- Type: Bug
- Resolution: Fixed
- Priority: P4
- Affects Version/s: 6, 6u29
- Resolved In Build: b01
- CPU: x86
- OS: linux, linux_redhat_4.0
- Verification: Verified
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-2212648 | 7u2 | Weijun Wang | P4 | Resolved | Fixed | b03 |
JDK-2212948 | 6u121 | Ivan Gerasimov | P4 | Resolved | Fixed | b01 |
JDK-8147420 | 6u115 | Ivan Gerasimov | P4 | Resolved | Fixed | b03 |
FULL PRODUCT VERSION :
Java HotSpot(TM) 64-Bit Server VM (build 14.1-b02, mixed mode)
/!\ same bug with OpenJDK 1.7
ADDITIONAL OS VERSION INFORMATION :
Linux x86_64 Intel(R) Xeon(R) CPU L5520 @ 2.27GHz GNU/Linux
EXTRA RELEVANT SYSTEM CONFIGURATION :
/!\ same bug with OpenJDK 1.7
A DESCRIPTION OF THE PROBLEM :
Authentication to the remote server fails. The error does not appear in the logs, but the debugger shows the following error:
KRB_AP_ERR_MODIFIED (erreur 41) Message stream modified
in sun.security.krb5.KrbKdcRep class, line 56
Cross-realm authentication to a remote service is handled in the sun.security.krb5.internal.CredentialsUtil class.
It consists of obtaining a ticket for the krbtgt/REALM1@REALM2 principal.
The acquireServiceCreds() function negotiates with the KDC by sending requests and receiving responses, and calls equalsWithoutRealm() on the result.
The equalsWithoutRealm() function in sun.security.krb5.PrincipalName checks that the principal requested in the request matches the principal returned in the response.
However, there is a name-type mismatch between the two krbtgt principals: the request asks for a KRB_NT_SRV_INST type, whereas the KDC answers with a KRB_NT_PRINCIPAL type. Thus equalsWithoutRealm() fails and authentication is refused.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
From one realm, try to access any remote 'kerberized' service in another realm.
For example: GSSAPI and JNDI against a remote LDAP server.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Expected result: successful authentication with remote service access.
ACTUAL -
The error is caught but not reported on System.out, and remote authentication fails.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
KRB_AP_ERR_MODIFIED (erreur 41) Message stream modified
in sun.security.krb5.KrbKdcRep class, line 56
is reached but never surfaces in the logs.
REPRODUCIBILITY :
This bug can always be reproduced.
CUSTOMER SUBMITTED WORKAROUND :
Modifying the acquireServiceCreds() function solves the problem, but the better solution is probably to change the request for a cross-realm krbtgt.
Line 134 in CredentialsUtil.java:
```java
for (cTgt = ccreds, i = 0; i < realms.length;)
{
    // Original request, replaced by the workaround below:
    // tempService = new ServiceName(PrincipalName.TGS_DEFAULT_SRV_NAME,
    //                               serviceRealm, realms[i]);
    if (!localRealm.equalsIgnoreCase(serviceRealm)) { // do cross-realm authentication
        if (DEBUG) {
            System.out.println(">>>DEBUG: Credentials request cross realm ticket for "
                    + "krbtgt/" + serviceRealm + "@" + localRealm);
        }
        // Build the krbtgt principal from its string form instead of from
        // (service, instance, realm), avoiding the KRB_NT_SRV_INST request type
        // that mismatched the KDC's reply.
        tempService = new ServiceName("krbtgt/" + serviceRealm + "@" + realms[i]);
    } else {
        tempService = new ServiceName(PrincipalName.TGS_DEFAULT_SRV_NAME,
                serviceRealm, realms[i]);
    }
    if (DEBUG)
    {
        System.out.println(">>> Credentials acquireServiceCreds: main loop: [" + i + "] tempService=" + tempService);
    }
    // ...
```
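A small model of the check described above, added here as an example and not JDK code: a principal-string parser plus the two ways of comparing the requested krbtgt principal with the one the KDC returns. A comparison that includes the name type (KRB_NT_SRV_INST vs KRB_NT_PRINCIPAL) rejects the reply, while comparing only the name components accepts it. The class and function names are my own; only the RFC 4120 name-type constants and the principal format are real.

```python
from collections import namedtuple

# Name types from RFC 4120 section 6.2; a principal is (components, realm, name_type).
KRB_NT_PRINCIPAL, KRB_NT_SRV_INST = 1, 2
PrincipalName = namedtuple("PrincipalName", "components realm name_type")

def parse_principal(text, name_type):
    """Parse 'comp1/comp2@REALM'; a backslash escapes '/' or '@' inside a component."""
    comps, cur, realm, i = [], "", None, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur, i = cur + text[i + 1], i + 2
            continue
        if ch == "@":
            realm = text[i + 1:]
            break
        if ch == "/":
            comps, cur = comps + [cur], ""
        else:
            cur += ch
        i += 1
    comps.append(cur)
    if not realm or not all(comps):
        raise ValueError("malformed principal: %r" % text)
    return PrincipalName(tuple(comps), realm, name_type)

def equals_strict(req, rep):
    """Also requires equal name types: the comparison the report describes as failing."""
    return req.name_type == rep.name_type and req.components == rep.components

def equals_without_realm(req, rep):
    """Compares name components only; RFC 4120 treats name-type as a hint, not identity."""
    return req.components == rep.components

def check_tgs_reply(requested, reply, strict):
    """Simulated validation of the krbtgt principal in a cross-realm TGS reply."""
    ok = equals_strict(requested, reply) if strict else equals_without_realm(requested, reply)
    if ok:
        return True, "reply principal matches request"
    return False, "KRB_AP_ERR_MODIFIED: requested %s type %d, reply %s type %d" % (
        "/".join(requested.components), requested.name_type,
        "/".join(reply.components), reply.name_type)

def demo():
    # Constructed sample mirroring the report: request built as KRB_NT_SRV_INST, reply as KRB_NT_PRINCIPAL.
    requested = PrincipalName(("krbtgt", "REALM1"), "REALM2", KRB_NT_SRV_INST)
    reply = parse_principal("krbtgt/REALM1@REALM2", KRB_NT_PRINCIPAL)
    return check_tgs_reply(requested, reply, True), check_tgs_reply(requested, reply, False)
```

Running demo() returns a failing strict result and a passing component-only result for the same request/reply pair.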
SUPPORT :
YES
Issue Links:
- backported by:
  - JDK-2212648 [Kerberos] Cross-realm authentication fails, due to nameType problem (Resolved)
  - JDK-2212948 [Kerberos] Cross-realm authentication fails, due to nameType problem (Resolved)
  - JDK-8147420 [Kerberos] Cross-realm authentication fails, due to nameType problem (Resolved)
- duplicates:
  - JDK-7112944 Cross Realm Kerberos Auth Fails (Closed)