HAS to Apache Kerby

Hi Jiajia,
What I meant with the point about the backend, is that it should be 
configurable whether to just trust the signature of the presented auth token as 
sufficient validation, without requiring any MySQL backend. For example, the 
token might be issued by an IdP that HAS "trusts", where the IdP has an 
identity backend of which HAS knows nothing about.

One final overall point, is that HAS looks a bit like a SecurityTokenService 
(STS). Apache CXF ships with a STS that I am very familiar with. It is a web 
application that supports a SOAP and REST interface to issue, validate tokens 
etc, where you can "plug in" the tokens that are supported. It might be worth 
exploring if the functionality of HAS could be integrated with the CXF STS.

Colm.


Thanks,
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Tuesday, November 28, 2017 9:12 PM
To: Li, Jiajia <jiajia...@intel.com>
Cc: kerby@directory.apache.org; Apache Directory Developers List 
<d...@directory.apache.org>
Subject: Re: [DISCUSS] Merge HAS to Apache Kerby
Thanks Jiajia, that was very helpful. I have some questions:

There are no HasClientPlugin implementations in the commit (unless I missed 
them). Is the plan to provide some later on, or is the user supposed to 
implement their own?

If we want to get Kerby to issue a TGT using an AuthToken currently, we have to 
use a token armor cache. In HAS, when it queries Kerby to get a TGT using the 
verified AuthToken, is this just an "internal" call so we can avoid this step?

I'm not sure why we need to verify the user information in the SQL backend.
If the received AuthToken is signed by a trusted IdP, can we not just accept 
the identity of the user "as is" and skip this step?

KinitTool and KinitOption in has-client-tool duplicate the Kerby versions with 
just a few changes. Can the changes be rolled into Kerby to prevent code 
duplication?

Colm.

On Tue, Nov 28, 2017 at 2:16 AM, Li, Jiajia <ji

RE: [DISCUSS] Merge HAS to Apache Kerby

2017-11-28 Thread Li, Jiajia
Thanks Colm for taking the time to review.

> There are no HasClientPlugin implementations in the commit (unless I missed 
> them). Is the plan to provide some later on, or is the user supposed to 
> implement their own?

Users should implement their own plugins; they can customize them as they 
need, and we plan to provide a default implementation as an example in future 
work. 


> If we want to get Kerby to issue a TGT using an AuthToken currently, we have 
> to use a token armor cache. In HAS, when it queries Kerby to get a TGT using 
> the verified AuthToken, is this just an "internal" call so we can avoid this 
> step?

You are right; in HAS, the AuthToken and TGT are transferred over HTTPS between 
client and server, so we skip the step using the armor cache.


> I'm not sure why we need to verify the user information in the SQL backend.
> If the received AuthToken is signed by a trusted IdP, can we not just accept 
> the identity of the user "as is" and skip this step?

In the design, MySQL is not used as the backend; it's an example of an existing 
user authentication system.


> KinitTool and KinitOption in has-client-tool duplicate the Kerby versions 
> with just a few changes. Can the changes be rolled into Kerby to prevent code 
> duplication?

Sure, we will merge these tools.

Thanks,
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Tuesday, November 28, 2017 9:12 PM
To: Li, Jiajia 
Cc: kerby@directory.apache.org; Apache Directory Developers List 

Subject: Re: [DISCUSS] Merge HAS to Apache Kerby

Thanks Jiajia, that was very helpful. I have some questions:

There are no HasClientPlugin implementations in the commit (unless I missed 
them). Is the plan to provide some later on, or is the user supposed to 
implement their own?

If we want to get Kerby to issue a TGT using an AuthToken currently, we have to 
use a token armor cache. In HAS, when it queries Kerby to get a TGT using the 
verified AuthToken, is this just an "internal" call so we can avoid this step?

I'm not sure why we need to verify the user information in the SQL backend.
If the received AuthToken is signed by a trusted IdP, can we not just accept 
the identity of the user "as is" and skip this step?

KinitTool and KinitOption in has-client-tool duplicate the Kerby versions with 
just a few changes. Can the changes be rolled into Kerby to prevent code 
duplication?

Colm.

On Tue, Nov 28, 2017 at 2:16 AM, Li, Jiajia  wrote:

> Thanks Colm.
>
> > It sounds like a really interesting project.
> I'm glad to hear that.
>
> > Have you got any feedback from the Hadoop project about it?
> We haven't proposed this solution to the Hadoop community.
>
> > I'm finding it hard to understand exactly how it works though based 
> > on
> the README. Could you describe how it works from a really basic point 
> of view for say a simple Hadoop client? Normally I just have to use 
> "kinit" to get a kerberos ticket and then I am authenticated to invoke 
> on HDFS. How does HAS work differently? Where does the token pre-auth stuff 
> fit in?
>
> Following are the steps for a user accessing the HDFS service, taking the 
> command "hadoop fs -ls /" as an example:
> 1. The user runs the command "hadoop fs -ls /".
> 2. Hadoop client will call the "HasLoginModule",
> https://github.com/apache/directory-kerby/blob/has-
> project/has/has-client/src/main/java/org/apache/hadoop/
> has/client/HasLoginModule.java
> 3. "HasLoginModule" will call the "HasClient", 
> https://github.com/apache/ 
> directory-kerby/blob/438904f7e557a085c8c336efd2d2be
> 304291d246/has/has-client/src/main/java/org/apache/hadoop/
> has/client/HasLoginModule.java#L237
> 4. "HasClient" will get the plugin type from the config, then choose the 
> right client plugin; the client plugin will collect and add some user 
> info to the "AuthToken". The following is the client plugin interface:
>
> // Get the login module type ID, used to distinguish this module from 
> others.
> // Should correspond to the server side module.
> String getLoginType()
>
> // Perform all the client side login logic; the results, wrapped in an 
> // AuthToken, will be validated by the HAS server.
> AuthToken login(Conf loginConf) throws HasLoginException
>
> 5. Then "HasClient" sends the "AuthToken" to the HAS server over HTTPS.
> 6. After the HAS server receives the message, it will call the server 
> plugin; the server plugin will verify the user info in the AuthToken. The 
> following is the server plugin interface:
>
> // Get the login module type ID, used to distinguish this module from 
> others.
> // Should correspond to the client side mod

RE: [DISCUSS] Merge HAS to Apache Kerby

2017-11-27 Thread Li, Jiajia
Thanks Colm.

> It sounds like a really interesting project. 
I'm glad to hear that.

> Have you got any feedback from the Hadoop project about it?
We haven't proposed this solution to the Hadoop community.

> I'm finding it hard to understand exactly how it works though based on the 
> README. Could you describe how it works from a really basic point of view for 
> say a simple Hadoop client? Normally I just have to use "kinit" to get a 
> kerberos ticket and then I am authenticated to invoke on HDFS. How does HAS 
> work differently? Where does the token pre-auth stuff fit in?

Following are the steps for a user accessing the HDFS service, taking the 
command "hadoop fs -ls /" as an example:
1. The user runs the command "hadoop fs -ls /".
2. The Hadoop client will call the "HasLoginModule": 
https://github.com/apache/directory-kerby/blob/has-project/has/has-client/src/main/java/org/apache/hadoop/has/client/HasLoginModule.java
3. "HasLoginModule" will call the "HasClient": 
https://github.com/apache/directory-kerby/blob/438904f7e557a085c8c336efd2d2be304291d246/has/has-client/src/main/java/org/apache/hadoop/has/client/HasLoginModule.java#L237
4. "HasClient" will get the plugin type from the config, then choose the right 
client plugin; the client plugin will collect and add some user info to the 
"AuthToken". The following is the client plugin interface:

// Get the login module type ID, used to distinguish this module from others. 
// Should correspond to the server side module.
String getLoginType()

// Perform all the client side login logic; the results, wrapped in an 
// AuthToken, will be validated by the HAS server.
AuthToken login(Conf loginConf) throws HasLoginException

5. Then "HasClient" sends the "AuthToken" to the HAS server over HTTPS.
6. After the HAS server receives the message, it will call the server plugin; 
the server plugin will verify the user info in the AuthToken. The following is 
the server plugin interface:

// Get the login module type ID, used to distinguish this module from others. 
// Should correspond to the client side module.
String getLoginType()

// Perform all the server side authentication logic; the results, wrapped in an 
// "AuthToken", will be used to exchange for a Kerberos ticket.
AuthToken authenticate(AuthToken userToken) throws HasAuthenException

7. If the user info is verified by the existing user authentication system, the 
server plugin will return the verified "AuthToken" to the Kerby KDC.
8. The Kerby KDC will issue the TGT using TokenPreauth, then send the TGT to 
HasClient over HTTPS.
9. Now the user is logged in successfully and can continue with the other 
steps, such as getting an SGT.

This replaces the step of getting a Kerberos ticket through "kinit". There are 
two important benefits:
1. The user's principal may not be in the backend, so security admins won't 
have to migrate and sync up their user accounts to Kerberos back and forth.
2. Multiple users can run jobs at the same time on the same machine, by 
collecting user info from environment variables in step 4.


Thanks,
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Monday, November 27, 2017 6:54 PM
To: kerby@directory.apache.org
Cc: Apache Directory Developers List 
Subject: Re: [DISCUSS] Merge HAS to Apache Kerby

Hi Jiajia,

It sounds like a really interesting project. Have you got any feedback from the 
Hadoop project about it?

I'm finding it hard to understand exactly how it works though based on the 
README. Could you describe how it works from a really basic point of view for 
say a simple Hadoop client? Normally I just have to use "kinit" to get a 
kerberos ticket and then I am authenticated to invoke on HDFS. How does HAS 
work differently? Where does the token pre-auth stuff fit in?

Colm.


On Fri, Nov 24, 2017 at 3:30 AM, Li, Jiajia  wrote:

> Hi all,
>
> I would like to post a proposal about merging a new project HAS 
> (Hadoop Authentication Service) to Apache Kerby. HAS is led by Intel 
> and Alibaba, it is a solution to support the authentication of open 
> source big data ecosystem in cloud computing platforms. I've created a 
> new branch "has-project" in Kerby, HAS is under "has" folder. Please 
> look at https://github.com/apache/directory-kerby/tree/has-project/has 
> for details.
>
> Background and motivation:
> At present, the open source big data ecosystems (Hadoop/Spark) only 
> has the built-in Kerberos support on the security authentication. HAS 
> aims to build a standalone authentication service for the big data 
> ecosystem that simplifies the support of Kerberos and allows to use 
> more authentication methods.
>
> Targets users:
> HAS supports various authentication mechanisms other than just 
> Ke
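The login flow in steps 4 to 8 above, together with the question raised in the 2017-12-04 messages earlier on this page (trust the IdP's signature on the AuthToken as sufficient, or also require the principal in the KDC backend), modelled end to end as an added Python example. This is not HAS or Kerby code; the Java plugin interfaces quoted above are only mirrored by method name. Everything in it is constructed: the "existing user authentication system" (the IdP), its HMAC-SHA256 key standing in for whatever signature a real IdP uses, the user table, the realm, the backend contents, and the absence of the HTTPS hop between HasClient and the HAS server.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed data for the example: the key shared by the existing user
# authentication system (the "IdP") and the HAS server plugin, the realm,
# the principals in the KDC identity backend, and the IdP's own user table.
# carol is known to the IdP but has no principal in the KDC backend.
IDP_KEY = b"constructed-idp-signing-key"
TRUSTED_ISSUER = "example-idp"
HAS_AUDIENCE = "has-server"
REALM = "EXAMPLE.COM"
KDC_BACKEND = {"alice@EXAMPLE.COM", "hdfs/nn.example.com@EXAMPLE.COM"}
IDP_USERS = {"alice": "alice-pw", "carol": "carol-pw"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue(user: str, password: str, now: int) -> str:
    """Stand-in for the existing authentication system: check the password and
    return a signed AuthToken as 'payload.signature' (HMAC-SHA256 here)."""
    if IDP_USERS.get(user) != password:
        raise PermissionError("bad credentials")
    claims = {"iss": TRUSTED_ISSUER, "sub": user, "aud": HAS_AUDIENCE,
              "iat": now, "exp": now + 300}
    payload = b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).digest()
    return payload + "." + b64url(sig)


class ExampleClientPlugin:
    """Plays the client plugin role: collect the user's info into an AuthToken."""

    def get_login_type(self) -> str:
        return "example"

    def login(self, conf: dict, now: int) -> str:
        # conf stands in for the per-user environment HAS reads in step 4.
        return idp_issue(conf["user"], conf["password"], now)


class ExampleServerPlugin:
    """Plays the server plugin role: verify the AuthToken before the KDC sees it.
    require_backend is the switch the thread discusses: whether a trusted IdP
    signature alone is enough, or the principal must also exist in the backend."""

    def __init__(self, require_backend: bool):
        self.require_backend = require_backend

    def get_login_type(self) -> str:
        return "example"

    def authenticate(self, user_token: str, now: int) -> dict:
        payload, _, sig = user_token.partition(".")
        expected = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).digest()
        # Check the signature before parsing anything, and in constant time.
        if not hmac.compare_digest(expected, unb64url(sig)):
            raise PermissionError("bad signature")
        claims = json.loads(unb64url(payload))
        # Pin issuer and audience so a token minted for another service, or by
        # an IdP HAS does not trust, cannot be replayed here.
        if claims.get("iss") != TRUSTED_ISSUER:
            raise PermissionError("untrusted issuer")
        if claims.get("aud") != HAS_AUDIENCE:
            raise PermissionError("token not issued for HAS")
        if now >= claims["exp"]:
            raise PermissionError("token expired")
        principal = claims["sub"] + "@" + REALM
        if self.require_backend and principal not in KDC_BACKEND:
            raise PermissionError("principal not in KDC backend")
        return {"subject": principal, "issuer": claims["iss"], "exp": claims["exp"]}


def kdc_issue_tgt(verified: dict, now: int) -> dict:
    """Stand-in for the KDC's TokenPreauth step (step 8): only a token the
    server plugin has already verified reaches this point."""
    return {"cname": verified["subject"],
            "sname": "krbtgt/" + REALM + "@" + REALM,
            "endtime": now + 10 * 3600}


def has_login(conf: dict, require_backend: bool, now: int) -> dict:
    """Steps 4 to 8 end to end; the HTTPS hop between HasClient and the HAS
    server is elided, the token simply passes from one plugin to the other."""
    token = ExampleClientPlugin().login(conf, now)
    verified = ExampleServerPlugin(require_backend).authenticate(token, now)
    return kdc_issue_tgt(verified, now)


if __name__ == "__main__":
    print(has_login({"user": "alice", "password": "alice-pw"}, True, int(time.time())))
```

The order inside authenticate is the point: the signature is checked before the payload is parsed, the issuer and audience are pinned, expiry is enforced against the server's clock, and only then does the backend question arise. With require_backend set to False, carol gets a TGT on the strength of the IdP signature alone, which is exactly the case where the krbtgt/REALM@REALM and service principals still have to live somewhere for the later SGT step.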

RE: [DISCUSS] Merge HAS to Apache Kerby

2017-11-26 Thread Li, Jiajia
DC via REST and to be able to plugin other authentication providers, am 
I right? Then it totally makes sense to include it into Kerby. But in that case 
I'd suggest to change the names.

Kind Regards,
Stefan



On 11/24/2017 04:30 AM, Li, Jiajia wrote:
> Hi all,
> 
> I would like to post a proposal about merging a new project, HAS (Hadoop 
> Authentication Service), into Apache Kerby. HAS is led by Intel and Alibaba; 
> it is a solution to support authentication for the open source big data 
> ecosystem on cloud computing platforms. I've created a new branch "has-project" 
> in Kerby; HAS is under the "has" folder. Please look at 
> https://github.com/apache/directory-kerby/tree/has-project/has for details.
> 
> Background and motivation:
> At present, the open source big data ecosystems (Hadoop/Spark) only have 
> built-in Kerberos support for security authentication. HAS aims to build a 
> standalone authentication service for the big data ecosystem that simplifies 
> the support of Kerberos and allows more authentication methods to be used.
> 
> Target users:
> HAS supports various authentication mechanisms other than just Kerberos, and 
> it provides a new authentication mechanism that can be easily customized and 
> plugged into an existing user authentication and authorization system, so 
> security admins won't have to migrate and sync up their user accounts to 
> Kerberos back and forth.
> 
> Architecture & Design:
> HAS provides a new authentication mechanism ("Kerberos-based token 
> authentication"), depending on the "TokenPreauth" provided by Apache Kerby. 
> Please look at 
> https://github.com/apache/directory-kerby/blob/has-project/has/README.md for 
> details.
> 
> Features:
> 1.  Provides new authentication mechanism plugin APIs to customize and 
> plugin with existing user authentication and authorization system. Please 
> look at 
> https://github.com/apache/directory-kerby/blob/has-project/has/README.md for 
> details.
> 2.  Provides lots of REST APIs and facility tools to simplify the support 
> of Kerberos. Kerberos is essentially a protocol, or secure channel, doesn't 
> have to be that complex to users. Please look at 
> https://github.com/apache/directory-kerby/blob/has-project/has/doc/rest-api.md
>  for details.
> 3.  Provides MySQL backend for High Availability. Please look at 
> https://github.com/apache/directory-kerby/blob/has-project/has/doc/mysql-backend.md
>  for details.
> 4.  New authentication mechanism now supports most of the components of 
> open source big data ecosystem with little or no changes to components, 
> including HDFS, HBase, Zookeeper, Hive, Spark Please look at 
> https://github.com/apache/directory-kerby/tree/has-project/has/supports for 
> details.
> 
> Practice
> This solution has been deployed in Alibaba Cloud E-MapReduce production.
> 
> Why to merge?
> HAS provides a complete Hadoop/Spark authentication framework and solution 
> based on Kerberos, HAS can help to upgrade Kerby KDC, make it more solid and 
> stronger. And if HAS can be merged to Apache Kerby, community will help HAS 
> grow faster and users can more easily using this solution in their own 
> production. We have two suggestions about how to merge:
> - Option1:
> Create a standalone module "kerby-has", putting HAS project under this module.
> - Option2:
> Suggest replacing kerby-kdc module with HAS, upgrade the Kerby KDC.
> 
> Contributors:
> Jiajia, Li (Intel)
> Lin, Zeng (Intel)
> Zhiqiang, Zhang (Intel)
> Kai, Zheng (Intel)
> Wei, Wu (Alibaba)
> Jun, Song (Alibaba)
> Long, Cao (Alibaba)
> Zhenyuan, Wei (Alibaba)
> 
> Your review efforts are truly appreciated, please feel free to provide us 
> your feedback.
> 
> Regards,
> Jiajia
> 
> 
> 
> 



RE: [DISCUSS] Merge HAS to Apache Kerby

2017-11-26 Thread Li, Jiajia
Thanks Emmanuel.

> Is there some information on HAS, before it was added in a branch?
> Typically, where does it come from (ie, the history), specs, documentation, 
> etc?

HAS is a private repo under https://github.com/Intel-bigdata, and I've moved 
all the specs and docs to  
https://github.com/apache/directory-kerby/tree/has-project/has/doc 


> We would really need ICLA for each of those contributors who haven't already 
> sent one, and most certainly a CCLA from Intel and Alibaba.

Yes, all the contributors can provide the ICLA; I think Kai, Lin and I 
already sent one.


> Otherwise, assuming we check the code base is 'safe' (ie no problem with any 
> of its dependencies, and clean copyright), I would say I won't oppose such a 
> move.

We will take some time to check the license and copyright ASAP.


Thanks,
Jiajia



-Original Message-
From: Emmanuel Lécharny [mailto:elecha...@gmail.com] 
Sent: Saturday, November 25, 2017 9:14 PM
To: kerby@directory.apache.org
Subject: Re: [DISCUSS] Merge HAS to Apache Kerby

Hi Jiajia,


Le 24/11/2017 à 04:30, Li, Jiajia a écrit :
> Hi all,
>
> I would like to post a proposal about merging a new project, HAS (Hadoop 
> Authentication Service), into Apache Kerby. HAS is led by Intel and Alibaba; it 
> is a solution to support the authentication of the open source big data ecosystem 
> in cloud computing platforms. I've created a new branch "has-project" in 
> Kerby; HAS is under the "has" folder. Please look at 
> https://github.com/apache/directory-kerby/tree/has-project/has for details.

Is there some information on HAS, before it was added in a branch?
Typically, where does it come from (ie, the history), specs, documentation, etc?
>
> Background and motivation:
> At present, the open source big data ecosystems (Hadoop/Spark) only have 
> built-in Kerberos support for security authentication. HAS aims to build a 
> standalone authentication service for the big data ecosystem that simplifies 
> the support of Kerberos and allows more authentication methods to be used.
>
> Target users:
> HAS supports various authentication mechanisms other than just Kerberos, and 
> it provides a new authentication mechanism that can be easily customized and 
> plugged into existing user authentication and authorization systems, and security 
> admins won't have to migrate and sync up their user accounts to Kerberos back 
> and forth.
>
> Architecture & Design:
> HAS provides a new authentication mechanism ("Kerberos-based token 
> authentication"), depending on the "TokenPreauth" provided by Apache Kerby. 
> Please look at 
> https://github.com/apache/directory-kerby/blob/has-project/has/README.md for 
> details.
>
> Features:
> 1.  Provides new authentication mechanism plugin APIs to customize and 
> plug into existing user authentication and authorization systems. Please 
> look at 
> https://github.com/apache/directory-kerby/blob/has-project/has/README.md for 
> details.
> 2.  Provides lots of REST APIs and facility tools to simplify the support 
> of Kerberos. Kerberos is essentially a protocol, or secure channel; it doesn't 
> have to be that complex for users. Please look at 
> https://github.com/apache/directory-kerby/blob/has-project/has/doc/rest-api.md
> for details.
> 3.  Provides a MySQL backend for High Availability. Please look at 
> https://github.com/apache/directory-kerby/blob/has-project/has/doc/mysql-backend.md
> for details.
> 4.  The new authentication mechanism now supports most of the components of 
> the open source big data ecosystem with little or no changes to the components, 
> including HDFS, HBase, Zookeeper, Hive and Spark. Please look at 
> https://github.com/apache/directory-kerby/tree/has-project/has/supports for 
> details.
>
> Practice:
> This solution has been deployed in Alibaba Cloud E-MapReduce production.
>
> Why merge?
> HAS provides a complete Hadoop/Spark authentication framework and solution 
> based on Kerberos; HAS can help to upgrade the Kerby KDC and make it more solid 
> and stronger. And if HAS can be merged into Apache Kerby, the community will help 
> HAS grow faster and users can more easily use this solution in their own 
> production. We have two suggestions about how to merge:
> - Option 1:
> Create a standalone module "kerby-has", putting the HAS project under this module.
> - Option 2:
> Replace the kerby-kdc module with HAS, upgrading the Kerby KDC.
>
> Contributors:
> Jiajia, Li (Intel)
> Lin, Zeng (Intel)
> Zhiqiang, Zhang (Intel)
> Kai, Zheng (Intel)
> Wei, Wu (Alibaba)
> Jun, Song (Alibaba)
> Long, Cao (Alibaba)
> Zhenyuan, Wei (Alibaba)

We would really need ICLA for each of those contributors who 

[DISCUSS] Merge HAS to Apache Kerby

2017-11-23 Thread Li, Jiajia
Hi all,

I would like to post a proposal about merging a new project, HAS (Hadoop 
Authentication Service), into Apache Kerby. HAS is led by Intel and Alibaba; it is 
a solution to support the authentication of the open source big data ecosystem in 
cloud computing platforms. I've created a new branch "has-project" in Kerby; 
HAS is under the "has" folder. Please look at 
https://github.com/apache/directory-kerby/tree/has-project/has for details.

Background and motivation:
At present, the open source big data ecosystems (Hadoop/Spark) only have 
built-in Kerberos support for security authentication. HAS aims to build a 
standalone authentication service for the big data ecosystem that simplifies 
the support of Kerberos and allows more authentication methods to be used.

Target users:
HAS supports various authentication mechanisms other than just Kerberos, and it 
provides a new authentication mechanism that can be easily customized and plugged 
into existing user authentication and authorization systems, and security admins 
won't have to migrate and sync up their user accounts to Kerberos back and 
forth.

Architecture & Design:
HAS provides a new authentication mechanism ("Kerberos-based token 
authentication"), depending on the "TokenPreauth" provided by Apache Kerby. 
Please look at 
https://github.com/apache/directory-kerby/blob/has-project/has/README.md for 
details.

Features:
1.  Provides new authentication mechanism plugin APIs to customize and 
plug into existing user authentication and authorization systems. Please look 
at https://github.com/apache/directory-kerby/blob/has-project/has/README.md for 
details.
2.  Provides lots of REST APIs and facility tools to simplify the support 
of Kerberos. Kerberos is essentially a protocol, or secure channel; it doesn't 
have to be that complex for users. Please look at 
https://github.com/apache/directory-kerby/blob/has-project/has/doc/rest-api.md 
for details.
3.  Provides a MySQL backend for High Availability. Please look at 
https://github.com/apache/directory-kerby/blob/has-project/has/doc/mysql-backend.md
for details.
4.  The new authentication mechanism now supports most of the components of 
the open source big data ecosystem with little or no changes to the components, 
including HDFS, HBase, Zookeeper, Hive and Spark. Please look at 
https://github.com/apache/directory-kerby/tree/has-project/has/supports for 
details.

Practice:
This solution has been deployed in Alibaba Cloud E-MapReduce production.

Why merge?
HAS provides a complete Hadoop/Spark authentication framework and solution 
based on Kerberos; HAS can help to upgrade the Kerby KDC and make it more solid 
and stronger. And if HAS can be merged into Apache Kerby, the community will help 
HAS grow faster and users can more easily use this solution in their own 
production. We have two suggestions about how to merge:
- Option 1:
Create a standalone module "kerby-has", putting the HAS project under this module.
- Option 2:
Replace the kerby-kdc module with HAS, upgrading the Kerby KDC.

Contributors:
Jiajia, Li (Intel)
Lin, Zeng (Intel)
Zhiqiang, Zhang (Intel)
Kai, Zheng (Intel)
Wei, Wu (Alibaba)
Jun, Song (Alibaba)
Long, Cao (Alibaba)
Zhenyuan, Wei (Alibaba)

Your review efforts are truly appreciated, please feel free to provide us your 
feedback.

Regards,
Jiajia





RE: [VOTE] - Release Apache Kerby 1.1.0

2017-11-22 Thread Li, Jiajia
+1
Built successfully, all tests passed, with Java 8 on CentOS 6.

Regards,
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Tuesday, November 21, 2017 7:30 PM
To: Apache Directory Developers List ; 
kerby@directory.apache.org
Subject: [VOTE] - Release Apache Kerby 1.1.0

This is a vote to release Apache Kerby 1.1.0. This is a new major release of 
Apache Kerby, which implements cross-realm support, and also includes a GSSAPI 
module.

The list of issues fixed is here:

https://issues.apache.org/jira/projects/DIRKRB/versions/12341144

Maven artifacts:

https://repository.apache.org/content/repositories/orgapachedirectory-1150/

In particular, the source distribution:

https://repository.apache.org/content/repositories/orgapachedirectory-1150/org/apache/kerby/kerby-all/1.1.0/

+1 from me.


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


RE: Kerby Update

2017-11-06 Thread Li, Jiajia
Hi Colm,

Have you added the same krbtgt/b.example@a.example.com principal in both kdc1 
and kdc2?

Thanks,
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Monday, November 6, 2017 7:15 PM
To: kerby@directory.apache.org
Subject: Re: Kerby Update

Hi Jiajia,

Thanks for your reply, I can't get it working though. I'm using two Kerby 
distributions (kdc1 and kdc2) as well as the tool dist. Is this feature fully 
implemented on the Kerby side for kdc2, or is it only tested with an MIT KDC by 
any chance?

sh bin/kinit.sh -conf conf al...@a.example.com
Password for al...@a.example.com:
Successfully requested and stored ticket in /tmp/krb5cc_1000

sh bin/kinit.sh -conf conf -c /tmp/krb5cc_1000 -S serv...@b.example.com
Kinit: get service ticket failed: Fail to get the tgs entry for remote
realm: A.EXAMPLE.COM with error code: UNKNOWN_ERR

Colm.


On Mon, Nov 6, 2017 at 1:46 AM, Li, Jiajia  wrote:

> Hi Colm,
>
> >>>a) What information is required in the krb5.conf of the tool-dist?
> The capaths, realms, domain_realm sections are required, the same as for 
> MIT Kerberos.
>
>
> >>>b) Could you give an example (using the A.EXAMPLE.COM + 
> >>>B.EXAMPLE.COM
> >>>realms) for the "Validate" section of the docs (
> https://github.com/apache/directory-kerby/blob/trunk/docs/cross-realm.md)?
>
> To validate that the user ("test") within realm A.EXAMPLE.COM is trusted to 
> access the resource ("hdfs") in another realm B.EXAMPLE.COM, do the 
> following steps (the conf dir is "conf"):
> 1. sh bin/kinit.sh -conf conf t...@a.example.com
> We will get the credential cache ("/tmp/krb5cc_0")
> 2. sh bin/kinit.sh -conf conf -c /tmp/krb5cc_0 -S h...@b.example.com
> Then we will get the service tgt; MIT Kerberos uses "kvno" to get the 
> service tgt in this step.
>
>
> Thanks,
> Jiajia
>
> -Original Message-
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Friday, November 3, 2017 7:04 PM
> To: kerby@directory.apache.org
> Subject: Re: Kerby Update
>
> Hi Jiajia,
>
> I've been trying to get this new feature working, but unsuccessfully 
> so far
> - I get an error:
>
> 2017-11-03 10:58:41  INFO{DefaultInternalKrbClient.java:82}-Send to 
> kdc success.
> 2017-11-03 10:58:41  INFO{KrbHandler.java:120}-KDC server response 
> with
> message: Unknown error
> 2017-11-03 10:58:41  INFO{KrbHandler.java:142}-Unknown error
>
> Could you clarify a few points for me please...
>
> a) What information is required in the krb5.conf of the tool-dist?
> b) Could you give an example (using the A.EXAMPLE.COM + B.EXAMPLE.COM
> realms) for the "Validate" section of the docs ( 
> https://github.com/apache/directory-kerby/blob/trunk/docs/cross-realm.md)?
> It's a little unclear as to how exactly it should be used.
>
> Colm.
>
> On Mon, Oct 23, 2017 at 2:22 AM, Li, Jiajia  wrote:
>
> > Hi all,
> >
> > Recently we have implemented cross-realm authentication support: a 
> > KDC in one realm can authenticate users in a different realm, so it 
> > allows a client from another realm to access the cluster. Cross-realm 
> > authentication is accomplished by sharing a secret key between the 
> > two realms. Both backends should have the krbtgt service 
> > principals for the realms with the same passwords, key version numbers, and 
> > encryption types.
> > We have used this feature in a Hadoop cluster: after establishing 
> > cross-realm trust between two secure Hadoop clusters with their own 
> > realms, copying data between the two secure clusters now works. And 
> > this support can also be used to build a trust relationship with an MIT 
> > Kerberos KDC, and we have tested compatibility.
> >
> > Here is the document about setting up cross realm:
> > https://github.com/apache/directory-kerby/blob/trunk/docs/cross-realm.md
> >
> > Thanks,
> > Jiajia
> >
> >
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


RE: Transitive dependencies in the distributions

2017-11-05 Thread Li, Jiajia
Hi Colm,

Which commit or patch led to this issue?

Thanks,
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Friday, November 3, 2017 7:06 PM
To: kerby@directory.apache.org
Subject: Transitive dependencies in the distributions

Hi all,

We are excluding transitive dependencies when copying the dependencies to the 
target/lib directory in the distributions. I'm wondering why? For example, I 
get an error due to the common jar not being present:

  Caused by: java.lang.ClassNotFoundException:
org.apache.kerby.kerberos.kerb.KrbException
at java.net.URLClassLoader.findClass(URLClassLoader.java:381)

Colm.


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


RE: Kerby Update

2017-11-05 Thread Li, Jiajia
Hi Colm,

>>>a) What information is required in the krb5.conf of the tool-dist?
The capaths, realms, domain_realm sections are required, the same as for MIT 
Kerberos.


>>>b) Could you give an example (using the A.EXAMPLE.COM + B.EXAMPLE.COM
>>>realms) for the "Validate" section of the docs ( 
>>>https://github.com/apache/directory-kerby/blob/trunk/docs/cross-realm.md)?

To validate that the user ("test") within realm A.EXAMPLE.COM is trusted to access 
the resource ("hdfs") in another realm B.EXAMPLE.COM, do the following steps (the 
conf dir is "conf"):
1. sh bin/kinit.sh -conf conf t...@a.example.com
We will get the credential cache ("/tmp/krb5cc_0")
2. sh bin/kinit.sh -conf conf -c /tmp/krb5cc_0 -S h...@b.example.com
Then we will get the service tgt; MIT Kerberos uses "kvno" to get the service tgt 
in this step.


Thanks,
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Friday, November 3, 2017 7:04 PM
To: kerby@directory.apache.org
Subject: Re: Kerby Update

Hi Jiajia,

I've been trying to get this new feature working, but unsuccessfully so far
- I get an error:

2017-11-03 10:58:41  INFO{DefaultInternalKrbClient.java:82}-Send to kdc success.
2017-11-03 10:58:41  INFO{KrbHandler.java:120}-KDC server response with
message: Unknown error
2017-11-03 10:58:41  INFO{KrbHandler.java:142}-Unknown error

Could you clarify a few points for me please...

a) What information is required in the krb5.conf of the tool-dist?
b) Could you give an example (using the A.EXAMPLE.COM + B.EXAMPLE.COM
realms) for the "Validate" section of the docs ( 
https://github.com/apache/directory-kerby/blob/trunk/docs/cross-realm.md)?
It's a little unclear as to how exactly it should be used.

Colm.

On Mon, Oct 23, 2017 at 2:22 AM, Li, Jiajia  wrote:

> Hi all,
>
> Recently we have implemented cross-realm authentication support: a 
> KDC in one realm can authenticate users in a different realm, so it 
> allows a client from another realm to access the cluster. Cross-realm 
> authentication is accomplished by sharing a secret key between the two 
> realms. Both backends should have the krbtgt service principals for 
> the realms with the same passwords, key version numbers, and encryption types. 
> We have used this feature in a Hadoop cluster: after establishing 
> cross-realm trust between two secure Hadoop clusters with their own realms, 
> copying data between the two secure clusters now works. And this 
> support can also be used to build a trust relationship with an MIT Kerberos 
> KDC, and we have tested compatibility.
>
> Here is the document about setting up cross realm:
> https://github.com/apache/directory-kerby/blob/trunk/docs/cross-realm.md
>
> Thanks,
> Jiajia
>
>


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


Kerby Update

2017-10-22 Thread Li, Jiajia
Hi all,

Recently we have implemented cross-realm authentication support: a KDC in one 
realm can authenticate users in a different realm, so it allows a client from 
another realm to access the cluster. Cross-realm authentication is accomplished 
by sharing a secret key between the two realms. Both backends should have 
the krbtgt service principals for the realms with the same passwords, key version 
numbers, and encryption types. We have used this feature in a Hadoop cluster: 
after establishing cross-realm trust between two secure Hadoop clusters with 
their own realms, copying data between the two secure clusters now works. And 
this support can also be used to build a trust relationship with an MIT Kerberos 
KDC, and we have tested compatibility.

Here is the document about setting up cross realm:
https://github.com/apache/directory-kerby/blob/trunk/docs/cross-realm.md

Thanks,
Jiajia
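As an added example (not Kerby's own code), here are the prerequisites this post and the "Kerby Update" reply above describe, turned into a pre-flight check over constructed sample backends: both KDCs must hold krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM and krbtgt/A.EXAMPLE.COM@B.EXAMPLE.COM with the same password, kvno and enctypes, and the tool-dist krb5.conf needs the capaths, realms and domain_realm sections. The dict model of a backend, the function names, the string-to-key stand-in and the sample data are all assumptions made for the example.

```python
"""Pre-flight check for cross-realm trust between two Kerberos realms.

Added example, not part of Apache Kerby. The two KDC backends are modelled
as plain dicts of constructed sample data; the checks are the prerequisites
named in the thread (both backends hold the cross-realm krbtgt principals
with the same password, kvno and enctypes) plus a client krb5.conf carrying
the [realms], [domain_realm] and [capaths] sections.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """One principal in a KDC backend: key version number and per-enctype keys."""
    kvno: int
    keys: dict  # enctype name -> key bytes


def string_to_key(password: str, principal: str, enctype: str) -> bytes:
    """Stand-in for the Kerberos string-to-key function (constructed, not RFC 3962).
    A real KDC salts with the principal name, so the same password on both
    sides yields the same key; only that property is mirrored here."""
    salt = f"{principal}|{enctype}".encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 4096, dklen=32)


def add_cross_realm_principal(backend: dict, principal: str, password: str,
                              kvno: int, enctypes) -> None:
    """Models adding krbtgt/B@A to one backend the way kadmin would."""
    backend[principal] = Entry(kvno, {et: string_to_key(password, principal, et)
                                      for et in enctypes})


def cross_realm_principals(realm_a: str, realm_b: str):
    """Trust in both directions needs two krbtgt principals, each stored in BOTH backends."""
    return [f"krbtgt/{realm_b}@{realm_a}", f"krbtgt/{realm_a}@{realm_b}"]


def check_trust(backend_a: dict, backend_b: dict, realm_a: str, realm_b: str):
    """Return a list of problems; an empty list means the shared-secret setup is consistent."""
    problems = []
    for princ in cross_realm_principals(realm_a, realm_b):
        missing = [r for r, db in ((realm_a, backend_a), (realm_b, backend_b)) if princ not in db]
        if missing:
            # Compare the "Fail to get the tgs entry for remote realm" error in the
            # thread: the reply asks whether the principal was added on both KDCs.
            problems.append(f"{princ}: missing from KDC backend of {', '.join(missing)}")
            continue
        a, b = backend_a[princ], backend_b[princ]
        if a.kvno != b.kvno:
            problems.append(f"{princ}: kvno differs ({a.kvno} vs {b.kvno})")
        if set(a.keys) != set(b.keys):
            problems.append(f"{princ}: enctypes differ ({sorted(a.keys)} vs {sorted(b.keys)})")
        for et in sorted(set(a.keys) & set(b.keys)):
            if a.keys[et] != b.keys[et]:
                problems.append(f"{princ}: {et} key differs (different password on each side)")
    return problems


def render_krb5_conf(default_realm: str, kdcs: dict) -> str:
    """Client-side krb5.conf for the tool-dist; kdcs maps realm name -> KDC host:port.
    With two realms a direct path suffices, so [capaths] marks each pair as '.'."""
    realms = list(kdcs)
    lines = ["[libdefaults]", f"    default_realm = {default_realm}", "", "[realms]"]
    for realm, kdc in kdcs.items():
        lines += [f"    {realm} = {{", f"        kdc = {kdc}", "    }"]
    lines += ["", "[domain_realm]"]
    for realm in realms:
        lines += [f"    .{realm.lower()} = {realm}", f"    {realm.lower()} = {realm}"]
    lines += ["", "[capaths]"]
    for realm in realms:
        lines.append(f"    {realm} = {{")
        lines += [f"        {other} = ." for other in realms if other != realm]
        lines.append("    }")
    return "\n".join(lines) + "\n"


# Constructed sample: kdc1 serves A.EXAMPLE.COM and kdc2 serves B.EXAMPLE.COM.
A, B = "A.EXAMPLE.COM", "B.EXAMPLE.COM"
ENCTYPES = ("aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96")


def consistent_backends():
    """Both krbtgt principals added to both backends with one shared password and kvno."""
    kdc1, kdc2 = {}, {}
    for princ in cross_realm_principals(A, B):
        for db in (kdc1, kdc2):
            add_cross_realm_principal(db, princ, "shared-trust-secret", 1, ENCTYPES)
    return kdc1, kdc2


def broken_backends():
    """kdc2 never got krbtgt/B@A, and its copy of krbtgt/A@B was created with kvno 2."""
    kdc1, kdc2 = {}, {}
    for princ in cross_realm_principals(A, B):
        add_cross_realm_principal(kdc1, princ, "shared-trust-secret", 1, ENCTYPES)
    add_cross_realm_principal(kdc2, f"krbtgt/{A}@{B}", "shared-trust-secret", 2, ENCTYPES)
    return kdc1, kdc2


if __name__ == "__main__":
    for problem in check_trust(*broken_backends(), A, B):
        print("PROBLEM:", problem)
    print(render_krb5_conf(A, {A: "kdc1.a.example.com:88", B: "kdc2.b.example.com:88"}))
```

Run against a real deployment you would feed check_trust the principal listings exported from each KDC rather than the constructed dicts; the kinit steps in the thread remain the end-to-end test.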



RE: [VOTE] - Release Apache Kerby 1.0.1

2017-09-13 Thread Li, Jiajia
Hi Colm,
Has 1.0.1 been released? Could I use the 1.0.1 release version now?

Thanks,
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Monday, September 4, 2017 6:48 PM
To: kerby@directory.apache.org
Subject: Re: [VOTE] - Release Apache Kerby 1.0.1

Thanks to everyone who voted. We have 6 binding +1 votes, and one non-binding 
+1 vote, and so this vote passes - I'll do the release.

Colm.

On Mon, Sep 4, 2017 at 7:49 AM, Emmanuel Lécharny 
wrote:

> Finally whipped it :-)
>
>
> Built from tag and package, N&L checked : all is good
>
>
> +1 !
>
>
> Le 30/08/2017 à 12:30, Colm O hEigeartaigh a écrit :
> > This is a vote to release Apache Kerby 1.0.1.
> >
> > Issues fixed:
> >
> > https://issues.apache.org/jira/projects/DIRKRB/versions/12340574
> >
> > Git tag:
> >
> > https://github.com/apache/directory-kerby/tree/kerby-all-1.0.1
> >
> > Artifacts:
> >
> > https://repository.apache.org/content/repositories/orgapachedirectory-1146/
> >
> > In particular, the source artifacts:
> >
> > https://repository.apache.org/content/repositories/orgapachedirectory-1146/org/apache/kerby/kerby-all/1.0.1/
> >
> > +1 from me.
> >
> > Colm.
> >
> >
>
> --
> Emmanuel Lecharny
>
> Symas.com
> directory.apache.org
>
>


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


RE: [VOTE] - Release Apache Kerby 1.0.1

2017-08-31 Thread Li, Jiajia
+1.

Built successfully with Java 7 and Java 8, all tests passed, and I have checked 
the tools.

Thanks
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Wednesday, August 30, 2017 6:31 PM
To: kerby@directory.apache.org; Apache Directory Developers List 

Subject: [VOTE] - Release Apache Kerby 1.0.1

This is a vote to release Apache Kerby 1.0.1.

Issues fixed:

https://issues.apache.org/jira/projects/DIRKRB/versions/12340574

Git tag:

https://github.com/apache/directory-kerby/tree/kerby-all-1.0.1

Artifacts:

https://repository.apache.org/content/repositories/orgapachedirectory-1146/

In particular, the source artifacts:

https://repository.apache.org/content/repositories/orgapachedirectory-1146/org/apache/kerby/kerby-all/1.0.1/

+1 from me.

Colm.


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


RE: Kerby 1.0.1 release

2017-08-28 Thread Li, Jiajia
Hi Colm,
It's great if you could take this work.

Thanks,
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Monday, August 28, 2017 5:15 PM
To: kerby@directory.apache.org
Subject: Re: Kerby 1.0.1 release

Yes, let's get 1.0.1 done. Will I take care of calling the vote, or does 
someone else want to do it?

Colm.

On Fri, Aug 18, 2017 at 1:21 PM, Gerard Gagliano 
wrote:

> Agreed, 1.0.1
>
> --
> > On Aug 17, 2017, at 11:25 PM, Zheng, Kai  wrote:
> >
> > IMO we should go for the 1.0.1 release since the previous 1.0.0 major 
> > release was some time ago. The minor release did fix some important 
> > bugs and we should suggest users use this minor release instead.
> >
> > Are there any critical issues we want to target for the minor release?
> >
> > Kerby users/committers, any comment? Thanks!
> >
> > Regards,
> > Kai
> >
> > -Original Message-
> > From: Li, Jiajia [mailto:jiajia...@intel.com]
> > Sent: Friday, August 18, 2017 11:32 AM
> > To: kerby@directory.apache.org
> > Subject: Kerby new minor release
> >
> > Hi all,
> >
> > After Kerby 1.0.0 was released, 12 issues were resolved, including the 
> > following bug fixes and improvements:
> > Fixed the issues of incompatibility with MIT Kerberos: DIRKRB-614 
> > <https://issues.apache.org/jira/browse/DIRKRB-614>, DIRKRB-631 
> > <https://issues.apache.org/jira/browse/DIRKRB-631>;
> > Fixed the network-related issue: DIRKRB-629 
> > <https://issues.apache.org/jira/browse/DIRKRB-629>;
> > And some improvements in token preauth and kinit.
> >
> > I suggest we make a new minor release. What do you think about it?
> >
> > Thanks,
> > Jiajia
> >
> >
> >
>
>


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


Kerby new minor release

2017-08-17 Thread Li, Jiajia
Hi all,

After Kerby 1.0.0 was released, 12 issues were resolved, including the following 
bug fixes and improvements:
Fixed the issues of incompatibility with MIT Kerberos: 
DIRKRB-614, 
DIRKRB-631;
Fixed the network-related issue: 
DIRKRB-629;
And some improvements in token preauth and kinit.

I suggest we make a new minor release. What do you think about it?

Thanks,
Jiajia





RE: directory-kerby git commit: DIRKRB-640 Implement renew ticket in kinit tool.

2017-08-01 Thread Li, Jiajia
Hi Colm,
Thanks for your reminder, I've merged it into the 1.0.x-fixes branch.

Thanks,
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Tuesday, August 1, 2017 4:42 PM
To: Li, Jiajia ; kerby@directory.apache.org
Subject: Re: directory-kerby git commit: DIRKRB-640 Implement renew ticket in 
kinit tool.

Hi Jiajia,

Just a reminder that you need to git cherry-pick this merge on the 1.0.x-fixes 
branch as well..

Thanks,

Colm.

On Tue, Aug 1, 2017 at 5:51 AM,  wrote:

> Repository: directory-kerby
> Updated Branches:
>   refs/heads/trunk f8f95ab14 -> 05be35035
>
>
> DIRKRB-640 Implement renew ticket in kinit tool.
>
>
> Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
> Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/05be3503
> Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/05be3503
> Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/05be3503
>
> Branch: refs/heads/trunk
> Commit: 05be350353af3d2dad957314c9e82adc27674bff
> Parents: f8f95ab
> Author: plusplusjiajia 
> Authored: Tue Aug 1 12:51:27 2017 +0800
> Committer: plusplusjiajia 
> Committed: Tue Aug 1 12:51:27 2017 +0800
>
> --
>  .../kerberos/kerb/client/KrbClientBase.java | 96 
>  .../kerb/client/request/ArmoredRequest.java |  2 +-
>  .../kerberos/kerb/client/request/AsRequest.java |  2 +-  
> .../kerb/client/request/AsRequestWithCert.java  |  2 +-
>  .../kerb/client/request/KdcRequest.java | 21 +++--
>  .../kerb/client/request/TgsRequest.java |  4 +-
>  .../kerb/client/request/TgsRequestWithTgt.java  |  8 +-
>  .../kerberos/kerb/type/ticket/SgtTicket.java| 11 +++
>  .../kerberos/kerb/ccache/CredentialCache.java   |  7 ++
>  .../kerby/kerberos/tool/kinit/KinitTool.java| 58 +---
>  10 files changed, 182 insertions(+), 29 deletions(-)
> --
>
>
> http://git-wip-us.apache.org/repos/asf/directory-kerby/
> blob/05be3503/kerby-kerb/kerb-client/src/main/java/org/
> apache/kerby/kerberos/kerb/client/KrbClientBase.java
> --
> diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/KrbClientBase.java b/kerby-kerb/kerb-client/src/ 
> main/java/org/apache/kerby/kerberos/kerb/client/KrbClientBase.java
> index 959f38b..d05fee2 100644
> --- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/KrbClientBase.java
> +++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/KrbClientBase.java
> @@ -21,9 +21,11 @@ package org.apache.kerby.kerberos.kerb.client;
>
>  import org.apache.kerby.KOptions;
>  import org.apache.kerby.kerberos.kerb.KrbException;
> +import org.apache.kerby.kerberos.kerb.ccache.Credential;
>  import org.apache.kerby.kerberos.kerb.ccache.CredentialCache;
>  import org.apache.kerby.kerberos.kerb.client.impl.
> DefaultInternalKrbClient;
>  import org.apache.kerby.kerberos.kerb.client.impl.InternalKrbClient;
> +import org.apache.kerby.kerberos.kerb.type.kdc.EncAsRepPart;
>  import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
>  import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
>  import org.slf4j.Logger;
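Review bot: the added import of org.apache.kerby.kerberos.kerb.type.kdc.EncAsRepPart is not used by anything visible in the quoted hunks (the new requestSgt needs only Credential, KOptions, the two option enums and the ticket types); if the remaining +73-line hunk at line 271 does not use it either, drop it so checkstyle does not flag an unused import.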
> @@ -211,6 +213,27 @@ public class KrbClientBase {
>  }
>
>  /**
> + * Request a service ticket
> + * @param ccFile The credential cache file
> + * @return service ticket
> + * @throws KrbException e
> + */
> +public SgtTicket requestSgt(File ccFile) throws KrbException {
> +Credential credential = getCredentialFromFile(ccFile);
> +String servicePrincipal = credential.
> getServicePrincipal().getName();
> +TgtTicket tgt = getTgtTicketFromCredential(credential);
> +
> +KOptions requestOptions = new KOptions();
> +requestOptions.add(KrbKdcOption.RENEW);
> +requestOptions.add(KrbOption.USE_TGT, tgt);
> +requestOptions.add(KrbOption.SERVER_PRINCIPAL, servicePrincipal);
> +SgtTicket sgtTicket = innerClient.requestSgt(requestOptions);
> +sgtTicket.setClientPrincipal(tgt.getClientPrincipal());
> +return sgtTicket;
> +}
> +
> +
> +/**
>   * Store tgt into the specified credential cache file.
>   * @param tgtTicket The tgt ticket
>   * @param ccacheFile The credential cache file @@ -248,4 +271,77 
> @@ public class KrbClientBase {
>  + "not exist or writable: " + 
> ccacheFile.getAbsolutePath());
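Review bot: in requestSgt(File), the value returned by getCredentialFromFile(ccFile) is dereferenced immediately (credential.getServicePrincipal().getName()) with no null check, so a missing or empty cache file would surface as a NullPointerException rather than a KrbException unless getCredentialFromFile is guaranteed to throw. The method also unconditionally adds KrbKdcOption.RENEW, so it renews the cached service ticket rather than requesting a fresh one; the Javadoc "Request a service ticket" should say so, e.g. "Renew the service ticket stored in the credential cache", and the two blank lines added before the next Javadoc block should be one.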
> 

RE: Kerby JWT support

2017-07-04 Thread Li, Jiajia
> Maybe we could create a new class in kerb-core that encapsulates some of 
> these things that could 
> be used instead?

It's a good idea.

Thanks
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Tuesday, July 4, 2017 9:54 PM
To: kerby@directory.apache.org
Subject: Re: Kerby JWT support

The problem with this is that it might be too restrictive. What if you wanted 
access to the client principal or the client address etc. when creating the 
AuthorizationData? Maybe we could create a new class in kerb-core that 
encapsulates some of these things that could be used instead?

Colm.

On Tue, Jul 4, 2017 at 1:38 PM, Li, Jiajia  wrote:

> > Currently I'm using "kdcRequest.isToken()" and "kdcRequest.getToken()".
> I guess we could change
> > the method to just take the kdcRequest.getToken()?
>
> Yes, setting the AuthToken as the parameter of 
> getIdentityAuthorizationData is a good choice.
>
> Thanks
> Jiajia
>
> -Original Message-
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Tuesday, July 4, 2017 4:03 PM
> To: kerby@directory.apache.org
> Subject: Re: Kerby JWT support
>
> On Tue, Jul 4, 2017 at 3:16 AM, Li, Jiajia  wrote:
>
> >
> > Which information in KdcRequest is used? I think the KdcRequest can 
> > be replaced by some class really used in getting AuthorizationData.
> >
>
> Currently I'm using "kdcRequest.isToken()" and 
> "kdcRequest.getToken()". I guess we could change the method to just take the 
> kdcRequest.getToken()?
>
> Colm.
>
>
> >
> > >b) In my tests, I'm just defining a custom AuthorizationType
> > (AD_TOKEN(256)). What should I use here instead? I don't think the 
> > spec defines what it should be...
> >
> > I think the AD token type is a new type which is undefined in the 
> > spec (RFC 4120, 7.5.4. Authorization Data Types); I think this new 
> > type name is ok.
> >
> > Thanks
> > Jiajia
> >
> >
> > -Original Message-
> > From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> > Sent: Monday, July 3, 2017 6:18 PM
> > To: kerby@directory.apache.org
> > Subject: Re: Kerby JWT support
> >
> > OK thanks, I managed to figure it out anyway. I have two more 
> > questions on this topic WRT DIRKRB-632:
> >
> > a) I want to add the authorization data in the relevant method in 
> > AbstractIdentityBackend. However, the problem here is that the 
> > kerb-identity module does not have kerb-server as a dependency, and 
> > hence I can't reference KdcRequest. The AbstractIdentityBackend gets 
> > around this by using "Object" instead of KdcRequest in the method 
> > signature, which is not a great idea really.
> >
> > What is the best way of handling this?
> >
> > b) In my tests, I'm just defining a custom AuthorizationType 
> > (AD_TOKEN(256)). What should I use here instead? I don't think the 
> > spec defines what it should be...
> >
> > Colm.
> >
> >
> > On Mon, Jul 3, 2017 at 1:49 AM, Li, Jiajia  wrote:
> >
> > > >The question I have here is that the KrbToken needs to call the 
> > > >following
> > > code internally somehow:
> > >
> > > >this.innerToken =
> > > >getTokenDecoder().decodeFromBytes(getTokenValue());
> > > >setTokenType();
> > >
> > > >There is a commented out "decode(ByteBuffer)" method that 
> > > >contains code
> > > that does this for a supplied ByteBuffer value. Should this method 
> > > be called implicitly by
> > > >the AdToken code somehow? Or is it up to the client code to call 
> > > >decode
> > > on KrbToken?
> > >
> > > I'm not very sure, I think it's up to the client code to call
> > > decode on the KrbToken.
> > >
> > > Thanks
> > > Jiajia
> > >
> > >
> > > -Original Message-
> > > From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> > > Sent: Friday, June 30, 2017 5:46 PM
> > > To: kerby@directory.apache.org
> > > Subject: Re: Kerby JWT support
> > >
> > > On Fri, Jun 30, 2017 at 4:16 AM, Li, Jiajia 
> wrote:
> > >
> > > >
> > > > Yes, agree with you, credential cache is not really needed.
> > > >
> > > >
> > > OK I have committed this fix.
> > >
> > >
> > > > The EncTicketPart should be unsealed, I think the following 

RE: Kerby JWT support

2017-07-04 Thread Li, Jiajia
> Currently I'm using "kdcRequest.isToken()" and "kdcRequest.getToken()". I 
> guess we could change 
> the method to just take the kdcRequest.getToken()?

Yes, setting the AuthToken as the parameter of getIdentityAuthorizationData is a
good choice.

Thanks
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Tuesday, July 4, 2017 4:03 PM
To: kerby@directory.apache.org
Subject: Re: Kerby JWT support

On Tue, Jul 4, 2017 at 3:16 AM, Li, Jiajia  wrote:

>
> Which information in KdcRequest is used? I think the KdcRequest can be 
> replaced by some class really used in getting AuthorizationData.
>

Currently I'm using "kdcRequest.isToken()" and "kdcRequest.getToken()". I guess 
we could change the method to just take the kdcRequest.getToken()?

Colm.


>
> >b) In my tests, I'm just defining a custom AuthorizationType
> (AD_TOKEN(256)). What should I use here instead? I don't think the 
> spec defines what it should be...
>
> I think the AD token type is a new type which is undefined in the
> spec (RFC 4120 section 7.5.4, Authorization Data Types), I think this new
> type name is ok.
>
> Thanks
> Jiajia
>
>
> -Original Message-
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Monday, July 3, 2017 6:18 PM
> To: kerby@directory.apache.org
> Subject: Re: Kerby JWT support
>
> OK thanks, I managed to figure it out anyway. I have two more 
> questions on this topic WRT DIRKRB-632:
>
> a) I want to add the authorization data in the relevant method in 
> AbstractIdentityBackend. However, the problem here is that the 
> kerb-identity module does not have kerb-server as a dependency, and 
> hence I can't reference KdcRequest. The AbstractIdentityBackend gets 
> around this by using "Object" instead of KdcRequest in the method 
> signature, which is not a great idea really.
>
> What is the best way of handling this?
>
> b) In my tests, I'm just defining a custom AuthorizationType 
> (AD_TOKEN(256)). What should I use here instead? I don't think the 
> spec defines what it should be...
>
> Colm.
>
>
> On Mon, Jul 3, 2017 at 1:49 AM, Li, Jiajia  wrote:
>
> > >The question I have here is that the KrbToken needs to call the 
> > >following
> > code internally somehow:
> >
> > >this.innerToken = 
> > >getTokenDecoder().decodeFromBytes(getTokenValue());
> > >setTokenType();
> >
> > >There is a commented out "decode(ByteBuffer)" method that contains 
> > >code
> > that does this for a supplied ByteBuffer value. Should this method 
> > be called implicitly by
> > >the AdToken code somehow? Or is it up to the client code to call 
> > >decode
> > on KrbToken?
> >
> > I'm not very sure, I think it's up to the client code to call
> > decode on the KrbToken.
> >
> > Thanks
> > Jiajia
> >
> >
> > -Original Message-
> > From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> > Sent: Friday, June 30, 2017 5:46 PM
> > To: kerby@directory.apache.org
> > Subject: Re: Kerby JWT support
> >
> > On Fri, Jun 30, 2017 at 4:16 AM, Li, Jiajia  wrote:
> >
> > >
> > > Yes, agree with you, credential cache is not really needed.
> > >
> > >
> > OK I have committed this fix.
> >
> >
> > > The EncTicketPart should be unsealed, I think the following code
> > > could help you.
> > >
> > > Ticket ticket = apReq.getTicket();
> > > EncTicketPart encPart = EncryptionUtil.unseal(ticket.getEncryptedEncPart(),
> > >         encKey, KeyUsage.KDC_REP_TICKET, EncTicketPart.class);
> > > ticket.setEncPart(encPart);
> > >
> >
> > It does, thanks! I have it kind of working now with a few hacks. I 
> > can get the KrbToken from the AuthorizationData now as follows:
> >
> > AuthorizationData authzData = encPart.getAuthorizationData();
> > AuthorizationDataEntry dataEntry = authzData.getElements().iterator().next();
> > AdToken token = dataEntry.getAuthzDataAs(AdToken.class);
> > KrbToken decodedKrbToken = token.getToken();
> >
> > The question I have here is that the KrbToken needs to call the 
> > following code internally somehow:
> >
> > this.innerToken = 
> > getTokenDecoder().decodeFromBytes(getTokenValue());
> > setTokenType();
> >
> > There is a commented out "decode(ByteBuffer)" method that contains 
> > code that does this for a supplied 

RE: Kerby JWT support

2017-07-03 Thread Li, Jiajia
>a) I want to add the authorization data in the relevant method in 
>AbstractIdentityBackend. However, the problem here is that the kerb-identity 
>module does not 
>have kerb-server as a dependency, and hence I can't reference KdcRequest. The 
>AbstractIdentityBackend gets around this by using "Object" instead of 
>KdcRequest in 
>the method signature, which is not a great idea really.
>What is the best way of handling this?

Which information in KdcRequest is used? I think the KdcRequest can be replaced 
by some class really used in getting AuthorizationData.

>b) In my tests, I'm just defining a custom AuthorizationType (AD_TOKEN(256)). 
>What should I use here instead? I don't think the spec defines what it should 
>be...

I think the AD token type is a new type which is undefined in the spec (RFC 4120
section 7.5.4, Authorization Data Types), I think this new type name is ok.

Thanks
Jiajia


-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Monday, July 3, 2017 6:18 PM
To: kerby@directory.apache.org
Subject: Re: Kerby JWT support

OK thanks, I managed to figure it out anyway. I have two more questions on this 
topic WRT DIRKRB-632:

a) I want to add the authorization data in the relevant method in 
AbstractIdentityBackend. However, the problem here is that the kerb-identity 
module does not have kerb-server as a dependency, and hence I can't reference 
KdcRequest. The AbstractIdentityBackend gets around this by using "Object" 
instead of KdcRequest in the method signature, which is not a great idea really.

What is the best way of handling this?

b) In my tests, I'm just defining a custom AuthorizationType (AD_TOKEN(256)). 
What should I use here instead? I don't think the spec defines what it should 
be...

Colm.


On Mon, Jul 3, 2017 at 1:49 AM, Li, Jiajia  wrote:

> >The question I have here is that the KrbToken needs to call the 
> >following
> code internally somehow:
>
> >this.innerToken = getTokenDecoder().decodeFromBytes(getTokenValue());
> >setTokenType();
>
> >There is a commented out "decode(ByteBuffer)" method that contains 
> >code
> that does this for a supplied ByteBuffer value. Should this method be 
> called implicitly by
> >the AdToken code somehow? Or is it up to the client code to call 
> >decode
> on KrbToken?
>
> I'm not very sure, I think it's up to the client code to call
> decode on the KrbToken.
>
> Thanks
> Jiajia
>
>
> -Original Message-
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Friday, June 30, 2017 5:46 PM
> To: kerby@directory.apache.org
> Subject: Re: Kerby JWT support
>
> On Fri, Jun 30, 2017 at 4:16 AM, Li, Jiajia  wrote:
>
> >
> > Yes, agree with you, credential cache is not really needed.
> >
> >
> OK I have committed this fix.
>
>
> > The EncTicketPart should be unsealed, I think the following code could
> > help you.
> >
> > Ticket ticket = apReq.getTicket();
> > EncTicketPart encPart = EncryptionUtil.unseal(ticket.getEncryptedEncPart(),
> >         encKey, KeyUsage.KDC_REP_TICKET, EncTicketPart.class);
> > ticket.setEncPart(encPart);
> >
>
> It does, thanks! I have it kind of working now with a few hacks. I can 
> get the KrbToken from the AuthorizationData now as follows:
>
> AuthorizationData authzData = encPart.getAuthorizationData();
> AuthorizationDataEntry dataEntry = authzData.getElements().iterator().next();
> AdToken token = dataEntry.getAuthzDataAs(AdToken.class);
> KrbToken decodedKrbToken = token.getToken();
>
> The question I have here is that the KrbToken needs to call the 
> following code internally somehow:
>
> this.innerToken = getTokenDecoder().decodeFromBytes(getTokenValue());
> setTokenType();
>
> There is a commented out "decode(ByteBuffer)" method that contains 
> code that does this for a supplied ByteBuffer value. Should this 
> method be called implicitly by the AdToken code somehow? Or is it up 
> to the client code to call decode on KrbToken?
>
> Colm.
>
>
>
> >
> > Thanks
> > Jiajia
> >
> > -Original Message-
> > From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> > Sent: Wednesday, June 28, 2017 5:41 PM
> > To: Li, Jiajia 
> > Cc: kerby@directory.apache.org
> > Subject: Re: Kerby JWT support
> >
> > Hi Jiajia,
> >
> > On Tue, Jun 27, 2017 at 9:37 AM, Li, Jiajia  wrote:
> >
> > >
> > > 2) Do you mean if the credential cache is null or not set, we can 
> > > skip the step to store the TGT ticket to credential cache?
> > 

RE: Kerby JWT support

2017-07-02 Thread Li, Jiajia
>The question I have here is that the KrbToken needs to call the following code 
>internally somehow:

>this.innerToken = getTokenDecoder().decodeFromBytes(getTokenValue());
>setTokenType();

>There is a commented out "decode(ByteBuffer)" method that contains code that 
>does this for a supplied ByteBuffer value. Should this method be called 
>implicitly by 
>the AdToken code somehow? Or is it up to the client code to call decode on 
>KrbToken?

I'm not very sure, I think it's up to the client code to call decode on the
KrbToken.

Thanks
Jiajia


-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Friday, June 30, 2017 5:46 PM
To: kerby@directory.apache.org
Subject: Re: Kerby JWT support

On Fri, Jun 30, 2017 at 4:16 AM, Li, Jiajia  wrote:

>
> Yes, agree with you, credential cache is not really needed.
>
>
OK I have committed this fix.


> The EncTicketPart should be unsealed, I think the following code could
> help you.
>
> Ticket ticket = apReq.getTicket();
> EncTicketPart encPart = EncryptionUtil.unseal(ticket.getEncryptedEncPart(),
>         encKey, KeyUsage.KDC_REP_TICKET, EncTicketPart.class);
> ticket.setEncPart(encPart);
>

It does, thanks! I have it kind of working now with a few hacks. I can get the 
KrbToken from the AuthorizationData now as follows:

AuthorizationData authzData = encPart.getAuthorizationData(); 
AuthorizationDataEntry dataEntry = authzData.getElements().iterator().next();
AdToken token = dataEntry.getAuthzDataAs(AdToken.class);
KrbToken decodedKrbToken = token.getToken();

The question I have here is that the KrbToken needs to call the following code 
internally somehow:

this.innerToken = getTokenDecoder().decodeFromBytes(getTokenValue());
setTokenType();

There is a commented out "decode(ByteBuffer)" method that contains code that 
does this for a supplied ByteBuffer value. Should this method be called 
implicitly by the AdToken code somehow? Or is it up to the client code to call 
decode on KrbToken?

Colm.



>
> Thanks
> Jiajia
>
> -Original Message-----
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Wednesday, June 28, 2017 5:41 PM
> To: Li, Jiajia 
> Cc: kerby@directory.apache.org
> Subject: Re: Kerby JWT support
>
> Hi Jiajia,
>
> On Tue, Jun 27, 2017 at 9:37 AM, Li, Jiajia  wrote:
>
> >
> > 2) Do you mean if the credential cache is null or not set, we can 
> > skip the step to store the TGT ticket to credential cache?
> >
>
> Yes exactly. "tgtTicket" is stored as a variable in the 
> TokenAuthLoginModule so we may not need the credential cache at all. 
> If you agree I will fix this.
>
>
> > 3) We get the armor key from armor cache, do you mean to set the 
> > armor key in client and KDC to replace the armor cache?
> >
>
> No, I want to find a way to avoid having an armor key at all. If the 
> purpose of the armor key is to encrypt the communication with the KDC, 
> then if the JWT token is encrypted this requirement is not necessary. 
> But perhaps it's not possible to skip this step?
>
>
> >
> > 4) I think it's great to put claims from the JWT token into the 
> > authorization data of the ticket, that will be an important feature.
> >
>
> OK I have created a JIRA for this.
>
>
> >
> > 5) Actually, AuthorizationData is not really set in the
> > EncTicketPart, in AbstractIdentityBackend with the following
> > implementation:
> > protected AuthorizationData doGetIdentityAuthorizationData(
> >         Object kdcRequest, EncTicketPart encTicketPart)
> >         throws KrbException {
> >     return null;
> > }
> >
>
> Right, but I am doing this locally. The problem is on the client side 
> that "tkt.getTicket().getEncPart()" is null. How can I see what the 
> authorization data of the ticket is on the client side, so that I can 
> test that it was inserted correctly?
>
> Colm.
>
>
> >
> > Thanks
> > Jiajia
> >
> > -Original Message-
> > From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> > Sent: Monday, June 19, 2017 8:24 PM
> > To: kerby@directory.apache.org
> > Subject: Kerby JWT support
> >
> > Hi all,
> >
> > I'd like to resurrect some of the issues surrounding the JWT support 
> > in Kerby. If nothing else we can hopefully agree on what the 
> > outstanding issues are and then put them into JIRA so that we have a 
> > record of what needs to be done. Some of the tasks are fairly 
> > trivial and could be addressed for the next release.
> >
> > 1) T
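A defensive version of the ticket-side extraction quoted in this thread, as an added example rather than Kerby project code: it unseals the EncTicketPart the way Jiajia's snippet does, then walks the AuthorizationData instead of calling iterator().next(), so an absent, empty or mixed-type list does not throw. `AuthorizationType.AD_TOKEN`, `AuthorizationDataEntry.getAuthzType()` and the import paths are assumptions about the Kerby API; every other call is one quoted above.

```java
import java.io.IOException;

// Import paths assumed from the Kerby module layout; adjust if they differ.
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.crypto.EncryptionUtil;
import org.apache.kerby.kerberos.kerb.type.ad.AdToken;
import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationData;
import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationDataEntry;
import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationType;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
import org.apache.kerby.kerberos.kerb.type.base.KeyUsage;
import org.apache.kerby.kerberos.kerb.type.base.KrbToken;
import org.apache.kerby.kerberos.kerb.type.ticket.EncTicketPart;
import org.apache.kerby.kerberos.kerb.type.ticket.Ticket;

/** Helper for reading the AD_TOKEN entry out of a service ticket (example code). */
public final class TicketAuthzData {

    private TicketAuthzData() {
    }

    /**
     * Decrypts the ticket's enc-part with the service key, exactly as in the
     * snippet quoted in the thread, so that getEncPart() is no longer null.
     * A ticket that was already unsealed is returned as-is.
     */
    public static EncTicketPart unsealTicket(Ticket ticket, EncryptionKey encKey)
            throws KrbException {
        if (ticket.getEncPart() != null) {
            return ticket.getEncPart();
        }
        EncTicketPart encPart = EncryptionUtil.unseal(ticket.getEncryptedEncPart(),
                encKey, KeyUsage.KDC_REP_TICKET, EncTicketPart.class);
        ticket.setEncPart(encPart);
        return encPart;
    }

    /**
     * Returns the KrbToken carried in the first AD_TOKEN authorization-data
     * entry, or null if the ticket carries none. Entries of other types are
     * skipped rather than cast blindly; a missing or empty AuthorizationData
     * (the null Colm saw on the client side) is reported as "no token".
     */
    public static KrbToken findAdToken(EncTicketPart encPart)
            throws KrbException, IOException {
        if (encPart == null) {
            throw new KrbException("EncTicketPart is null; unseal the ticket first");
        }
        AuthorizationData authzData = encPart.getAuthorizationData();
        if (authzData == null || authzData.getElements() == null) {
            return null;
        }
        for (AuthorizationDataEntry entry : authzData.getElements()) {
            // Assumption: getAuthzType() exposes the ad-type of the entry and
            // AuthorizationType.AD_TOKEN is the type used for KrbToken payloads.
            if (entry.getAuthzType() != AuthorizationType.AD_TOKEN) {
                continue;
            }
            AdToken adToken = entry.getAuthzDataAs(AdToken.class);
            if (adToken == null || adToken.getToken() == null) {
                continue;
            }
            return adToken.getToken();
        }
        return null;
    }
}
```

As the thread notes, the returned KrbToken still has to be decoded by the caller before its inner JWT claims can be read.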

RE: Kerby JWT support

2017-06-29 Thread Li, Jiajia
>>
>> 2) Do you mean if the credential cache is null or not set, we can skip 
>> the step to store the TGT ticket to credential cache?
>>

> Yes exactly. "tgtTicket" is stored as a variable in the TokenAuthLoginModule
> so we may not need the credential cache at all. If you agree I will fix this.

Yes, agree with you, credential cache is not really needed.


>> 3) We get the armor key from armor cache, do you mean to set the armor 
>> key in client and KDC to replace the armor cache?
>>

> No, I want to find a way to avoid having an armor key at all. If the purpose 
> of the armor key is to encrypt the communication with the KDC, 
> then if the JWT token is encrypted this requirement is not necessary. But 
> perhaps it's not possible to skip this step?

The armor credential's key has two usages:
1. Used as the client key (line 194 of ArmoredRequest):
EncryptedData authnData = EncryptionUtil.seal(authenticator,
        credential.getKey(), KeyUsage.AP_REQ_AUTH);
2. Used as the armor key for the FX_FAST padata (line 205 of ArmoredRequest):
private EncryptionKey makeArmorKey(EncryptionKey subKey, EncryptionKey armorCacheKey)
        throws KrbException {
    EncryptionKey armorKey = FastUtil.makeArmorKey(subKey, armorCacheKey);
    return armorKey;
}
In my opinion, the encrypted JWT token can be used for the second usage: we can
create a new padata type, such as an "EncryptedToken" padata, and set the
encrypted JWT token into the new padata entry. When the KDC receives this padata
entry, it can decrypt it with the configured private decryption key.


>>
>> 5) Actually, AuthorizationData is not really set in the
>> EncTicketPart, in AbstractIdentityBackend with the following implementation:
>> protected AuthorizationData doGetIdentityAuthorizationData(
>>         Object kdcRequest, EncTicketPart encTicketPart)
>>         throws KrbException {
>>     return null;
>> }
>>

> Right, but I am doing this locally. The problem is on the client side that 
> "tkt.getTicket().getEncPart()" is null. How can I see what the authorization 
> data of the ticket is on 
> the client side, so that I can test that it was inserted correctly?

The EncTicketPart should be unsealed, I think the following code could help you.

Ticket ticket = apReq.getTicket();
EncTicketPart encPart = EncryptionUtil.unseal(ticket.getEncryptedEncPart(),
        encKey, KeyUsage.KDC_REP_TICKET, EncTicketPart.class);
ticket.setEncPart(encPart);


Thanks
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Wednesday, June 28, 2017 5:41 PM
To: Li, Jiajia 
Cc: kerby@directory.apache.org
Subject: Re: Kerby JWT support

Hi Jiajia,

On Tue, Jun 27, 2017 at 9:37 AM, Li, Jiajia  wrote:

>
> 2) Do you mean if the credential cache is null or not set, we can skip 
> the step to store the TGT ticket to credential cache?
>

Yes exactly. "tgtTicket" is stored as a variable in the TokenAuthLoginModule
so we may not need the credential cache at all. If you agree I will fix this.


> 3) We get the armor key from armor cache, do you mean to set the armor 
> key in client and KDC to replace the armor cache?
>

No, I want to find a way to avoid having an armor key at all. If the purpose of 
the armor key is to encrypt the communication with the KDC, then if the JWT 
token is encrypted this requirement is not necessary. But perhaps it's not 
possible to skip this step?


>
> 4) I think it's great to put claims from the JWT token into the 
> authorization data of the ticket, that will be an important feature.
>

OK I have created a JIRA for this.


>
> 5) Actually, AuthorizationData is not really set in the
> EncTicketPart, in AbstractIdentityBackend with the following implementation:
> protected AuthorizationData doGetIdentityAuthorizationData(
>         Object kdcRequest, EncTicketPart encTicketPart)
>         throws KrbException {
>     return null;
> }
>

Right, but I am doing this locally. The problem is on the client side that 
"tkt.getTicket().getEncPart()" is null. How can I see what the authorization 
data of the ticket is on the client side, so that I can test that it was 
inserted correctly?

Colm.


>
> Thanks
> Jiajia
>
> -Original Message-
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Monday, June 19, 2017 8:24 PM
> To: kerby@directory.apache.org
> Subject: Kerby JWT support
>
> Hi all,
>
> I'd like to resurrect some of the issues surrounding the JWT support 
> in Kerby. If nothing else we can hopefully agree on what the 
> outstanding issues are and then put them into JIRA so that we have a 
> reco

RE: Kerby JWT support

2017-06-27 Thread Li, Jiajia
Hi Colm,
1) Agree with you, I can do it soon.

2) Do you mean if the credential cache is null or not set, we can skip the step 
to store the TGT ticket to credential cache?

3) We get the armor key from armor cache, do you mean to set the armor key in 
client and KDC to replace the armor cache? 

4) I think it's great to put claims from the JWT token into the authorization 
data of the ticket, that will be an important feature.

5) Actually, AuthorizationData is not really set in the EncTicketPart, in
AbstractIdentityBackend with the following implementation:
protected AuthorizationData doGetIdentityAuthorizationData(
        Object kdcRequest, EncTicketPart encTicketPart)
        throws KrbException {
    return null;
}

Thanks
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Monday, June 19, 2017 8:24 PM
To: kerby@directory.apache.org
Subject: Kerby JWT support

Hi all,

I'd like to resurrect some of the issues surrounding the JWT support in Kerby. 
If nothing else we can hopefully agree on what the outstanding issues are and 
then put them into JIRA so that we have a record of what needs to be done. Some 
of the tasks are fairly trivial and could be addressed for the next release.

1) There was a proposal last year to move the TokenAuthLoginModule from the 
"integration-test" module into the "kerb-client" module in a separate package 
like 'jaas'.

2) I'd like to make the credential cache configuration item in the 
TokenAuthLoginModule optional to simplify the configuration. It's not actually 
needed as we just keep the TgtTicket internally in the LoginModule anyway.

3) Right now, we need an armor cache to then get a TGT using a JWT.
However, I think we should also support configuring the KDC with a private 
decryption key. If the incoming JWT token is encrypted to the KDC then we 
should be able to skip the armor cache step.

4) For the access token case, make it possible to put claims from the JWT token 
into the authorization data of the ticket. I've done some work on this last 
year that could be re-used.

5) To test (4), I'd like to be able to query the authorization data of the 
issued service ticket. However, using the Kerby API, the following returns null?

tkt.getTicket().getEncPart() (.getAuthorizationData())

Is there a way for me to access the authorization data of the ticket using the 
Kerby API in some way to check that it's actually getting inserted properly?

Thoughts? Am I missing anything else?

Colm.


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


RE: MIT Kerberos compatibility

2017-06-18 Thread Li, Jiajia
Hi Colm,
Thanks for providing the way to reproduce the error. I have the fix in the
trunk code; can you take some time to check it?

Commit log:
commit 106299efb7aa3001da89ae821eb43285c544bab7
Author: plusplusjiajia 
Date:   Mon Jun 19 13:07:04 2017 +0800

Fix DIRKRB-629: ICMP Port Unreachable error message with GSS + default
transport.


Thanks
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Monday, May 8, 2017 6:19 PM
To: kerby@directory.apache.org
Subject: Re: MIT Kerberos compatibility

OK I have created a JIRA and attached a patch that you have to apply to the
Apache WSS4J project to reproduce the error. If you uncomment the line that
uses Netty then the tests all work perfectly. The tests appear to work fine
when run in isolation, it's only when you run a few of them after one
another that you can see the failures.

Please let me know if you have any difficulty in reproducing, thanks!

Colm.

On Mon, May 8, 2017 at 11:08 AM, Zheng, Kai  wrote:

> Hi Colm,
>
> Sure, please do it. Could you review my change and see how it would cause
> the new failures? Any difference between the failed GSS tests and the Kerby
> GSS tests?
>
> Regards,
> Kai
>
> -Original Message-
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Monday, May 08, 2017 5:42 PM
> To: Zheng, Kai 
> Cc: kerby@directory.apache.org
> Subject: Re: MIT Kerberos compatibility
>
> Hi Kai,
>
> Your changes fixed the error message I was seeing. However, I now see
> another problem when I run a few GSS client tests in a row:
>
> >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
> >>> KrbAsReq creating message
> >>> KrbKdcReq send: kdc=localhost UDP:42665, timeout=3, number of
> retries =3, #bytes=245
> >>> KDCCommunication: kdc=localhost UDP:42665, timeout=3,Attempt =1,
> #bytes=245
> SocketTimeOutException with attempt: 1
> >>> KDCCommunication: kdc=localhost UDP:42665, timeout=3,Attempt =2,
> #bytes=245
> >>> KrbKdcReq send: error trying localhost:42665
> java.net.PortUnreachableException: ICMP Port Unreachable
>
> Do you want me to create a JIRA + attach a test-case?
>
> Colm.
>
> On Sat, May 6, 2017 at 2:01 AM, Zheng, Kai  wrote:
>
> > I haven't repeated the issue but revisited the codes again and made
> > improvements. Would you check it out? Thanks!
> >
> > Sent from iPhone
> >
> > > On May 6, 2017, at 6:28 AM, Zheng, Kai wrote:
> > >
> > > Thanks Colm for the clarification; it sounds like an issue we need to
> > > address. I will investigate it soon.
> > >
> > > Sent from iPhone
> > >
> > >> On May 6, 2017, at 2:14 AM, Colm O hEigeartaigh wrote:
> > >>
> > >> Hi Kai,
> > >>
> > >> If I enable UDP with the default Transport, I can get a ticket fine
> > using
> > >> kinit. However then the following error pops up in the window I'm
> > running
> > >> Kerby in (as a test):
> > >>
> > >> Exception in thread "Thread-1" java.lang.RuntimeException: Error
> > >> occured while checking udp connections
> > >>   at
> > >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
> > KdcNetwork.java:105)
> > >>   at
> > >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
> > access$000(KdcNetwork.java:39)
> > >>   at
> > >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.
> > run(KdcNetwork.java:75)
> > >>   at java.lang.Thread.run(Thread.java:748)
> > >> Caused by: java.nio.channels.ClosedChannelException
> > >>   at
> > >> sun.nio.ch.DatagramChannelImpl.ensureOpen(
> DatagramChannelImpl.java:320)
> > >>   at sun.nio.ch.DatagramChannelImpl.receive(
> > DatagramChannelImpl.java:331)
> > >>   at
> > >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
> > checkUdpMessage(KdcNetwork.java:132)
> > >>   at
> > >> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
> > KdcNetwork.java:101)
> > >>
> > >> Colm.
> > >>
> > >>
> > >>> On Fri, May 5, 2017 at 5:56 PM, Zheng, Kai 
> > wrote:
> > >>>
> > >>> Colm, did you see a UDP problem now instead? I'm a little confused.
> > >>> UDP is surely supported but may not be enabled by default, which should be
> > >>> okay, imo. Thanks.
> > >>>
> > >>> Sent from iPhone
> > >>>
>

RE: [Kerby] How to setup 1-way trust for cross-realm authentication between two KDC's ?

2017-06-14 Thread Li, Jiajia
Hi Pratyush,

Kerby does not support cross-realm authentication; this is one of the important
missing features.

Thanks
Jiajia


-Original Message-
From: pratyush parimal [mailto:pratyush.pari...@gmail.com] 
Sent: Thursday, June 15, 2017 3:10 AM
To: kerby@directory.apache.org
Subject: [Kerby] How to setup 1-way trust for cross-realm authentication 
between two KDC's ?

Hi everyone,

I'm wondering if Kerby supports setting up 1-way trusts, similar to using the 
[capaths] directive in MIT kerberos.

For example, in MIT kdc, if I wanted to set up cross-realm auth between a source
realm R1.COM and destination realm R2.COM, I would have to add the following
section to R1.COM's krb5.conf:

[capaths]
 R2.COM = {
  R1.COM = .
 }

, followed by adding the principal "krbtgt/r2@r1.com" with the same 
password to both the KDCs.

Is it possible to achieve the same with Kerby? If so, I'd really appreciate it 
if someone could point me to a Java example for setting up capaths in Kerby.

Cheers,
Pratyush


RE: [Kerby] TGS req failing with "Unexpected item context"

2017-06-14 Thread Li, Jiajia
Hi Pratyush,
The trunk is available.

Thanks
Jiajia

-Original Message-
From: pratyush parimal [mailto:pratyush.pari...@gmail.com] 
Sent: Thursday, June 15, 2017 2:50 AM
To: kerby@directory.apache.org; Colm O hEigeartaigh 
Subject: Re: [Kerby] TGS req failing with "Unexpected item context"

Hi all,

I'm so excited to hear that the issue was addressed. I'd like to test it out as 
well.
What branch specifically should I checkout to get this fix? Is it available in 
master/trunk?

Cheers,
Pratyush

On Wed, Jun 14, 2017 at 6:44 AM, Colm O hEigeartaigh 
wrote:

> Yes, it fixes the issue that I ran into, thanks Jiajia!
>
> Colm.
>
> On Wed, Jun 14, 2017 at 6:30 AM, Zheng, Kai  wrote:
>
> > Thank you Jiajia for taking the time to fix this long-standing
> > issue. The fix looks great!
> >
> > Regards,
> > Kai
> >
> > -Original Message-
> > From: Li, Jiajia [mailto:jiajia...@intel.com]
> > Sent: Wednesday, June 14, 2017 10:42 AM
> > To: kerby@directory.apache.org
> > Subject: RE: [Kerby] TGS req failing with "Unexpected item context"
> >
> > Hi all,
> > I have a fix for this issue, could anyone help me check it
> > using your test env?
> >
> > Commit log is:
> > commit a6224d2cf60e8e18ba5e307f1a4a2bc4c01a55b4
> > Author: plusplusjiajia 
> > Date:   Wed Jun 14 10:43:46 2017 +0800
> >
> > Fix DIRKRB-614 and DIRKRB-631.
> >
> > Thanks
> > Jiajia
> >
> > -Original Message-
> > From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl]
> > Sent: Thursday, June 8, 2017 8:10 PM
> > To: kerby@directory.apache.org
> > Subject: Re: [Kerby] TGS req failing with "Unexpected item context"
> >
> > Hi Kai,
> >
> > See, my original logs from both the python client and the KDC at 
> > (this link is also present in DIRKRB-631):
> >
> > http://mail-archives.apache.org/mod_mbox/directory-kerby/
> > 201705.mbox/browser
> >
> > Here, the logs of the python client coincide with Pratyush's report in
> > the current thread. The logs of the KDC coincide with the old
> > DIRKRB-614 issue.
> >
> > I would say all reports are related to the same error, Kerby not being
> > able to decode the FAST OTP requests of MIT Kerberos 1.11+. Also, all
> > are related to a TGS request based on an existing TGT.
> >
> > Cheers, Marc
> >
> >
> > Op 06-06-17 om 21:07 schreef Marc de Lignie:
> > > Dear all,
> > >
> > > My bad, it seems I made a separate issue for this, which might add 
> > > more details to DIRKRB-614 and might help you in finding the 
> > > decode
> > > error:
> > >
> > > https://issues.apache.org/jira/browse/DIRKRB-631
> > >
> > > The workaround I mentioned is there, in the comments.
> > >
> > > Cheers, Marc
> > >
> > >
> > > Op 06-06-17 om 21:02 schreef Marc de Lignie:
> > >> Pratyush,
> > >>
> > >> I just posted a temporary workaround as a comment below:
> > >>
> > >> https://issues.apache.org/jira/browse/DIRKRB-614
> > >>
> > >> Cheers, Marc
> > >>
> > >>
> > >> Kai wrote:
> > >>
> > >> It seems so and we need to fix it. However, I don't see any
> > >> obvious cause for it. Hope we can get to this sooner (should be
> > >> next week) after some deadline is caught. Sorry for the delay.
> > >>
> > >> Regards,
> > >> Kai
> > >>
> > >> -Original Message-
> > >> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> > >> Sent: Monday, June 05, 2017 12:04 AM
> > >> To: kerby@directory.apache.org
> > >> Subject: Re: [Kerby] TGS req failing with "Unexpected item context"
> > >>
> > >> Looks like you're running into this known issue:
> > >>
> > >> https://issues.apache.org/jira/browse/DIRKRB-614
> > >>
> > >> Colm.
> > >>
> > >> On Sat, Jun 3, 2017 at 8:09 PM, pratyush parimal 
> > >>  > >>> wrote:
> > >>
> > >>> Hi everyone,
> > >>>
> > >>> I'm writing a simple Java program that stands up a KDC using the 
> > >>> SimpleKdcServer class, and I'm trying to use it for AS & TGS 
> > >>> operations. Relevant code is below:
> > >>>
> > >

RE: [Kerby] TGS req failing with "Unexpected item context"

2017-06-13 Thread Li, Jiajia
Hi all,
I have a fix for this issue, could anyone help me check it using your test
env?

Commit log is:
commit a6224d2cf60e8e18ba5e307f1a4a2bc4c01a55b4
Author: plusplusjiajia 
Date:   Wed Jun 14 10:43:46 2017 +0800

Fix DIRKRB-614 and DIRKRB-631.

Thanks
Jiajia

-Original Message-
From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl] 
Sent: Thursday, June 8, 2017 8:10 PM
To: kerby@directory.apache.org
Subject: Re: [Kerby] TGS req failing with "Unexpected item context"

Hi Kai,

See, my original logs from both the python client and the KDC at (this link is 
also present in DIRKRB-631):

http://mail-archives.apache.org/mod_mbox/directory-kerby/201705.mbox/browser

Here, the logs of the python client coincide with Pratyush's report in the
current thread. The logs of the KDC coincide with the old DIRKRB-614 issue.

I would say all reports are related to the same error, Kerby not being able to
decode the FAST OTP requests of MIT Kerberos 1.11+. Also, all are related to a
TGS request based on an existing TGT.

Cheers, Marc


Op 06-06-17 om 21:07 schreef Marc de Lignie:
> Dear all,
>
> My bad, it seems I made a separate issue for this, which might add 
> more details to DIRKRB-614 and might help you in finding the decode
> error:
>
> https://issues.apache.org/jira/browse/DIRKRB-631
>
> The workaround I mentioned is there, in the comments.
>
> Cheers, Marc
>
>
> Op 06-06-17 om 21:02 schreef Marc de Lignie:
>> Pratyush,
>>
>> I just posted a temporary workaround as a comment below:
>>
>> https://issues.apache.org/jira/browse/DIRKRB-614
>>
>> Cheers, Marc
>>
>>
>> Kai wrote:
>>
>> It seems so and we need to fix it. However, I don't see any obvious 
>> cause for it. Hope we can get to this sooner (should be next week) 
>> after some deadline is caught. Sorry for the delay.
>>
>> Regards,
>> Kai
>>
>> -Original Message-
>> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
>> Sent: Monday, June 05, 2017 12:04 AM
>> To: kerby@directory.apache.org
>> Subject: Re: [Kerby] TGS req failing with "Unexpected item context"
>>
>> Looks like you're running into this known issue:
>>
>> https://issues.apache.org/jira/browse/DIRKRB-614
>>
>> Colm.
>>
>> On Sat, Jun 3, 2017 at 8:09 PM, pratyush parimal wrote:
>>
>>> Hi everyone,
>>>
>>> I'm writing a simple Java program that stands up a KDC using the 
>>> SimpleKdcServer class, and I'm trying to use it for AS & TGS 
>>> operations. Relevant code is below:
>>>
>>> kdc = new SimpleKdcServer(); 
>>> kdc.setKdcHost("kdc.example.com");
>>> kdc.setKdcPort(60088);
>>> kdc.setKdcRealm("EXAMPLE.COM");
>>>
>>> kdc.setAllowUdp(false);
>>> kdc.setWorkDir(keytabFile.getParentFile());
>>>
>>> kdc.init();
>>>
>>> kdc.createPrincipal("u...@example.com", "u1pwd"); 
>>> kdc.createPrincipal("myservice/kdc.example@example.com",
>>> "myservicepwd");
>>>
>>> kdc.start();
>>>
>>> I use kinit to fetch the TGT for my principal "u1" and that's 
>>> successful.
>>> However, the subsequent TGS req from my client program fails with 
>>> the
>>> error:
>>>
>>> GSSAPI continuation error: Unknown code krcM 137
>>>
>>> I debugged through the source code for Kerby and saw that the full 
>>> exception was not getting thrown because of a (e instanceof
>>> KdcRecoverableException) check. When I print the stacktrace via a 
>>> debugger, I see the following (apologies for the huge stack trace):
>>>
>>> [pool-1-thread-1] INFO
>>> org.apache.kerby.kerberos.kerb.server.request.KdcRequest - Found 
>>> fast padata and starting to process it.
>>> org.apache.kerby.kerberos.kerb.KrbException: Decoding failed at
>>> org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)
>>> at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
>>> at
>>> org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast
>>> (
>>> KdcRequest.java:213)
>>> at
>>> org.apache.kerby.kerberos.kerb.server.request.
>>> KdcRequest.process(KdcRequest.java:170)
>>> at
>>> org.apache.kerby.kerberos.kerb.server.KdcHandler.
>>> handleMessage(KdcHandler.java:116)
>>> at
>>> org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.
>>> handleMessage(DefaultKdcHandler.java:67)
>>> at
>>> org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(
>>> DefaultKdcHandler.java:52)
>>> at
>>> java.util.concurrent.ThreadPoolExecutor.runWorker(
>>> ThreadPoolExecutor.java:1145)
>>> at
>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(
>>> ThreadPoolExecutor.java:615)
>>> at java.lang.Thread.run(Thread.java:745)
>>> Caused by: java.io.IOException: Unexpected item context [0] 
>>> [tag=0xA0, off=0, len=3+198], expecting 0x30 at 
>>> org.apache.kerby.asn1.type.Asn1Encodeable.decode(
>>> Asn1Encodeable.java:219)
>>> at org.apache.kerby.asn1.type.Asn1Encodeable.decode(
>>> Asn1Encodeable.java:207)
>>> at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:83)
>>> ... 9 more
>>> org.apache.kerby.kerberos.kerb.KrbException: Decoding failed at
>>> org.apache.kerby.
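The stack trace above ends in an ASN.1 tag mismatch: the decoder finds a constructed context tag [0] (0xA0) where it expects a SEQUENCE (0x30), which is what happens when PA-FX-FAST-REQUEST, defined in RFC 6113 as a CHOICE whose armored-data alternative carries that [0] tag, is read directly as a bare SEQUENCE. The Python below is an added example, not Kerby code or any poster's code; its 201-byte input is constructed to match the header shape in the exception (len=3+198) with filler content, and the decoder functions are illustrative, not Kerby's API.

```python
"""DER header inspection for the "Unexpected item context [0]" decode error.

Added example, not Kerby code. SAMPLE_FAST_REQUEST is constructed: a [0]
context tag wrapping a SEQUENCE, the shape of a PA-FX-FAST-REQUEST whose
CHOICE alternative 'armored-data [0] KrbFastArmoredReq' was chosen.
"""
from dataclasses import dataclass

CLASS_NAMES = {0: "UNIVERSAL", 1: "APPLICATION", 2: "CONTEXT", 3: "PRIVATE"}
SEQUENCE_TAG = 0x30


@dataclass(frozen=True)
class DerHeader:
    tag_byte: int
    tag_class: str
    constructed: bool
    tag_number: int
    header_len: int   # octets used by the tag and the length
    content_len: int  # octets of content that follow the header

    def describe(self) -> str:
        # Same shape as Kerby's message: [tag=0xA0, off=0, len=3+198]
        return f"[tag=0x{self.tag_byte:02X}, len={self.header_len}+{self.content_len}]"


def parse_der_header(buf: bytes, off: int = 0) -> DerHeader:
    """Parse one DER identifier octet and its definite-form length at buf[off]."""
    if off + 1 >= len(buf):
        raise ValueError("truncated header")
    tag = buf[off]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not handled in this example")
    first = buf[off + 1]
    if first < 0x80:                       # short form: one length octet
        content_len, hdr = first, 2
    else:                                   # long form: 0x8N then N octets
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        content_len = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        hdr = 2 + n
    if off + hdr + content_len > len(buf):
        raise ValueError("length runs past end of buffer")
    return DerHeader(tag, CLASS_NAMES[tag >> 6], bool(tag & 0x20), tag & 0x1F,
                     hdr, content_len)


def decode_as_bare_sequence(buf: bytes) -> DerHeader:
    """The failing interpretation: treat the padata value as a bare SEQUENCE."""
    hdr = parse_der_header(buf)
    if hdr.tag_byte != SEQUENCE_TAG:
        raise ValueError(
            f"Unexpected item context [{hdr.tag_number}] {hdr.describe()}, expecting 0x30")
    return hdr


def decode_fast_request(buf: bytes) -> DerHeader:
    """CHOICE-aware decoding per RFC 6113: accept the [0] tag first, then the SEQUENCE.

    Returns the header of the inner KrbFastArmoredReq SEQUENCE.
    """
    outer = parse_der_header(buf)
    if outer.tag_class != "CONTEXT" or outer.tag_number != 0 or not outer.constructed:
        raise ValueError(f"Unexpected tag {outer.describe()}, expecting [0] armored-data")
    inner = parse_der_header(buf, outer.header_len)
    if inner.tag_byte != SEQUENCE_TAG:
        raise ValueError(f"Unexpected tag {inner.describe()}, expecting 0x30")
    return inner


def bare_sequence_error(buf: bytes) -> str:
    """Error text the bare-SEQUENCE decoder produces for buf, or '' if it accepts it."""
    try:
        decode_as_bare_sequence(buf)
        return ""
    except ValueError as e:
        return str(e)


# Constructed sample: [0] wrapping a 195-byte SEQUENCE. The outer header is
# 0xA0 0x81 0xC6 (3 octets) followed by 198 content octets, matching the
# "len=3+198" reported in the exception. The SEQUENCE content is filler.
INNER = bytes([SEQUENCE_TAG, 0x81, 0xC3]) + bytes(0xC3)
SAMPLE_FAST_REQUEST = bytes([0xA0, 0x81, 0xC6]) + INNER
assert len(INNER) == 198

if __name__ == "__main__":
    print("bare-SEQUENCE decoder:", bare_sequence_error(SAMPLE_FAST_REQUEST))
    print("CHOICE-aware decoder, inner:", decode_fast_request(SAMPLE_FAST_REQUEST).describe())
```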

RE: [VOTE] - Release Apache Kerby 1.0.0 (take II)

2017-05-10 Thread Li, Jiajia
+1

Items checked:

1.  Built successfully with jdk1.8.0_40

2.  All tests passed.

3.  Checked the tools.

Thanks
Jiajia

From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Wednesday, May 10, 2017 6:14 PM
To: kerby@directory.apache.org; Apache Directory Developers List 

Subject: [VOTE] - Release Apache Kerby 1.0.0 (take II)

This is (the second) vote to release Apache Kerby 1.0.0. We had to cancel the 
first vote after Emmanuel identified some issues with the NOTICE + licenses for 
the two Kerby distributions. The distributions now correctly include the Netty 
NOTICEs and licenses of modified components, and SLF4J copyright notice + 
license.
Issues fixed:

https://issues.apache.org/jira/browse/DIRKRB/fixforversion/12332775
Maven Artifacts:

https://repository.apache.org/content/repositories/orgapachedirectory-1130/
In particular the source:

https://repository.apache.org/content/repositories/orgapachedirectory-1130/org/apache/kerby/kerby-all/1.0.0/
Git tag:

https://git-wip-us.apache.org/repos/asf?p=directory-kerby.git;a=commit;h=b0e8f9da3cdb494c82d62c956ee35a53a52ac0ce

+1 from me.
Colm.


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


RE: Questions about the release

2017-05-08 Thread Li, Jiajia
I've added the slf4j N&L, mockito N&L, netty's NOTICE, hamcrest N&L, 
bouncycastle N&L (used by netty, but not included in its N&L),
Jline N&L (used by zookeeper, but not included in its N&L).
You can find the NOTICE in the NOTICE file, and the licenses in the LICENSE file and 
the license/ folder.

I also checked the following:
>>> Check the google gson N&L files.
Gson is released under the Apache 2.0 license.

>>>check the nimbus-jose-jwt N&L
The library source code is provided under the Apache 2.0 license.

>>>nimbus-jose-jwt has itself some dependencies that require some N&L 
>>>(potentially, that has to be checked) :
>>>jcip-annotations, json-smart and bcprov-jdk15on
jcip-annotations and json-smart are under the Apache 2.0 license, and I've added 
the bouncycastle license.

And checked the transitive dependencies:
commons-io: AL 2.0
log4j: AL 2.0
junit: AL 2.0

@ Emmanuel, could you review the changes? 

Thanks
Jiajia


-Original Message-
From: Emmanuel Lécharny [mailto:elecha...@gmail.com] 
Sent: Monday, May 8, 2017 12:18 PM
To: kerby@directory.apache.org
Subject: Questions about the release

Hi guys,


I have checked all the modules, and their dependencies. Here is the result :


kerby-all -> test[junit, assertj-core] : OK, no N&L, test

 |

 +-- kerby-common -> [commons.io] : OK, no N&L, Apache
 +-- kerby-pkix -> [slf4j-api], test[slf4j-simple, mockito-core] : Need to add 
the slf4j N&L
 +-- kerby-kerb

 ||

 |+-- kerb-core -> OK

 |+-- kerb-common -> [commons.io] : OK, no N&L, Apache
 |+-- kerb-util -> test[mockito-core] : OK, no N&L, test
 |+-- kerb-crypto -> OK
 |+-- kerb-identity -> OK
 |+-- kerb-identity-test -> test, no N&L
 |+-- kerb-client -> test[mockito-core]: OK, no N&L, test
 |+-- kerb-server -> test[slf4j-simple]: OK, no N&L, test
 |+-- kerb-kdc-test -> test, no N&L
 |+-- integration-test -> test, no N&L
 |+-- kerb-admin -> OK
 |+-- kerb-admin-server -> OK
 |+-- kerb-simplekdc -> OK
 |+-- kerb-client-api-all -> OK
 |+-- kerb-server-api-all -> OK
 +-- kerby-kdc -> [netty-transport, netty-handler, netty-common, netty-codec, 
netty-buffer, slf4j-api] : Need to add the mockito N&L, add the netty's 
NOTICE file

 +-- kerby-tool

 ||

 |+-- client-tool -> OK
 |+-- kdc-tool -> OK

 +-- kerby-kdc-test  -> test, no N&L
 +-- kerby-backend

 ||

 |+-- ldap-backend -> test[slf4j-simple], OK, no N&L, test
 |+-- mavibot-backend -> test[slf4j-simple], OK, no N&L, test
 |+-- json-backend -> [com.google.code.gson], test[slf4j-simple] :
Check the google gson N&L files.
 |+-- zookeeper-backend-> OK

 +-- kerby-dist

 ||

 |+-- kdc-dist -> [netty, gson, slf4j-api, slf4j-log4j12] : Check
the google gson N&L files. need to add the slf4j N&L, add the netty's NOTICE 
file
 |+-- tool-dist-> [slf4j-api, slf4j-log4j12] : Need to add the slf4j N&L

 +-- benchmark -> benchmarks, no N&L
 +-- kerby-provider

  |

  +- token-provider -> [nimbus-jose-jwt] -> check the nimbus-jose-jwt N&L


AFAICT, there are not that many missing bits, but there is one more step to 
complete : check the transitive dependencies.

Running mvn dependency:tree on modules which have external dependencies should 
give the required information. Typically, on token-provider, here is what it 
gives :


MacBook-Pro:token-provider elecharny$ mvn dependency:tree
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=256M; support was removed in 8.0
[INFO] Scanning for projects...
[INFO]

[INFO]

[INFO] Building Token provider 1.0.0
[INFO]

[INFO]
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ token-provider --- 
[INFO] org.apache.kerby:token-provider:jar:1.0.0
[INFO] +- org.apache.kerby:kerb-core:jar:1.0.0:compile
[INFO] |  \- org.apache.kerby:kerby-pkix:jar:1.0.0:compile
[INFO] | +- org.apache.kerby:kerby-asn1:jar:1.0.0:compile
[INFO] | +- org.apache.kerby:kerby-util:jar:1.0.0:compile
[INFO] | \- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] +- com.nimbusds:nimbus-jose-jwt:jar:3.10:compile
[INFO] |  +- net.jcip:jcip-annotations:jar:1.0:compile
[INFO] |  +- net.minidev:json-smart:jar:1.3.1:compile
[INFO] |  +- org.bouncycastle:bcprov-jdk15on:jar:1.52:compile
[INFO] |  \- commons-io:commons-io:jar:2.4:compile
[INFO] +- junit:junit:jar:4.12:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] \- org.assertj:assertj-core:jar:2.6.0:test
[INFO]

[INFO] BUILD SUCCESS
[INFO]

[INFO] Total time: 1.527 s
[INFO] Finished at: 2017-05-08T06:14:52+02:00
[INFO] Final Memory: 15M/247M
[INFO]

RE: Questions about the release

2017-05-07 Thread Li, Jiajia
Hi Emmanuel,

Thanks very much for listing out the dependencies of each module, I will add 
the N&L based on your work.

Thanks
Jiajia

-Original Message-
From: Emmanuel Lécharny [mailto:elecha...@gmail.com] 
Sent: Monday, May 8, 2017 12:18 PM
To: kerby@directory.apache.org
Subject: Questions about the release

Hi guys,


I have checked all the modules, and their dependencies. Here is the result :


kerby-all -> test[junit, assertj-core] : OK, no N&L, test

 |

 +-- kerby-common -> [commons.io] : OK, no N&L, Apache
 +-- kerby-pkix -> [slf4j-api], test[slf4j-simple, mockito-core] : Need to add 
the slf4j N&L
 +-- kerby-kerb

 ||

 |+-- kerb-core -> OK

 |+-- kerb-common -> [commons.io] : OK, no N&L, Apache
 |+-- kerb-util -> test[mockito-core] : OK, no N&L, test
 |+-- kerb-crypto -> OK
 |+-- kerb-identity -> OK
 |+-- kerb-identity-test -> test, no N&L
 |+-- kerb-client -> test[mockito-core]: OK, no N&L, test
 |+-- kerb-server -> test[slf4j-simple]: OK, no N&L, test
 |+-- kerb-kdc-test -> test, no N&L
 |+-- integration-test -> test, no N&L
 |+-- kerb-admin -> OK
 |+-- kerb-admin-server -> OK
 |+-- kerb-simplekdc -> OK
 |+-- kerb-client-api-all -> OK
 |+-- kerb-server-api-all -> OK
 +-- kerby-kdc -> [netty-transport, netty-handler, netty-common, netty-codec, 
netty-buffer, slf4j-api] : Need to add the slf4j N&L, add the netty's NOTICE 
file

 +-- kerby-tool

 ||

 |+-- client-tool -> OK
 |+-- kdc-tool -> OK

 +-- kerby-kdc-test  -> test, no N&L
 +-- kerby-backend

 ||

 |+-- ldap-backend -> test[slf4j-simple], OK, no N&L, test
 |+-- mavibot-backend -> test[slf4j-simple], OK, no N&L, test
 |+-- json-backend -> [com.google.code.gson], test[slf4j-simple] :
Check the google gson N&L files.
 |+-- zookeeper-backend-> OK

 +-- kerby-dist

 ||

 |+-- kdc-dist -> [netty, gson, slf4j-api, slf4j-log4j12] : Check
the google gson N&L files. need to add the slf4j N&L, add the netty's NOTICE 
file
 |+-- tool-dist-> [slf4j-api, slf4j-log4j12] : Need to add the slf4j N&L

 +-- benchmark -> benchmarks, no N&L
 +-- kerby-provider

  |

  +- token-provider -> [nimbus-jose-jwt] -> check the nimbus-jose-jwt N&L


AFAICT, there are not that many missing bits, but there is one more step to 
complete : check the transitive dependencies.

Running mvn dependency:tree on modules which have external dependencies should 
give the required information. Typically, on token-provider, here is what it 
gives :


MacBook-Pro:token-provider elecharny$ mvn dependency:tree
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=256M; support was removed in 8.0
[INFO] Scanning for projects...
[INFO]

[INFO]

[INFO] Building Token provider 1.0.0
[INFO]

[INFO]
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ token-provider --- 
[INFO] org.apache.kerby:token-provider:jar:1.0.0
[INFO] +- org.apache.kerby:kerb-core:jar:1.0.0:compile
[INFO] |  \- org.apache.kerby:kerby-pkix:jar:1.0.0:compile
[INFO] | +- org.apache.kerby:kerby-asn1:jar:1.0.0:compile
[INFO] | +- org.apache.kerby:kerby-util:jar:1.0.0:compile
[INFO] | \- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] +- com.nimbusds:nimbus-jose-jwt:jar:3.10:compile
[INFO] |  +- net.jcip:jcip-annotations:jar:1.0:compile
[INFO] |  +- net.minidev:json-smart:jar:1.3.1:compile
[INFO] |  +- org.bouncycastle:bcprov-jdk15on:jar:1.52:compile
[INFO] |  \- commons-io:commons-io:jar:2.4:compile
[INFO] +- junit:junit:jar:4.12:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] \- org.assertj:assertj-core:jar:2.6.0:test
[INFO]

[INFO] BUILD SUCCESS
[INFO]

[INFO] Total time: 1.527 s
[INFO] Finished at: 2017-05-08T06:14:52+02:00
[INFO] Final Memory: 15M/247M
[INFO]



As we can see, nimbus-jose-jwt has itself some dependencies that require some 
N&L (potentially, that has to be checked) :
jcip-annotations, json-smart and bcprov-jdk15on. If nimbus-jose-jwt has done 
its job properly, its N&L files should already contain the required bits, but 
we must check.


This task has to be run on all the modules that have non-Apache and non-test 
dependencies...


--
Emmanuel Lecharny

Symas.com
directory.apache.org
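As an added example of the transitive-dependency pass described above (not Kerby tooling or any poster's code), the Python below parses mvn dependency:tree output, ignores test-scope entries and the project's own modules, and lists the bundled third-party artifacts whose N&L still has to be checked. The sample tree is the token-provider output quoted in the thread; the allowlist of Apache-licensed groups is an assumption for illustration and must be maintained by hand after checking each project's real license.

```python
"""Flag compile-scope third-party dependencies in `mvn dependency:tree` output.

Added example, not Kerby tooling. It mechanises the rule from the thread:
test-only dependencies and our own modules need no N&L entry; everything
else that ends up bundled has to be checked for LICENSE and NOTICE bits.
"""
import re
from typing import List, NamedTuple

# Assumption for illustration: groups known to ship under the Apache License
# 2.0, so they need no extra LICENSE entry (commons-io is called "OK, Apache"
# in the thread). Extend only after checking the actual license of each project.
APACHE_LICENSED_GROUPS = ("org.apache.", "commons-io")
PROJECT_GROUP = "org.apache.kerby"     # our own modules are not third-party
SCOPES_TO_CHECK = {"compile", "runtime"}  # scopes that end up in a dist

# Tree lines look like "[INFO] |  +- net.minidev:json-smart:jar:1.3.1:compile"
LINE_RE = re.compile(
    r"^\[INFO\]\s+[|+\\ \-]*\s*(?P<coords>[\w.\-]+(?::[\w.\-]+){3,5})$")


class Dep(NamedTuple):
    group: str
    artifact: str
    version: str
    scope: str

    @property
    def coords(self) -> str:
        return f"{self.group}:{self.artifact}:{self.version}"


def parse_tree(output: str) -> List[Dep]:
    """Extract every dependency line; the root module (no scope) is skipped."""
    deps = []
    for line in output.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        parts = m.group("coords").split(":")
        # group:artifact:type[:classifier]:version:scope
        if len(parts) < 5:
            continue
        deps.append(Dep(parts[0], parts[1], parts[-2], parts[-1]))
    return deps


def needs_license_review(dep: Dep) -> bool:
    """True when the artifact is bundled and not known to be Apache-licensed."""
    if dep.scope not in SCOPES_TO_CHECK:
        return False  # test-only dependencies are never bundled
    if dep.group == PROJECT_GROUP:
        return False  # our own modules
    return not dep.group.startswith(APACHE_LICENSED_GROUPS)


def review_candidates(output: str) -> List[str]:
    """Coordinates of bundled third-party artifacts whose N&L must be checked."""
    seen, out = set(), []
    for dep in parse_tree(output):
        if needs_license_review(dep) and dep.coords not in seen:
            seen.add(dep.coords)
            out.append(dep.coords)
    return out


# Sample input: the token-provider tree quoted in the thread.
SAMPLE_TREE = r"""
[INFO] org.apache.kerby:token-provider:jar:1.0.0
[INFO] +- org.apache.kerby:kerb-core:jar:1.0.0:compile
[INFO] |  \- org.apache.kerby:kerby-pkix:jar:1.0.0:compile
[INFO] | +- org.apache.kerby:kerby-asn1:jar:1.0.0:compile
[INFO] | +- org.apache.kerby:kerby-util:jar:1.0.0:compile
[INFO] | \- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] +- com.nimbusds:nimbus-jose-jwt:jar:3.10:compile
[INFO] |  +- net.jcip:jcip-annotations:jar:1.0:compile
[INFO] |  +- net.minidev:json-smart:jar:1.3.1:compile
[INFO] |  +- org.bouncycastle:bcprov-jdk15on:jar:1.52:compile
[INFO] |  \- commons-io:commons-io:jar:2.4:compile
[INFO] +- junit:junit:jar:4.12:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] \- org.assertj:assertj-core:jar:2.6.0:test
"""

if __name__ == "__main__":
    for coords in review_candidates(SAMPLE_TREE):
        print("check N&L for", coords)
```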



RE: [VOTE] - Release Apache Kerby 1.0.0

2017-05-07 Thread Li, Jiajia
>>>At this point, I don't know what we package : there is a kerby-dist 
>>>sub-project, which supposedly generates the packages, but it's hard to 
>>>tell what is inside, without looking to the maven pom files and assembly 
>>>files. I'd like that to be explicit somewhere for people to check 
>>>easily the validity of the packages...

As Stefan said, we only distribute the source for Kerby. If people want to run 
the shell scripts (start-kdc.sh, kadmin.sh, kinit.sh, klist.sh...), they should download 
the distributed source code and run "mvn clean package -Pdist"; after that, 
the kerby-dist module will copy the dependencies to 
kerby-dist/kdc-dist/target/lib and kerby-dist/tool-dist/target/lib.

Thanks
Jiajia

-Original Message-
From: Emmanuel Lécharny [mailto:elecha...@gmail.com] 
Sent: Sunday, May 7, 2017 11:12 PM
To: kerby@directory.apache.org
Subject: Re: [VOTE] - Release Apache Kerby 1.0.0



Le 07/05/2017 à 13:08, Stefan Seelmann a écrit :
> On 05/06/2017 09:53 PM, Emmanuel Lécharny wrote:
>> but I can't cast a +1 : the N&L are lacking some required external 
>> licenses (MIT for mockito, qos.ch for slf4j, BSD for hamcrest, ASM 
>> is BSD, and bytebuddy depends on it, Junit is ECL, Netty has a NOTICE 
>> file that must be included - see
>> https://github.com/netty/netty/blob/4.1/NOTICE.txt - , and has *many* 
>> dependencies on other products, that must be listed if used - see
>> https://github.com/netty/netty/tree/4.1/license - )
> I don't think we have to list all those licenses. As far as I see for 
> Kerby we only distribute the source (which is ASLv2 only) and the JARs.
> We don't distribute any artifact that bundles any third-party 
> dependency. [1] clearly states: "Dependencies which are not included 
> in the distribution MUST NOT be added to LICENSE and NOTICE. As far as 
> LICENSE and NOTICE are concerned, only bundled bits matter."
>
> But maybe I'm wrong and Maven dependencies count as "bundled"?
It depends.

First of all, we *must* have different N&L files if we distribute sources on 
one side and a binary package on another side. This is typically what we do with 
apacheDS : we have the source tar.gz and a binary (the installers). As they 
embed different components, they have different N&L files. For instance, the 
installers-maven-plugin/src/main/resources/org/apache/directory/server/installers/LICENSE
file contains the antlr license while the root LICENSE file does not :
it makes total sense because we don't have any generated antlr file in the 
source, while we have many in the installers.

All in all, this is the logic to follow :

* if a library is present in the package, and if its LICENSE is not AL 2.0, 
then add the LICENSE file in the package
* if a library is present in the package, and if there is a NOTICE file for 
this lib then it must be added in the package
* of course, we don't support any non-AL 2.0 compatible bundle (GPL/LGPL aren't 
accepted licenses)

There are specific cases : everything that is required to build the sources, 
and that will not generate files (à la antlr) doesn't need to get its N&L 
added. Same thing for the tests.

One more thing : we *may* distribute source only, but at some point, people 
will build it and embed the result in their product. It's fine if our source 
package does not include any N&L from bundles that are referenced by maven 
dependencies, as we don't bundle those dependencies in the resulting source tar 
gz. But at some point, people *will* consume a library, generated *from* the 
sources, and this library may contain external dependencies : at this point, 
this library *MUST* contain all the required N&L.

At this point, I don't know what we package : there is a kerby-dist 
sub-project, which supposedly generates the packages, but it's hard to tell what 
is inside, without looking to the maven pom files and assembly files. I'd like 
that to be explicit somewhere for people to check easily the validity of the 
packages...


--
Emmanuel Lecharny

Symas.com
directory.apache.org



RE: [VOTE] - Release Apache Kerby 1.0.0

2017-05-06 Thread Li, Jiajia
Thanks Emmanuel for pointing out this license issue. I've added the licenses in 
NOTICE, LICENSE and the licenses folder, could you take some time to check?

Thanks
Jiajia

-Original Message-
From: Emmanuel Lécharny [mailto:elecha...@gmail.com] 
Sent: Sunday, May 7, 2017 3:53 AM
To: kerby@directory.apache.org
Subject: Re: [VOTE] - Release Apache Kerby 1.0.0

Built from source,

Built from tag,

signature checked


but I can't cast a +1 : the N&L are lacking some required external licenses (MIT 
for mockito, qos.ch for slf4j, BSD for hamcrest, ASM is BSD, and bytebuddy 
depends on it, Junit is ECL, Netty has a NOTICE file that must be included - see
https://github.com/netty/netty/blob/4.1/NOTICE.txt - , and has *many* 
dependencies on other products, that must be listed if used - see
https://github.com/netty/netty/tree/4.1/license - )


Also note that some parts of netty are using some GPL dependencies, which is 
incompatible with AL 2.0. It's mandatory to check if those dependencies are 
used or not in Kerby (jboss-marshalling).


So I have to cast a -1 at this point :-/



Le 05/05/2017 à 15:40, Colm O hEigeartaigh a écrit :
> This is a vote to release Apache Kerby 1.0.0. We have had two 1.0.0 
> RCs going back to 2015, and we have fixed enough issues to get a final 
> release out.
>
> Maven Artifacts:
>
> https://repository.apache.org/content/repositories/orgapachedirectory-
> 1124/
>
> In particular, the source release:
>
> https://repository.apache.org/content/repositories/orgapachedirectory-
> 1124/org/apache/kerby/kerby-all/1.0.0/
>
> Git tag:
>
> https://git-wip-us.apache.org/repos/asf?p=directory-kerby.git;a=commit
> ;h=c51bdb8bd1e451caeadaebc72ce294cdaec5c4a1
>
> Issues fixed:
>
> https://issues.apache.org/jira/browse/DIRKRB/fixforversion/12332775
>
> +1 from me.
>
> Colm.
>
>

--
Emmanuel Lecharny

Symas.com
directory.apache.org



RE: MIT Kerberos compatibility

2017-05-05 Thread Li, Jiajia
I have tested the new improvement committed by Kai, without exceptions or 
errors on my side.

Thanks
Jiajia

-Original Message-
From: Zheng, Kai [mailto:kai.zh...@intel.com] 
Sent: Saturday, May 6, 2017 9:01 AM
To: kerby@directory.apache.org; cohei...@apache.org
Subject: Re: MIT Kerberos compatibility

I haven't repeated the issue but revisited the codes again and made 
improvements. Would you check it out? Thanks!

Sent from iPhone

> On May 6, 2017, at 6:28 AM, Zheng, Kai wrote:
> 
> Thanks colm for the clarification and it sounds an issue we need to address. 
> I will investigate it soon.
> 
> Sent from iPhone
> 
>> On May 6, 2017, at 2:14 AM, Colm O hEigeartaigh wrote:
>> 
>> Hi Kai,
>> 
>> If I enable UDP with the default Transport, I can get a ticket fine 
>> using kinit. However then the following error pops up in the window 
>> I'm running Kerby in (as a test):
>> 
>> Exception in thread "Thread-1" java.lang.RuntimeException: Error 
>> occured while checking udp connections
>>   at
>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(KdcNetwork.java:105)
>>   at
>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.access$000(KdcNetwork.java:39)
>>   at
>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.run(KdcNetwork.java:75)
>>   at java.lang.Thread.run(Thread.java:748)
>> Caused by: java.nio.channels.ClosedChannelException
>>   at
>> sun.nio.ch.DatagramChannelImpl.ensureOpen(DatagramChannelImpl.java:320)
>>   at sun.nio.ch.DatagramChannelImpl.receive(DatagramChannelImpl.java:331)
>>   at
>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.checkUdpMessage(KdcNetwork.java:132)
>>   at
>> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(KdcNetwork.ja
>> va:101)
>> 
>> Colm.
>> 
>> 
>>> On Fri, May 5, 2017 at 5:56 PM, Zheng, Kai wrote:
>>> 
>>> Colm, did you see udp problem now instead? I'm a little confused. 
>>> Udp is sure supported but may not be enabled by default, which 
>>> should be okay, imo. Thanks.
>>> 
>>> Sent from iPhone
>>> 
>>>> On May 6, 2017, at 12:02 AM, Colm O hEigeartaigh wrote:
>>>> 
>>>> That's probably it. Why does the default transport not support UDP 
>>>> in
>>> Kerby?
>>>> 
>>>> Colm.
>>>> 
>>>>> On Fri, May 5, 2017 at 4:54 PM, Li, Jiajia wrote:
>>>>> 
>>>>> Are you sure you added kdc_allow_udp = false in kdc.conf?
>>>>> 
>>>>> Thanks
>>>>> Jiajia
>>>>> 
>>>>> -Original Message-
>>>>> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
>>>>> Sent: Friday, May 5, 2017 11:41 PM
>>>>> To: Li, Jiajia 
>>>>> Cc: kerby@directory.apache.org; Zheng, Kai ;
>>> mailto:
>>>>> m.c.delig...@xs4all.nl 
>>>>> Subject: Re: MIT Kerberos compatibility
>>>>> 
>>>>> Sorry, it was my error, UDP was actually enabled there. But why am 
>>>>> I
>>> still
>>>>> seeing that error message?
>>>>> 
>>>>> Colm.
>>>>> 
>>>>>> On Fri, May 5, 2017 at 4:39 PM, Li, Jiajia wrote:
>>>>>> 
>>>>>> Hi Colm,
>>>>>> I also tested the Kerby KDC with kerby kinit and MIT kinit, only 
>>>>>> listening on the tcp port (udp disabled), and both got a ticket successfully. 
>>>>>> But I don't get the error message. Both krb.conf and kdc.conf 
>>>>>> should set udp to false; udp is enabled by default.
>>>>>> 
>>>>>> Thanks
>>>>>> Jiajia
>>>>>> 
>>>>>> -Original Message-
>>>>>> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
>>>>>> Sent: Friday, May 5, 2017 11:34 PM
>>>>>> To: kerby@directory.apache.org
>>>>>> Cc: Zheng, Kai ; 
>>>>>> mailto:m.c.delig...@xs4all.nl < m.c.delig...@xs4all.nl>
>>>>>> Subject: Re: MIT Kerberos compatibility
>>>>>> 
>>>>>> Hi Jiajia,
>>>>>> 
>>>>>> If UDP is disabled and we don't use Netty, I can get a token 
>>>>>> successfully via kinit. However I then see an error message in 
>>>>>> the
>>> Kerby
>>>>> console:
>>>>>> 
>>>>>> Exception in thread &quo

RE: MIT Kerberos compatibility

2017-05-05 Thread Li, Jiajia
I think it contains the service ticket for test-service. Here is the log:
klist
Credentials cache: FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
Principal: dran...@test.com
2017-05-06T07:59:44 set-error: -1765328243: Did not find credential for 
krb5_ccache_conf_data/FriendlyName@X-CACHECONF: in cache 
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc

  IssuedExpires   Principal
May  6 07:57:58 2017  May  6 17:57:45 2017  krbtgt/test@test.com
May  6 07:59:40 2017  May  7 07:59:40 2017  test-service/localh...@test.com

Thanks
Jiajia
-Original Message-
From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl] 
Sent: Saturday, May 6, 2017 4:13 AM
To: Li, Jiajia 
Cc: kerby@directory.apache.org
Subject: Re: MIT Kerberos compatibility

Hi Jiajia,

Thanks for the netty config option. This indeed helped to get rid of the udp 
errors, but did not help in getting the service ticket (final error message 
remains the same).

I also noticed that I get the same error from the python console whether I 
specify the right service name or some service name for which no service 
principal exists in the TestKdc.

I did not succeed in getting mvn test to print the debug logging of the various 
kdc classes involved.

Did you check with klist whether drankye's credential cache contains the 
service ticket for test-service?

Cheers, Marc


Op 04-05-17 om 14:55 schreef Li, Jiajia:
> Hi Marc,
> I tried to run your test (by applying your patch on the trunk), and I think 
> it succeeds now.  Could you take some time to check it?
> Here is the log:
>
> directory-kerby git:(trunk) ✗ . 
> kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/
> server/MitIssueTest.sh
> kerberos.authGSSClientInit successful
> 2017-05-04T20:44:06 set-error: -1765328234: entypes not supported
> 2017-05-04T20:44:06 set-error: -1765328243: Did not find credential 
> for krb5_ccache_conf_data/realm-config@X-CACHECONF: in cache 
> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> 2017-05-04T20:44:06 set-error: -1765328243: Did not find credential 
> for test-service/localh...@test.com in cache 
> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> 2017-05-04T20:44:06 set-error: -1765328243: Did not find credential 
> for 
> krb5_ccache_conf_data/negative-cache/test-service\134/localhost\134@TE
> ST.COM@X-CACHECONF: in cache 
> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> 2017-05-04T20:44:06 set-error: -1765328243: Did not find credential 
> for krb5_ccache_conf_data/lkdc-hostname@X-CACHECONF: in cache 
> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> 2017-05-04T20:44:06 set-error: -1765328243: Did not find credential 
> for krb5_ccache_conf_data/sitename@X-CACHECONF: in cache 
> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> 2017-05-04T20:44:06 set-error: -1765328243: Did not find credential 
> for test-service/localh...@test.com in cache 
> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> 2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
> des-cbc-md5-deprecated not supported
> 2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
> des-cbc-md4-deprecated not supported
> 2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
> des-cbc-crc-deprecated not supported
> 2017-05-04T20:44:06 Trying to find service kdc for realm TEST.COM 
> flags 0
> 2017-05-04T20:44:06 configuration file for realm TEST.COM found
> 2017-05-04T20:44:06 submissing new requests to new host
> 2017-05-04T20:44:06 host_create: setting hostname localhost
> 2017-05-04T20:44:06 connecting to host: udp ::1:52534 (localhost) tid: 
> 0001
> 2017-05-04T20:44:06 host_create: setting hostname localhost
> 2017-05-04T20:44:06 Queuing host in future (in 3s), its the 2 address 
> on the same name: udp 127.0.0.1:52534 (localhost) tid: 0002
> 2017-05-04T20:44:06 writing packet: udp ::1:52534 (localhost) tid: 
> 0001
> 2017-05-04T20:44:06 reading packet: udp ::1:52534 (localhost) tid: 
> 0001
> 2017-05-04T20:44:06 host completed: udp ::1:52534 (localhost) tid: 
> 0001
> 2017-05-04T20:44:06 krb5_sendto_context TEST.COM done: 0 hosts 1 
> packets 1 wc: 0.048927 nr: 0.000932 kh: 0.000814 tid: 0002
> 2017-05-04T20:44:06 tkt: extract key 17/763641F3
> 2017-05-04T20:44:06 set-error: -1765328353: Decrypt integrity check 
> failed for checksum type hmac-sha1-96-aes128, key type 
> aes128-cts-hmac-sha1-96
> 2017-05-04T20:44:06 tkt: extract key 17/3084A95C
> 2017-05-04T20:44:06 krb5_get_credentials_with_flags: TEST.COM wc: 
> 0.050317
> 2017-05-04T20:44:06 set-error: -1765328243: Did not find credential 
> for krb5_ccache_conf_data/realm-config@X-CACHECONF: in cache 
> FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
> 2017-05-04T20:44:06 set-err

RE: MIT Kerberos compatibility

2017-05-05 Thread Li, Jiajia
Are you sure you added kdc_allow_udp = false in kdc.conf?

Thanks
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Friday, May 5, 2017 11:41 PM
To: Li, Jiajia 
Cc: kerby@directory.apache.org; Zheng, Kai ; 
mailto:m.c.delig...@xs4all.nl 
Subject: Re: MIT Kerberos compatibility

Sorry, it was my error, UDP was actually enabled there. But why am I still 
seeing that error message?

Colm.

On Fri, May 5, 2017 at 4:39 PM, Li, Jiajia wrote:

> Hi Colm,
> I also tested the Kerby KDC with kerby kinit and MIT kinit, only 
> listening on the tcp port (udp disabled), and both got a ticket successfully. But I 
> don't get the error message. Both krb.conf and kdc.conf should set udp 
> to false; udp is enabled by default.
>
> Thanks
> Jiajia
>
> -Original Message-
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Friday, May 5, 2017 11:34 PM
> To: kerby@directory.apache.org
> Cc: Zheng, Kai ; mailto:m.c.delig...@xs4all.nl < 
> m.c.delig...@xs4all.nl>
> Subject: Re: MIT Kerberos compatibility
>
> Hi Jiajia,
>
> If UDP is disabled and we don't use Netty, I can get a token 
> successfully via kinit. However I then see an error message in the Kerby 
> console:
>
> Exception in thread "Thread-1" java.lang.RuntimeException: Error 
> occured while checking udp connections
> at
> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
> KdcNetwork.java:105)
> at
> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
> access$000(KdcNetwork.java:39)
> at
> org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.
> run(KdcNetwork.java:75)
> at java.lang.Thread.run(Thread.java:748)
> Caused by: java.nio.channels.ClosedChannelException
> at
> sun.nio.ch.DatagramChannelImpl.ensureOpen(DatagramChannelImpl.java:320)
> at sun.nio.ch.DatagramChannelImpl.receive(
> DatagramChannelImpl.java:331)
> at
> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.
> checkUdpMessage(KdcNetwork.java:132)
> at
> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(
> KdcNetwork.java:101)
>
> I'm not sure why we are seeing UDP errors when it's disabled?
>
> Colm.
>
> On Fri, May 5, 2017 at 3:57 PM, Li, Jiajia wrote:
>
> > Hi Colm,
> > The shell client can't connect to the kdc if UDP is disabled.
> > We don't use Netty by default.
> > What's your test-cases? The same as the Marc's?
> >
> > Thanks
> > Jiajia
> >
> > -Original Message-
> > From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> > Sent: Friday, May 5, 2017 10:09 PM
> > To: kerby@directory.apache.org
> > Cc: Zheng, Kai ; mailto:m.c.delig...@xs4all.nl 
> > < m.c.delig...@xs4all.nl>
> > Subject: Re: MIT Kerberos compatibility
> >
> > Hi Jiajia,
> >
> > What are the issues if UDP is disabled and we don't use Netty? I 
> > tried doing this with my own test-cases and it didn't work, so it 
> > would be good to get this fixed soon.
> >
> > Colm.
> >
> > On Fri, May 5, 2017 at 2:46 PM, Li, Jiajia wrote:
> >
> > > Hi Marc,
> > > >>> - your KRB5 tracing looks quite different. What OS and 
> > > >>> mit-kerberos
> > > version did you use?
> > > I use mac os and the python version is 2.7.10
> > >
> > > >>>- your KRB5 tracing shows UDP comms between kerberos client and 
> > > >>>KDC,
> > > despite the allowUDP = false setting
> > > >>> in my test. I did this setting because I get different 
> > > >>> problems
> > > without it, see the additional logs below. So,
> > > >>>we must also be aware of networking problems at my side.
> > > I enable the UDP and use netty network, there are some issues if 
> > > UDP disabled, you can create a JIRA for this and we can fix this 
> > > issue in the next release version.
> > >
> > > The changes on my side are as follows:
> > >
> > >     // let the test KDC listen on UDP as well as TCP
> > >     protected boolean allowUdp() {
> > >         return true;
> > >     }
> > >
> > >     // swap in the Netty-based KDC transport before the server starts
> > >     @Override
> > >     protected void prepareKdc() throws KrbException {
> > >         getKdcServer().setInnerKdcImpl(
> > >                 new NettyKdcServerImpl(getKdcServer().getKdcSetting()));
> > >         super.prepareKdc();
> > >     }
> > >
> > > Here is log of MitIssueTest:
> > > [INFO] Running org.apache.kerby.kerberos.kerb.server.MitIssueTest
> > > [nioEventLoopGroup-2-1] INFO 
> > > io.netty.handler.logging.LoggingHandler
> > > -
> >

RE: MIT Kerberos compatibility

2017-05-05 Thread Li, Jiajia
Hi Colm,
I also tested the Kerby KDC with Kerby kinit and MIT kinit, listening only on 
the TCP port (UDP disabled); both got a ticket successfully. But I don't get the 
error message. Both krb5.conf and kdc.conf should set udp to false; udp is 
enabled by default.

Thanks
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Friday, May 5, 2017 11:34 PM
To: kerby@directory.apache.org
Cc: Zheng, Kai ; mailto:m.c.delig...@xs4all.nl 

Subject: Re: MIT Kerberos compatibility

Hi Jiajia,

If UDP is disabled and we don't use Netty, I can get a token successfully via 
kinit. However I then see an error message in the Kerby console:

Exception in thread "Thread-1" java.lang.RuntimeException: Error occured while 
checking udp connections
at
org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(KdcNetwork.java:105)
at
org.apache.kerby.kerberos.kerb.transport.KdcNetwork.access$000(KdcNetwork.java:39)
at
org.apache.kerby.kerberos.kerb.transport.KdcNetwork$1.run(KdcNetwork.java:75)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.nio.channels.ClosedChannelException
at
sun.nio.ch.DatagramChannelImpl.ensureOpen(DatagramChannelImpl.java:320)
at sun.nio.ch.DatagramChannelImpl.receive(DatagramChannelImpl.java:331)
at
org.apache.kerby.kerberos.kerb.transport.KdcNetwork.checkUdpMessage(KdcNetwork.java:132)
at
org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run(KdcNetwork.java:101)

I'm not sure why we are seeing UDP errors when it's disabled?

Colm.

On Fri, May 5, 2017 at 3:57 PM, Li, Jiajia  wrote:

> Hi Colm,
> The shell client can't connect to the KDC if UDP is disabled.
> We don't use Netty by default.
> What are your test cases? The same as Marc's?
>
> Thanks
> Jiajia
>
> -Original Message-
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Friday, May 5, 2017 10:09 PM
> To: kerby@directory.apache.org
> Cc: Zheng, Kai ; mailto:m.c.delig...@xs4all.nl < 
> m.c.delig...@xs4all.nl>
> Subject: Re: MIT Kerberos compatibility
>
> Hi Jiajia,
>
> What are the issues if UDP is disabled and we don't use Netty? I tried 
> doing this with my own test-cases and it didn't work, so it would be 
> good to get this fixed soon.
>
> Colm.
>
> On Fri, May 5, 2017 at 2:46 PM, Li, Jiajia  wrote:
>
> > Hi Marc,
> > >>> - your KRB5 tracing looks quite different. What OS and mit-kerberos
> > >>> version did you use?
> > I use macOS and the Python version is 2.7.10
> >
> > >>> - your KRB5 tracing shows UDP comms between kerberos client and KDC,
> > >>> despite the allowUDP = false setting in my test. I did this setting
> > >>> because I get different problems without it, see the additional logs
> > >>> below. So, we must also be aware of networking problems at my side.
> > I enabled UDP and used the Netty network; there are some issues if UDP is
> > disabled. You can create a JIRA for this and we can fix this issue in the
> > next release version.
> >
> > The changes on my side are as follows:
> >
> >     // let the test KDC listen on UDP as well as TCP
> >     protected boolean allowUdp() {
> >         return true;
> >     }
> >
> >     // swap in the Netty-based KDC transport before the server starts
> >     @Override
> >     protected void prepareKdc() throws KrbException {
> >         getKdcServer().setInnerKdcImpl(
> >                 new NettyKdcServerImpl(getKdcServer().getKdcSetting()));
> >         super.prepareKdc();
> >     }
> >
> > Here is log of MitIssueTest:
> > [INFO] Running org.apache.kerby.kerberos.kerb.server.MitIssueTest
> > [nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler 
> > -
> > [id: 0x2634fe6b] REGISTERED
> > [nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler 
> > -
> > [id: 0x2634fe6b] BIND(0.0.0.0/0.0.0.0:53957) [nioEventLoopGroup-2-1] 
> > INFO io.netty.handler.logging.LoggingHandler -
> > [id: 0x2634fe6b, /0:0:0:0:0:0:0:0:53957] ACTIVE [main] INFO 
> > org.apache.kerby.kerberos.kdc.impl.NettyKdcServerImpl - Netty kdc 
> > server started.
> > [nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler 
> > -
> > [id: 0x2634fe6b, /0:0:0:0:0:0:0:0:53957] RECEIVED: [id: 0xdac7228b, 
> > /
> > 127.0.0.1:53961 => /127.0.0.1:53957] [defaultEventExecutorGroup-4-1] 
> > INFO org.apache.kerby.kerberos.kerb.server.request.AsRequest
> > - AS_REQ ISSUE: authtime 1493991123792,dran...@test.com for krbtgt/ 
> > test@test.com [main] INFO 
> > org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClient
> > - Send to kdc success.
> > [main] INFO org.apache.kerby.kerberos.kerb.client.KrbClientBase - 
> > Storing the tgt to the c

RE: MIT Kerberos compatibility

2017-05-05 Thread Li, Jiajia
Hi Colm,
The shell client can't connect to the KDC if UDP is disabled.
We don't use Netty by default.
What are your test cases? The same as Marc's?

Thanks
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Friday, May 5, 2017 10:09 PM
To: kerby@directory.apache.org
Cc: Zheng, Kai ; mailto:m.c.delig...@xs4all.nl 

Subject: Re: MIT Kerberos compatibility

Hi Jiajia,

What are the issues if UDP is disabled and we don't use Netty? I tried doing 
this with my own test-cases and it didn't work, so it would be good to get this 
fixed soon.

Colm.

On Fri, May 5, 2017 at 2:46 PM, Li, Jiajia  wrote:

> Hi Marc,
> >>> - your KRB5 tracing looks quite different. What OS and mit-kerberos
> >>> version did you use?
> I use macOS and the Python version is 2.7.10
>
> >>> - your KRB5 tracing shows UDP comms between kerberos client and KDC,
> >>> despite the allowUDP = false setting in my test. I did this setting
> >>> because I get different problems without it, see the additional logs
> >>> below. So, we must also be aware of networking problems at my side.
> I enabled UDP and used the Netty network; there are some issues if UDP is
> disabled. You can create a JIRA for this and we can fix this issue in the
> next release version.
>
> The changes on my side are as follows:
>
>     // let the test KDC listen on UDP as well as TCP
>     protected boolean allowUdp() {
>         return true;
>     }
>
>     // swap in the Netty-based KDC transport before the server starts
>     @Override
>     protected void prepareKdc() throws KrbException {
>         getKdcServer().setInnerKdcImpl(
>                 new NettyKdcServerImpl(getKdcServer().getKdcSetting()));
>         super.prepareKdc();
>     }
>
> Here is log of MitIssueTest:
> [INFO] Running org.apache.kerby.kerberos.kerb.server.MitIssueTest
> [nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler -
> [id: 0x2634fe6b] REGISTERED
> [nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler -
> [id: 0x2634fe6b] BIND(0.0.0.0/0.0.0.0:53957) [nioEventLoopGroup-2-1] 
> INFO io.netty.handler.logging.LoggingHandler -
> [id: 0x2634fe6b, /0:0:0:0:0:0:0:0:53957] ACTIVE [main] INFO 
> org.apache.kerby.kerberos.kdc.impl.NettyKdcServerImpl - Netty kdc 
> server started.
> [nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler -
> [id: 0x2634fe6b, /0:0:0:0:0:0:0:0:53957] RECEIVED: [id: 0xdac7228b, /
> 127.0.0.1:53961 => /127.0.0.1:53957]
> [defaultEventExecutorGroup-4-1] INFO 
> org.apache.kerby.kerberos.kerb.server.request.AsRequest
> - AS_REQ ISSUE: authtime 1493991123792,dran...@test.com for krbtgt/ 
> test@test.com [main] INFO 
> org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClient
> - Send to kdc success.
> [main] INFO org.apache.kerby.kerberos.kerb.client.KrbClientBase - 
> Storing the tgt to the credential cache file.
> [nioEventLoopGroup-5-1] INFO 
> org.apache.kerby.kerberos.kerb.server.request.KdcRequest
> - The preauth data is empty.
> [nioEventLoopGroup-5-1] INFO 
> org.apache.kerby.kerberos.kerb.server.KdcHandler
> - KRB error occurred while processing request:Additional 
> pre-authentication required [nioEventLoopGroup-5-1] INFO 
> org.apache.kerby.kerberos.kerb.server.request.AsRequest
> - AS_REQ ISSUE: authtime 1493991123859,test-service/localh...@test.com
> for krbtgt/test@test.com
> [nioEventLoopGroup-5-1] INFO 
> org.apache.kerby.kerberos.kerb.server.request.TgsRequest
> - TGS_REQ ISSUE: authtime 1493991142850,drankye for test-service/ 
> localh...@test.com
>
> Thanks
> Jiajia
>
> -Original Message-
> From: Zheng, Kai
> Sent: Friday, May 5, 2017 7:46 PM
> To: kerby@directory.apache.org; Li, Jiajia 
> Subject: RE: MIT Kerberos compatibility
>
> Hi Marc,
>
> Looks like this is quite environment related, could you fire an issue 
> for this? I would suggest we target it to 1.1.0, which can be done in June.
>
> Regards,
> Kai
>
> -Original Message-
> From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl]
> Sent: Friday, May 05, 2017 4:44 PM
> To: Li, Jiajia 
> Cc: kerby@directory.apache.org
> Subject: Re: MIT Kerberos compatibility
>
> Hi Jiajia,
>
> Great to read that you made progress on this issue and to see a 
> working config at your side. Below I list my progress (with 
> trunk merged into my MitIssue branch), but I am afraid we are not done yet.
>
> Things that stand out:
>
> - the kdc decoding error is solved, relative to the logs without your 
> patch
>
> - your KRB5 tracing looks quite different. What OS and mit-kerberos 
> version did you use?
>
> - your KRB5 tracing shows UDP comms between kerberos client and KDC, 
> despite the allowUDP = false setting in my test. I did this setting 
> because I get

RE: [VOTE] - Release Apache Kerby 1.0.0

2017-05-05 Thread Li, Jiajia
+1

Thanks
Jiajia

From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Friday, May 5, 2017 9:40 PM
To: kerby@directory.apache.org; Apache Directory Developers List 

Subject: [VOTE] - Release Apache Kerby 1.0.0

This is a vote to release Apache Kerby 1.0.0. We have had two 1.0.0 RCs going 
back to 2015, and we have fixed enough issues to get a final release out.
Maven Artifacts:

https://repository.apache.org/content/repositories/orgapachedirectory-1124/
In particular, the source release:

https://repository.apache.org/content/repositories/orgapachedirectory-1124/org/apache/kerby/kerby-all/1.0.0/
Git tag:

https://git-wip-us.apache.org/repos/asf?p=directory-kerby.git;a=commit;h=c51bdb8bd1e451caeadaebc72ce294cdaec5c4a1
Issues fixed:

https://issues.apache.org/jira/browse/DIRKRB/fixforversion/12332775
+1 from me.
Colm.


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


RE: MIT Kerberos compatibility

2017-05-05 Thread Li, Jiajia
Hi Marc,
>>> - your KRB5 tracing looks quite different. What OS and mit-kerberos version 
>>> did you use?
I use macOS and the Python version is 2.7.10

>>> - your KRB5 tracing shows UDP comms between kerberos client and KDC, despite 
>>> the allowUDP = false setting in my test. I did this setting because I get 
>>> different problems without it, see the additional logs below. So, we must 
>>> also be aware of networking problems at my side.
I enabled UDP and used the Netty network; there are some issues if UDP is 
disabled. You can create a JIRA for this and we can fix this issue in the next 
release version.

The changes on my side are as follows:

    // let the test KDC listen on UDP as well as TCP
    protected boolean allowUdp() {
        return true;
    }

    // swap in the Netty-based KDC transport before the server starts
    @Override
    protected void prepareKdc() throws KrbException {
        getKdcServer().setInnerKdcImpl(
                new NettyKdcServerImpl(getKdcServer().getKdcSetting()));
        super.prepareKdc();
    }

Here is log of MitIssueTest:
[INFO] Running org.apache.kerby.kerberos.kerb.server.MitIssueTest
[nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler - [id: 
0x2634fe6b] REGISTERED
[nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler - [id: 
0x2634fe6b] BIND(0.0.0.0/0.0.0.0:53957)
[nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler - [id: 
0x2634fe6b, /0:0:0:0:0:0:0:0:53957] ACTIVE
[main] INFO org.apache.kerby.kerberos.kdc.impl.NettyKdcServerImpl - Netty kdc 
server started.
[nioEventLoopGroup-2-1] INFO io.netty.handler.logging.LoggingHandler - [id: 
0x2634fe6b, /0:0:0:0:0:0:0:0:53957] RECEIVED: [id: 0xdac7228b, /127.0.0.1:53961 
=> /127.0.0.1:53957]
[defaultEventExecutorGroup-4-1] INFO 
org.apache.kerby.kerberos.kerb.server.request.AsRequest - AS_REQ ISSUE: 
authtime 1493991123792,dran...@test.com for krbtgt/test@test.com
[main] INFO org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClient 
- Send to kdc success.
[main] INFO org.apache.kerby.kerberos.kerb.client.KrbClientBase - Storing the 
tgt to the credential cache file.
[nioEventLoopGroup-5-1] INFO 
org.apache.kerby.kerberos.kerb.server.request.KdcRequest - The preauth data is 
empty.
[nioEventLoopGroup-5-1] INFO org.apache.kerby.kerberos.kerb.server.KdcHandler - 
KRB error occurred while processing request:Additional pre-authentication 
required
[nioEventLoopGroup-5-1] INFO 
org.apache.kerby.kerberos.kerb.server.request.AsRequest - AS_REQ ISSUE: 
authtime 1493991123859,test-service/localh...@test.com for 
krbtgt/test@test.com
[nioEventLoopGroup-5-1] INFO 
org.apache.kerby.kerberos.kerb.server.request.TgsRequest - TGS_REQ ISSUE: 
authtime 1493991142850,drankye for test-service/localh...@test.com

Thanks
Jiajia

-Original Message-
From: Zheng, Kai 
Sent: Friday, May 5, 2017 7:46 PM
To: kerby@directory.apache.org; Li, Jiajia 
Subject: RE: MIT Kerberos compatibility

Hi Marc,

Looks like this is quite environment related, could you fire an issue for this? 
I would suggest we target it to 1.1.0, which can be done in June.

Regards,
Kai

-Original Message-
From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl]
Sent: Friday, May 05, 2017 4:44 PM
To: Li, Jiajia 
Cc: kerby@directory.apache.org
Subject: Re: MIT Kerberos compatibility

Hi Jiajia,

Great to read that you made progress on this issue and to see a working config 
at your side. Below I list my progress (with trunk merged into my MitIssue 
branch), but I am afraid we are not done yet.

Things that stand out:

- the kdc decoding error is solved, relative to the logs without your patch

- your KRB5 tracing looks quite different. What OS and mit-kerberos version did 
you use?

- your KRB5 tracing shows UDP comms between kerberos client and KDC, despite 
the allowUDP = false setting in my test. I did this setting because I get 
different problems without it, see the additional logs below. So, we must also 
be aware of networking problems at my side.

- the "Response was not from master KDC" msg is not relevant; it disappears if 
you manually add master_kdc to the realms section of the krb5.conf

I have no idea how to proceed from here, so that is why I just document the 
status at my side and ask about your - apparently working - config.

Cheers,   Marc


KDC logging with allowUDP = false:

[INFO] Running org.apache.kerby.kerberos.kerb.server.MitIssueTest
[pool-1-thread-1] INFO
org.apache.kerby.kerberos.kerb.server.request.AsRequest - AS_REQ ISSUE: 
authtime 1493970789075,dran...@test.com for krbtgt/test@test.com [main] 
INFO org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClient - Send 
to kdc success.
[main] INFO org.apache.kerby.kerberos.kerb.client.KrbClientBase - Storing the 
tgt to the credential cache file.
[pool-1-thread-1] INFO
org.apache.kerby.kerberos.kerb.server.request.KdcRequest - The preauth data is 
empty.
[pool-1-thread-1] INFO org.apache.kerby.kerberos.kerb.server.KdcHandler
- KRB error occurred while proce

RE: Backend modules skipped?

2017-05-05 Thread Li, Jiajia
Hi Colm,
Sorry about that, I skipped the backends build in my own repo and mistakenly 
committed it to trunk; I will revert it soon.

Thanks
Jiajia

From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Friday, May 5, 2017 5:02 PM
To: kerby@directory.apache.org; Li, Jiajia 
Subject: Backend modules skipped?

Hi Jiajia,
Is there a reason why the following modules are commented out?

commit 6560e6d98b3f642b628a0e50e58a917f6da7d8bf
Author: plusplusjiajia mailto:jiajia...@intel.com>>
Date:   Wed Apr 19 15:03:26 2017 +0800

Skip ldap, mavibot and zookeeper backends build.
Colm.




RE: Kerby 1.0 GA

2017-05-04 Thread Li, Jiajia
Hi Colm,

I've moved the open JIRAs to a future release. 
Our network is very bad for doing the release process, so could you take over 
the release work?
1.0.0 GA will be used in the next Hadoop release version 3.0.0-alpha3 (May 15), 
so we should finish the release before it.

Thanks
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Thursday, May 4, 2017 7:33 PM
To: Zheng, Kai 
Cc: kerby@directory.apache.org
Subject: Re: Kerby 1.0 GA

OK, I've merged a bunch of fixes and I'm now done for the 1.0.0-GA release.
I see there are still a few open JIRAs. When do you anticipate calling the vote?

Colm.

On Wed, May 3, 2017 at 1:01 PM, Colm O hEigeartaigh 
wrote:

> There are a lot of open issues (including one "in progress") for the 
> 1.0.0-GA release in JIRA:
>
> https://issues.apache.org/jira/browse/DIRKRB/fixforversion/12332775
>
> It would be a good idea to go through the issues and decide which will 
> be fixed for the GA release, and which should be moved to a future release.
>
> Colm.
>
> On Sun, Apr 30, 2017 at 1:11 AM, Zheng, Kai  wrote:
>
>> This makes sense. The GA should clean such kinds of codes.
>>
>> Regards,
>> Kai
>>
>> -Original Message-
>> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
>> Sent: Wednesday, April 26, 2017 6:38 PM
>> To: kerby@directory.apache.org
>> Subject: Re: Kerby 1.0 GA
>>
>> One improvement I'd like to see before the 1.0 GA release is to 
>> improve the exception handling. There are many examples of catch 
>> statements that just have a printStackTrace() leading to NPEs down 
>> the line. Apart from that, +1 from me on the release:
>>
>> find . -name "*.java" -path "*/main/*" | xargs grep 
>> "printStackTrace()" | wc -l
>> 30
>>
>> Colm.
>>
>> On Wed, Apr 26, 2017 at 3:31 AM, Zheng, Kai  wrote:
>>
>> > Sounds cool! Thanks Jiajia for taking this step forward.
>> >
>> > Regards,
>> > Kai
>> >
>> > -Original Message-
>> > From: Li, Jiajia [mailto:jiajia...@intel.com]
>> > Sent: Wednesday, April 26, 2017 9:54 AM
>> > To: kerby@directory.apache.org
>> > Subject: RE: Kerby 1.0 GA
>> >
> >> > Sorry for the typo.
>> >
>> > Hi all,
>> >
> >> > We are going to start the Kerby 1.0.0 GA release process.
> >> > It's been more than one year since our last release, 1.0.0-RC2; we have 
> >> > added lots of new features and bug fixes.
> >> > This release will also address some blocking issues for Hadoop, and
> >> > 1.0.0 GA will impact the next Hadoop release version 3.0.0-alpha3.
>> >
>> > Regards,
>> > Jiajia
>> >
>> > -Original Message-
>> > From: Li, Jiajia [mailto:jiajia...@intel.com]
>> > Sent: Wednesday, April 26, 2017 9:49 AM
>> > To: kerby@directory.apache.org
>> > Subject: Kerby 1.0 GA
>> >
>> > Hi all,
>> >
> >> > We are going to start the Kerby 1.0.0 GA release process.
> >> > It's been more than one year since our last release, 1.0.0-RC2; we have 
> >> > added lots of new features and bug fixes.
> >> > This release will also address some blocking issues for Hadoop, and
> >> > 1.0.0 GA will impact the next Hadoop release version 3.0.0-alpha1.
>> >
>> > Regards,
>> > Jiajia
>> >
>>
>>


RE: MIT Kerberos compatibility

2017-05-04 Thread Li, Jiajia
Hi Marc,
I tried to run your test (by applying your patch to trunk), and I think it 
succeeds now. Could you take some time to check it?
Here is the log:

directory-kerby git:(trunk) ✗ . 
kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/MitIssueTest.sh
kerberos.authGSSClientInit successful
2017-05-04T20:44:06 set-error: -1765328234: entypes not supported
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for 
krb5_ccache_conf_data/realm-config@X-CACHECONF: in cache 
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for 
test-service/localh...@test.com in cache 
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for 
krb5_ccache_conf_data/negative-cache/test-service\134/localhost\1...@test.com@X-CACHECONF:
 in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for 
krb5_ccache_conf_data/lkdc-hostname@X-CACHECONF: in cache 
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for 
krb5_ccache_conf_data/sitename@X-CACHECONF: in cache 
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for 
test-service/localh...@test.com in cache 
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-md5-deprecated not supported
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-md4-deprecated not supported
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-crc-deprecated not supported
2017-05-04T20:44:06 Trying to find service kdc for realm TEST.COM flags 0
2017-05-04T20:44:06 configuration file for realm TEST.COM found
2017-05-04T20:44:06 submissing new requests to new host
2017-05-04T20:44:06 host_create: setting hostname localhost
2017-05-04T20:44:06 connecting to host: udp ::1:52534 (localhost) tid: 0001
2017-05-04T20:44:06 host_create: setting hostname localhost
2017-05-04T20:44:06 Queuing host in future (in 3s), its the 2 address on the 
same name: udp 127.0.0.1:52534 (localhost) tid: 0002
2017-05-04T20:44:06 writing packet: udp ::1:52534 (localhost) tid: 0001
2017-05-04T20:44:06 reading packet: udp ::1:52534 (localhost) tid: 0001
2017-05-04T20:44:06 host completed: udp ::1:52534 (localhost) tid: 0001
2017-05-04T20:44:06 krb5_sendto_context TEST.COM done: 0 hosts 1 packets 1 wc: 
0.048927 nr: 0.000932 kh: 0.000814 tid: 0002
2017-05-04T20:44:06 tkt: extract key 17/763641F3
2017-05-04T20:44:06 set-error: -1765328353: Decrypt integrity check failed for 
checksum type hmac-sha1-96-aes128, key type aes128-cts-hmac-sha1-96
2017-05-04T20:44:06 tkt: extract key 17/3084A95C
2017-05-04T20:44:06 krb5_get_credentials_with_flags: TEST.COM wc: 0.050317
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for 
krb5_ccache_conf_data/realm-config@X-CACHECONF: in cache 
FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 set-error: -1765328243: Did not find credential for 
krb5_ccache_conf_data/time-offset/test-service\134/localhost\1...@test.com@X-CACHECONF:
 in cache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
2017-05-04T20:44:06 Setting up PFS for auth context
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-md5-deprecated not supported
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-md4-deprecated not supported
2017-05-04T20:44:06 set-error: -1765328234: Encryption type 
des-cbc-crc-deprecated not supported
First kerberos.authGSSClientStep successful

Thanks
Jiajia

-Original Message-
From: Zheng, Kai [mailto:kai.zh...@intel.com] 
Sent: Wednesday, May 3, 2017 7:29 PM
To: kerby@directory.apache.org
Subject: RE: MIT Kerberos compatibility

Hi Marc,

In case you're not aware of this, please check out the latest fix made by 
Jiajia. We thought your case may be different, but would be good to have a 
check before we can repeat/fix your case. Thanks.
https://issues.apache.org/jira/browse/DIRKRB-625

Regards,
Kai

-Original Message-
From: Marc de Lignie [mailto:m.c.delig...@xs4all.nl]
Sent: Sunday, April 30, 2017 7:45 PM
To: kerby@directory.apache.org
Subject: Re: MIT Kerberos compatibility

Hi Kai,

The terminal output below is for the latest MIT Kerberos 1.15.1 (locally built 
on Ubuntu Xenial). Before that, I also tested with the default Xenial MIT 
Kerberos packages (1.13.2), with the same result. I did not try earlier MIT 
Kerberos versions.

Marc

Op 29-04-17 om 21:42 schreef Marc de Lignie:
>
> Hi Kai,
>
> Thanks for the response. I prepared a minimal config that reproduces 
> my problem.
>
> You can fetch the branch/commit from:
> https://github.com/vtslab/directory-kerby/commits/MitIssue
>
> This is re

RE: Kerby 1.0 GA

2017-04-25 Thread Li, Jiajia
Sorry for the typo.

Hi all,

We are going to start the Kerby 1.0.0 GA release process. 
It's been more than one year since our last release, 1.0.0-RC2; we have added 
lots of new features and bug fixes.
This release will also address some blocking issues for Hadoop, and 1.0.0 GA 
will impact the next Hadoop release version 3.0.0-alpha3.

Regards,
Jiajia

-Original Message-
From: Li, Jiajia [mailto:jiajia...@intel.com] 
Sent: Wednesday, April 26, 2017 9:49 AM
To: kerby@directory.apache.org
Subject: Kerby 1.0 GA

Hi all,

We are going to start the Kerby 1.0.0 GA release process. 
It's been more than one year since our last release, 1.0.0-RC2; we have added 
lots of new features and bug fixes.
This release will also address some blocking issues for Hadoop, and 1.0.0 GA 
will impact the next Hadoop release version 3.0.0-alpha1.

Regards,
Jiajia


Kerby 1.0 GA

2017-04-25 Thread Li, Jiajia
Hi all,

We are going to start the Kerby 1.0.0 GA release process. 
It's been more than one year since our last release, 1.0.0-RC2; we have added 
lots of new features and bug fixes.
This release will also address some blocking issues for Hadoop, and 1.0.0 GA 
will impact the next Hadoop release version 3.0.0-alpha1.

Regards,
Jiajia


RE: Prepare for 1.0.0-RC3

2016-07-28 Thread Li, Jiajia
I agree with your point; we should add some log info for debugging in catch 
clauses.

Thanks
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Thursday, July 28, 2016 10:36 PM
To: kerby@directory.apache.org
Subject: Re: Prepare for 1.0.0-RC3

Just one more point on a 1.0.0 release. The code base could really benefit from 
a quick scan of all "catch" clauses to see what we are doing with exceptions. 
For example, the server TokenPreAuth contains the following:

    } catch (FileNotFoundException e) {
        e.printStackTrace();
    } catch (Exception e) {
        e.printStackTrace();
    }

We should either be logging exceptions properly or propagating them accordingly.

Colm.

On Wed, Jul 27, 2016 at 2:01 PM, Colm O hEigeartaigh 
wrote:

> +1 for a release. However, I believe there to be a security issue with
> anonymous pkinit as per my recent mail, so I'd like this to be 
> addressed in the release first.
>
> Colm.
>
> On Wed, Jul 27, 2016 at 10:09 AM, Emmanuel Lécharny 
> 
> wrote:
>
>> Le 27/07/16 à 10:54, Zheng, Kai a écrit :
>> > Maybe we could release this version as 1.0.0 directly? Any concern? 
>> > I
>> don't see any. We could claim the authorization feature and remote 
>> kadmin support as [EXPERIMENTAL].
>> >
>> > Sorry too busy recently and don't have bandwidth on this. Hope it 
>> > can
>> move forward anyway.
>>
>> That's really up to you! If there were no complaints with the latest 
>> RC, then, yes, delivering a 1.0 would totally make sense.
>>
>> FTR, in the past, we had a convoluted versioning pattern at 
>> Directory for projects, with numerous milestones. This was plain 
>> stupid. I really like the way Chrome and Firefox are released these 
>> days, with a quick incremental version: each new feature added 
>> deserves a separate version, with some potential minor versions for urgent 
>> bug fixes.
>>
>> But this is something you have to discuss, my friends ;-)
>>
>


RE: Anonymous PKINIT signatures

2016-07-27 Thread Li, Jiajia
Hi Colm,

When I was looking at the krb5 source code, I found the function 
cms_signeddata_verify in pkinit_crypto_openssl.c with the following comment:

    if (((si_sk = CMS_get0_SignerInfos(cms)) == NULL) ||
        ((si = sk_CMS_SignerInfo_value(si_sk, 0)) == NULL)) {
        /* Not actually signed; anonymous case */
        if (!is_signed)
            goto cleanup;

When the client parses the PA-PK-AS-REP message, it calls the 
cms_signeddata_verify function. So that is where my point came from.
But what you said makes me doubt myself; I will take some time to dig into this 
issue.

Thanks
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Wednesday, July 27, 2016 8:59 PM
To: kerby@directory.apache.org
Subject: Re: Anonymous PKINIT signatures

Hi Jiajia,

It's the client that's anonymous here, and not the KDC. This page leads me to 
believe that the KDC does in fact sign the response to the client:

http://web.mit.edu/kerberos/krb5-devel/doc/admin/pkinit.html

"For anonymous PKINIT, a KDC certificate is required, but client certificates 
are not."
"The result of this operation will be in two files, kdckey.pem and kdc.pem.
Both files must be placed in the KDC’s filesystem. kdckey.pem, which contains 
the KDC’s private key, must be carefully protected."

Colm.

On Tue, Jul 26, 2016 at 3:08 AM, Li, Jiajia  wrote:

> Hi Colm,
> >> However, the client doesn't use the certificate to verify a 
> >> signature,
> and thus proving that the KDC knows the private key associated with 
> the cert. Is this correct?
> You are right. I think in the anonymous case it is not actually signed.
> Thanks,
> Jiajia
>
>
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Friday, July 22, 2016 11:22 PM
> To: Li, Jiajia 
> Cc: kerby@directory.apache.org
> Subject: Re: Anonymous PKINIT signatures
>
> Hi Jiajia,
> So if I understand you correctly, what you are saying is that it is 
> sufficient to verify that the Subject (alternative name) of the 
> Certificate matches that of the "known principal" of the KDC? In other 
> words, the KDC is not doing any asymmetric signature, it is just 
> "presenting" the certificate to the client. The client verifies that 
> the certificate is trusted, and then verifies that the KDC principal matches 
> the certificate.
> However, the client doesn't use the certificate to verify a signature, 
> and thus proving that the KDC knows the private key associated with the cert.
> Is this correct?
> It's a bit unusual from a security POV but I think it's ok. We're 
> verifying trust in the certificate path and we're putting a hard 
> constraint on the Subject of the certificate. A malicious KDC/MITM 
> could forge a certificate, but then trust validation would fail, or 
> else get a certificate for another KDC, but then the constraint would 
> fail. So I think it's ok.
>
> Colm.
>
> On Fri, Jul 22, 2016 at 3:40 AM, Li, Jiajia  jiajia...@intel.com>> wrote:
> Hi Colm,
> >> >However, I can't see where it is signing the response with the 
> >> >private
> key associated with the KDC. This is a requirement for anonymous 
> PKINIT
>
> Yes, you are right. The "Identity" should be used in anonymous PKINIT.
> But now in the client PkinitPreauth, starting from line 393, we skip using 
> the certificateSet which is returned by the server, so now the code can't 
> verify the kdc sans, edu and so on. For example, the function 
> cryptoRetrieveX509Sans#PkinitCrypto is marked as TODO.
>
>
> Thanks
> Jiajia
>
>
> -Original Message-
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Thursday, July 21, 2016 7:27 PM
> To: kerby@directory.apache.org
> Subject: Anonymous PKINIT signatures
>
> Hi all,
>
> I'm continuing to look at anonymous PKINIT as implemented in Kerby. 
> I'm a bit puzzled by a few things relating to signatures and would 
> welcome some feedback.
>
> Looking at the server PkinitPreauth, it appears that Diffie-Hellman is 
> used to establish a shared secret key with the client. However, I 
> can't see where it is signing the response with the private key 
> associated with the KDC. This is a requirement for anonymous PKINIT, unless I 
> am mistaken?
>
> Similarly, on the client side, it's not enough just to verify trust in 
> the Certificate that's presented, it also needs to be using the 
> Certificate to verify some signed data, to make sure that the KDC 
> knows the private key associated with the Certificate...
>
> I've updated the code so that the server at least includes the "Identity"
> Certificate in the response to the client.
>
> Thanks,
>
> Colm.
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


Prepare for 1.0.0-RC3

2016-07-26 Thread Li, Jiajia

Hi all,

On March 13, the 1.0.0-RC2 of Kerby was released. We're thinking about a new Kerby
release (RC3).
From Mar 13 to Jul 27, 60 JIRA issues were resolved, including the following
important features:

1. Kerby authorization support. Gerard and Richard provided the large patch
2. XDR support
3. Some remote kadmin API(add, delete and list)
4. Some important fixes for JWT pre-authentication and SimpleKdcServer

I think the following issues should be solved before release:
1. Update the readme and javadoc
2. Do some tests of tools.
What else did I miss here?

What do you think about this?

Thanks
Jiajia



RE: Anonymous PKINIT signatures

2016-07-25 Thread Li, Jiajia
Hi Colm,
>> However, the client doesn't use the certificate to verify a signature, and 
>> thus proving that the KDC knows the private key associated with the cert. Is 
>> this correct?
You are right. I think in the anonymous case it is not actually signed.
Thanks,
Jiajia


From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Friday, July 22, 2016 11:22 PM
To: Li, Jiajia 
Cc: kerby@directory.apache.org
Subject: Re: Anonymous PKINIT signatures

Hi Jiajia,
So if I understand you correctly, what you are saying is that it is sufficient 
to verify that the Subject (alternative name) of the Certificate matches that 
of the "known principal" of the KDC? In other words, the KDC is not doing any 
asymmetric signature, it is just "presenting" the certificate to the client. 
The client verifies that the certificate is trusted, and then verifies that the 
KDC principal matches the certificate. However, the client doesn't use the 
certificate to verify a signature, and thus proving that the KDC knows the 
private key associated with the cert. Is this correct?
It's a bit unusual from a security POV but I think it's ok. We're verifying 
trust in the certificate path and we're putting a hard constraint on the 
Subject of the certificate. A malicious KDC/MITM could forge a certificate, but 
then trust validation would fail, or else get a certificate for another KDC, 
but then the constraint would fail. So I think it's ok.

Colm.

On Fri, Jul 22, 2016 at 3:40 AM, Li, Jiajia <jiajia...@intel.com> wrote:
Hi Colm,
>> >However, I can't see where it is signing the response with the private key 
>> >associated with the KDC. This is a requirement for anonymous PKINIT

Yes, you are right. The "Identity" should be used in anonymous PKINIT.
But now in the client PkinitPreauth, starting from line 393, we skip using the
certificateSet which is returned by the server, so now the code can't verify the
KDC SANs, edu and so on. For example, the function
cryptoRetrieveX509Sans#PkinitCrypto is marked as TODO.


Thanks
Jiajia


-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Thursday, July 21, 2016 7:27 PM
To: kerby@directory.apache.org
Subject: Anonymous PKINIT signatures

Hi all,

I'm continuing to look at anonymous PKINIT as implemented in Kerby. I'm a bit 
puzzled by a few things relating to signatures and would welcome some feedback.

Looking at the server PkinitPreauth, it appears that Diffie-Hellman is used to 
establish a shared secret key with the client. However, I can't see where it is 
signing the response with the private key associated with the KDC. This is a 
requirement for anonymous PKINIT, unless I am mistaken?

Similarly, on the client side, it's not enough just to verify trust in the 
Certificate that's presented, it also needs to be using the Certificate to 
verify some signed data, to make sure that the KDC knows the private key 
associated with the Certificate...

I've updated the code so that the server at least includes the "Identity"
Certificate in the response to the client.

Thanks,

Colm.


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


RE: Anonymous PKINIT signatures

2016-07-21 Thread Li, Jiajia
Hi Colm,
>> >However, I can't see where it is signing the response with the private key 
>> >associated with the KDC. This is a requirement for anonymous PKINIT

Yes, you are right. The "Identity" should be used in anonymous PKINIT.
But now in the client PkinitPreauth, starting from line 393, we skip using the
certificateSet which is returned by the server, so now the code can't verify the
KDC SANs, edu and so on. For example, the function
cryptoRetrieveX509Sans#PkinitCrypto is marked as TODO.


Thanks
Jiajia


-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Thursday, July 21, 2016 7:27 PM
To: kerby@directory.apache.org
Subject: Anonymous PKINIT signatures

Hi all,

I'm continuing to look at anonymous PKINIT as implemented in Kerby. I'm a bit 
puzzled by a few things relating to signatures and would welcome some feedback.

Looking at the server PkinitPreauth, it appears that Diffie-Hellman is used to 
establish a shared secret key with the client. However, I can't see where it is 
signing the response with the private key associated with the KDC. This is a 
requirement for anonymous PKINIT, unless I am mistaken?

Similarly, on the client side, it's not enough just to verify trust in the 
Certificate that's presented, it also needs to be using the Certificate to 
verify some signed data, to make sure that the KDC knows the private key 
associated with the Certificate...

I've updated the code so that the server at least includes the "Identity"
Certificate in the response to the client.

Thanks,

Colm.


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


RE: Certificate Encoding

2016-07-21 Thread Li, Jiajia
Hi Colm,
You can change it; I think it will not break other work.

Thanks
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Thursday, July 21, 2016 4:38 PM
To: Li, Jiajia 
Cc: Zheng, Kai ; kerby@directory.apache.org
Subject: Re: Certificate Encoding

Will you make this change Jiajia, or do you want me to do it?

Colm.

On Mon, Jul 18, 2016 at 12:00 PM, Colm O hEigeartaigh 
wrote:

> Yes that's right.
>
> Colm.
>
> On Fri, Jul 15, 2016 at 2:08 AM, Li, Jiajia  wrote:
>
>> I think "remove the line in Extension.java to set critical" can
>> solve this issue, is it right, @Colm?
>>
>> Regards,
>> Jiajia
>>
>> -Original Message-
>> From: Zheng, Kai
>> Sent: Friday, July 15, 2016 6:30 AM
>> To: kerby@directory.apache.org; cohei...@apache.org; Li, Jiajia < 
>> jiajia...@intel.com>
>> Subject: RE: Certificate Encoding
>>
>> Sorry I'm a little confused. What's the action or fix?
>>
>> @Jiajia, do you have some comment? Thx!
>>
>> Regards,
>> Kai
>>
>> -Original Message-
>> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
>> Sent: Thursday, July 07, 2016 5:39 PM
>> To: Li, Jiajia 
>> Cc: kerby@directory.apache.org
>> Subject: Re: Certificate Encoding
>>
>> Thanks Jiajia. The problem with the current logic of defaulting to "false"
>> is that we appear to be breaking the signature on the certificate. We 
>> should only set the critical value if it actually exists in the cert 
>> extension. I've updated the test to add cert path validation using 
>> the CA Cert. So even though the parsed cert is semantically 
>> equivalent to the original cert, cert path validation fails. If you 
>> remove the line in Extension.java to set critical then it passes.
>>
>> Colm.
>>
>> On Thu, Jul 7, 2016 at 4:31 AM, Li, Jiajia  wrote:
>>
>> > Hi Colm,
>> >
>> > I've checked the two byte arrays; the difference is that when decoding
>> > the Extension (Certificate -> TBSCertificate -> Extensions ->
>> > Extension), we set the default value "false" for the "critical" item.
>> >
>> > Original Extension:
>> > SEQUENCE (2 elem)
>> >   OBJECT IDENTIFIER 2.5.29.19
>> >   OCTET STRING (1 elem)
>> >     SEQUENCE (0 elem)
>> >
>> > Decoded Extension:
>> > SEQUENCE (3 elem)
>> >   OBJECT IDENTIFIER 2.5.29.19
>> >   BOOLEAN false
>> >   OCTET STRING (1 elem)
>> >     SEQUENCE (0 elem)
>> >
>> > The Extension is defined in https://tools.ietf.org/html/rfc5280 as:
>> >    Extension  ::=  SEQUENCE  {
>> >         extnID      OBJECT IDENTIFIER,
>> >         critical    BOOLEAN DEFAULT FALSE,
>> >         extnValue   OCTET STRING
>> >                     -- contains the DER encoding of an ASN.1 value
>> >                     -- corresponding to the extension type identified
>> >                     -- by extnID
>> >         }
>> >
>> > So we implement the Extension with the default Boolean value "false".
>> > If we remove line 67 in Extension.java, the test passes.
>> >
>> > Thanks
>> > Jiajia
>> >
>> > -Original Message-
>> > From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
>> > Sent: Wednesday, July 6, 2016 6:55 PM
>> > To: kerby@directory.apache.org
>> > Subject: Certificate Encoding
>> >
>> > Hi,
>> >
>> > I'm continuing to dig into the anonymous PKINIT code to try to get 
>> > certificate validation working. I've run into an issue with the way 
>> > certificates are marshalled to the Kerby Certificate type and back
>> again.
>> > See the following @Ignore'd simple test:
>> >
>> >
>> > https://git1-us-west.apache.org/repos/asf?p=directory-kerby.git;a=c
>> > omm
>> > it;h=88a7c956
>> >
>> > It just reads in an X.509Certificate, marshalls it as a 
>> > org.apache.kerby.x509.type.Certificate type, and then back again, 
>> > and checks the byte arrays. However the test for equality fails - 
>> > the two byte arrays are different.
>> >
>> > Any idea why this is? It's causing signature trust validation to 
>> > fail for PKINIT, as the certpath is not validating as a result.
>> >
>> > Colm.
>> >
>> >
>> > --
>> > Colm O hEigeartaigh
>> >
>> > Talend Community Coder
>> > http://coders.talend.com
>> >
>>
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
>>
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


RE: Certificate Encoding

2016-07-14 Thread Li, Jiajia
I think "remove the line in Extension.java to set critical" can solve this
issue, is it right, @Colm?

Regards,
Jiajia

-Original Message-
From: Zheng, Kai 
Sent: Friday, July 15, 2016 6:30 AM
To: kerby@directory.apache.org; cohei...@apache.org; Li, Jiajia 

Subject: RE: Certificate Encoding

Sorry I'm a little confused. What's the action or fix? 

@Jiajia, do you have some comment? Thx!

Regards,
Kai

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Thursday, July 07, 2016 5:39 PM
To: Li, Jiajia 
Cc: kerby@directory.apache.org
Subject: Re: Certificate Encoding

Thanks Jiajia. The problem with the current logic of defaulting to "false"
is that we appear to be breaking the signature on the certificate. We should 
only set the critical value if it actually exists in the cert extension. I've 
updated the test to add cert path validation using the CA Cert. So even though 
the parsed cert is semantically equivalent to the original cert, cert path 
validation fails. If you remove the line in Extension.java to set critical then 
it passes.

Colm.

On Thu, Jul 7, 2016 at 4:31 AM, Li, Jiajia  wrote:

> Hi Colm,
>
> I've checked the two byte arrays; the difference is that when decoding the
> Extension (Certificate -> TBSCertificate -> Extensions -> Extension), we
> set the default value "false" for the "critical" item.
>
> Original Extension:
> SEQUENCE (2 elem)
>   OBJECT IDENTIFIER 2.5.29.19
>   OCTET STRING (1 elem)
>     SEQUENCE (0 elem)
>
> Decoded Extension:
> SEQUENCE (3 elem)
>   OBJECT IDENTIFIER 2.5.29.19
>   BOOLEAN false
>   OCTET STRING (1 elem)
>     SEQUENCE (0 elem)
>
> The Extension is defined in https://tools.ietf.org/html/rfc5280 as:
>    Extension  ::=  SEQUENCE  {
>         extnID      OBJECT IDENTIFIER,
>         critical    BOOLEAN DEFAULT FALSE,
>         extnValue   OCTET STRING
>                     -- contains the DER encoding of an ASN.1 value
>                     -- corresponding to the extension type identified
>                     -- by extnID
>         }
>
> So we implement the Extension with the default Boolean value "false".
> If we remove line 67 in Extension.java, the test passes.
>
> Thanks
> Jiajia
>
> -Original Message-
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Wednesday, July 6, 2016 6:55 PM
> To: kerby@directory.apache.org
> Subject: Certificate Encoding
>
> Hi,
>
> I'm continuing to dig into the anonymous PKINIT code to try to get 
> certificate validation working. I've run into an issue with the way 
> certificates are marshalled to the Kerby Certificate type and back again.
> See the following @Ignore'd simple test:
>
>
> https://git1-us-west.apache.org/repos/asf?p=directory-kerby.git;a=comm
> it;h=88a7c956
>
> It just reads in an X.509Certificate, marshalls it as a 
> org.apache.kerby.x509.type.Certificate type, and then back again, and 
> checks the byte arrays. However the test for equality fails - the two 
> byte arrays are different.
>
> Any idea why this is? It's causing signature trust validation to fail 
> for PKINIT, as the certpath is not validating as a result.
>
> Colm.
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


RE: Certificate Encoding

2016-07-06 Thread Li, Jiajia
Hi Colm,

I've checked the two byte arrays; the difference is that when decoding the
Extension (Certificate -> TBSCertificate -> Extensions -> Extension), we set
the default value "false" for the "critical" item.

Original Extension:
SEQUENCE (2 elem)
  OBJECT IDENTIFIER 2.5.29.19
  OCTET STRING (1 elem)
    SEQUENCE (0 elem)

Decoded Extension:
SEQUENCE (3 elem)
  OBJECT IDENTIFIER 2.5.29.19
  BOOLEAN false
  OCTET STRING (1 elem)
    SEQUENCE (0 elem)

The Extension is defined in https://tools.ietf.org/html/rfc5280 as:
   Extension  ::=  SEQUENCE  {
        extnID      OBJECT IDENTIFIER,
        critical    BOOLEAN DEFAULT FALSE,
        extnValue   OCTET STRING
                    -- contains the DER encoding of an ASN.1 value
                    -- corresponding to the extension type identified
                    -- by extnID
        }

So we implement the Extension with the default Boolean value "false". If we
remove line 67 in Extension.java, the test passes.

Thanks
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Wednesday, July 6, 2016 6:55 PM
To: kerby@directory.apache.org
Subject: Certificate Encoding

Hi,

I'm continuing to dig into the anonymous PKINIT code to try to get certificate 
validation working. I've run into an issue with the way certificates are 
marshalled to the Kerby Certificate type and back again.
See the following @Ignore'd simple test:

https://git1-us-west.apache.org/repos/asf?p=directory-kerby.git;a=commit;h=88a7c956

It just reads in an X.509Certificate, marshalls it as a 
org.apache.kerby.x509.type.Certificate type, and then back again, and checks 
the byte arrays. However the test for equality fails - the two byte arrays are 
different.

Any idea why this is? It's causing signature trust validation to fail for 
PKINIT, as the certpath is not validating as a result.

Colm.


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
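The round-trip failure Jiajia diagnoses above (a decoded `critical` default written back out as an explicit BOOLEAN) and the fix Colm describes (emit `critical` only when it is actually present in the extension), as a constructed, stand-alone Python example added here; it is not Kerby code. It implements a minimal DER encoder/decoder for an RFC 5280 Extension, and the SHA-256 digest stands in for the signed TBSCertificate digest a path verifier recomputes (an assumption of this illustration).

```python
"""DER round-trip of an X.509 Extension, showing why writing out
`critical BOOLEAN DEFAULT FALSE` breaks the certificate signature.

Constructed stand-alone example, not Kerby code. X.690 DER requires a component
equal to its DEFAULT value to be omitted, so a re-encoder that always emits the
BOOLEAN changes the signed bytes even though the parsed content is unchanged.
"""
import hashlib

TAG_BOOLEAN, TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x01, 0x04, 0x06, 0x30

def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, otherwise minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content

def der_oid(dotted: str) -> bytes:
    """OID TLV for a dotted string, e.g. 2.5.29.19 -> 06 03 55 1d 13."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # base-128 groups, high bit set on all but the last
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return der_tlv(TAG_OID, bytes(body))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position just after this TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def encode_extension(oid_tlv: bytes, critical: bool, extn_value: bytes,
                     always_emit_critical: bool = False) -> bytes:
    """Encode an Extension. always_emit_critical=True reproduces the defect in the
    thread: the decoded default is written back out as an explicit BOOLEAN false."""
    content = oid_tlv
    if critical or always_emit_critical:
        content += der_tlv(TAG_BOOLEAN, b"\xff" if critical else b"\x00")
    return der_tlv(TAG_SEQUENCE, content + der_tlv(TAG_OCTET_STRING, extn_value))

def decode_extension(der: bytes):
    """Parse an Extension into (oid_tlv, critical, extn_value); BOOLEAN is optional."""
    tag, content, _ = read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = read_tlv(content, 0)
    if tag != TAG_OID:
        raise ValueError("extnID must be an OBJECT IDENTIFIER")
    critical = False
    tag, value, pos = read_tlv(content, pos)
    if tag == TAG_BOOLEAN:  # in valid DER this is present only when TRUE
        critical = value != b"\x00"
        tag, value, pos = read_tlv(content, pos)
    if tag != TAG_OCTET_STRING:
        raise ValueError("extnValue must be an OCTET STRING")
    return der_tlv(TAG_OID, oid), critical, value

def roundtrip(der: bytes, always_emit_critical: bool) -> bytes:
    """Decode then re-encode, as the marshal/unmarshal test in the thread does."""
    oid_tlv, critical, value = decode_extension(der)
    return encode_extension(oid_tlv, critical, value, always_emit_critical)

def signed_digest(der: bytes) -> str:
    """SHA-256 of the bytes as presented: stands in for the digest a cert-path
    verifier recomputes and checks against the CA signature."""
    return hashlib.sha256(der).hexdigest()

# The extension from the thread: basicConstraints (2.5.29.19), non-critical, whose
# value is an empty SEQUENCE (constructed input, not taken from a real certificate).
ORIGINAL = encode_extension(der_oid("2.5.29.19"), False, b"\x30\x00")
BUGGY = roundtrip(ORIGINAL, always_emit_critical=True)   # 14 bytes, extra 01 01 00
FIXED = roundtrip(ORIGINAL, always_emit_critical=False)  # 11 bytes, identical
```

`decode_extension(BUGGY) == decode_extension(ORIGINAL)` holds, which is exactly the "semantically equivalent but path validation fails" situation in the thread, since `signed_digest(BUGGY) != signed_digest(ORIGINAL)`.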


RE: JWT pre-authentication - get JWT token on service side

2016-07-03 Thread Li, Jiajia
I think this commit can fix the issue:

https://git-wip-us.apache.org/repos/asf?p=directory-kerby.git;a=commit;h=358340dd2a60a36a69988f1dd7c509cf585acdc8

@Colm, can you check it?

Thanks
Jiajia

-Original Message-
From: Li, Jiajia [mailto:jiajia...@intel.com] 
Sent: Monday, July 4, 2016 12:07 PM
To: Zheng, Kai ; kerby@directory.apache.org; 
cohei...@apache.org
Subject: RE: JWT pre-authentication - get JWT token on service side

Hi Colm,

As Kai said, it's a bug in the new module.

>>However, if I look at the existing TokenAuthLoginModule, it just adds the 
>>credential via:
>>subject.getPublicCredentials().add(krbToken);
>> It looks like GSS needs the TGT to be encoded in the Subject somehow?

Yes, in the TokenAuthLoginModule, some credentials should be added to the subject's
private credentials.
I will take some time to fix it.

Regards,
Jiajia

-Original Message-
From: Zheng, Kai
Sent: Saturday, July 2, 2016 6:31 AM
To: kerby@directory.apache.org; cohei...@apache.org; Li, Jiajia 

Subject: RE: JWT pre-authentication - get JWT token on service side

Hi Colm,

I haven't checked the code yet, but generally the module should do a similar
thing to Krb5LoginModule in the post-processing of login. You seem to have found a bug
in the new module.

@Jiajia, would you have some comments? Thanks.

Regards,
Kai

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Friday, July 01, 2016 7:09 PM
To: kerby@directory.apache.org
Subject: Re: JWT pre-authentication - get JWT token on service side

Hi Kai,

Thanks for your reply. Ok writing a JAAS LoginModule that wraps the Kerby API 
is fine with me. However, if I look at the existing TokenAuthLoginModule, it 
just adds the credential via:

subject.getPublicCredentials().add(krbToken);

It looks like GSS needs the TGT to be encoded in the Subject somehow?
Please look at the following @Ignore'd test. I'm getting the Subject using the 
TokenAuthLoginModule and then attempting to get a service ticket using the GSS 
API and the Subject. It fails with "Caused by:
org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level:
Failed to find any Kerberos tgt)":

https://git1-us-west.apache.org/repos/asf?p=directory-kerby.git;a=commit;h=68933ae0

Colm.


On Fri, Jul 1, 2016 at 2:22 AM, Zheng, Kai  wrote:

> Sorry for the delay. I just got a chance to look at the code closely.
>
> I thought it was clearly right in the following test, where it logs in
> first via JAAS, then gets the TGT, then the SGT, and at last wraps the
> SGT in a GSS token. It got the GSS token (roughly an AppReq (of the SGT) in
> a token wrapper) and then let it be validated against a server key.
>
> @Test
> public void testGss() throws Exception {
>     Subject clientSubject = loginClientUsingTicketCache();
>     Set<Principal> clientPrincipals = clientSubject.getPrincipals();
>     Assert.assertFalse(clientPrincipals.isEmpty());
>
>     // Get the TGT
>     Set<KerberosTicket> privateCredentials =
>         clientSubject.getPrivateCredentials(KerberosTicket.class);
>     Assert.assertFalse(privateCredentials.isEmpty());
>     KerberosTicket tgt = privateCredentials.iterator().next();
>     Assert.assertNotNull(tgt);
>
>     // Get the service ticket
>     KerberosClientExceptionAction action =
>         new KerberosClientExceptionAction(clientPrincipals.iterator().next(),
>                                           getServerPrincipal());
>
>     byte[] kerberosToken = (byte[]) Subject.doAs(clientSubject, action);
>     Assert.assertNotNull(kerberosToken);
>
>     validateServiceTicket(kerberosToken);
> }
>
> I don't think it's right here. The point is the bytes to validate at
> the last step shouldn't be the SGT directly; instead, it should be a
> GSS token of an AppReq of the SGT. But you might ask how to generate the
> GSS token? I don't have a better idea than the way used in the above
> test method, that is to say, better to use the GSSAPI layer in the JRE
> directly, since the Kerby one isn't ready yet.
>
> But how do you proceed in the way above? As you told in previous
> emails, you don't want to use JAAS login modules, but rather use the
> Kerby client API directly. I would suggest you still start with
> JAAS, doing everything you want in a JAAS login module (like calling the
> Kerby client API) and obtain a valid logged-in subject or security
> context, and then do the rest as you did in the above test method. It
> should be able to work, like we did or will do in the token login module.
>
> @Test
> @org.junit.Ignore
> public void testKerbyClientAndGssService() throws Exception {
> KrbClient client = getKrbClient();
> client.init

RE: JWT pre-authentication - get JWT token on service side

2016-07-03 Thread Li, Jiajia
Hi Colm,

As Kai said, it's a bug in the new module.

>>However, if I look at the existing TokenAuthLoginModule, it just adds the 
>>credential via:
>>subject.getPublicCredentials().add(krbToken);
>> It looks like GSS needs the TGT to be encoded in the Subject somehow?

Yes, in the TokenAuthLoginModule, some credentials should be added to the subject's
private credentials.
I will take some time to fix it.

Regards,
Jiajia

-Original Message-
From: Zheng, Kai 
Sent: Saturday, July 2, 2016 6:31 AM
To: kerby@directory.apache.org; cohei...@apache.org; Li, Jiajia 

Subject: RE: JWT pre-authentication - get JWT token on service side

Hi Colm,

I haven't checked the code yet, but generally the module should do a similar
thing to Krb5LoginModule in the post-processing of login. You seem to have found a bug
in the new module.

@Jiajia, would you have some comments? Thanks.

Regards,
Kai

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Friday, July 01, 2016 7:09 PM
To: kerby@directory.apache.org
Subject: Re: JWT pre-authentication - get JWT token on service side

Hi Kai,

Thanks for your reply. Ok writing a JAAS LoginModule that wraps the Kerby API 
is fine with me. However, if I look at the existing TokenAuthLoginModule, it 
just adds the credential via:

subject.getPublicCredentials().add(krbToken);

It looks like GSS needs the TGT to be encoded in the Subject somehow?
Please look at the following @Ignore'd test. I'm getting the Subject using the 
TokenAuthLoginModule and then attempting to get a service ticket using the GSS 
API and the Subject. It fails with "Caused by:
org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level:
Failed to find any Kerberos tgt)":

https://git1-us-west.apache.org/repos/asf?p=directory-kerby.git;a=commit;h=68933ae0

Colm.


On Fri, Jul 1, 2016 at 2:22 AM, Zheng, Kai  wrote:

> Sorry for the delay. I just got a chance to look at the code closely.
>
> I thought it was clearly right in the following test, where it logs in
> first via JAAS, then gets the TGT, then the SGT, and at last wraps the
> SGT in a GSS token. It got the GSS token (roughly an AppReq (of the SGT) in
> a token wrapper) and then let it be validated against a server key.
>
> @Test
> public void testGss() throws Exception {
>     Subject clientSubject = loginClientUsingTicketCache();
>     Set<Principal> clientPrincipals = clientSubject.getPrincipals();
>     Assert.assertFalse(clientPrincipals.isEmpty());
>
>     // Get the TGT
>     Set<KerberosTicket> privateCredentials =
>         clientSubject.getPrivateCredentials(KerberosTicket.class);
>     Assert.assertFalse(privateCredentials.isEmpty());
>     KerberosTicket tgt = privateCredentials.iterator().next();
>     Assert.assertNotNull(tgt);
>
>     // Get the service ticket
>     KerberosClientExceptionAction action =
>         new KerberosClientExceptionAction(clientPrincipals.iterator().next(),
>                                           getServerPrincipal());
>
>     byte[] kerberosToken = (byte[]) Subject.doAs(clientSubject, action);
>     Assert.assertNotNull(kerberosToken);
>
>     validateServiceTicket(kerberosToken);
> }
>
> I don't think it's right here. The point is the bytes to validate at
> the last step shouldn't be the SGT directly; instead, it should be a
> GSS token of an AppReq of the SGT. But you might ask how to generate the
> GSS token? I don't have a better idea than the way used in the above
> test method, that is to say, better to use the GSSAPI layer in the JRE
> directly, since the Kerby one isn't ready yet.
>
> But how do you proceed in the way above? As you told in previous
> emails, you don't want to use JAAS login modules, but rather use the
> Kerby client API directly. I would suggest you still start with
> JAAS, doing everything you want in a JAAS login module (like calling the
> Kerby client API) and obtain a valid logged-in subject or security
> context, and then do the rest as you did in the above test method. It
> should be able to work, like we did or will do in the token login module.
>
> @Test
> @org.junit.Ignore
> public void testKerbyClientAndGssService() throws Exception {
> KrbClient client = getKrbClient();
> client.init();
>
> try {
> // Get a service ticket using Kerby APIs
> TgtTicket tgt = client.requestTgt(getClientPrincipal(),
> getClientPassword());
> Assert.assertTrue(tgt != null);
>
> SgtTicket tkt = client.requestSgt(tgt, getServerPrincipal());
> Assert.assertTrue(tkt != null);
>
> Credential credential = new Credential(tkt,

RE: JWT pre-authentication - get JWT token on service side

2016-06-16 Thread Li, Jiajia
Hi Colm,

For the first question: I think that currently the token is not put into the issued
service ticket as authorization data. You can look at
issueTicket()#TgsRequest.java on the server side for details.

Regards,
Jiajia

-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Thursday, June 16, 2016 7:19 PM
To: kerby@directory.apache.org
Subject: Re: JWT pre-authentication - get JWT token on service side

Thanks Kai. A few questions below.

On Thu, Jun 16, 2016 at 11:33 AM, Zheng, Kai  wrote:

>
> 1. For issuing service ticket, the token used to do the authentication 
> or a token derivation was put into the issued service ticket as 
> authorization data. I'm not sure in current Kerby impl, it has done 
> this or not. If not, it should be not difficult to support it, 
> considering we have some Kerby authorization support now.
>

I can take a look at this. Can you give me some pointers in the code so that I 
know where to start?


>
> 2. In application server side, it should be able to query and extract 
> out the token encapsulated in the authorization data field in the 
> service ticket. This should be doable now, because a proposal from me 
> quite some ago had already been accepted by Oracle Java, as recorded 
> in the following ticket, though I hadn't got the chance to verify it 
> using latest JDK update like JDK8.
>
> JDK-8044085, our extension proposal accepted and committed: allowing 
> querying authorization data field of service ticket.
> https://bugs.openjdk.java.net/browse/JDK-8044085


The JDK service ticket only refers to SASL. If I'm just using GSS on the 
service side, is it already supported? If so, how can I extract it?

Colm.


>
>
> So in summary, if you want to try this, I would suggest please go 
> ahead since it's doable now. Please let me know if you have other questions.
>
> Regards,
> Kai
>
> -Original Message-
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Thursday, June 16, 2016 5:54 PM
> To: kerby@directory.apache.org
> Subject: JWT pre-authentication - get JWT token on service side
>
> Hi all,
>
> For the JWT pre-authentication use-case, how can I get access to the 
> token information on the service side?
>
> From the documentation: "The service authenticates the ticket, 
> extracts the token derivation, then enforce any advanced authorization 
> by employing the token derivation and token attributes"
>
> Is there an example in the code to look at?
>
> Colm.
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

