RFR 8227437: S4U2proxy cannot continue because server's TGT cannot be found

Weijun Wang weijun.wang at oracle.com
Tue Jul 16 01:21:16 UTC 2019


Hi Martin,

There is only one place I don't quite understand.

In SubjectComber::findAux, you have

 151                     while (iterator.hasNext()) {
 152                         Object obj = iterator.next();
 153                         if (obj instanceof KerberosTicket) {
 155                             KerberosTicket ticket = (KerberosTicket)obj;
 164                             if (!ticket.isCurrent()) {
 ...
 186                             } else {
 ...
 195                                     KerberosPrincipal clientAlias = KerberosSecrets
 196                                             .getJavaxSecurityAuthKerberosAccess()
 197                                             .kerberosTicketGetClientAlias(ticket);
 198                                     if (clientPrincipal == null ||
 199                                         clientPrincipal.equals(
 200                                             ticket.getClient().getName()) ||
 201                                             (clientAlias != null &&
 202                                             clientPrincipal.equals(
 203                                                     clientAlias.getName()))) {
 ...
 207                                             // Record names so that tickets will
 208                                             // all belong to same principals
 209                                             if (clientPrincipal == null) {
 210                                                 if (clientAlias == null) {
 211                                                     clientPrincipal =
 212                                                             ticket.getClient().getName();
 213                                                 } else {
 214                                                     clientPrincipal =
 215                                                             clientAlias.getName();
 216                                                 }
 217                                             }
 ...
 227                                             answer.add(credClass.cast(ticket));
 228                                         }
 229                                     }
 230                                 }
 231                             }
 232                         }
 233                     } 

Suppose we have 2 tickets:

 client1(clientAlias1) -> ...
 client1 -> ...  // I don't know why this one has no alias

and clientPrincipal is null at the beginning.

Now, when the 1st ticket is checked, the if check on lines 198-203 will succeed, and clientPrincipal is assigned clientAlias1 on line 214. Next, when the 2nd ticket is checked, because it has no alias and client1 != clientPrincipal (now clientAlias1), it will not be added. Is this intended?

Why not simply assign ticket.getClient().getName() to clientPrincipal?

Thanks,
Max

> On Jul 16, 2019, at 8:47 AM, Martin Balao <mbalao at redhat.com> wrote:
> 
> Hi,
> 
> I'd like to propose the following fix for JDK-8227437 [1] (*):
> 
> * http://cr.openjdk.java.net/~mbalao/webrevs/8227437/8227437.webrev.00/
> 
> JDK-8227437 bug appeared after the OpenJDK Kerberos client supported
> RFC-6806 [2].
> 
> When requesting a TGT (ticket-granting-ticket), there may be client name
> canonicalization and/or realm referrals. When requesting a TGS
> (ticket-granting-service), there may be realm referrals. As a result,
> the client or service names we use to request a ticket may be different
> than those we get in the returned ticket. I.e.: we may use the subject
> principal "subject at REALM-1.COM" as a client name to request a TGT and
> get a ticket whose client name is "subject-canonical at REALM-2.COM".
> 
> Even though the ticket credentials belong to the subject, we are unable
> to locate them based on the client or service names when there is a
> change. In the previous example, we will use "subject at REALM-1.COM"
> subject principal as a client name to find the ticket but the actual
> ticket has a "subject-canonical at REALM-2.COM" client name.
> 
> To fix this problem, we now save the original client and service names
> as "alias" fields in Credentials and KerberosTicket objects (if there is
> a change). This allows to find subject credentials properly.
> 
> Note: client and service alias information is not populated (saved or
> retrieved) across credentials caches: file-based-caches [3][4], Windows
> native cache or macOS native cache. As a result, the client name must
> match the subject principal for the credential to be found (see
> Credentials::acquireTGTFromCache). If the credential is not found, a
> request to the KDC may be issued.
> 
> Testing:
> 
> * ReferralsTest extended to cover this bug
> 
> * Regression testing on jdk/sun/security/krb5 passed
> 
> * Tested in my local Windows 2016 referrals environment
> 
> Look forward to your comments.
> 
> Thanks,
> Martin.-
> 
> --
> [1] - https://bugs.openjdk.java.net/browse/JDK-8227437
> [2] - https://bugs.openjdk.java.net/browse/JDK-8215032
> [3] - https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html
> [4] -
> https://web.mit.edu/kerberos/krb5-devel/doc/formats/ccache_file_format.html
> 
> (*) - we have worked together with Max (@weijun) during the last week to
> come up with this version.



More information about the security-dev mailing list