Folks, Max,
consider the following code snippet configured with the Krb5LoginModule:
LoginContext lc = new LoginContext(loginEntryName);
lc.login();
then a LoginException is thrown with the following stacktrace:
2023-08-01T00:09:31.601 SCHWERWIEGEND [https-openssl-apr-8444-exec-5417]
net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.getPrincipal Exception
acquiring directory server connection
javax.naming.NamingException: null (29) [Root exception is
javax.security.auth.login.LoginException: null (29)]
at
net.sf.michaelo.dirctxsrc.DirContextSource.getGssApiDirContext(DirContextSource.java:625)
at
net.sf.michaelo.dirctxsrc.DirContextSource.getDirContext(DirContextSource.java:685)
at
net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.open(ActiveDirectoryRealm.java:572)
at
net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.acquire(ActiveDirectoryRealm.java:506)
at
net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.getPrincipal(ActiveDirectoryRealm.java:432)
at
net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.getPrincipal(ActiveDirectoryRealm.java:461)
at
net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.getPrincipal(ActiveDirectoryRealm.java:426)
at org.apache.catalina.realm.RealmBase.authenticate(RealmBase.java:497)
at
net.sf.michaelo.tomcat.authenticator.SpnegoAuthenticator.doAuthenticate(SpnegoAuthenticator.java:163)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:564)
...
at java.lang.Thread.run(Thread.java:750)
Caused by: javax.security.auth.login.LoginException: null (29)
at
com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:810)
at
com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
at sun.reflect.GeneratedMethodAccessor10719.invoke(Unknown Source)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
at
javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at
javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at
net.sf.michaelo.dirctxsrc.DirContextSource.getGssApiDirContext(DirContextSource.java:574)
... 23 more
Caused by: KrbException: null (29)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:335)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:488)
at
com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:782)
... 35 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
... 38 more
I am trying to obtain a TGT to authenticate thorugh SASL GSSAPI to
Active Directory via LDAP. This happened to me now repeatedly in the
last couple of days around midnight. Looking up error code 29 says
KDC_ERR_SVC_UNAVAILABLE, obviously the AD DC server is maintenance mode.
What bugs me is that KDC_ERR_SVC_UNAVAILABLE(29) is documented in
Krb5.java, has an error message and KrbException.java does use it, but
no error message is mapped to the code.
Request: Maybe someone (Max?) log an improvement request with JBS to
add missing error codes 26--28, 51 from [1] and
> public static final int KRB_AP_ERR_NOREALM = 62;
> public static final int KRB_AP_ERR_GEN_CRED = 63;
look incorrect. Plus the mapping in errMsgList for those.
Note: Tried with OpenJDK 8.
Best regards,
Michael
[1] https://www.rfc-editor.org/rfc/rfc4120#section-7.5.9
