Hi Michael,

Thanks for trying this new feature; you are always the first one.

If I remember correctly, when Martin developed this new feature, he was 
thinking of adding as little spec change as possible at the beginning. 
Therefore, although there is a new KerberosPrincipal::KRB_NT_ENTERPRISE 
constant, it was just an integer and anyone can hardcode it. His next steps 
will be `kinit -e` and a new Krb5LoginModule option.

And you are welcome to provide more detail on your use case.

--Max

> On Sep 26, 2019, at 5:27 AM, Osipov, Michael <michael.osi...@siemens.com> wrote:
> 
> Hi folks,
> 
> apologies upfront that I wasn't able to when Martin Balao asked for a review of 
> the code. I finally managed to test it and cannot see that it is working at all 
> here.
> 
> I won't dive into my use case now, but will depict two simple cases which are 
> not possible.
> 
> All tests were performed with Oracle JDK 13 on Windows 7:
>> java version "13" 2019-09-17
>> Java(TM) SE Runtime Environment (build 13+33)
>> Java HotSpot(TM) 64-Bit Server VM (build 13+33, mixed mode, sharing)
> 
> 1. kinit (JDK bundled) does not work. It neither provides an '-E' option 
> nor sends NT-ENTERPRISE, but only NT-UNKNOWN:
> 
>> 0000   30 25 a0 03 02 01 00 a1 1e 30 1c 1b 1a 6d 69 63   0%.......0...mic
>> 0010   68 61 65 6c 2e 6f 73 69 70 6f 76 40 73 69 65 6d   hael.osipov@siem
>> 0020   65 6e 73 2e 63 6f 6d                              ens.com
> 
> Byte 0x06 is the name type NT-UNKNOWN (0). In contrast, with MIT 
> Kerberos 1.17 and 'kinit -E' I see in Wireshark:
> 
>> 0000   30 25 a0 03 02 01 0a a1 1e 30 1c 1b 1a 6d 69 63   0%.......0...mic
>> 0010   68 61 65 6c 2e 6f 73 69 70 6f 76 40 73 69 65 6d   hael.osipov@siem
>> 0020   65 6e 73 2e 63 6f 6d                              ens.com
> 
> Byte 0x06 is now name type NT-ENTERPRISE-PRINCIPAL (10).
> 
> Trying the very same with LSA on Windows with "run as user", I always get 
> type 10 for my implicit UPN osipo...@ad001.siemens.net. It only uses 
> NT-PRINCIPAL when I provide the local part (samAccountName).
> 
> 2. Using the appropriate OID for the enterprise principal:
> 
>> import org.ietf.jgss.GSSException;
>> import org.ietf.jgss.GSSManager;
>> import org.ietf.jgss.GSSName;
>> import org.ietf.jgss.Oid;
>>
>> public class Main {
>>     public static void main(String[] args) throws GSSException {
>>         GSSManager m = GSSManager.getInstance();
>>         Oid msUpnOid = new Oid("1.3.6.1.4.1.311.20.2.3");
>>         Oid krb5PrincipalOid = new Oid("1.2.840.113554.1.2.2.1");
>>         Oid krb5EnterprisePrincialOid = new Oid("1.2.840.113554.1.2.2.6");
>>         Oid krb5MechOid = new Oid("1.2.840.113554.1.2.2");
>>         // Throws: JGSS does not register 1.2.840.113554.1.2.2.6 as a name type
>>         GSSName upn = m.createName("michael.osi...@siemens.com", krb5EnterprisePrincialOid);
>>     }
>> }
> 
> gives me:
>> Exception in thread "main" GSSException: Name of unsupported type provided (Mechanism level: 1.2.840.113554.1.2.2.6 is an unsupported nametype)
>>     at java.security.jgss/sun.security.jgss.krb5.Krb5NameElement.getInstance(Krb5NameElement.java:87)
>>     at java.security.jgss/sun.security.jgss.krb5.Krb5MechFactory.getNameElement(Krb5MechFactory.java:99)
>>     at java.security.jgss/sun.security.jgss.GSSManagerImpl.getNameElement(GSSManagerImpl.java:184)
>>     at java.security.jgss/sun.security.jgss.GSSNameImpl.getElement(GSSNameImpl.java:478)
>>     at java.security.jgss/sun.security.jgss.GSSNameImpl.init(GSSNameImpl.java:201)
>>     at java.security.jgss/sun.security.jgss.GSSNameImpl.<init>(GSSNameImpl.java:170)
>>     at java.security.jgss/sun.security.jgss.GSSNameImpl.<init>(GSSNameImpl.java:151)
>>     at java.security.jgss/sun.security.jgss.GSSManagerImpl.createName(GSSManagerImpl.java:109)
>>     at com.siemens.dynamowerk.Main.main(Main.java:20)
> 
> and yes, the OID has never been defined in that class [1], but is present in 
> MIT Kerberos [2].
> 
> I haven't tried a programmatic kinit, but as mentioned in the notes [3], 
> Krb5LoginModule does not support it, so I don't even have to try.
> 
> 
> Any insights?
> 
> Besides that, it'd be very cool if this gets into 11u or, better yet, into 8u. I 
> talked with Weijun about this several times many years ago for Java 7+. 
> I have no option to use anything else but Java 8 for now.
> 
> If someone wants to know more about my use case, I'd be happy to lay it out 
> in detail. I do need at least krb5EnterprisePrincialOid and, better yet, msUpnOid 
> for my use case.
> 
> The only option I see now is to write a delegating wrapper for this:
> 
>> GSSName upn = m.createName("michael.osi...@siemens.com", krb5PrincipalOid);
>> GSSName wrappedUpn = new WrappedGSSName(upn, krb5EnterprisePrincialOid);
>> System.out.println(wrappedUpn);
>> System.out.println(wrappedUpn.getStringNameType());
> 
>> michael.osi...@siemens.com
>> 1.2.840.113554.1.2.2.6
> 
> Michael
> 
> [1] https://github.com/AdoptOpenJDK/openjdk-jdk13u/blob/bb0786d980437800b9d6efe17e42d18241714ea1/src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5MechFactory.java#L51-L61
> [2] https://web.mit.edu/kerberos/krb5-devel/doc/appdev/gssapi.html
> [3] http://mail.openjdk.java.net/pipermail/security-dev/2018-December/018952.html
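A small decoder for the Kerberos PrincipalName that both Wireshark dumps in the quoted message carry, added here as an illustration (it is not code from the post, the JDK or MIT Kerberos), so that the name-type byte the post points at can be checked mechanically rather than by reading hex. The function names (decode_principal_name, sends_enterprise_name, from_dump) are my own; the decoder handles only the short-form DER lengths these two dumps use.

```python
# RFC 4120 5.2.2: PrincipalName ::= SEQUENCE { name-type [0] Int32,
#                                              name-string [1] SEQUENCE OF KerberosString }
NT_UNKNOWN, NT_PRINCIPAL, NT_ENTERPRISE = 0, 1, 10   # RFC 4120 6.2 / RFC 6806 name-type values

def _tlv(buf, pos):
    """Read one DER TLV (short-form length only) at pos -> (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form DER length not handled by this small decoder")
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos + 2:end], end

def decode_principal_name(der):
    """Return (name_type, [name-string components]) from a DER-encoded PrincipalName."""
    tag, body, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    tag, nt, pos = _tlv(body, 0)                 # [0] EXPLICIT -> tag 0xa0
    itag, ival, _ = _tlv(nt, 0)                  # INTEGER -> tag 0x02
    if tag != 0xA0 or itag != 0x02:
        raise ValueError("malformed name-type")
    name_type = int.from_bytes(ival, "big", signed=True)
    tag, ns, pos = _tlv(body, pos)               # [1] EXPLICIT -> tag 0xa1
    stag, seq, _ = _tlv(ns, 0)                   # SEQUENCE OF -> tag 0x30
    if tag != 0xA1 or stag != 0x30 or pos != len(body):
        raise ValueError("malformed name-string")
    names, p = [], 0
    while p < len(seq):
        gtag, gval, p = _tlv(seq, p)             # KerberosString is a GeneralString -> tag 0x1b
        if gtag != 0x1B:
            raise ValueError("name-string component is not a GeneralString")
        names.append(gval.decode("ascii"))
    return name_type, names

def sends_enterprise_name(der):
    """True when the client asked for an enterprise (UPN-style) lookup, as 'kinit -E' does."""
    return decode_principal_name(der)[0] == NT_ENTERPRISE

# The two PrincipalName dumps from the post (JDK kinit vs. MIT kinit -E); only byte 0x06 differs.
JDK_KINIT_DUMP = """30 25 a0 03 02 01 00 a1 1e 30 1c 1b 1a 6d 69 63
                    68 61 65 6c 2e 6f 73 69 70 6f 76 40 73 69 65 6d
                    65 6e 73 2e 63 6f 6d"""
MIT_KINIT_E_DUMP = JDK_KINIT_DUMP.replace("02 01 00", "02 01 0a")

def from_dump(text):
    """Turn a whitespace-separated hex dump (offset columns removed) into bytes."""
    return bytes.fromhex("".join(text.split()))

if __name__ == "__main__":
    for label, dump in (("JDK kinit", JDK_KINIT_DUMP), ("MIT kinit -E", MIT_KINIT_E_DUMP)):
        nt, names = decode_principal_name(from_dump(dump))
        print(f"{label}: name-type={nt} enterprise={nt == NT_ENTERPRISE} name-string={names}")
```

The same decoder can be pointed at the PrincipalName inside any captured AS-REQ to confirm which name type a given client library actually puts on the wire.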
