- Bug
- Resolution: Cannot Reproduce
- P4
- None
- 7
- x86
- linux
FULL PRODUCT VERSION :
/usr/bin/java -version
java version "1.7.0_05"
Java(TM) SE Runtime Environment (build 1.7.0_05-b06)
Java HotSpot(TM) 64-Bit Server VM (build 23.1-b03, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Linux lava12128 2.6.32.54-0.3-default #1 SMP 2012-01-27 17:38:56 +0100 x86_64 x86_64 x86_64 GNU/Linux
A DESCRIPTION OF THE PROBLEM :
I recently upgraded to JDK7u5 and started seeing the following exception.
It is mentioned in bug 7183594 that the user only gets this exception if an IP address is set as PROVIDER_URL. In my case, I got this exception even when an FQDN is set as PROVIDER_URL. I got this exception when I use paging for my query.
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7183594
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1) Java1.7_5
2) props.put(Context.REFERRAL, "follow");
3) Paging control is used for LDAP search result
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
LDAP groups should be returned.
ACTUAL -
Got an exception.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
javax.naming.PartialResultException [Root exception is javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]]]
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(Unknown Source)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(Unknown Source)
at ...
....
.....
....
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at com.emc.avamar.userauth.service.DirectoryServiceUserAuth.getAllUniqueGrpBySearch(DirectoryServiceUserAuth.java:1598)
at com.emc.avamar.userauth.test.AvldapMcguiTest.main(AvldapMcguiTest.java:110)
Caused by: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]]
at com.sun.jndi.ldap.LdapReferralContext.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapReferralException.getReferralContext(Unknown Source)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(Unknown Source)
... 8 more
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.url.ldap.ldapURLContextFactory.getObjectInstance(Unknown Source)
at javax.naming.spi.NamingManager.getURLObject(Unknown Source)
at javax.naming.spi.NamingManager.processURL(Unknown Source)
at javax.naming.spi.NamingManager.processURLAddrs(Unknown Source)
at javax.naming.spi.NamingManager.getObjectInstance(Unknown Source)
... 11 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
... 23 more
Caused by: KrbException: Server not found in Kerberos database (7)
at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
... 26 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(Unknown Source)
at sun.security.krb5.internal.TGSRep.init(Unknown Source)
at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
... 32 more
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
/**
 *
 * PagedResultsControlJndiClient.java
 * Sample code to demonstrate how Paged Results Control works.
 *
 */
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;
import java.util.Hashtable;

public class PagedResultsControlJndiClient
{
    static final String PAGED_RESULT_CONTROL_OID = "1.2.840.113556.1.4.319";

    public static void main(String[] args)
    {
        Hashtable env = new Hashtable();
        env.put(Context.INITIAL_CONTEXT_FACTORY,
                "com.sun.jndi.ldap.LdapCtxFactory");
        // Note: Active Directory Server supports Paged Results Control.
        // SunOne does not support Paged Results Control but it supports
        // Virtual List View Control instead.
        env.put(Context.PROVIDER_URL, "ldap://myAD.mydomain.com:389");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "###@###.###");
        env.put(Context.SECURITY_CREDENTIALS, "mypassword");
        try {
            /* Open an LDAP connection for the provided principal and credentials */
            LdapContext ctx = new InitialLdapContext(env, null);
            System.out.println("Initial binding done!");
            /* Query the server to see if the paged result control is supported */
            if (!isPagedResultControlSupported(ctx)) {
                System.out.println("The server does not support Paged Results Control.");
                System.exit(1);
            }
            /* Activate paged results */
            int pageSize = 5;
            byte[] cookie = null;
            int total;
            ctx.setRequestControls(
                new Control[]{new PagedResultsControl(pageSize, Control.CRITICAL)});
            System.out.println("Paged control set!");
            int count = 0;
            while (true) {
                count++;
                System.err.println("Search loop count = " + count);
                SearchControls ctls = new SearchControls();
                ctls.setSearchScope(SearchControls.ONELEVEL_SCOPE);
                ctls.setCountLimit(0);
                // Perform the search
                NamingEnumeration results = ctx.search("dc=mydomain,dc=com",
                        "(objectclass=*)", ctls);
                try {
                    // Iterate over a batch of search results
                    while (results != null && results.hasMore()) {
                        // Display an entry
                        SearchResult entry = (SearchResult) results.next();
                        System.out.println("entryDN=" + entry.getName());
                    }
                } catch (Exception pe) {
                    System.out.println(pe.toString()); // Partial Result Exception
                }
                // Examine the paged results control response
                Control[] controls = ctx.getResponseControls();
                if (controls != null) {
                    for (int k = 0; k < controls.length; k++) {
                        if (controls[k] instanceof PagedResultsResponseControl) {
                            PagedResultsResponseControl prrc =
                                (PagedResultsResponseControl) controls[k];
                            total = prrc.getResultSize();
                            cookie = prrc.getCookie();
                        } else {
                            // Handle other response controls (if any)
                        }
                    }
                }
                if (cookie == null)
                    break;
                // Re-activate paged results
                ctx.setRequestControls(new Control[]{
                    new PagedResultsControl(pageSize, cookie, Control.CRITICAL)});
            }
            // Close the LDAP association
            ctx.close();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /**
     * Is paged result control supported?
     *
     * Query the rootDSE object to find out if the paged result control
     * is supported.
     */
    static boolean isPagedResultControlSupported(LdapContext ctx)
        throws NamingException
    {
        SearchControls ctl = new SearchControls();
        ctl.setReturningAttributes(new String[]{"supportedControl"});
        ctl.setSearchScope(SearchControls.OBJECT_SCOPE);
        /* search for the rootDSE object */
        NamingEnumeration results = ctx.search("", "(objectClass=*)", ctl);
        while (results.hasMore()) {
            SearchResult entry = (SearchResult) results.next();
            NamingEnumeration attrs = entry.getAttributes().getAll();
            while (attrs.hasMore()) {
                Attribute attr = (Attribute) attrs.next();
                NamingEnumeration vals = attr.getAll();
                while (vals.hasMore()) {
                    String value = (String) vals.next();
                    if (value.equals(PAGED_RESULT_CONTROL_OID))
                        return true;
                }
            }
        }
        return false;
    }
}
---------- END SOURCE ----------
SUPPORT :
YES
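A triage helper for the trace in this report, added here as an example (it is not part of the original report or of the JDK): it walks the cause chain to tell a failed referral bind from a failed initial bind and extracts the Kerberos error number. The class name `ReferralBindTriage` and the sample exception chain are constructed for illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.AuthenticationException;
import javax.naming.PartialResultException;
import javax.security.sasl.SaslException;
import org.ietf.jgss.GSSException;

// Added example: class name and sample chain are constructed, not from the report.
public class ReferralBindTriage {
    // The JDK prints the Kerberos error number in parentheses, e.g. "... (7)".
    private static final Pattern KRB_CODE = Pattern.compile("\\((\\d+)\\)");

    static String triage(Throwable top) {
        boolean referralBind = false;
        GSSException gss = null;
        for (Throwable t = top; t != null && gss == null; t = t.getCause()) {
            // A frame in LdapReferralContext means the bind targeted a referred server.
            for (StackTraceElement f : t.getStackTrace())
                if (f.getClassName().endsWith("LdapReferralContext")) referralBind = true;
            if (t instanceof GSSException) gss = (GSSException) t;
        }
        if (gss == null) return "no GSSAPI failure in cause chain";
        String code = "unknown";
        Matcher m = KRB_CODE.matcher(String.valueOf(gss.getMinorString()));
        while (m.find()) code = m.group(1); // keep the last number in the message
        String where = referralBind ? "referral bind" : "initial bind";
        String hint = "7".equals(code)
                ? " (KDC_ERR_S_PRINCIPAL_UNKNOWN: KDC has no such service principal)" : "";
        String partial = top instanceof PartialResultException
                ? "; results from the first server may be incomplete" : "";
        return where + " failed, Kerberos error " + code + hint + partial;
    }

    // Constructed chain with the same shape as the trace in the report.
    static Throwable constructedSample() {
        GSSException gss = new GSSException(GSSException.NO_CRED, -1,
                "Server not found in Kerberos database (7)");
        AuthenticationException auth = new AuthenticationException("GSSAPI");
        auth.setRootCause(new SaslException("GSS initiate failed", gss));
        auth.setStackTrace(new StackTraceElement[] { new StackTraceElement(
                "com.sun.jndi.ldap.LdapReferralContext", "<init>", null, -1) });
        PartialResultException pre = new PartialResultException();
        pre.setRootCause(auth);
        return pre;
    }

    public static void main(String[] args) {
        System.out.println(triage(constructedSample()));
    }
}
```

When the result is a referral bind failing with error 7, the host name in the referral URL is the one to check for a registered `ldap/<host>` service principal, since the GSSAPI bind requests a ticket for the server it is connecting to.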
- relates to
  JDK-7183594 javax.naming.AuthenticationException comes to occur in JDK7u4, but not in jdk6u31
- Closed