- Bug
- Resolution: Duplicate
- P4
- 8
- x86
- windows_2008
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8060122 | 8-pool | Mala Bankal | P4 | Closed | Duplicate | |
JDK-8055524 | 7-pool | Mala Bankal | P2 | Closed | Not an Issue | |
FULL PRODUCT VERSION :
java version "1.8.0_05"
Java(TM) SE Runtime Environment (build 1.8.0_05-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.5-b02, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7601]
A DESCRIPTION OF THE PROBLEM :
In a Kerberos Constrained delegation situation (client -> server -> b)
if the client didn't call requestCredDeleg(true);
when server calls getDelegCred() will return a Krb5ProxyCredentials wrapped.
and when the server calls requestCredDeleg(true);
initSecContext will throw the following exception:
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Generic error (description in e-text) (60) - Client principal does not match)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(Unknown Source)
... 408 more
Caused by: KrbException: Generic error (description in e-text) (60) - Client principal does not match
at sun.security.krb5.KrbCred.<init>(Unknown Source)
at sun.security.jgss.krb5.InitialToken$OverloadedChecksum.<init>(Unknown Source)
at sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
... 412 more
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
see attached source
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
expect it to work
ACTUAL -
an exception was raised from the client side.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Generic error (description in e-text) (60) - Client principal does not match)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(Unknown Source)
... 408 more
Caused by: KrbException: Generic error (description in e-text) (60) - Client principal does not match
at sun.security.krb5.KrbCred.<init>(Unknown Source)
at sun.security.jgss.krb5.InitialToken$OverloadedChecksum.<init>(Unknown Source)
at sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
... 412 more
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
// the structure of this test uses a lot of the names and methods from the Krb5 tests in openjdk: test/sun/security/krb5/auto/S4U2proxy.java
// it uses the Context class from there as well.
@Test
public void testCredDelegeNY() throws Exception {
    try {
        c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_SPNEGO_MECH_OID);
        s.startAsServer(null, new Oid[] {GSSUtil.GSS_SPNEGO_MECH_OID, GSSUtil.GSS_KRB5_MECH_OID}, false);
        Context.handshake(c, s);
        Context p = s.delegated();
        p.startAsClient(OneKDC.BACKEND, GSSUtil.GSS_SPNEGO_MECH_OID);
        b.startAsServer(null, new Oid[] {GSSUtil.GSS_SPNEGO_MECH_OID}, false);
        p.getCredential().requestCredDeleg(true);
        System.out.println("--- handshake p -> b");
        Context.handshake(p, b);
    } catch (Exception e) {
        e.printStackTrace();
        throw e;
    }
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
don't call requestCredDeleg(true);
but because the server cannot tell that from the GSSContext if it should, it needs to be done for all requests.
Alternatively, patch KrbCred, and comment out the following lines in the constructor:
/*
    if (!serviceTicket.getClient().equals(client))
        throw new KrbException(Krb5.KRB_ERR_GENERIC,
            "Client principal does not match");
*/
- backported by
  - JDK-8055524 Kerberos Constrained delegation (Closed)
  - JDK-8060122 Kerberos Constrained delegation (Closed)
- duplicates
  - JDK-8044215 Unable to initiate SpNego using a S4U2Proxy GSSCredential (Krb5ProxyCredential) (Resolved)
- relates to
  - JDK-8044215 Unable to initiate SpNego using a S4U2Proxy GSSCredential (Krb5ProxyCredential) (Resolved)