- Bug
- Resolution: Other
- P3
- None
- 7u40
- windows_7
FULL PRODUCT VERSION :
java version "1.7.0_45"
Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
Java HotSpot(TM) Client VM (build 24.45-b08, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7601]
Linux
A DESCRIPTION OF THE PROBLEM :
KerberosAuthExample (you can find it in Source code for an executable test case) accesses a server using a Kerberos ticket.
In this example, after user authentication, a ticket is retrieved. Using this ticket, an SMB folder is accessed and the files are listed.
When using Java 6, this example works perfectly.
However, when using Java 7, I always receive "jcifs.smb.SmbAuthException: Access is denied".
I even tried the following krb5.conf to use Java 6 style encryption but got the same exception:
[libdefaults]
default_realm = kijkim.oracle.com
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
clockskew = 300
default_tkt_enctypes=DES-CBC-MD5 DES-CBC-CRC RC4-HMAC
default_tgs_enctypes=DES-CBC-MD5 DES-CBC-CRC RC4-HMAC
preferred_enctypes = DES-CBC-MD5 DES-CBC-CRC RC4-HMAC
REGRESSION. Last worked in version 6u45
ADDITIONAL REGRESSION INFORMATION:
java version "1.6.0_45"
Java(TM) SE Runtime Environment (build 1.6.0_45-b06)
Java HotSpot(TM) Client VM (build 20.45-b01, mixed mode)
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. prepare a Windows Server 2008 (username: administrator, password: ora.1216, hostname: kijkim-gx520.kijkim.oracle.com, IP address: 10.179.127.32)
2. On the server,
2-1. set up as PDC and DNS server (Active Directory domain name (realm): KIJKIM.ORACLE.COM)
2-2. create 'smb' directory and share it (user: administrator)
3. prepare a Windows 7 PC
3-1 On the PC,
3-2. download http://jcifs.samba.org/src/jcifs-krb5-1.3.17.zip and extract jcifs-krb5-1.3.17.jar
3-3. compile KerberosAuthExample (in Source code for an executable test case) and run as follows:
c:\> java -cp .;jcifs-krb5-1.3.17.jar KerberosAuthExample
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
C:\>c:\jdk1.6.0_45\bin\java -cp .;jcifs-krb5-1.3.17.jar KerberosAuthExample
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt f
alse ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is fa
lse principal is null tryFirstPass is true useFirstPass is false storePass is fa
lse clearPass is false
username from shared state is administrator
username from shared state is administrator
password is ora.1216
Acquire TGT using AS Exchange
principal is administrator@KIJKIM.ORACLE.COM
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: D9 6B D3 34 01 4F B0 89
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: D9 6B D3 34 01 4F B0 89
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: AF 7D 59 43 43 9B 42 77 CF
55 54 BC 70 40 18 37 ..YCC.Bw.UT.p@.7
EncryptionKey: keyType=16 keyBytes (hex dump)=0000: F4 EA 57 CD 16 E9 16 37 B6
92 9D 4A 7F DF AD 58 ..W....7...J...X
0010: 8F 83 62 D9 32 43 3E 5E
EncryptionKey: keyType=17 keyBytes (hex dump)=0000: CD 80 9D 5E EC 75 5C BF 51
26 71 80 8C 5D CE 7B ...^.u\.Q&q..]..
[Krb5LoginModule] authentication succeeded
Commit Succeeded
Files:
-->smbFile1.txt
-->smbFile2.txt
ACTUAL -
C:\>c:\jdk1.7.0_45\bin\java -cp .;jcifs-krb5-1.3.17.jar KerberosAuthExample
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt f
alse ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is fa
lse principal is null tryFirstPass is true useFirstPass is false storePass is fa
lse clearPass is false
username from shared state is administrator
username from shared state is administrator
password is ora.1216
principal is administrator@KIJKIM.ORACLE.COM
[Krb5LoginModule] authentication succeeded
Commit Succeeded
Files:
jcifs.smb.SmbAuthException: Access is denied.
at jcifs.smb.SmbTransport.checkStatus(SmbTransport.java:596)
at jcifs.smb.SmbTransport.send(SmbTransport.java:722)
at jcifs.smb.Kerb5Authenticator.setup(Kerb5Authenticator.java:214)
at jcifs.smb.Kerb5Authenticator.access$000(Kerb5Authenticator.java:30)
at jcifs.smb.Kerb5Authenticator$1.run(Kerb5Authenticator.java:168)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:415)
at jcifs.smb.Kerb5Authenticator.sessionSetup(Kerb5Authenticator.java:166
)
at jcifs.smb.SmbSession.sessionSetup(SmbSession.java:320)
at jcifs.smb.SmbSession.send(SmbSession.java:239)
at jcifs.smb.SmbTree.treeConnect(SmbTree.java:176)
at jcifs.smb.SmbFile.doConnect(SmbFile.java:925)
at jcifs.smb.SmbFile.connect(SmbFile.java:974)
at jcifs.smb.SmbFile.connect0(SmbFile.java:890)
at jcifs.smb.SmbFile.getType(SmbFile.java:1302)
at jcifs.smb.SmbFile.doEnum(SmbFile.java:1753)
at jcifs.smb.SmbFile.listFiles(SmbFile.java:1735)
at jcifs.smb.SmbFile.listFiles(SmbFile.java:1668)
at KerberosAuthExample.main(KerberosAuthExample.java:42)
ERROR MESSAGES/STACK TRACES THAT OCCUR :
jcifs.smb.SmbAuthException: Access is denied.
at jcifs.smb.SmbTransport.checkStatus(SmbTransport.java:596)
at jcifs.smb.SmbTransport.send(SmbTransport.java:722)
at jcifs.smb.Kerb5Authenticator.setup(Kerb5Authenticator.java:220)
at jcifs.smb.Kerb5Authenticator.access$000(Kerb5Authenticator.java:30)
at jcifs.smb.Kerb5Authenticator$1.run(Kerb5Authenticator.java:168)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:415)
at jcifs.smb.Kerb5Authenticator.sessionSetup(Kerb5Authenticator.java:166
)
at jcifs.smb.SmbSession.sessionSetup(SmbSession.java:320)
at jcifs.smb.SmbSession.send(SmbSession.java:239)
at jcifs.smb.SmbTree.treeConnect(SmbTree.java:176)
at jcifs.smb.SmbFile.doConnect(SmbFile.java:925)
at jcifs.smb.SmbFile.connect(SmbFile.java:974)
at jcifs.smb.SmbFile.connect0(SmbFile.java:890)
at jcifs.smb.SmbFile.getType(SmbFile.java:1302)
at jcifs.smb.SmbFile.doEnum(SmbFile.java:1753)
at jcifs.smb.SmbFile.listFiles(SmbFile.java:1735)
at jcifs.smb.SmbFile.listFiles(SmbFile.java:1668)
at KerberosAuthExample.main(KerberosAuthExample.java:43)
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;

import jcifs.Config;
import jcifs.smb.Kerb5Authenticator;
import jcifs.smb.SmbFile;

import com.sun.security.auth.module.Krb5LoginModule;

/**
 * @author Shun
 *
 */
public class KerberosAuthExample {

    private static String NAME = "administrator";
    private static String PWD = "ora.1216";
    private static String URL = "smb://kijkim-gx520.kijkim.oracle.com/smb/";
    private static String KDC = "10.179.127.32";
    private static String REALM = "KIJKIM.ORACLE.COM";

    public static void main(String[] args) throws LoginException {
        // Enable Kerberos (extended security) in jCIFS and prefer SMB signing.
        Config.setProperty("jcifs.smb.client.capabilities", Kerb5Authenticator.CAPABILITIES);
        Config.setProperty("jcifs.smb.client.flags2", Kerb5Authenticator.FLAGS2);
        Config.setProperty("jcifs.smb.client.signingPreferred", "true");

        try {
            // login
            Subject subject = new Subject();
            login(subject);
            System.out.println("Files:");

            // list file
            SmbFile file = new SmbFile(URL, new Kerb5Authenticator(subject));
            SmbFile[] files = file.listFiles();
            for (int i = 0; i < files.length; i++) {
                System.out.println("-->" + files[i].getName());
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public static void login(Subject subject) throws LoginException {
        System.setProperty("java.security.krb5.kdc", KDC);
        System.setProperty("java.security.krb5.realm", REALM);

        // Shared state passes the user name and password to the login module (tryFirstPass).
        Map<String, Object> state = new HashMap<String, Object>();
        state.put("javax.security.auth.login.name", NAME);
        state.put("javax.security.auth.login.password", PWD.toCharArray());

        Map<String, Object> option = new HashMap<String, Object>();
        option.put("debug", "true");
        option.put("tryFirstPass", "true");
        option.put("useTicketCache", "false");
        option.put("doNotPrompt", "false");
        option.put("storePass", "false");

        // Drive Krb5LoginModule directly instead of going through a LoginContext.
        Krb5LoginModule login = new Krb5LoginModule();
        login.initialize(subject, null, state, option);
        if (login.login()) {
            login.commit();
        }
    }
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
KerberosAuthExample works on JDK7 if SMB signing is disabled on the Windows Server (http://support.exinda.com/topic/how-to-disable-smb-signing-on-windows-servers-to-improve-smb-performance).
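An added example, not part of the original report: a small Java helper that reads Krb5LoginModule debug output of the kind shown under EXPECTED, maps each `keyType` number to its Kerberos encryption type name, and strips the password and key bytes so the trace can be shared. The class name `Krb5DebugSummary` is hypothetical and the sample log is constructed.

```java
import java.util.*;
import java.util.regex.*;
public class Krb5DebugSummary {
    // Kerberos enctype numbers (IANA registry) with their krb5.conf names.
    static final Map<Integer, String> ETYPES = new LinkedHashMap<>();
    static {
        ETYPES.put(1, "des-cbc-crc");
        ETYPES.put(3, "des-cbc-md5");
        ETYPES.put(16, "des3-cbc-sha1");
        ETYPES.put(17, "aes128-cts-hmac-sha1-96");
        ETYPES.put(18, "aes256-cts-hmac-sha1-96");
        ETYPES.put(23, "rc4-hmac");
    }
    static final Pattern KEY = Pattern.compile("EncryptionKey: keyType=(\\d+)");
    static final Pattern PASSWORD = Pattern.compile("(?m)^([ \\t]*password is ).*$");
    static final Pattern KEY_BYTES = Pattern.compile("(?m)(keyBytes \\(hex dump\\)=).*$");
    // Wrapped hex-dump continuation lines: optional offset, then byte pairs.
    static final Pattern HEX_LINE = Pattern.compile("(?m)^(?:[0-9A-F]{4}: )?(?:[0-9A-F]{2} ){2,}.*\\R?");

    /** Enctype of every EncryptionKey line, in log order, as "number=name". */
    static List<String> keyTypes(String log) {
        List<String> out = new ArrayList<>();
        Matcher m = KEY.matcher(log);
        while (m.find()) {
            int n = Integer.parseInt(m.group(1));
            out.add(n + "=" + ETYPES.getOrDefault(n, "unknown"));
        }
        return out;
    }

    /** The same log with the password and all key bytes removed. */
    static String redact(String log) {
        String s = PASSWORD.matcher(log).replaceAll("$1<redacted>");
        s = KEY_BYTES.matcher(s).replaceAll("$1<redacted>");
        return HEX_LINE.matcher(s).replaceAll("");
    }

    public static void main(String[] args) {
        // Constructed sample in the Krb5LoginModule debug format; all values made up.
        String log = "password is example-password\n"
            + "principal is user@EXAMPLE.TEST\n"
            + "EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 00 11 22 33 44 55 66 77 88\n"
            + "99 AA BB CC DD EE FF ........\n"
            + "EncryptionKey: keyType=17 keyBytes (hex dump)=0000: 01 02 03 04 05 06 07 08 09\n"
            + "Commit Succeeded\n";
        System.out.println(keyTypes(log));
        System.out.print(redact(log));
    }
}
```

Running the same summary over the Java 6 and Java 7 traces gives a compact list of the key types each run reported, without the credentials that the raw debug output contains.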
- duplicates
  JDK-8031973 JCIFS with Kerberos doesn't work on JDK 7
- Closed