Posted to dev@directory.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2017/05/31 11:27:04 UTC

[jira] [Commented] (DIRKRB-614) Kerby (simplekdc) fails to handle unknown PADATA

    [ https://issues.apache.org/jira/browse/DIRKRB-614?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16031006#comment-16031006 ] 

Colm O hEigeartaigh commented on DIRKRB-614:
--------------------------------------------

Hi [~drankye],

I've run into this problem as well when using "curl --negotiate" with Kerby. I see the following error with 1.0.0:

Caused by: java.io.IOException: Unexpected item context [0] [tag=0xA0, off=0, len=3+207], expecting 0x30
	at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:220)
	at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:207)
	at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:83)

Do we know what the unknown PADATA is and how other KDCs handle it?

By the way, with regard to your comment about disabling the preauth check, this does not work. KdcRequest.kdcFindFast is called even if preauthcontext.isPreauthRequired() is false.

> Kerby (simplekdc) fails to handle unknown PADATA 
> -------------------------------------------------
>
>                 Key: DIRKRB-614
>                 URL: https://issues.apache.org/jira/browse/DIRKRB-614
>             Project: Directory Kerberos
>          Issue Type: Bug
>    Affects Versions: 1.0.0-RC2
>         Environment: SimpleKDC 
>            Reporter: Bolke de Bruin
>         Attachments: kerb_heimdal.pcapng, kerb.pcap
>
>
> I am using simplekdc wrapped in an application to allow CI for Apache Airflow.
> While testing I found out that on my development system (OS X - Heimdal with MIT Shim) everything worked fine, but when moving over to the CI (MIT) system it stopped working with the following error.
> {code}
> 2016-11-26 17:08:51,974 ERROR [pool-1-thread-3] impl.DefaultKdcHandler: Error occured while processing request:
> org.apache.kerby.kerberos.kerb.KrbException: Decoding failed
> 	at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)
> 	at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
> 	at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast(KdcRequest.java:208)
> 	at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.process(KdcRequest.java:168)
> 	at org.apache.kerby.kerberos.kerb.server.KdcHandler.handleMessage(KdcHandler.java:115)
> 	at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.handleMessage(DefaultKdcHandler.java:67)
> 	at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:52)
> 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> 	at java.lang.Thread.run(Thread.java:745)
> Caused by: java.io.IOException: Unexpected item context [0] [tag=0xA0, off=0, len=3+198], expecting 0x30
> 	at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:210)
> 	at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:197)
> 	at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:83)
> 	... 9 more
> {code}
> Digging in with Wireshark showed that the MIT libraries are sending extra PAData which makes Kerby not respond (Wireshark records this as "Unknown 136"). This behavior can be replicated by using "kvno". 
> Heimdal on OSX does not send this and gets a response.



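The error text above reports a context-specific [0] tag (0xA0) with a 3-byte header and a 207-byte body where a SEQUENCE (0x30) was expected. As an added example (not Kerby's code and not part of the original message), this Python sketch reads such a DER header and steps past one explicit [0] wrapper. The sample bytes are constructed, and treating the value as an explicit [0] around a SEQUENCE follows the RFC 6113 definition of PA-FX-FAST-REQUEST (padata type 136), which is an assumption about this capture.

```python
SEQUENCE = 0x30   # universal, constructed SEQUENCE
CONTEXT_0 = 0xA0  # context-specific, constructed, tag number 0

def read_header(buf, off=0):
    """Return (tag, header_len, body_len) of the DER TLV at buf[off:]."""
    if len(buf) - off < 2:
        raise ValueError("truncated header")
    tag, first = buf[off], buf[off + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag numbers are not handled here")
    if first < 0x80:                 # short form: one length byte
        return tag, 2, first
    n = first & 0x7F                 # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) - off < 2 + n:
        raise ValueError("indefinite, oversized or truncated length")
    body_len = int.from_bytes(buf[off + 2:off + 2 + n], "big")
    if buf[off + 2] == 0 or body_len < 0x80:
        raise ValueError("non-minimal length, not valid DER")
    return tag, 2 + n, body_len

def find_sequence(buf):
    """Return the SEQUENCE bytes, stepping past one explicit [0] if present."""
    tag, hlen, blen = read_header(buf)
    if hlen + blen > len(buf):
        raise ValueError("body runs past end of buffer")
    if tag == CONTEXT_0:
        inner = buf[hlen:hlen + blen]
        itag, ihlen, iblen = read_header(inner)
        if itag != SEQUENCE or ihlen + iblen != blen:
            raise ValueError("[0] does not wrap exactly one SEQUENCE")
        return inner
    if tag != SEQUENCE:
        raise ValueError("unexpected tag 0x%02X, expecting 0x30" % tag)
    return buf[:hlen + blen]

# Constructed sample (not taken from the attached captures): a [0] wrapper
# whose 207-byte body is a SEQUENCE header plus 204 filler bytes.
SAMPLE = bytes([0xA0, 0x81, 0xCF, 0x30, 0x81, 0xCC]) + bytes(204)

if __name__ == "__main__":
    tag, hlen, blen = read_header(SAMPLE)
    print("tag=0x%02X len=%d+%d" % (tag, hlen, blen))
    print("inner tag=0x%02X" % find_sequence(SAMPLE)[0])
```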