Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.0.0-RC2, 1.0.0
    • Fix Version/s: 1.0.1
    • Component/s: None
    • Labels:
      None
    • Environment:
      Debian, Fedora

      Description

      The Kerby KDC does not accept preauthentication from a MIT Kerberos client starting from version 1.11. Version 1.11 marks the implementation of the FAST OTP standard in MIT Kerberos, apparently with changes not understood by Kerby.
      More details on stacktraces are available from:
      http://mail-archives.apache.org/mod_mbox/directory-kerby/201705.mbox/browser
      A failing test is available from:
      https://github.com/vtslab/directory-kerby/tree/MitIssue

      Without an update on MIT Kerberos compatibility, Directory Kerby is not usable for testing Kerberos functionality in Apache TinkerPop's gremlin-python module (the more so because the MIT Kerberos 1.10 source distribution does not compile anymore with the gcc-5.x from recent LTS Linux distributions).

          Activity

          HadoopMarc Marc de Lignie added a comment -

          For people wanting to use Directory Kerby 1.0.0 with MIT Kerberos and a recent Linux distro right now, the following workaround applies (tested on Ubuntu 16.04 LTS). The problem, at least for me, was to find out how to compile this source, i.e. learning about the extra compiler flags needed. You will probably need to install some additional Ubuntu packages, like build-essential, automake and autotools-dev; read the error messages.

          $ wget http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.7-signed.tar
          $ tar -xf krb5-1.10.7-signed.tar
          $ tar -xf krb5-1.10.7.tar.gz
          $ cd krb5-1.10.7/src
          $ ./configure LDFLAGS='-z muldefs' CPPFLAGS='-DCONFIG_SMALL'
          $ make
          $ sudo make install

          In a fresh terminal check:
          $ krb5-config --version

          If you use Python's MIT Kerberos wrapper from PyPI, reinstall it so that it links to the new default shared Kerberos libraries.

          This workaround does not alleviate the necessity to resolve the current issue; kerberos-1.10 is at N-5. Even the gpg key is not valid anymore, so this workaround is at your own risk:
          pub rsa2048/749D7889 2014-06-16 [SCEA] [revoked on: 2016-08-16]
          uid [revoked] Tom Yu <tlyu@mit.edu>

          Cheers, Marc

          coheigea Colm O hEigeartaigh added a comment -

          Hi Marc,

          Would it be possible to submit a PR based on your fork to Kerby master so that we have a failing test to reproduce the issue?

          Colm.

          HadoopMarc Marc de Lignie added a comment -

          Hi Colm,

          The test requires manual involvement, so I would guess the PR is not very likely to be accepted as is. So I would rather you fetch and cherry-pick the relevant commit into your development clone and make an automated test out of it.

          Cheers, Marc

          HadoopMarc Marc de Lignie added a comment -

          Hi Jiajia,

          I tested your patch for this issue on my system with success, see below. Great work.
          +1 for closing this issue.

          Cheers, Marc

          marc@AntecMarc:~/Projects/directory-kerby$ . kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/MitIssueTest.sh
          [7271] 1497704603.215880: Retrieving drankye@TEST.COM from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
          [7271] 1497704603.216057: Retrieving drankye@TEST.COM from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
          kerberos.authGSSClientInit successful
          [7271] 1497704603.216410: Getting credentials drankye@TEST.COM -> test-service/localhost@ using ccache FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
          [7271] 1497704603.216435: Retrieving drankye@TEST.COM -> test-service/localhost@ from FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc with result: -1765328243/Matching credential not found (filename: kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc)
          [7271] 1497704603.216451: Retrying drankye@TEST.COM -> test-service/localhost@TEST.COM with result: -1765328243/Matching credential not found (filename: kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc)
          [7271] 1497704603.216454: Server has referral realm; starting with test-service/localhost@TEST.COM
          [7271] 1497704603.216503: Retrieving drankye@TEST.COM -> krbtgt/TEST.COM@TEST.COM from FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc with result: 0/Success
          [7271] 1497704603.216525: Starting with TGT for client realm: drankye@TEST.COM -> krbtgt/TEST.COM@TEST.COM
          [7271] 1497704603.216527: Requesting tickets for test-service/localhost@TEST.COM, referrals on
          [7271] 1497704603.216553: Generated subkey for TGS request: aes128-cts/B84F
          [7271] 1497704603.216588: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
          [7271] 1497704603.216689: Encoding request body and padata into FAST request
          [7271] 1497704603.216730: Sending request (836 bytes) to TEST.COM
          [7271] 1497704603.216753: Resolving hostname localhost
          [7271] 1497704603.216808: Initiating TCP connection to stream 127.0.0.1:32893
          [7271] 1497704603.216910: Sending TCP request to stream 127.0.0.1:32893
          [7271] 1497704603.233757: Received answer (550 bytes) from stream 127.0.0.1:32893
          [7271] 1497704603.233766: Terminating TCP connection to stream 127.0.0.1:32893
          [7271] 1497704603.499207: Response was not from master KDC
          [7271] 1497704603.499262: Decoding FAST response
          [7271] 1497704603.499339: TGS reply didn't decode with subkey; trying session key (
          [7271] 1497704603.499359: Decoding FAST response
          [7271] 1497704603.499438: TGS reply is for drankye@TEST.COM -> test-service/localhost@TEST.COM with session key aes128-cts/F165
          [7271] 1497704603.499469: TGS request result: 0/Success
          [7271] 1497704603.499476: Received creds for desired service test-service/localhost@TEST.COM
          [7271] 1497704603.499491: Storing drankye@TEST.COM -> test-service/localhost@ in FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
          [7271] 1497704603.499609: Also storing drankye@TEST.COM -> test-service/localhost@TEST.COM based on ticket
          [7271] 1497704603.499628: Removing drankye@TEST.COM -> test-service/localhost@TEST.COM from FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
          [7271] 1497704603.499766: Creating authenticator for drankye@TEST.COM -> test-service/localhost@, seqnum 1022979379, subkey aes128-cts/6609, session key aes128-cts/F165
          [7271] 1497704603.499795: Negotiating for enctypes in authenticator: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
          First kerberos.authGSSClientStep successful

          marc@AntecMarc:~/Projects/directory-kerby$ klist
          Ticket cache: FILE:kerby-kerb/kerb-kdc-test/target/tmp/test-tkt.cc
          Default principal: drankye@TEST.COM

          Valid starting       Expires              Service principal
          17-06-17 15:03:00    17-06-17 23:03:00    krbtgt/TEST.COM@TEST.COM
                  renew until 19-06-17 15:03:00
          17-06-17 15:03:23    17-06-17 23:03:00    test-service/localhost@
                  renew until 17-06-17 23:03:00
          17-06-17 15:03:23    17-06-17 23:03:00    test-service/localhost@TEST.COM
                  renew until 17-06-17 23:03:00

          marc@AntecMarc:~/Projects/directory-kerby$ lsb_release -a
          No LSB modules are available.
          Distributor ID: Ubuntu
          Description: Ubuntu 16.04.2 LTS
          Release: 16.04
          Codename: xenial

          marc@AntecMarc:~/Projects/directory-kerby$ klist -V
          Kerberos 5 version 1.15.1

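Added example (not code from this issue, from Marc's test script or from the Kerby project): a small Python parser over KRB5_TRACE output of the shape posted in the comment above. It summarises the security-relevant facts of the TGS exchange that a reviewer of such a trace wants to see at a glance: whether the client armored the request with FAST (the mechanism the description says Kerby did not understand), which enctypes the client offered and which of those are deprecated, whether the KDC encrypted the reply under the authenticator subkey or fell back to the TGT session key, and the result code. The sample lines are copied from the trace in the comment; the message strings matched are MIT's trace messages exactly as they appear there, while the UDP variant ("Sending initial UDP request to dgram ...") is assumed from MIT's trace format and does not occur on this page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: these lines are copied from the KRB5_TRACE output in the
# comment above (MIT krb5 1.15.1 client talking to the patched Kerby KDC).
SAMPLE_TRACE = """\
[7271] 1497704603.216588: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[7271] 1497704603.216689: Encoding request body and padata into FAST request
[7271] 1497704603.216730: Sending request (836 bytes) to TEST.COM
[7271] 1497704603.216808: Initiating TCP connection to stream 127.0.0.1:32893
[7271] 1497704603.233757: Received answer (550 bytes) from stream 127.0.0.1:32893
[7271] 1497704603.499262: Decoding FAST response
[7271] 1497704603.499339: TGS reply didn't decode with subkey; trying session key (
[7271] 1497704603.499438: TGS reply is for drankye@TEST.COM -> test-service/localhost@TEST.COM with session key aes128-cts/F165
[7271] 1497704603.499469: TGS request result: 0/Success
"""

# Enctypes a hardened realm should no longer offer: 3DES and RC4 are deprecated by
# RFC 8429, single DES by RFC 6649.
WEAK_ETYPES = {"des3-cbc-sha1", "rc4-hmac", "rc4-hmac-exp",
               "des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}

# KRB5_TRACE line shape: "[pid] seconds.micros: message"
LINE_RE = re.compile(r"^\[(?P<pid>\d+)\]\s+(?P<ts>\d+\.\d+):\s+(?P<msg>.*)$")


@dataclass
class TgsExchange:
    fast_request: bool = False          # client wrapped body and padata in PA-FX-FAST
    fast_response: bool = False         # client decoded a FAST-wrapped reply
    requested_etypes: List[str] = field(default_factory=list)
    weak_etypes_offered: List[str] = field(default_factory=list)
    session_key_etype: Optional[str] = None
    reply_decoded_with_subkey: Optional[bool] = None
    result_code: Optional[int] = None   # 0 means success
    transport: Optional[str] = None
    kdc_endpoint: Optional[str] = None


def parse_trace(text: str) -> TgsExchange:
    """Walk KRB5_TRACE lines once and summarise the TGS exchange they describe."""
    ex = TgsExchange()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a trace line (shell prompt, script output, ...)
        msg = m.group("msg")
        if msg.startswith("etypes requested in TGS request:"):
            ex.requested_etypes = [e.strip() for e in msg.split(":", 1)[1].split(",")]
            ex.weak_etypes_offered = [e for e in ex.requested_etypes if e in WEAK_ETYPES]
        elif msg.endswith("into FAST request"):
            ex.fast_request = True
        elif msg.startswith("Decoding FAST response"):
            ex.fast_response = True
        elif msg.startswith("TGS reply didn't decode with subkey"):
            # RFC 4120 lets the KDC encrypt the TGS-REP under the authenticator subkey
            # or the TGT session key; MIT tries the subkey first and falls back.
            ex.reply_decoded_with_subkey = False
        elif msg.startswith("TGS reply is for"):
            # "... with session key aes128-cts/F165": the enctype is the part before '/'
            ex.session_key_etype = msg.rsplit("with session key", 1)[1].strip().split("/")[0]
            if ex.reply_decoded_with_subkey is None:
                ex.reply_decoded_with_subkey = True
        elif msg.startswith("TGS request result:"):
            ex.result_code = int(msg.split(":", 1)[1].strip().split("/")[0])
        elif msg.startswith("Initiating TCP connection to stream"):
            ex.transport, ex.kdc_endpoint = "tcp", msg.rsplit(" ", 1)[1]
        elif msg.startswith("Sending initial UDP request to dgram"):  # assumed MIT wording
            ex.transport, ex.kdc_endpoint = "udp", msg.rsplit(" ", 1)[1]
    return ex


def findings(ex: TgsExchange) -> List[str]:
    """Turn the summary into the review points a practitioner wants to see."""
    out = ["FAST armor used on the request" if ex.fast_request
           else "request sent without FAST armor"]
    if ex.fast_request and not ex.fast_response:
        out.append("KDC answered a FAST request with a non-FAST reply")
    if ex.weak_etypes_offered:
        out.append("client offered deprecated enctypes: " + ", ".join(ex.weak_etypes_offered))
    if ex.reply_decoded_with_subkey is False:
        out.append("TGS reply was encrypted with the TGT session key, not the authenticator subkey")
    if ex.session_key_etype:
        out.append(f"service ticket session key enctype: {ex.session_key_etype}")
    out.append("TGS request succeeded" if ex.result_code == 0
               else f"TGS request failed with code {ex.result_code}")
    return out


if __name__ == "__main__":
    for line in findings(parse_trace(SAMPLE_TRACE)):
        print("-", line)
```

To use it on a real run, capture the client side with `KRB5_TRACE=/tmp/krb5.trace` set in the environment of kinit or the gremlin-python test, then pass the file contents to `parse_trace`. On the sample above it reports FAST armor on the request, des3-cbc-sha1 and rc4-hmac among the offered enctypes, a reply encrypted under the session key rather than the subkey, an aes128-cts service session key, and success.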
          jiajia Jiajia Li added a comment -

          Thanks Marc for reporting this issue and checking the fix.

          jiajia Jiajia Li added a comment -

          commit a6224d2cf60e8e18ba5e307f1a4a2bc4c01a55b4
          Author: plusplusjiajia <jiajia.li@intel.com>
          Date: Wed Jun 14 10:43:46 2017 +0800

          Fix DIRKRB-614 and DIRKRB-631.


            People

            • Assignee:
              jiajia Jiajia Li
              Reporter:
              HadoopMarc Marc de Lignie
            • Votes:
              0
              Watchers:
              4
