Hi Michael,

Thanks for trying this new feature, you are always the first one.

If I remember correctly, when Martin developed this new feature, he was thinking of adding as little spec change as possible at the beginning. Therefore, although there is a new KerberosPrincipal::KRB_NT_ENTERPRISE constant, it is just an integer and anyone can hardcode it. His next steps will be `kinit -e` and a new Krb5LoginModule option. And you are welcome to provide more detail on your usecase.

--Max

> On Sep 26, 2019, at 5:27 AM, Osipov, Michael <michael.osi...@siemens.com> wrote:
>
> Hi folks,
>
> apologies upfront that I wasn't available when Martin Balao asked for a review of the code. I finally managed to test it and cannot see that it is working anyhow here.
>
> I won't dive into my usecase now, but will depict two simple cases which are not possible.
>
> All tests were performed with Oracle JDK 13 on Windows 7:
>> java version "13" 2019-09-17
>> Java(TM) SE Runtime Environment (build 13+33)
>> Java HotSpot(TM) 64-Bit Server VM (build 13+33, mixed mode, sharing)
>
> 1. kinit (JDK bundled) does not work. It neither provides an '-E' option, nor does it send NT-ENTERPRISE, but only NT-UNKNOWN:
>
>> 0000 30 25 a0 03 02 01 00 a1 1e 30 1c 1b 1a 6d 69 63 0%.......0...mic
>> 0010 68 61 65 6c 2e 6f 73 69 70 6f 76 40 73 69 65 6d hael.osipov@siem
>> 0020 65 6e 73 2e 63 6f 6d ens.com
>
> In byte 0x06 is the name type NT-UNKNOWN (0). In contrast to this, with MIT Kerberos 1.17 and 'kinit -E' I see in Wireshark:
>
>> 0000 30 25 a0 03 02 01 0a a1 1e 30 1c 1b 1a 6d 69 63 0%.......0...mic
>> 0010 68 61 65 6c 2e 6f 73 69 70 6f 76 40 73 69 65 6d hael.osipov@siem
>> 0020 65 6e 73 2e 63 6f 6d ens.com
>
> Byte 0x06 is now name type NT-ENTERPRISE-PRINCIPAL (10).
>
> Trying the very same with LSA on Windows with "run as user" I get for my implicit UPN osipo...@ad001.siemens.net always type 10. It only uses NT-PRINCIPAL when I provide the local part (samAccountName).
>
> 2. Using the appropriate OID for the enterprise principal:
>
>> import org.ietf.jgss.GSSException;
>> import org.ietf.jgss.GSSManager;
>> import org.ietf.jgss.GSSName;
>> import org.ietf.jgss.Oid;
>>
>> public class Main {
>>     public static void main(String[] args) throws GSSException {
>>         GSSManager m = GSSManager.getInstance();
>>         Oid msUpnOid = new Oid("1.3.6.1.4.1.311.20.2.3");
>>         Oid krb5PrincipalOid = new Oid("1.2.840.113554.1.2.2.1");
>>         Oid krb5EnterprisePrincialOid = new Oid("1.2.840.113554.1.2.2.6");
>>         Oid krb5MechOid = new Oid("1.2.840.113554.1.2.2");
>>         // Fails: JGSS does not accept the enterprise principal name type OID
>>         GSSName upn = m.createName("michael.osi...@siemens.com", krb5EnterprisePrincialOid);
>>     }
>> }
>
> gives me:
>> Exception in thread "main" GSSException: Name of unsupported type provided (Mechanism level: 1.2.840.113554.1.2.2.6 is an unsupported nametype)
>>     at java.security.jgss/sun.security.jgss.krb5.Krb5NameElement.getInstance(Krb5NameElement.java:87)
>>     at java.security.jgss/sun.security.jgss.krb5.Krb5MechFactory.getNameElement(Krb5MechFactory.java:99)
>>     at java.security.jgss/sun.security.jgss.GSSManagerImpl.getNameElement(GSSManagerImpl.java:184)
>>     at java.security.jgss/sun.security.jgss.GSSNameImpl.getElement(GSSNameImpl.java:478)
>>     at java.security.jgss/sun.security.jgss.GSSNameImpl.init(GSSNameImpl.java:201)
>>     at java.security.jgss/sun.security.jgss.GSSNameImpl.<init>(GSSNameImpl.java:170)
>>     at java.security.jgss/sun.security.jgss.GSSNameImpl.<init>(GSSNameImpl.java:151)
>>     at java.security.jgss/sun.security.jgss.GSSManagerImpl.createName(GSSManagerImpl.java:109)
>>     at com.siemens.dynamowerk.Main.main(Main.java:20)
>
> and yes, the OID has never been defined in that class [1], but is present in MIT Kerberos [2].
>
> I haven't tried a programmatic kinit, but as mentioned in the notes [3], Krb5LoginModule does not support it, so I don't even have to try.
>
> Any insights?
>
> Besides that, it'd be very cool if this gets into 11u or better yet into 8u. I have talked with Weijun about this several times many years ago for Java 7+. I have no option to use anything else but Java 8 for now.
>
> If someone wants to know better about my usecase, I'd be happy to lay it out in detail. I do need at least krb5EnterprisePrincialOid and better msUpnOid for my usecase.
>
> The only option I see now is to write a delegating wrapper for this:
>
>> GSSName upn = m.createName("michael.osi...@siemens.com", krb5PrincipalOid);
>> GSSName wrappedUpn = new WrappedGSSName(upn, krb5EnterprisePrincialOid);
>> System.out.println(wrappedUpn);
>> System.out.println(wrappedUpn.getStringNameType());
>
>> michael.osi...@siemens.com
>> 1.2.840.113554.1.2.2.6
>
> Michael
>
> [1] https://github.com/AdoptOpenJDK/openjdk-jdk13u/blob/bb0786d980437800b9d6efe17e42d18241714ea1/src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5MechFactory.java#L51-L61
> [2] https://web.mit.edu/kerberos/krb5-devel/doc/appdev/gssapi.html
> [3] http://mail.openjdk.java.net/pipermail/security-dev/2018-December/018952.html
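The two Wireshark dumps quoted above differ in one byte, the name-type inside the DER-encoded PrincipalName (RFC 4120 section 5.2.2). The following is an added example, not code from this thread or from OpenJDK: a small DER decoder that turns such a dump back into bytes, parses the PrincipalName, and reports the name-type label from RFC 4120 section 6.2, so a capture from a client under test can be checked for NT-ENTERPRISE (10) versus NT-UNKNOWN (0) without counting offsets by hand. The hex dumps embedded below are the ones quoted in Michael's message; the hex-dump reader assumes the Wireshark layout (offset, up to 16 hex bytes, ASCII column) shown there.

```python
"""Decode the PrincipalName that kinit places in the AS-REQ and report its
name-type, so the NT-UNKNOWN vs NT-ENTERPRISE difference is machine-checked.
Added example; assumes the Wireshark dump layout quoted in the thread."""
import re

# name-type values from RFC 4120 section 6.2
NAME_TYPES = {
    0: "NT-UNKNOWN",
    1: "NT-PRINCIPAL",
    2: "NT-SRV-INST",
    3: "NT-SRV-HST",
    4: "NT-SRV-XHST",
    5: "NT-UID",
    6: "NT-X500-PRINCIPAL",
    7: "NT-SMTP-NAME",
    10: "NT-ENTERPRISE",
}
NT_ENTERPRISE = 10

# The two dumps quoted in the thread: JDK kinit (type 0) and MIT kinit -E (type 10).
JDK_KINIT_DUMP = """\
0000 30 25 a0 03 02 01 00 a1 1e 30 1c 1b 1a 6d 69 63 0%.......0...mic
0010 68 61 65 6c 2e 6f 73 69 70 6f 76 40 73 69 65 6d hael.osipov@siem
0020 65 6e 73 2e 63 6f 6d ens.com
"""
MIT_KINIT_E_DUMP = """\
0000 30 25 a0 03 02 01 0a a1 1e 30 1c 1b 1a 6d 69 63 0%.......0...mic
0010 68 61 65 6c 2e 6f 73 69 70 6f 76 40 73 69 65 6d hael.osipov@siem
0020 65 6e 73 2e 63 6f 6d ens.com
"""

_HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")


def hexdump_to_bytes(dump):
    """Convert Wireshark-style dump lines (offset, up to 16 hex bytes, ASCII
    column) to bytes. The ASCII column is skipped by stopping at the first
    token that is not exactly two hex digits; the dumps above satisfy that."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        for tok in tokens[1:17]:          # tokens[0] is the offset
            if not _HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def read_tlv(buf, pos):
    """Read one DER tag-length-value element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:end], end


def parse_principal_name(der):
    """Parse PrincipalName ::= SEQUENCE { name-type [0] Int32,
    name-string [1] SEQUENCE OF KerberosString }."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("PrincipalName must be a SEQUENCE, got tag 0x%02x" % tag)
    name_type, names, pos = None, [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag == 0xA0:                   # [0] name-type, an INTEGER
            itag, ival, _ = read_tlv(value, 0)
            if itag != 0x02:
                raise ValueError("name-type must be INTEGER")
            name_type = int.from_bytes(ival, "big", signed=True)
        elif tag == 0xA1:                 # [1] name-string, SEQUENCE OF GeneralString
            stag, sval, _ = read_tlv(value, 0)
            if stag != 0x30:
                raise ValueError("name-string must be a SEQUENCE")
            p = 0
            while p < len(sval):
                ktag, kval, p = read_tlv(sval, p)
                if ktag != 0x1B:
                    raise ValueError("KerberosString must be GeneralString")
                names.append(kval.decode("ascii"))
        else:
            raise ValueError("unexpected tag 0x%02x in PrincipalName" % tag)
    if name_type is None or not names:
        raise ValueError("PrincipalName missing name-type or name-string")
    return {
        "name_type": name_type,
        "name_type_label": NAME_TYPES.get(name_type, "unassigned(%d)" % name_type),
        "name_string": names,
    }


def is_enterprise_request(dump):
    """True when the captured PrincipalName carries NT-ENTERPRISE (10)."""
    return parse_principal_name(hexdump_to_bytes(dump))["name_type"] == NT_ENTERPRISE


if __name__ == "__main__":
    for label, dump in (("JDK kinit", JDK_KINIT_DUMP), ("MIT kinit -E", MIT_KINIT_E_DUMP)):
        print(label, parse_principal_name(hexdump_to_bytes(dump)))
```

Run against the two dumps it yields name-type 0 (NT-UNKNOWN) for the JDK kinit capture and 10 (NT-ENTERPRISE) for the MIT one, with the same name-string in both; the only delta on the wire is the integer at offset 0x06, which is exactly what the KDC keys canonicalization on.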