[JDK-8223172] Incomplete/Unusable Kerberos Cross-Realm Referrals Support
Weijun Wang
weijun.wang at oracle.com
Thu Oct 10 02:47:51 UTC 2019
Hi Michael,
Thanks for trying this new feature; you are always the first one.
If I remember correctly, when Martin developed this new feature, he was thinking of adding as little spec change as possible at the beginning. Therefore, although there is a new KerberosPrincipal::KRB_NT_ENTERPRISE constant, it is just an integer and anyone can hardcode it. His next steps will be `kinit -e` and a new Krb5LoginModule option.
And you are welcome to provide more detail on your use case.
--Max
> On Sep 26, 2019, at 5:27 AM, Osipov, Michael <michael.osipov at siemens.com> wrote:
>
> Hi folks,
>
> Apologies up front that I wasn't able to help when Martin Balao asked for a review of the code. I finally managed to test it and cannot see that it is working here at all.
>
> I won't dive into my use case now, but will describe two simple cases which are not possible.
>
> All tests were performed with Oracle JDK 13 on Windows 7:
>> java version "13" 2019-09-17
>> Java(TM) SE Runtime Environment (build 13+33)
>> Java HotSpot(TM) 64-Bit Server VM (build 13+33, mixed mode, sharing)
>
> 1. kinit (JDK bundled) does not work. It neither provides an '-E' option nor sends NT-ENTERPRISE, but only NT-UNKNOWN:
>
>> 0000 30 25 a0 03 02 01 00 a1 1e 30 1c 1b 1a 6d 69 63 0%.......0...mic
>> 0010 68 61 65 6c 2e 6f 73 69 70 6f 76 40 73 69 65 6d hael.osipov@siem
>> 0020 65 6e 73 2e 63 6f 6d ens.com
>
> Byte 0x06 is the name type, NT-UNKNOWN (0). In contrast, with MIT Kerberos 1.17 and 'kinit -E' I see in Wireshark:
>
>> 0000 30 25 a0 03 02 01 0a a1 1e 30 1c 1b 1a 6d 69 63 0%.......0...mic
>> 0010 68 61 65 6c 2e 6f 73 69 70 6f 76 40 73 69 65 6d hael.osipov@siem
>> 0020 65 6e 73 2e 63 6f 6d ens.com
>
> Byte 0x06 is now name type NT-ENTERPRISE-PRINCIPAL (10).
>
> Trying the very same with LSA on Windows with "run as user", I always get type 10 for my implicit UPN osipovmi@AD001.SIEMENS.NET. It only uses NT-PRINCIPAL when I provide the local part (sAMAccountName).
>
> 2. Using the appropriate OID for the enterprise principal:
>
>> import org.ietf.jgss.GSSException;
>> import org.ietf.jgss.GSSManager;
>> import org.ietf.jgss.GSSName;
>> import org.ietf.jgss.Oid;
>>
>> public class Main {
>>     public static void main(String[] args) throws GSSException {
>>         GSSManager m = GSSManager.getInstance();
>>         Oid msUpnOid = new Oid("1.3.6.1.4.1.311.20.2.3");                 // Microsoft UPN name type
>>         Oid krb5PrincipalOid = new Oid("1.2.840.113554.1.2.2.1");          // GSS_KRB5_NT_PRINCIPAL_NAME
>>         Oid krb5EnterprisePrincialOid = new Oid("1.2.840.113554.1.2.2.6"); // GSS_KRB5_NT_ENTERPRISE_NAME (MIT)
>>         Oid krb5MechOid = new Oid("1.2.840.113554.1.2.2");                 // Kerberos V5 mechanism
>>         // Fails on JDK 13 with "Name of unsupported type provided" (see trace below)
>>         GSSName upn = m.createName("michael.osipov@siemens.com", krb5EnterprisePrincialOid);
>>     }
>> }
>
> gives me:
>> Exception in thread "main" GSSException: Name of unsupported type provided (Mechanism level: 1.2.840.113554.1.2.2.6 is an unsupported nametype)
>> at java.security.jgss/sun.security.jgss.krb5.Krb5NameElement.getInstance(Krb5NameElement.java:87)
>> at java.security.jgss/sun.security.jgss.krb5.Krb5MechFactory.getNameElement(Krb5MechFactory.java:99)
>> at java.security.jgss/sun.security.jgss.GSSManagerImpl.getNameElement(GSSManagerImpl.java:184)
>> at java.security.jgss/sun.security.jgss.GSSNameImpl.getElement(GSSNameImpl.java:478)
>> at java.security.jgss/sun.security.jgss.GSSNameImpl.init(GSSNameImpl.java:201)
>> at java.security.jgss/sun.security.jgss.GSSNameImpl.<init>(GSSNameImpl.java:170)
>> at java.security.jgss/sun.security.jgss.GSSNameImpl.<init>(GSSNameImpl.java:151)
>> at java.security.jgss/sun.security.jgss.GSSManagerImpl.createName(GSSManagerImpl.java:109)
>> at com.siemens.dynamowerk.Main.main(Main.java:20)
>
> And yes, the OID has never been defined in that class [1], but it is present in MIT Kerberos [2].
>
> I haven't tried a programmatic kinit, but as mentioned in the notes [3], Krb5LoginModule does not support it, so I don't even have to try.
>
>
> Any insights?
>
> Besides that, it'd be very cool if this got into 11u or, better yet, 8u. I talked with Weijun about this several times many years ago for Java 7+. I have no option to use anything other than Java 8 for now.
>
> If someone wants to know more about my use case, I'd be happy to lay it out in detail. I do need at least krb5EnterprisePrincialOid, and preferably msUpnOid, for my use case.
>
> The only option I see now is to write a delegating wrapper for this:
>
>> // WrappedGSSName is my own delegating GSSName implementation (not shown) that
>> // forwards every call to the wrapped name but reports a different name type OID.
>> GSSName upn = m.createName("michael.osipov@siemens.com", krb5PrincipalOid);
>> GSSName wrappedUpn = new WrappedGSSName(upn, krb5EnterprisePrincialOid);
>> System.out.println(wrappedUpn);
>> System.out.println(wrappedUpn.getStringNameType());
>
>> michael.osipov@siemens.com
>> 1.2.840.113554.1.2.2.6
>
> Michael
>
> [1] https://github.com/AdoptOpenJDK/openjdk-jdk13u/blob/bb0786d980437800b9d6efe17e42d18241714ea1/src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5MechFactory.java#L51-L61
> [2] https://web.mit.edu/kerberos/krb5-devel/doc/appdev/gssapi.html
> [3] http://mail.openjdk.java.net/pipermail/security-dev/2018-December/018952.html
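The two hex dumps in Michael's mail are DER-encoded Kerberos PrincipalName structures (RFC 4120, 5.2.2): a SEQUENCE whose [0] field is the name-type INTEGER and whose [1] field is the name-string SEQUENCE OF GeneralString. The following is an added example, not code from the thread, the JDK or MIT Kerberos: a small Python decoder/encoder for that structure that parses both captures verbatim, reports the name type, re-encodes them, and checks whether a request carries what an enterprise name should (name-type 10 with a single user@domain component, per RFC 6806). The two dumps are taken from the mail above; the `osipovmi` NT-PRINCIPAL sample in the `__main__` block is constructed for illustration.

```python
"""Decode/encode the Kerberos PrincipalName (RFC 4120, 5.2.2):
    PrincipalName ::= SEQUENCE { name-type [0] Int32,
                                 name-string [1] SEQUENCE OF KerberosString }
Added example (not JDK or MIT code) for checking the name-type a client
puts into an AS-REQ against a Wireshark capture, byte for byte."""

# Name types from RFC 4120 section 6.2; NT-ENTERPRISE (10) is from RFC 6806.
NT_UNKNOWN, NT_PRINCIPAL, NT_SRV_INST, NT_SRV_HST, NT_ENTERPRISE = 0, 1, 2, 3, 10
NAME_TYPE_NAMES = {NT_UNKNOWN: "NT-UNKNOWN", NT_PRINCIPAL: "NT-PRINCIPAL",
                   NT_SRV_INST: "NT-SRV-INST", NT_SRV_HST: "NT-SRV-HST",
                   NT_ENTERPRISE: "NT-ENTERPRISE-PRINCIPAL"}

# The two cname encodings captured in the mail: JDK kinit (name-type 0) and
# MIT 'kinit -E' (name-type 10). Only byte 0x06 differs.
JDK_KINIT_DUMP = bytes.fromhex(
    "30 25 a0 03 02 01 00 a1 1e 30 1c 1b 1a 6d 69 63 "
    "68 61 65 6c 2e 6f 73 69 70 6f 76 40 73 69 65 6d "
    "65 6e 73 2e 63 6f 6d")
MIT_KINIT_E_DUMP = bytes.fromhex(
    "30 25 a0 03 02 01 0a a1 1e 30 1c 1b 1a 6d 69 63 "
    "68 61 65 6c 2e 6f 73 69 70 6f 76 40 73 69 65 6d "
    "65 6e 73 2e 63 6f 6d")


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def _expect(buf: bytes, pos: int, tag: int, what: str):
    """Read a TLV and insist on a specific tag; return (value, next_pos)."""
    got, value, nxt = _read_tlv(buf, pos)
    if got != tag:
        raise ValueError(f"{what}: expected tag 0x{tag:02x}, got 0x{got:02x}")
    return value, nxt


def decode_principal_name(der: bytes):
    """Return (name_type, [component, ...]) from a DER-encoded PrincipalName."""
    body, end = _expect(der, 0, 0x30, "PrincipalName")
    if end != len(der):
        raise ValueError("trailing bytes after PrincipalName")
    nt_body, pos = _expect(body, 0, 0xA0, "[0] name-type")
    nt_value, _ = _expect(nt_body, 0, 0x02, "name-type INTEGER")
    name_type = int.from_bytes(nt_value, "big", signed=True)
    ns_body, pos = _expect(body, pos, 0xA1, "[1] name-string")
    if pos != len(body):
        raise ValueError("unexpected field after name-string")
    seq, _ = _expect(ns_body, 0, 0x30, "name-string SEQUENCE OF")
    components, p = [], 0
    while p < len(seq):
        s, p = _expect(seq, p, 0x1B, "KerberosString (GeneralString)")
        components.append(s.decode("ascii"))
    return name_type, components


def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value with minimal length encoding."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_int(value: int) -> bytes:
    n = max(1, (value.bit_length() + 8) // 8)  # minimal two's-complement width
    return _tlv(0x02, value.to_bytes(n, "big", signed=True))


def encode_principal_name(name_type: int, components) -> bytes:
    """DER-encode a PrincipalName from a name type and its name-string parts."""
    name_string = _tlv(0x30, b"".join(_tlv(0x1B, c.encode("ascii")) for c in components))
    return _tlv(0x30, _tlv(0xA0, _der_int(name_type)) + _tlv(0xA1, name_string))


def describe(der: bytes) -> str:
    """Summary line such as 'NT-ENTERPRISE-PRINCIPAL (10): michael.osipov@siemens.com'."""
    name_type, components = decode_principal_name(der)
    return f"{NAME_TYPE_NAMES.get(name_type, 'NT-?')} ({name_type}): {'/'.join(components)}"


def is_enterprise_name(der: bytes) -> bool:
    """True if the request carries an enterprise name as RFC 6806 describes it:
    name-type 10 and a single component of the form user@domain."""
    name_type, components = decode_principal_name(der)
    return name_type == NT_ENTERPRISE and len(components) == 1 and "@" in components[0]


if __name__ == "__main__":
    for label, dump in (("JDK kinit", JDK_KINIT_DUMP), ("MIT kinit -E", MIT_KINIT_E_DUMP)):
        print(f"{label:13} byte 0x06 = 0x{dump[6]:02x}  {describe(dump)}  "
              f"enterprise={is_enterprise_name(dump)}")
    # Constructed sample: what a plain sAMAccountName looks like as NT-PRINCIPAL.
    print(encode_principal_name(NT_PRINCIPAL, ["osipovmi"]).hex(" "))
```

Run stand-alone it prints the name type of each capture; re-encoding the decoded MIT request with `encode_principal_name` reproduces the captured bytes exactly, which is the quickest way to confirm that a JGSS-built name differs from MIT's only in the name-type integer and not in how the single `user@domain` component is split.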