- Bug
- Resolution: Duplicate
- P3
- None
- 7u45
- linux
FULL PRODUCT VERSION :
java version "1.7.0_45"
Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode);
java version "1.7.0_45"
OpenJDK Runtime Environment (rhel-2.4.3.1.el5_10-x86_64 u45-b15)
OpenJDK 64-Bit Server VM (build 24.45-b08, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Linux dellirium 3.11.0-12-generic #19-Ubuntu SMP Wed Oct 9 16:20:46 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux;
Linux c2n1 2.6.18-194.32.1.el5 #1 SMP Wed Jan 5 17:52:25 EST 2011 x86_64 x86_64 x86_64 GNU/Linux
EXTRA RELEVANT SYSTEM CONFIGURATION :
tested on Centos5, Centos6, Ubuntu 13.04, Ubuntu 13.10
A DESCRIPTION OF THE PROBLEM :
It seems that some issues with addressful(less) tickets were already solved as mentioned in https://bugs.openjdk.java.net/browse/JDK-4501327. Unfortunately that fix applies only to AS requests. I found out that when you're using forwardable tickets the 'noaddress' flag is ignored and forwarded tickets are always addressless.
ADDITIONAL REGRESSION INFORMATION:
java version "1.7.0_45"
Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode);
java version "1.7.0_45"
OpenJDK Runtime Environment (rhel-2.4.3.1.el5_10-x86_64 u45-b15)
OpenJDK 64-Bit Server VM (build 24.45-b08, mixed mode)
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
On client side - follow instructions from http://hc.apache.org/httpcomponents-client-4.2.x/tutorial/html/authentication.html#spnego and run example httpclient code with SPNEGO/Kerberos Authentication.
In addition to the above instructions, in the [libdefaults] section of the client's /etc/krb5.conf we defined:
>>>>>>>>>>>>>>>>
[libdefaults]
default_realm = C2MGMT.COM
dns_lookup_realm = false
kdc_timeout = 1000
udp_preference_limit = 0
dns_lookup_kdc = false
forwardable = yes
noaddresses = false
<<<<<<<<<<<<<<<<<<<
On server side - use any SPNEGO-ready server which allows logging/validating tickets - we used Apache with mod_auth_kerb and a bash CGI script with the code below:
>>>>>>>>>>>>>>>>
#!/bin/bash
# Append the credential cache that mod_auth_kerb handed to this request to /tmp/k.log
echo "---------------------------------" >> /tmp/k.log
echo "KRB5CCNAME=$KRB5CCNAME" >> /tmp/k.log
if [ "x$KRB5CCNAME" != "x" ]; then
    # -f show flags, -a show addresses, -n no reverse DNS; ${KRB5CCNAME:5} strips the "FILE:" prefix
    klist -fan -c "${KRB5CCNAME:5}" >> /tmp/k.log
fi
<<<<<<<<<<<<<<<<
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
No matter whether we used noaddresses = false or noaddresses = true, on the server we're getting (/tmp/k.log):
---------------------------------
KRB5CCNAME=FILE:/tmp/krb5cc_apache_4EGT8w
Ticket cache: FILE:/tmp/krb5cc_apache_4EGT8w
Default principal: portal@C2MGMT.COM
Valid starting Expires Service principal
11/05/13 15:33:40 11/06/13 15:33:40 krbtgt/C2MGMT.COM@C2MGMT.COM
Flags: FfT
Addresses: (none)
ACTUAL -
I would expect that if noaddresses = true the above result is expected:
Addresses: (none)
but in case you set noaddresses = false, you should get something like
Addresses: 10.105.56.136
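As an added example (not the reporter's code and not part of the JDK), the following Python script parses the `klist -fan` listing that the CGI above writes to /tmp/k.log and reports forwarded tickets (lowercase `f` flag) that carry no addresses, which is exactly the mismatch this report describes for a client configured with noaddresses = false. The sample listing is constructed from the excerpt above (the second, HTTP/ ticket is invented to show a non-forwarded, addressful entry), the function names are the example's own, and the parser assumes klist's default two-digit-year date layout (a four-digit year is accepted as well).

```python
"""Check forwarded Kerberos tickets for missing addresses in `klist -fan` output.

Added example (not part of the bug report or OpenJDK). It parses the
ticket-cache listing the report's CGI script writes to /tmp/k.log and
reports forwarded tickets ('f' flag) that carry no addresses, which a
client configured with noaddresses = false should not produce.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample modelled on the /tmp/k.log excerpt in the report; the
# second ticket is invented to show a non-forwarded, addressful entry.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_apache_4EGT8w
Default principal: portal@C2MGMT.COM
Valid starting       Expires              Service principal
11/05/13 15:33:40    11/06/13 15:33:40    krbtgt/C2MGMT.COM@C2MGMT.COM
        Flags: FfT
        Addresses: (none)
11/05/13 15:33:41    11/06/13 15:33:40    HTTP/web.c2mgmt.com@C2MGMT.COM
        Flags: FT
        Addresses: 10.105.56.136, 10.105.56.137
"""

# "MM/DD/YY HH:MM:SS  MM/DD/YY HH:MM:SS  service" (klist's default date format;
# a four-digit year, as newer klist versions print, is accepted too)
_STAMP = r"\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^({_STAMP})\s+({_STAMP})\s+(\S+)$")


@dataclass
class Ticket:
    service: str
    valid_from: str
    expires: str
    flags: str = ""
    addresses: List[str] = field(default_factory=list)

    @property
    def forwarded(self) -> bool:
        return "f" in self.flags      # lowercase f: the FORWARDED ticket flag

    @property
    def forwardable(self) -> bool:
        return "F" in self.flags      # uppercase F: FORWARDABLE

    @property
    def addressless(self) -> bool:
        return not self.addresses


def parse_klist(text: str) -> Tuple[Optional[str], List[Ticket]]:
    """Parse `klist -fan` output into (default principal, list of tickets)."""
    principal = None
    tickets: List[Ticket] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append(Ticket(service=m.group(3), valid_from=m.group(1), expires=m.group(2)))
            continue
        if not tickets:
            continue                  # header lines before the first ticket
        if line.startswith("Flags:"):
            tickets[-1].flags = line.split(":", 1)[1].strip()
        elif line.startswith("Addresses:"):
            # split only on the first colon so IPv6 literals survive
            value = line.split(":", 1)[1].strip()
            if value != "(none)":
                tickets[-1].addresses = [a.strip() for a in value.split(",") if a.strip()]
    return principal, tickets


def forwarded_without_addresses(text: str) -> List[Ticket]:
    """Tickets that were forwarded but carry no address restriction."""
    _, tickets = parse_klist(text)
    return [t for t in tickets if t.forwarded and t.addressless]


def report(text: str, noaddresses: bool) -> List[str]:
    """One finding per ticket whose address content contradicts the client's
    libdefaults `noaddresses` setting (noaddresses=False means addresses expected)."""
    _, tickets = parse_klist(text)
    findings = []
    for t in tickets:
        if not noaddresses and t.addressless:
            kind = "forwarded " if t.forwarded else ""
            findings.append(f"{kind}ticket for {t.service} has no addresses although noaddresses = false")
        elif noaddresses and not t.addressless:
            findings.append(f"ticket for {t.service} carries addresses although noaddresses = true")
    return findings


if __name__ == "__main__":
    # Usage: python check_klist.py /tmp/k.log  (falls back to the constructed sample)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KLIST
    for finding in report(source, noaddresses=False):
        print(finding)
```

Run against the real /tmp/k.log, the script lists the forwarded krbtgt entry as addressless, which is the observed behaviour the report considers wrong when noaddresses = false; once the client honours the setting, that finding should disappear while a noaddresses = true client produces none either way.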
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
Here is my patch based on openjdk7 sources (/openjdk/jdk/src/share/classes/sun/security/krb5/KrbCred.java):
# This patch file was generated by NetBeans IDE
# This patch can be applied using context Tools: Apply Diff Patch action on respective folder.
# It uses platform neutral UTF-8 encoding.
# Above lines and this line are ignored by the patching process.
81,82c81,82
< if (server.getNameType() == PrincipalName.KRB_NT_SRV_HST)
< sAddrs= new HostAddresses(server);
---
> //if (server.getNameType() == PrincipalName.KRB_NT_SRV_HST)
> // sAddrs= new HostAddresses(server);
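Review bot: the two original lines are kept as comments (`> //if (server.getNameType() == PrincipalName.KRB_NT_SRV_HST)` / `> // sAddrs= new HostAddresses(server);`) instead of being removed, which leaves dead code next to the replacement; delete them and record the reason for dropping the unconditional KRB_NT_SRV_HST case in a comment on the replacement block.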
83a84,95
> /* amg:tibor */
> // I commented out two above lines as I'm not sure what it does ;)
> // My understanding is that we should add address or not base on what is set in configuration.
> // On our environmant KDC replays KrbTgsRep with type set to 0, that's why I allow it here
> // - I wasn't able to find any information if this can be configured. I force this type to
> // allow HostAddresses constructor work properly, maybe this validation there is also not required.
> if((server.getNameType() == PrincipalName.KRB_NT_UNKNOWN || server.getNameType() == PrincipalName.KRB_NT_SRV_HST) && Config.getInstance().useAddresses() ) {
> PrincipalName newServer = new PrincipalName(server.getName(), PrincipalName.KRB_NT_SRV_HST);
> sAddrs= new HostAddresses(newServer);
> }
> /* amg:tibor */
>
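Review bot: the new condition admits KRB_NT_UNKNOWN and then rewrites the server name as KRB_NT_SRV_HST purely, as the comment says, to make the HostAddresses constructor accept it, so whatever that constructor validates is bypassed for a name the KDC returned with type 0, and the comment itself states this was not confirmed to be correct; restrict the type-0 case to names that are demonstrably host-based, or document why every type-0 server name reaching KrbCred is one. The `Config.getInstance().useAddresses()` guard is the part that actually honours `noaddresses` and should stay. Also replace the `/* amg:tibor */` markers and the first-person comment lines ("I'm not sure what it does ;)", "environmant", "base on") with a short factual comment, and drop the trailing empty `>` line, which adds a blank line the surrounding code does not need.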
- duplicates: JDK-8132111 Do not request for addresses for forwarded TGT (Resolved)