Enhancement | Resolution: Won't Fix | P4 | 6u29 | x86 | windows_xp | Not verified
FULL PRODUCT VERSION :
java version "1.6.0_29"
Java(TM) SE Runtime Environment (build 1.6.0_29-b11)
Java HotSpot(TM) Client VM (build 20.4-b02, mixed mode, sharing)
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows XP [Version 5.1.2600]
A DESCRIPTION OF THE PROBLEM :
I have configured my krb5.ini to resolve KDCs via DNS; this is supported in Java 7. I did not want to enter the KDC again for all apps and the GSS-API; I just wanted to do this for Java.
I have done this in my krb5.ini:
[libdefaults]
    default_realm = WW004.SIEMENS.NET
    forwardable = true
    renewable = true
    dns_lookup_kdc = true

[appdefaults]
    java = {
        WW004.SIEMENS.NET = {
            kdc = ww004.siemens.net
        }
    }

[domain_realm]
    .ww002.siemens.net = WW002.SIEMENS.NET
    .ww004.siemens.net = WW004.SIEMENS.NET
    .siemens.net = SIEMENS.NET
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
This fails under Windows, Linux and HP-UX. The OS does not matter since the config parsing code is OS-agnostic.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Java should pick up appdefaults and set options and realms/KDCs appropriately.
ACTUAL -
Completely ignored by Java.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
/java -Dsun.security.krb5.debug=true -Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.auth.login.config=/home/smartld/ldap-client/login.conf -Djava.security.krb5.conf=./krb5.conf -Dsun.security.jgss.debug=true -jar ldap-client.jar 157.163.178.67
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /etc/smartld.keytab refreshKrb5Config is false principal is host/blnn725x.ww004.siemens.net tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>> KeyTabInputStream, readName(): WW004.SIEMENS.NET
>>> KeyTabInputStream, readName(): host
>>> KeyTabInputStream, readName(): blnn725x.ww004.siemens.net
>>> KeyTab: load() entry length: 76; type: 3
Added key: 3version: 15
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
principal's key obtained from the keytab
Acquire TGT using AS Exchange
>>> KdcAccessibility: reset
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
[Krb5LoginModule] authentication failed
Cannot get kdc for realm WW004.SIEMENS.NET
Exception in thread "main" javax.security.auth.login.LoginException: Cannot get kdc for realm WW004.SIEMENS.NET
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at GssapiLdapConnect.main(GssapiLdapConnect.java:26)
Caused by: KrbException: Cannot get kdc for realm WW004.SIEMENS.NET
at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:196)
at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:175)
at sun.security.krb5.KrbAsReq.send(KrbAsReq.java:431)
at sun.security.krb5.Credentials.sendASRequest(Credentials.java:400)
at sun.security.krb5.Credentials.acquireTGT(Credentials.java:350)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:672)
... 12 more
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class GssapiLdapConnect {
    public static void main(String[] args) throws LoginException, PrivilegedActionException, NamingException {
        final Hashtable<String, Object> dirOptions = new Hashtable<String, Object>();
        dirOptions.put(Context.INITIAL_CONTEXT_FACTORY,
                "com.sun.jndi.ldap.LdapCtxFactory");
        dirOptions.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        dirOptions.put(Context.PROVIDER_URL, "ldap://" + args[0] + ":389");
        // dirOptions.put("com.sun.jndi.ldap.trace.ber", System.err);
        // JAAS login through the "ldap-client" entry of login.conf (Krb5LoginModule with keytab);
        // this is the call that fails with "Cannot get kdc for realm" in the trace above.
        LoginContext lc = new LoginContext("ldap-client");
        lc.login();
        // Bind to LDAP with SASL/GSSAPI as the authenticated Kerberos subject.
        DirContext context = Subject.doAs(lc.getSubject(), new PrivilegedExceptionAction<DirContext>() {
            public DirContext run() throws Exception {
                return new InitialDirContext(dirOptions);
            }
        });
        System.out.println(context.getAttributes("", new String[] {"defaultNamingContext"}));
        context.close();
        lc.logout();
    }
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Add the KDCs to the [realms] section but this would lose any load-balancing and round-robin methods through DNS.
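To make the misconfiguration in this report easy to spot before a deployment fails, here is an added checker (not part of the bug report or the JDK): it parses the krb5.conf brace syntax and flags a realm whose KDC is declared only under [appdefaults] java = { ... }, which Java's Kerberos code ignores, while [realms] or DNS SRV lookup (dns_lookup_kdc) would be used. The sample config is a constructed cut-down of the reporter's krb5.ini.

```python
import re

# Constructed sample, cut down from the reporter's krb5.ini (KDC only in appdefaults).
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = WW004.SIEMENS.NET
dns_lookup_kdc = true
[appdefaults]
java = {
    WW004.SIEMENS.NET = {
        kdc = ww004.siemens.net
    }
}
"""

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value or nested dict}}."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:                                    # new [section]
            stack = [root.setdefault(m.group(1), {})]
        elif line == "}":                        # close nested block
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":                     # open nested block
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return root

def lint_kdc_source(conf):
    """Findings for the default realm. Java's Kerberos code reads [realms]
    (or DNS SRV records when dns_lookup_kdc is true), never [appdefaults]."""
    lib = conf.get("libdefaults", {})
    realm = lib.get("default_realm")
    in_realms = conf.get("realms", {}).get(realm, {}).get("kdc")
    in_app = conf.get("appdefaults", {}).get("java", {}).get(realm, {}).get("kdc")
    dns = lib.get("dns_lookup_kdc", "false").lower() == "true"
    problems = []
    if in_app and not in_realms:
        problems.append("kdc for %s is only under [appdefaults] java, which Java "
                        "ignores: move it to [realms] or rely on DNS SRV" % realm)
    if not in_realms and not dns:
        problems.append("no KDC source for %s: add [realms] or dns_lookup_kdc" % realm)
    return problems
```

Running `lint_kdc_source(parse_krb5_conf(SAMPLE_KRB5_CONF))` reports the appdefaults-only KDC; the same config with the entry moved to [realms] (the reporter's workaround) produces no findings.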