KrbException exception does not contain error string although error is well-known

Wei-Jun Wang weijun.wang at oracle.com
Fri Sep 22 19:58:29 UTC 2023


I'd fix it in one commit. https://bugs.openjdk.org/browse/JDK-8316771 filed.

Thanks,
Max

> On Sep 22, 2023, at 10:35 AM, Osipov, Michael (IN IT IN) <michael.osipov at siemens.com> wrote:
> 
> Nothing at hand, at the moment. I was first waiting for you to confirm the issue. I think two distinct PRs are necessary here with two JBS issues?
> 
> M
> 
> On 2023-09-20 20:06, Wei-Jun Wang wrote:
>> I'll look into it. Thanks!
>> Do you have a patch? :-)
>> --Max
>>> On Aug 9, 2023, at 3:30 AM, Osipov, Michael (SMD IT IN) <michael.osipov at siemens.com> wrote:
>>> 
>>> Folks, Max,
>>> 
>>> consider the following code snippet configured with the Krb5LoginModule:
>>>> LoginContext lc = new LoginContext(loginEntryName);
>>>> lc.login();
>>> 
>>> then a LoginException is thrown with the following stacktrace:
>>>> 2023-08-01T00:09:31.601 SCHWERWIEGEND [https-openssl-apr-8444-exec-5417] net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.getPrincipal Exception acquiring directory server connection
>>>>    javax.naming.NamingException: null (29) [Root exception is javax.security.auth.login.LoginException: null (29)]
>>>>        at net.sf.michaelo.dirctxsrc.DirContextSource.getGssApiDirContext(DirContextSource.java:625)
>>>>        at net.sf.michaelo.dirctxsrc.DirContextSource.getDirContext(DirContextSource.java:685)
>>>>        at net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.open(ActiveDirectoryRealm.java:572)
>>>>        at net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.acquire(ActiveDirectoryRealm.java:506)
>>>>        at net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.getPrincipal(ActiveDirectoryRealm.java:432)
>>>>        at net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.getPrincipal(ActiveDirectoryRealm.java:461)
>>>>        at net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.getPrincipal(ActiveDirectoryRealm.java:426)
>>>>        at org.apache.catalina.realm.RealmBase.authenticate(RealmBase.java:497)
>>>>        at net.sf.michaelo.tomcat.authenticator.SpnegoAuthenticator.doAuthenticate(SpnegoAuthenticator.java:163)
>>>>        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:564)
>>>>        ...
>>>>        at java.lang.Thread.run(Thread.java:750)
>>>>    Caused by: javax.security.auth.login.LoginException: null (29)
>>>>        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:810)
>>>>        at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
>>>>        at sun.reflect.GeneratedMethodAccessor10719.invoke(Unknown Source)
>>>>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>        at java.lang.reflect.Method.invoke(Method.java:498)
>>>>        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
>>>>        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
>>>>        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
>>>>        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
>>>>        at java.security.AccessController.doPrivileged(Native Method)
>>>>        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
>>>>        at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
>>>>        at net.sf.michaelo.dirctxsrc.DirContextSource.getGssApiDirContext(DirContextSource.java:574)
>>>>        ... 23 more
>>>>    Caused by: KrbException: null (29)
>>>>        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
>>>>        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:335)
>>>>        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:488)
>>>>        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:782)
>>>>        ... 35 more
>>>>    Caused by: KrbException: Identifier doesn't match expected value (906)
>>>>        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
>>>>        at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
>>>>        at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
>>>>        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
>>>>        ... 38 more
>>> 
>>> I am trying to obtain a TGT to authenticate thorugh SASL GSSAPI to Active Directory via LDAP. This happened to me now repeatedly in the last couple of days around midnight. Looking up error code 29 says KDC_ERR_SVC_UNAVAILABLE, obviously the AD DC server is maintenance mode. What bugs me is that KDC_ERR_SVC_UNAVAILABLE(29) is documented in Krb5.java, has an error message and KrbException.java does use it, but no error message is mapped to the code.
>>> 
>>> Request: Maybe someone (Max?) log an improvement request with JBS to
>>> add missing error codes 26--28, 51 from [1] and
>>>>    public static final int KRB_AP_ERR_NOREALM          = 62;
>>>>    public static final int KRB_AP_ERR_GEN_CRED         = 63;
>>> 
>>> look incorrect. Plus the mapping in errMsgList for those.
>>> 
>>> Note: Tried with OpenJDK 8.
>>> 
>>> Best regards,
>>> 
>>> Michael
>>> 
>>> [1] https://urldefense.com/v3/__https://www.rfc-editor.org/rfc/rfc4120*section-7.5.9__;Iw!!ACWV5N9M2RV99hQ!NAnnEyD5OZ3aXFClFAbzuSz344ZIBcwaUSH0iXe_005rJuCa-xP9-BARuknsTOZNP-MFJSjAiIMQm8mI7AyLsisF4Mg$




More information about the security-dev mailing list