Posted to dev@directory.apache.org by "Colm O hEigeartaigh (Jira)" <ji...@apache.org> on 2023/02/20 07:34:00 UTC
[jira] [Closed] (DIRKRB-762) The AS request appears with an NPE when preauth_required is set to false
[ https://issues.apache.org/jira/browse/DIRKRB-762?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh closed DIRKRB-762.
--------------------------------------
> The AS request appears with an NPE when preauth_required is set to false
> ------------------------------------------------------------------------
>
> Key: DIRKRB-762
> URL: https://issues.apache.org/jira/browse/DIRKRB-762
> Project: Directory Kerberos
> Issue Type: Bug
> Affects Versions: 2.0.0, 2.0.1, 2.0.2
> Reporter: Jichao Wang
> Assignee: Colm O hEigeartaigh
> Priority: Major
> Fix For: 2.0.3
>
> Attachments: kdc-npe.png
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> If you change the value of preauth_required in the kdc.conf file to false, then using the following code to access the KDC causes an NPE error.
> * Test.java
> {code:java}
> // Test.java Run on JDK8 or JDK11
> import javax.security.auth.Subject;
> import javax.security.auth.login.LoginContext;
>
> public class Test {
>     public static void main(String[] args) throws Exception {
>         // Realm and KDC host used by the JDK Kerberos client
>         System.setProperty("java.security.krb5.realm", "HADOOP.COM");
>         System.setProperty("java.security.krb5.kdc", "wslhost");
>         // Keytab login through Krb5LoginModule, configured by CustomConfiguration
>         LoginContext lc = new LoginContext("SampleClient",
>                 new Subject(),
>                 null,
>                 new CustomConfiguration("hadoop@HADOOP.COM", "/root/wjc/hadoop.keytab"));
>         lc.login();
>         System.out.println(lc.getSubject().toString());
>     }
> }
> {code}
> * CustomConfiguration.java
> {code:java}
> import javax.security.auth.login.AppConfigurationEntry;
> import java.util.HashMap;
> import java.util.Map;
>
> class CustomConfiguration
>         extends javax.security.auth.login.Configuration {
>     private static final Map<String, String> BASIC_JAAS_OPTIONS =
>             new HashMap<String, String>();
>     private static final Map<String, String> KEYTAB_KERBEROS_OPTIONS =
>             new HashMap<String, String>();
>     private static final AppConfigurationEntry KEYTAB_KERBEROS_LOGIN =
>             new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
>                     AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
>                     KEYTAB_KERBEROS_OPTIONS);
>     private static final AppConfigurationEntry[] KEYTAB_KERBEROS_CONF =
>             new AppConfigurationEntry[]{KEYTAB_KERBEROS_LOGIN};
>
>     static {
>         KEYTAB_KERBEROS_OPTIONS.put("doNotPrompt", "true");
>         KEYTAB_KERBEROS_OPTIONS.put("useKeyTab", "true");
>         KEYTAB_KERBEROS_OPTIONS.put("storeKey", "true");
>         KEYTAB_KERBEROS_OPTIONS.put("refreshKrb5Config", "true");
>         KEYTAB_KERBEROS_OPTIONS.putAll(BASIC_JAAS_OPTIONS);
>     }
>
>     private String keytabPrincipal;
>     private String keytabFile;
>
>     public CustomConfiguration(String keytabPrincipal, String keytabFile) {
>         this.keytabPrincipal = keytabPrincipal;
>         this.keytabFile = keytabFile;
>     }
>
>     private CustomConfiguration() {
>     }
>
>     public String getKeytabFile() {
>         return keytabFile;
>     }
>
>     public String getKeytabPrincipal() {
>         return keytabPrincipal;
>     }
>
>     @Override
>     public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
>         KEYTAB_KERBEROS_OPTIONS.put("keyTab", keytabFile);
>         KEYTAB_KERBEROS_OPTIONS.put("principal", keytabPrincipal);
>         return KEYTAB_KERBEROS_CONF;
>     }
> }
> {code}
> Kerberos client error information is as follows:
> {code:java}
> Exception in thread "main" javax.security.auth.login.LoginException: null (5001)
> at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:781)
> at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592)
> at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726)
> at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)
> at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)
> at java.base/java.security.AccessController.doPrivileged(Native Method)
> at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)
> at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574)
> at org.example.Main.main(Main.java:14)
> Caused by: KrbException: null (5001)
> at java.security.jgss/sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
> at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:326)
> at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:371)
> at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:753)
> ... 8 more
> Caused by: KrbException: Identifier doesn't match expected value (906)
> at java.security.jgss/sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
> at java.security.jgss/sun.security.krb5.internal.ASRep.init(ASRep.java:64)
> at java.security.jgss/sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
> at java.security.jgss/sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
> ... 11 more {code}
> The position where NPE occurs on kerby-kdc is as follows:
> !kdc-npe.png!