Type: Bug | Resolution: Fixed | Priority: P3 | Affects Version: 1.4.0 | 02 | CPU: x86 | OS: windows_2000
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-2056116 | 1.4.2 | Ramachandran Marti | P3 | Resolved | Fixed | mantis |
Name: nt126004 Date: 06/28/2002
FULL PRODUCT VERSION :
java version "1.4.0"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.0-b92)
Java HotSpot(TM) Client VM (build 1.4.0-b92, mixed mode)
FULL OPERATING SYSTEM VERSION :
Microsoft Windows 2000 [Version 5.00.2195]
EXTRA RELEVANT SYSTEM CONFIGURATION :
OS on the Active Directory servers:
Microsoft Windows 2000 [Version 5.00.2195]
A DESCRIPTION OF THE PROBLEM :
I have set up one parent domain and one child domain using
Active Directory. I have an admin account in the parent
domain which is part of the Enterprise Admins group, which
means that it has privilege in both the parent and the
child domain. Using JAAS and Kerberos loginModule, I login
using the admin account to the parent domain. Then I use
JNDI and Subject.doAs to get attributes of an object in the
child domain. I specify in the PROVIDER_URL the host name
of the Active Directory hosting the child domain. However,
I get a "KrbException: Message stream modified (41)" error.
Everything works fine if I access an object in the parent
domain.
I've turned on audit log in the Active Directory. I can see
that I have successfully obtained an Authentication Ticket
for the admin account from the parent domain. I am also
successfully granted a Service Ticket by the parent domain
to access the child domain. I do not see any error in the
child domain.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Run the source code provided. The jaas.conf and krb5.conf
must be present. The default realm of the krb5.conf file
points to the parent domain.
2. Login using the admin account
3. When it gets to the getAttributes line, it crashes.
EXPECTED VERSUS ACTUAL BEHAVIOR :
Since the admin account is an Enterprise Admin account, I
should be able to read an object in the child domain.
Although there is the error, I still get the following in
the Event Viewer of the Active Directory:
Authentication Ticket Granted:
User Name: cmsadmin
Supplied Realm Name: APPLIANCE.FOO.COM
User ID: APPLIANCE\cmsadmin
Service Name: krbtgt
Service ID: APPLIANCE\krbtgt
Ticket Options: 0x0
Ticket Encryption Type: 0x1
Pre-Authentication Type: 2
Client Address: 163.187.84.52
Service Ticket Granted:
User Name: cmsadmin
User Domain: APPLIANCE.FOO.COM
Service Name: CANOPENER.APPLIANCE.FOO.COM
Service ID: %{S-1-5-21-515967899-287218729-1801674531-0}
Ticket Options: 0x0
Ticket Encryption Type: 0x1
Client Address: 163.187.84.52
ERROR MESSAGES/STACK TRACES THAT OCCUR :
>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>>crc32: daf783e2
>>>crc32: 11011010111101111000001111100010
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbAsReq etypes are: 1 1
>>> KrbKdcReq send: kdc=blender.appliance.foo.com, port=88, timeout=30000, #bytes=226
>>> KrbKdcReq send: #bytes read=1407
>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>>crc32: 22baeffd
>>>crc32: 100010101110101110111111111101
>>> KrbAsRep cons in KrbAsReq.getReply cmsadmin
***Login Success***
>>> Credentials acquireServiceCreds: same realm
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>>crc32: bf55d141
>>>crc32: 10111111010101011101000101000001
>>> KrbKdcReq send: kdc=blender.appliance.foo.com, port=88, timeout=30000, #bytes=1402
>>> KrbKdcReq send: #bytes read=1369
>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>>crc32: 903b891b
>>>crc32: 10010000001110111000100100011011
KrbException: Message stream modified (41)
    at sun.security.krb5.ad.a(DashoA6275:48)
    at sun.security.krb5.KrbTgsRep.<init>(DashoA6275:65)
    at sun.security.krb5.KrbTgsReq.getReply(DashoA6275:221)
    at sun.security.krb5.internal.a0.a(DashoA6275:280)
    at sun.security.krb5.internal.a0.a(DashoA6275:94)
    at sun.security.krb5.Credentials.acquireServiceCreds(DashoA6275:550)
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:504)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:213)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)
    at com.sun.security.sasl.gsskerb.GssKerberosV5.evaluateChallenge(GssKerberosV5.java:160)
    at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:113)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at com.sun.jndi.ldap.LdapClient.saslBind(LdapClient.java:374)
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:190)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2516)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:263)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:76)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:662)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
    at javax.naming.InitialContext.init(InitialContext.java:219)
    at javax.naming.InitialContext.<init>(InitialContext.java:195)
    at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:80)
    at JndiAction.run(GSSExample.java:116)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:319)
    at GssExample.main(GSSExample.java:83)
javax.naming.AuthenticationException: GSSAPI. Root exception is com.sun.security.sasl.preview.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Message stream modified (41))]
    at com.sun.security.sasl.gsskerb.GssKerberosV5.evaluateChallenge(GssKerberosV5.java:180)
    at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:113)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at com.sun.jndi.ldap.LdapClient.saslBind(LdapClient.java:374)
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:190)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2516)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:263)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:76)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:662)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
    at javax.naming.InitialContext.init(InitialContext.java:219)
    at javax.naming.InitialContext.<init>(InitialContext.java:195)
    at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:80)
    at JndiAction.run(GSSExample.java:116)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:319)
    at GssExample.main(GSSExample.java:83)
Caused by: GSSException: No valid credentials provided (Mechanism level: Message stream modified (41))
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:531)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:213)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)
    at com.sun.security.sasl.gsskerb.GssKerberosV5.evaluateChallenge(GssKerberosV5.java:160)
    ... 19 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Message stream modified (41))
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:531)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:213)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)
    at com.sun.security.sasl.gsskerb.GssKerberosV5.evaluateChallenge(GssKerberosV5.java:160)
    at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:113)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at com.sun.jndi.ldap.LdapClient.saslBind(LdapClient.java:374)
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:190)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2516)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:263)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:76)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:662)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
    at javax.naming.InitialContext.init(InitialContext.java:219)
    at javax.naming.InitialContext.<init>(InitialContext.java:195)
    at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:80)
    at JndiAction.run(GSSExample.java:116)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:319)
    at GssExample.main(GSSExample.java:83)
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import javax.naming.*;
import javax.naming.directory.*;
import javax.security.auth.login.*;
import javax.security.auth.Subject;
import java.util.Hashtable;

/*
 * usage: java
 *   -Djava.security.auth.login.config=jaas.conf
 *   -Djava.security.krb5.conf=krb5.conf
 *   -Dsun.security.krb5.debug=true
 *   GssExample
 */
class GssExample {
    public static void main(String[] args) {
        // 1. Log in (to Kerberos) to the parent domain (e.g. APPLIANCE.FOO.COM),
        //    the kdc of which is blender.appliance.foo.com.
        //    SampleCallbackHandler (not included in this report) supplies the
        //    username/password to the Krb5LoginModule named in jaas.conf.
        LoginContext lc = null;
        try {
            lc = new LoginContext(GssExample.class.getName(), new SampleCallbackHandler());
            // Attempt authentication.
            // You might want to do this in a "for" loop to give the
            // user more than one chance to enter the correct username/password.
            lc.login();
            System.out.println("***Login Success***");
        } catch (LoginException le) {
            System.err.println("Authentication attempt failed: " + le);
            System.exit(-1);
        }

        // 2. Run the JNDI lookup with the Kerberos credentials of the
        //    logged-in Subject, so the GSSAPI SASL bind can find the TGT.
        try {
            Subject sub = lc.getSubject();
            Subject.doAs(sub, new JndiAction());
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

class JndiAction implements java.security.PrivilegedAction {
    public JndiAction() {
    }

    public Object run() {
        DirContext ctx = null;
        try {
            // object in child domain
            String dn = "cn=chd1,cn=users,dc=canopener,dc=appliance,dc=foo,dc=com";
            // host of child domain
            String url = "ldap://electric.canopener.appliance.foo.com:389/";
            String[] attr = {"cn"};

            Hashtable env = new Hashtable(11);
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, url);
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            // integrity protection only (no confidentiality), and the server
            // is NOT required to authenticate itself (mutual auth disabled)
            env.put("javax.security.sasl.qop", "auth-int");
            env.put("javax.security.sasl.server.authentication", "false");

            /* Create initial context */
            ctx = new InitialDirContext(env);
            System.out.println(ctx.getAttributes(dn, attr));
            ctx.close();
        } catch (NamingException e) {
            e.printStackTrace();
        }
        return null;
    }
}
---------- END SOURCE ----------
(Review ID: 153915)
======================================================================
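Editor's added example, not code from the report or from the JDK. The debug line `>>> Credentials acquireServiceCreds: same realm` shows the 1.4.0 client treating the child-domain DC as if it lived in the default (parent) realm, while the audit log shows the parent KDC returning a ticket whose Service Name is CANOPENER.APPLIANCE.FOO.COM, the name of the child realm rather than of the LDAP service on electric. A krb5.conf-driven Kerberos client decides a host's realm from the [domain_realm] table (an exact host entry wins, then the longest matching ".suffix" entry) and falls back to default_realm only when nothing matches; a target in another realm then needs a [capaths] route for the krbtgt hops. The Python below performs that resolution over two constructed krb5.conf texts: the first mirrors what the report describes (default realm only), the second adds the child realm, a domain_realm mapping and a direct capaths entry. Realm, KDC and host names are taken from the report; the mapping and capaths entries, the ldap/ service name and the small parser are assumptions for illustration, and how Java 1.4.x itself resolved the realm is not stated on this page. Python is used because the rule is generic client-library behaviour, not anything JNDI-specific.

```python
"""Host-to-realm resolution as a krb5.conf-driven Kerberos client performs it.

Added illustration for the report above; not code from the report or the JDK.
The krb5.conf texts are constructed: realm, KDC and host names come from the
report, the [domain_realm] and [capaths] entries are assumptions.
"""
import re

# Constructed: the report says default_realm points to the parent domain and
# the debug output shows the parent KDC is blender.appliance.foo.com.
KRB5_CONF_AS_REPORTED = """
[libdefaults]
    default_realm = APPLIANCE.FOO.COM

[realms]
    APPLIANCE.FOO.COM = {
        kdc = blender.appliance.foo.com
    }
"""

# Constructed: same file with the child realm described to the client. The
# child realm and DC come from the audit log and PROVIDER_URL; the mapping
# and trust-path entries are assumed.
KRB5_CONF_WITH_MAPPING = KRB5_CONF_AS_REPORTED + """
    CANOPENER.APPLIANCE.FOO.COM = {
        kdc = electric.canopener.appliance.foo.com
    }

[domain_realm]
    .canopener.appliance.foo.com = CANOPENER.APPLIANCE.FOO.COM
    .appliance.foo.com = APPLIANCE.FOO.COM

[capaths]
    APPLIANCE.FOO.COM = {
        CANOPENER.APPLIANCE.FOO.COM = .
    }
"""


def parse_krb5_conf(text):
    """Minimal reader: [section], key = value, and key = { ... } blocks."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("entry outside any section: %r" % raw)
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return sections


def host_realm(conf, hostname):
    """Exact [domain_realm] host entry first, then the longest '.suffix' entry;
    with no match the host is assumed to be in default_realm (the situation
    the report's 'same realm' debug line reflects)."""
    host = hostname.lower().rstrip(".")
    table = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    if host in table:
        return table[host]
    labels = host.split(".")
    for i in range(1, len(labels)):          # longest suffix first
        suffix = "." + ".".join(labels[i:])
        if suffix in table:
            return table[suffix]
    return conf["libdefaults"]["default_realm"]


def cross_realm_path(conf, client_realm, server_realm):
    """krbtgt realms the client must obtain on the way to server_realm.
    '.' in [capaths] means a direct trust; one intermediate realm is handled
    here (MIT krb5 allows several, one per line)."""
    if client_realm == server_realm:
        return []
    hop = conf.get("capaths", {}).get(client_realm, {}).get(server_realm)
    if hop is None:
        raise LookupError("no [capaths] route from %s to %s" % (client_realm, server_realm))
    return ([] if hop == "." else [hop]) + [server_realm]


def ldap_target(conf, client_realm, hostname):
    """Service principal the client will request, plus the TGT hops needed."""
    realm = host_realm(conf, hostname)
    return "ldap/%s@%s" % (hostname, realm), cross_realm_path(conf, client_realm, realm)


if __name__ == "__main__":
    dc = "electric.canopener.appliance.foo.com"
    for label, text in (("as reported", KRB5_CONF_AS_REPORTED),
                        ("with mapping", KRB5_CONF_WITH_MAPPING)):
        print(label, ldap_target(parse_krb5_conf(text), "APPLIANCE.FOO.COM", dc))
```

With the first configuration the client asks the parent KDC for ldap/electric.canopener.appliance.foo.com@APPLIANCE.FOO.COM and expects no cross-realm hop; with the mapping it resolves the DC to CANOPENER.APPLIANCE.FOO.COM and knows a krbtgt for that realm has to be obtained from the parent first. Windows clients derive the same information from the forest trust rather than from krb5.conf, which is why the reporter's other tooling works against the child domain.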
Backported by: JDK-2056116 Cannot access cross domain Active Directory using JNDI and Kerberos (Resolved)